Privacy Policy
This Policy explains how PickOS Inc. collects, uses, shares, and protects information when you enroll, sign in (with PickOS credentials or any third-party identity provider we support), use any platform we operate (including MyPick), install our apps from any application store, or contact our support team.
Table of contents
- Who we are and how to reach us
- Scope of this Policy
- The data we collect
- How we use data
- Legal bases for processing
- How we share data
- International data transfers
- Retention
- Security
- Your rights and choices
- Region-specific notices
- Children
- Application stores and advertising transparency
- Automated decision-making
- Changes to this Policy
- How to contact us about privacy
1. Who we are and how to reach us
PickOS Inc. (“PickOS,” “we,” “us,” “our”) is the controller of the personal information described in this Policy unless a specific PickOS-operated platform discloses a different controller. PickOS is the parent company of platforms such as MyPick (MyPick.com).
You can reach our privacy team via the Contact page (select “Legal / privacy” as the topic) or by writing to privacy@pickos.com. If you are in the EEA or the United Kingdom and we appoint a representative or Data Protection Officer, their contact details will be published here.
2. Scope of this Policy
This Policy covers personal information processed when you visit pickos.com, register for or use any PickOS platform (including MyPick), interact with our applications on any operating system, contact our support team, communicate with us in person or by phone, or otherwise interact with PickOS.
Where a PickOS platform publishes its own product-specific privacy notice, that notice supplements this Policy and prevails to the extent of any conflict for that platform’s use. Third-party services you reach through links or integrations (such as identity providers, application stores, operating-system vendors, payment processors, social platforms, advertising networks, and analytics or support partners) are governed by their own privacy notices.
3. The data we collect
3.1 Information you provide at enrollment
When you create an Account, we collect the data you submit, which may include: legal or business name, email address, mobile or other phone number, password (stored only as a salted hash), country of residence or operation, language preference, role within MyPick (Promoter, Seller, or other), organisation details (where applicable), tax or business identifiers (where required for invoicing or KYC), and any document you upload to verify identity or business standing.
3.2 Authentication and account-security data
To secure your Account and detect abuse, we process: timestamps of sign-ins and sign-outs, IP addresses, network and ISP signals, device fingerprints (browser, OS, screen, timezone, language), MFA enrollment and method, hashes of authentication secrets, session tokens (issued and revoked), risk and fraud signals from our anti-abuse systems, and records of password resets and recovery attempts.
3.3 Federated sign-in data
When you sign in through any third-party identity provider we support, we receive only what that provider sends and what you authorise — typically a stable user identifier, your email address (or a private relay address where the provider offers one), your display name, locale, and a profile-picture URL. We never receive your password from such a provider.
3.4 Usage and device data
As you use the Services we collect: pages and screens viewed, features used, search queries within the Services, clicks and gestures, approximate location derived from IP, diagnostic and crash data, performance metrics (such as latency and error rates), application version, operating-system version, locale and language, and — where your operating system makes them available and you have permitted them — advertising or measurement identifiers, subject to the consent prompts your device provides.
3.5 Cookies and similar technologies
See our Cookie Policy for the technologies we deploy on the Services and how to manage them. In mobile applications, equivalent technologies (local storage, secure keychain, mobile measurement SDKs) are described in this Policy and within product documentation.
3.6 Support, sales, and other communications
When you contact us — via support form, email, in-app chat, phone, or in person — we collect the content of your message, attachments you choose to send, audio recordings or transcripts where you have been notified and consented (for example, “this call may be recorded”), and metadata needed to route, prioritise, and audit the request.
3.7 Commerce and payments data
Where the Services process payments or payouts, we use licensed payment processors. We typically receive limited tokenised transaction data such as the last four digits of a card, card brand, billing country, processor reference, and amount, but not full card numbers, CVV, or full bank-account numbers. For payouts to Sellers and Promoters on MyPick, we may collect tax-residency and identification information required by law (KYC / AML).
3.8 Content you choose to publish
Content you publish on or through MyPick (for example, public profiles, public listings, ratings, comments, attachments) is processed in line with the public visibility you select and with MyPick’s product rules.
4. How we use data
We use personal information to:
- Create, authenticate, and administer Accounts, including verifying eligibility.
