Privacy Policy

PICO ("we", "us", "our") is a parcel tracking and pickup coordination service. We operate the PICO mobile application, the business portal, and the website at pico-ai-app.com. For any privacy-related question, request, or complaint, please contact us at support@pico-ai-app.com.

2.1 Account information

• Name, email address, and profile picture provided by Google OAuth sign-in.
• Account preferences and settings you configure inside the app.

2.2 Parcel and pickup data

• Parcel records, tracking numbers, statuses, and pickup codes you add or that are auto-detected.
• Pickup group memberships, shared pickup requests, and household assignments.
• Business store information (name, address, operating hours) when a user registers a store.

2.3 Gmail data (optional, requires your explicit consent)

• Email metadata and message content needed to identify parcel-related emails.
• Gmail history events required to keep parcel status updates in sync.
• OAuth tokens (access token and refresh token) to maintain sync for your connected mailbox.

2.4 Device and technical data

• Push notification tokens to deliver delivery alerts and pickup reminders.
• Device type, operating system version, and app version for bug diagnostics.
• Server-side logs (IP address, request timestamps) retained for security and operational purposes.

2.5 Usage data

• In-app feature usage patterns to improve the product (aggregated and non-identifiable where possible).

PICO does not request Gmail access during initial sign-in. Gmail is requested only after you are already signed in and explicitly choose to enable the "sync from Gmail" feature.

When Gmail is connected, PICO requests the scope https://www.googleapis.com/auth/gmail.readonly. This is strictly read-only access. PICO cannot and does not send, delete, modify, or move any email.

We use Gmail access only to:

• Detect parcel-related emails (shipping confirmations, delivery notices, collection codes).
• Create and update parcel records inside your PICO account.
• Perform a backfill of recent parcel emails when you first connect Gmail.
• Stay synchronized through Gmail history and push notifications from Gmail's watch API.

We do not use Gmail data to: display advertising, train third-party AI models, access your Google Drive or Calendar, read non-parcel emails beyond what is necessary to classify them, or share your email content with other users or third parties.

PICO's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

• To provide, operate, and improve the PICO service.
• To auto-detect parcels from connected Gmail accounts and keep tracking data up to date.
• To send push notifications about delivery status, pickup readiness, and expiring collection windows.
• To enable pickup groups and shared household coordination features.
• To support business users in managing their pickup-point operations and customer interactions.
• To diagnose and resolve technical issues.
• To comply with our legal obligations and enforce our Terms of Service.
• To communicate with you about significant product changes, security notices, and support responses.

We do not use your data for targeted advertising and we do not sell your personal information to any third party.

If you are located in the European Economic Area (EEA) or the United Kingdom, we process your personal data on the following legal bases:

• Contract performance — to provide the service you signed up for (account management, parcel tracking, pickup coordination).
• Consent — for Gmail access and for sending push notifications. You can withdraw consent at any time.
• Legitimate interests — for security monitoring, fraud prevention, abuse detection, and product improvement, where these interests are not overridden by your rights.
• Legal obligation — where processing is required to comply with applicable law.

When you connect Gmail, PICO stores your OAuth access and refresh tokens server-side to maintain continuous sync without requiring you to re-authorize repeatedly. Tokens are stored encrypted in our backend database. Access to production token data is restricted to authorized personnel only.

We use industry-standard security measures including:

• Encrypted data storage and transport (TLS in transit, encryption at rest).
• Role-based access controls on backend systems.
• Regular security reviews of our Gmail integration.

Despite these measures, no system is completely secure. If you become aware of a security incident affecting your account, please contact us immediately at support@pico-ai-app.com.

We retain your data as follows:

• Account data — retained for the lifetime of your account and deleted within 30 days of account deletion.
• Parcel records — retained while your account is active to support parcel history. Deleted within 30 days of account deletion.
• Raw email content — not stored persistently. We extract parcel data and discard the raw email text.
• Gmail OAuth tokens — immediately invalidated and removed when you disconnect Gmail or delete your account.
• Server logs — retained for up to 90 days for security and operational diagnostics.
• Push notification tokens — removed when you uninstall the app, revoke notification permission, or delete your account.

We do not sell your personal data. We may share data in these limited circumstances:

• Service providers — cloud hosting and infrastructure providers (e.g., Google Cloud, Vercel) who process data on our behalf under confidentiality obligations.
• Push notification services — Apple APNs and Google FCM receive device tokens to deliver notifications.
• Other PICO users — parcel and pickup information may be visible to members of a pickup group you have joined, or to a business store you interact with through the platform.
• Legal requirements — if required by law, court order, or governmental authority.
• Business transfers — in the event of a merger, acquisition, or sale of assets, data may be transferred to the successor entity, subject to this Privacy Policy.

PICO sends push notifications about parcel status changes, pickup readiness, and expiring collection windows. You can disable push notifications at any time in your device operating system settings or inside the PICO app. Disabling notifications does not affect your account or parcel data.

The PICO mobile app does not use browser cookies. The PICO web properties (pico-ai-app.com, the business portal) may use essential cookies required for session management and security. We do not use third-party advertising cookies.

We may collect anonymized, aggregated usage analytics to understand feature adoption and improve the product. This data cannot be used to identify individual users.

PICO is not directed to children under the age of 16. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@pico-ai-app.com and we will delete that information promptly.

PICO's servers are located in data centers that may be outside your country of residence. If you are in the EEA or UK, data may be transferred to and processed in countries that do not provide the same level of data protection as your home country. In such cases, we rely on the standard contractual clauses approved by the European Commission or equivalent transfer mechanisms to protect your data.

Depending on your location, you may have the following rights regarding your personal data:

• Access — request a copy of the personal data we hold about you.
• Rectification — request correction of inaccurate or incomplete data.
• Erasure — request deletion of your account and associated data.
• Portability — receive your data in a structured, machine-readable format.
• Restriction — request that we restrict processing of your data in certain circumstances.
• Objection — object to processing based on legitimate interests.
• Withdraw consent — disconnect Gmail or disable notifications at any time without penalty.
• California residents (CCPA) — the right to know, delete, opt-out of sale (we do not sell data), and non-discrimination.

To exercise any right, contact us at support@pico-ai-app.com. We will respond within 30 days. We may need to verify your identity before fulfilling a request.

If you are in the EEA and believe your rights have been violated, you have the right to lodge a complaint with your local Data Protection Authority.

You can disconnect Gmail at any time from the PICO profile / settings screen. Upon disconnection:

• Future mailbox sync is stopped immediately.
• Your OAuth tokens are revoked and deleted from our systems.
• Parcel records already detected remain in your account (you may delete them manually).

You can also revoke PICO's Gmail access directly from your Google Account permissions page.

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and notify active users through the app or by email. Continued use of PICO after changes take effect constitutes acceptance of the revised policy.

For any privacy-related question, deletion request, or complaint:

Email: support@pico-ai-app.com

We aim to respond to all privacy requests within 30 days.