Legal

Privacy Policy

How your personal information is handled — transparently and responsibly.

Last updated: February 17, 2026

1. Introduction

Picks Office operates picksoffice.com. This Privacy Policy explains how I collect, use, store, and protect your personal data when you use the site, subscribe to my services, or interact with me through Discord, Telegram, or other channels.

As a Germany-based business, I comply with the EU General Data Protection Regulation (GDPR). For users located in California, I also address your rights under the California Consumer Privacy Act (CCPA).


2. Information Collected

I collect the following categories of personal data when you use the site or subscribe to my services.

Account information includes your name (if provided), email address, and password when you create an account. If you sign up via Discord or Google OAuth, I receive basic profile data from those services.

Platform identifiers such as your Discord ID and/or Telegram ID are collected when you connect your account to access subscriber communities. These are used solely to manage channel access.

Payment information is processed exclusively by Stripe, which is PCI DSS Level 1 certified. I never see, store, or access your full credit card number. I receive only a transaction reference, subscription status, and billing email.

Usage and analytics data includes page views, feature usage, session duration, and interaction patterns collected via PostHog. PostHog respects Do Not Track (DNT) browser settings. IP addresses are not stored in a personally identifiable form. Analytics cookies require your prior consent.

Communication data includes messages sent via the contact form, Discord, Telegram, or email, and is used solely to respond to your inquiries.


3. Legal Basis for Processing (GDPR)

Under the GDPR, I process personal data only where I have a lawful basis. Processing your account data, subscription, and payment to deliver the services you subscribed to is based on contract performance (Art. 6(1)(b)). Analytics tracking via PostHog is based on your consent (Art. 6(1)(a)), which you can withdraw at any time. Improving the service, preventing fraud, and ensuring security is based on legitimate interest (Art. 6(1)(f)). Retaining transaction records as required by German tax and commercial law is based on legal obligation (Art. 6(1)(c)).


4. How Information Is Used

Your data is used to provide and maintain the service including picks, track record, dashboard, and community access. It is also used to process subscription payments through Stripe, manage your access to Discord and Telegram subscriber channels, send transactional emails such as subscription confirmations, password resets, and billing notifications, analyze product usage to improve features via PostHog with your consent, and respond to your questions and support requests.

I will never sell your personal information to third parties.


5. Third-Party Services

I use the following third-party services that may process your data. Stripe handles payment processing and is PCI DSS Level 1 certified. Vercel provides website hosting and CDN. PostHog provides product analytics and requires your consent. Render hosts the backend (Strapi CMS). Discord and Telegram serve as subscriber community platforms. Each service has its own privacy policy available on their respective websites.

Data may be transferred to the United States. Such transfers are covered by Standard Contractual Clauses (SCCs) or equivalent safeguards as required by the GDPR.


6. Cookies and Browser Storage

I use a minimal set of cookies and browser storage. Under the GDPR and ePrivacy Directive, non-essential cookies require your consent. Essential cookies that are strictly necessary do not.

Essential cookies include two httpOnly server-set cookies named "token" and "jwt" used for authentication. Essential localStorage items include a user object stored after login, and legacy JWT and token keys from the OAuth callback flow. These are required for the service to function and do not require consent.

Functional storage includes a theme preference (light/dark mode) in localStorage and a session flag in sessionStorage that remembers if you dismissed the sticky CTA bar. These do not require consent.

Analytics storage includes a PostHog cookie and a corresponding localStorage item for device and session identification. These are only set after you give explicit consent via the cookie banner. PostHog is also configured to respect the Do Not Track (DNT) browser signal.

I do not use any marketing or advertising cookies. There is no Google Analytics, no Facebook Pixel, no Google Ads, no Vercel Analytics, no Hotjar, and no Clarity.

You can manage cookies via the cookie banner on first visit, your browser settings, or by contacting me to withdraw consent at any time.


7. Payment Data

All payment processing is handled by Stripe, which is PCI DSS Level 1 certified. I never see, store, or process your full payment card details. Stripe may collect your payment method details, billing address, and IP address to process transactions and prevent fraud. For details, see Stripe's privacy policy at stripe.com/privacy.


8. Data Retention

Account data is retained while your account is active and deleted within 30 days of an account deletion request. Transaction records are retained for 10 years as required by German tax law (§ 147 AO). Analytics data is anonymized and aggregated, with raw session data auto-deleted after 90 days. Support messages are retained for up to 2 years for service quality and dispute resolution.


9. Data Security

I implement industry-standard security measures including HTTPS encryption (TLS 1.3), httpOnly secure authentication tokens, environment-isolated API keys, and rate-limited endpoints. Payment data is handled entirely by Stripe (PCI DSS Level 1). The backend runs on isolated infrastructure via Render with restricted access. While no system is 100% secure, I take all reasonable precautions to protect your information.


10. Your Rights (GDPR)

As a data subject, you have the right to request a copy of all personal data I hold about you (Art. 15), request correction of inaccurate data (Art. 16), request deletion of your account and associated data (Art. 17), export your data in a machine-readable format (Art. 20), object to processing based on legitimate interest (Art. 21), restrict processing while a dispute is resolved (Art. 18), and withdraw consent for analytics at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, email privacy@picksoffice.com. I will respond within 30 days.

You also have the right to lodge a complaint with a supervisory authority. The competent authority is the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany.


11. Your Rights (CCPA — California Residents)

If you are a California resident, the CCPA grants you the right to know what personal information I collect, use, and disclose about you, the right to request deletion of your personal information, the right to opt out of the sale of your personal information (I do not sell your personal information), and the right to non-discrimination for exercising your privacy rights.

To exercise your CCPA rights, email privacy@picksoffice.com with the subject line "CCPA Request".


12. Children's Privacy

My services are not intended for individuals under 18 (or the legal gambling age in your jurisdiction, whichever is higher). I do not knowingly collect personal information from anyone under this age. If you believe a minor has provided personal data, please contact me immediately.


13. Changes to This Policy

I may update this Privacy Policy from time to time. Changes will be posted on this page with an updated date. For significant changes, I will notify registered users via email at least 14 days before the changes take effect.


14. Contact

Picks Office – Luca Eggerdinger, Pfarrkirchener Str. 10, 84389 Postmünster, Germany. privacy@picksoffice.com