- Deliver, personalise, and improve the Services and individual platform features.
- Operate MyPick, including matching Promoters and Sellers, processing payouts, and operating dispute mechanisms.
- Provide customer support, including triage, resolution, and follow-up.
- Detect, prevent, and respond to fraud, abuse, security incidents, and breaches of our Terms.
- Conduct analytics and research, generally on aggregated or de-identified data, to improve product performance and reliability.
- Send transactional and security messages (such as login alerts, billing receipts, policy updates) and, where you have opted in, product announcements or marketing.
- Comply with legal, tax, accounting, regulatory, and dispute-resolution obligations.
- Carry out corporate transactions, including investments, financings, mergers, and asset sales, with appropriate safeguards.
5. Legal bases for processing
Where the GDPR, the UK GDPR, or a similar regime applies, we rely on the following lawful bases:
- Performance of a contract — to provide the Services you request, operate your Account, and process payments.
- Legitimate interests — to secure the Services, prevent fraud, debug and improve products, run a sustainable business, and conduct corporate transactions, in each case balanced against your rights and freedoms.
- Consent — for non-essential cookies and similar technologies, marketing communications where required, and for any optional features that involve sensitive data or profiling with significant effects.
- Legal obligation — to comply with tax, accounting, anti-money-laundering, sanctions, and other legal requirements; to respond to lawful requests from public authorities.
- Vital interests — in rare cases where processing is necessary to protect a person’s life or physical integrity.
6. How we share data
We share personal information only as described below:
- Service providers (processors) who act under our instructions — for hosting, content delivery, email and SMS delivery, analytics, error monitoring, customer support tooling, identity verification, payment processing, and security operations.
- Social, advertising, and measurement partners when you interact with integrations or when we run measurement pixels under your consent. Where pixels load only after consent, the partner generally becomes a separate controller for the data its tag observes.
- Application Stores, operating-system vendors, and device manufacturers as required for app distribution, updates, in-app purchase, push delivery, and platform-level privacy or safety tools.
- Other users of the Services when you choose to make Content public, when MyPick connects you with another user as part of a campaign or transaction, and when sharing is the inherent purpose of the feature you used.
- Professional advisors and auditors under confidentiality obligations.
- Government authorities and courts where we are legally compelled, or where disclosure is necessary to protect the rights, property, or safety of PickOS, our users, or the public.
- Acquirers and successors in the context of a merger, acquisition, financing, reorganisation, or sale of assets, with appropriate confidentiality and continuity protections.
We do not sell personal information for monetary consideration. Where applicable laws define “sale” or “share” more broadly to cover certain advertising-related uses, we describe and offer opt-outs in the relevant region-specific notice (Section 11).
7. International data transfers
PickOS is a global organisation. To deliver the Services, personal information may be transferred to, processed in, and stored in countries other than your own, including jurisdictions whose data-protection laws differ from your local laws. Where required, we rely on lawful transfer mechanisms, including the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, adequacy decisions, or equivalent safeguards. You may request a copy of the relevant safeguards via privacy@pickos.com.
8. Retention
We retain personal information only for as long as needed to fulfil the purposes described in this Policy, comply with our legal and contractual obligations, resolve disputes, and enforce our agreements. Typical retention guidelines include:
- Account records: for the life of the Account and a reasonable period after closure to handle legal, tax, and dispute matters.
- Authentication and security logs: short to medium term (commonly 30 to 365 days), longer for incidents under active investigation.
- Support tickets and communications: up to 24 months after closure, longer for matters under audit, dispute, or legal hold.
- Financial records: as long as required by tax and accounting law (commonly 5 to 10 years).
- Marketing consents and opt-outs: for as long as the consent record is needed to evidence compliance.
When we no longer need personal information, we delete or anonymise it.
9. Security
We implement administrative, technical, and organisational safeguards designed to protect personal information against unauthorised access, alteration, disclosure, or destruction. These safeguards include encryption in transit (TLS) for traffic with our servers, encryption at rest for stored secrets and data fields where appropriate, hashed and salted authentication secrets, role-based access control with least-privilege principles, audit logs for sensitive access, network segmentation, regular vulnerability scanning, and a documented incident-response plan. No system is perfectly secure; we therefore strongly recommend that you enable MFA, use a unique strong password (or a passkey), keep your devices and apps up to date, and report suspected incidents promptly.
