EU / UK Privacy Notice (GDPR)
Last Updated: May 22, 2025
This page supplements the Picaboo Privacy Policy and applies exclusively to individuals located in the European Economic Area (“EEA”), Switzerland, and the United Kingdom (“UK”). It explains your additional rights and our obligations under the General Data Protection Regulation (EU 2016/679) and the UK GDPR (collectively, “GDPR”).
1. Data Controller & Representative
| Role | Contact |
|---|---|
| Data Controller | Picaboo Corporation 1 Church Hill, St.John’s, NL A1C 3Z7, Canada |
| General Privacy Enquiries | privacy@picaboo.com |
| Data Protection Officer (DPO) | privacy@picaboo.com |
| EU Representative | privacy@picaboo.com |
| UK Representative | privacy@picaboo.com |
2. Lawful Bases for Processing
We rely on one or more of the following legal bases under Article 6 GDPR:
- Contract (Art. 6 (1)(b)) – Processing necessary to perform the contract with you (e.g., fulfill your orders).
- Consent (Art. 6 (1)(a)) – For optional uses like marketing communications. You may withdraw consent at any time.
- Legitimate Interests (Art. 6 (1)(f)) – To improve security, prevent fraud, and enhance user experience. We balance these interests against your rights and freedoms.
- Legal Obligation (Art. 6 (1)(c)) – For compliance with tax, accounting, and other legal obligations.
3. International Transfers
Your personal data will be transferred to and processed in the United States. We implement the following safeguards:
- Data Privacy Framework (DPF) – Where we transfer data to the US, we rely on the EU–US and UK–US DPF certification of our cloud providers / subprocessors.
- Standard Contractual Clauses (SCCs) – We enter SCCs with US-based service providers where DPF is not available.
You may request a copy of the relevant safeguards by contacting privacy@picaboo.com.
4. Your GDPR Rights
Subject to the conditions and exceptions set out in the GDPR, you have the right to:
| Right | Description |
|---|---|
| Access | Obtain confirmation as to whether we process your personal data and, where applicable, receive a copy. |
| Rectification | Request that we correct inaccurate or incomplete data. |
| Erasure | Request deletion of your data (“right to be forgotten”). |
| Restriction | Request limitation of processing in certain circumstances. |
| Portability | Receive your data in a structured, commonly used, machine-readable format and transmit it to another controller. |
| Object | Object to processing based on legitimate interests and to direct marketing at any time. |
| Withdraw Consent | Withdraw any consent you have given us, without affecting prior lawful processing. |
We will respond within one month (or up to three months for complex requests, in which case you will be informed of the extension).
5. Automated Decision-Making
Picaboo does not use personal data to make decisions based solely on automated processing that produce legal or similarly significant effects on you.
6. Supervisory Authority Complaints
If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with your local supervisory authority. A list of EU authorities is available at https://edpb.europa.eu/about-edpb/board/members_en. UK residents may contact the Information Commissioner’s Office (ICO) at https://ico.org.uk.
7. Data Retention & Deletion
We retain personal data only as long as necessary for the purposes described in our main Privacy Policy, or as required by law. When data is no longer needed, we securely delete or anonymise it.
8. Updates to This Notice
We may update this EU/UK Privacy Notice periodically. Any changes will be posted on this page with an updated “Last Updated” date.
9. Contact Us
Questions, concerns, or requests regarding this notice or our data-protection practices may be directed to our DPO at privacy@picaboo.com or by post to the controller address above.
