piclog

Privacy Policy

This privacy policy explains how Poths Solutions GmbH (“piclog”, “we”, “us”) processes personal data in connection with the piclog platform at piclog.app. It applies to visitors, registered users, and visitors of blogs hosted on piclog. It is written in accordance with the Swiss Federal Act on Data Protection (nDSG) and, where applicable, the EU General Data Protection Regulation (GDPR).

1. Data controller

Poths Solutions GmbH
Pfingstweidstrasse 94, 8005 Zürich, Switzerland
UID CHE-252.021.973 MWST
piclog@poths-solutions.com

2. Data we collect and why

Account and authentication

When you create an account we collect your email address. We use it to authenticate you and for transactional messages related to your account. We also record technical metadata about authentication activity (such as sign-in events and API token usage) for security and account management purposes. Legal basis: performance of a contract / legitimate interest.

Blog content

Content you create and publish on your blog is stored on our infrastructure and served publicly. Files you upload may contain embedded metadata (such as GPS coordinates or timestamps) — you are responsible for reviewing this before publishing. Legal basis: performance of a contract.

Contact form messages

When a visitor submits a contact form on a hosted blog, their contact details and message are forwarded to the blog owner. We do not retain these messages after delivery. Legal basis: legitimate interest of the blog owner.

Blog subscriptions

When a visitor opts in to receive emails from a hosted blog, we collect and store their email address on behalf of the blog operator. The email is retained until the visitor unsubscribes or the blog is deleted. We send a confirmation email immediately after sign-up (double opt-in), after which the subscriber may receive emails from the blog operator in connection with their subscription (such as new story notifications and newsletters). Every such email includes an unsubscribe link. Legal basis: consent (the visitor actively checks the subscription checkbox and confirms via email).

Server logs

Our servers automatically record IP addresses, request paths, timestamps, and HTTP status codes in standard access logs. Logs are retained for up to 30 days for security and debugging purposes. Legal basis: legitimate interest.

3. Cookies and local storage

We only set technically necessary cookies. A session cookie is set to keep you signed in across requests. No tracking, advertising, or analytics cookies are set. No consent banner is required because we do not use non-essential cookies.

4. Third-party processors

We share data with the following service providers, solely to operate the platform:

  • Supabase (self-hosted) — authentication, database, and file storage. Hosted on Hetzner infrastructure in Nuremberg, Germany (EU).
  • Hetzner Object Storage — file and media storage, region nbg1 (Nuremberg, Germany, EU).
  • Resend (Resend, Inc., USA) — transactional and system email delivery. Data is transferred to the USA under appropriate contractual safeguards.

All processors are bound by data processing agreements and are only permitted to process data on our behalf.

5. International data transfers

Switzerland benefits from an EU adequacy decision, meaning data transfers between the EU and Switzerland are treated as equivalent in terms of protection. For transfers to the USA (Resend), we rely on standard contractual clauses (SCCs) and the processors' respective Data Protection Agreements.

6. Data retention

  • Account data: retained for the lifetime of your account. Deleted within 30 days of account deletion.
  • Blog content: deleted immediately when you delete the blog or story.
  • Server logs: up to 30 days.
  • Contact form messages: not retained — forwarded to the blog owner and discarded.
  • Blog subscriber emails: retained until the subscriber unsubscribes or the blog is deleted.

7. Your rights

Under the nDSG (and GDPR where applicable) you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Request deletion of your data
  • Receive a copy of your data in a portable format
  • Object to processing based on legitimate interest

To exercise any of these rights, contact us at piclog@poths-solutions.com. We will respond within 30 days.

8. Blog visitors and data controller responsibility

Blog operators who collect visitor data through their blog (e.g. via the contact form or subscription opt-in) act as independent data controllers for that data. piclog acts as a data processor on their behalf, storing and processing that visitor data solely to operate the blog. Blog operators are responsible for their own compliance with applicable privacy law, including providing their visitors with a privacy policy where required.

9. Supervisory authority

If you believe we have not handled your data in accordance with applicable law, you have the right to lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) at edoeb.admin.ch.

10. Changes to this policy

We may update this policy from time to time. Material changes will be communicated by email to registered users. The date at the bottom of this page indicates the last update.

Last updated: May 2026