10. Your rights and choices
Depending on where you live and which Service you use, you may have the right to:
- Access the personal information we hold about you.
- Correct inaccurate or incomplete information.
- Delete personal information, subject to certain exceptions (for example, to retain transaction records required by tax law).
- Port a copy of personal information in a structured, commonly used, machine-readable format.
- Restrict or object to certain processing, including direct marketing.
- Withdraw consent where processing is based on consent.
- Lodge a complaint with a supervisory authority in your jurisdiction.
To exercise your rights, use the in-product privacy controls, the unsubscribe link in any marketing email, or contact privacy@pickos.com. We may need to verify your identity before fulfilling certain requests. We will not retaliate against you for exercising your rights.
11. Region-specific notices
11.1 European Economic Area, the United Kingdom, and Switzerland
If you are in the EEA, the UK, or Switzerland, this Policy is your GDPR / UK GDPR notice. The legal bases on which we rely are listed in Section 5. You may object at any time to processing based on legitimate interests (Section 6) and to direct marketing.
11.2 California, USA
Under the California Consumer Privacy Act / California Privacy Rights Act (“CCPA/CPRA”), California residents have rights to know, delete, correct, and limit certain uses of sensitive personal information, and to opt out of “sale” or “sharing” as defined by California law. We do not knowingly “sell” personal information for money. Where some uses of cookies for cross-context behavioural advertising could be considered “sharing,” we honour the Global Privacy Control (GPC) and our cookie preferences tool.
11.3 Other U.S. states
Residents of states with similar comprehensive privacy laws (for example, Colorado, Connecticut, Virginia, Utah, Texas, Oregon) have rights mirroring those above. Use the same channels in Section 16 to exercise them.
11.4 Other regions
Where local privacy law in your jurisdiction grants additional rights (for example, Brazil’s LGPD, Canada’s PIPEDA, the UAE PDPL, Saudi Arabia’s PDPL, India’s DPDP Act, or similar), we honour those rights through the same contact channels.
12. Children
The Services are not directed to children below the age of digital consent in their country. We do not knowingly collect personal information from such children. If you believe a child has provided personal information to PickOS, please contact privacy@pickos.com so we can investigate and, where appropriate, delete the data and close the account.
13. Application stores and advertising transparency
Our applications are distributed through Application Stores and must comply with each store’s privacy disclosures and runtime permissions. Where an Application Store, operating-system vendor, or device manufacturer offers a public data-safety, privacy-label, or similar transparency programme, we maintain disclosures aligned with our actual processing and update them when our practices change.
We honour platform-level user controls — including any operating-system tracking-permission prompt, any in-app advertising-identifier reset, and any device-level “limit ad tracking” or equivalent setting — independently of, and in addition to, web-based consent.
For advertising, social, or analytics integrations, our deployments comply with the consent framework that applies to your region — for example, recognised industry consent and signal frameworks in the EEA / United Kingdom, advertising-platform consent modes, operating-system tracking permissions, and the Global Privacy Control where applicable law requires it.
14. Automated decision-making
Some Services use automated tools to detect fraud, evaluate authentication risk, prioritise support, and rank or recommend Content. Where any automated decision produces legal or similarly significant effects on you (for example, declining payments or restricting access), we provide meaningful information about the logic, the significance, and the consequences, and (where required by law) the right to human review.
15. Changes to this Policy
We may update this Policy from time to time. We will revise the “Last updated” date and, where the change is material, provide reasonable advance notice (in-product notice, email, or banner on pickos.com). Material changes that affect existing data may, where required by law, take effect only after you affirmatively consent.
16. How to contact us about privacy
For privacy questions, complaints, or rights requests, contact privacy@pickos.com or use the Contact page with topic “Legal / privacy.” If you are in the EEA, the UK, or Switzerland, you may also lodge a complaint with your local data protection supervisory authority.
This Privacy Policy is written by PickOS Inc. and reflects our actual practices. It is not legal advice; for jurisdiction-specific questions, please consult your own counsel.