Last updated: 25 May 2026
Privacy Policy
This Privacy Policy explains what data Picata (“we”, “us”) collects when you use the audit at picata.ai, what we do with it, and the choices you have. We aim to collect only what we need to run the audit and to keep the product working.
Who we are
Picata is operated by Menturi OÜ, an Estonian private limited company (registry code 17205350). For privacy questions, email privacy@picata.ai.
What we collect
- Google Ads data.When you connect your Google Ads account, we read campaign performance, search terms, keywords, audiences, spend, and conversion data for the last 30–90 days using Google’s official API. Access is read-only: we cannot change, pause, or create anything in your account.
- Account info. Your email address and the Google account identifier returned by Google during sign-in.
- Payment info. If you purchase the full report, our payment processor, Stripe, handles your card details. We store the transaction reference and the email tied to the purchase, not card numbers.
- Usage data. Standard server logs (IP address, user agent, requested URL, timestamp) for security and debugging.
How we use it
- To generate your audit report and the recommendations in it.
- To deliver the paid unlock (if purchased) and process the payment.
- To respond to support requests you send us.
- To keep the service secure and to debug issues.
How we share it
We do not sell your data and we do not share it with advertisers. We share data with the following categories of processors only as needed to run the product:
- Google:we use Google’s Ads API to read your account data. Google’s own terms and privacy policy apply to that integration.
- Stripe:for the $49 unlock payment. Stripe’s privacy policy applies to your card data.
- AI provider (OpenAI):to turn your audit into a written report, we send the relevant Google Ads metrics and entity names (such as campaign names and search terms) to OpenAI’s API. We disable storage of these requests, and OpenAI does not use data submitted through its API to train its models.
- Cloud hosting providers: run the application and store the data at rest, with data hosted in the EU where possible.
- Email delivery providers: send you the report and any account-related emails.
We may also share data if required by law, or to enforce our Terms.
Google user data and Limited Use
Picata’s use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
In practice, we only use the Google Ads data you connect to provide and improve the audit you asked for. We do not use it for advertising, we do not sell it, and we do not transfer it to others except the processors listed above as needed to run the product or where the law requires it. No human reads your Google Ads data except where you ask us for support, where it is necessary for security, or to comply with law.
Retention
How long we keep your data depends on what it is:
- Audit data tied to your account: for as long as your account is active, and up to 30 days after you disconnect, in case you want to come back. You can ask us to delete it sooner.
- Billing and transaction records: 7 years, as required by Estonian accounting and tax law.
- Server and security logs: from 30 days up to 12 months, depending on the source.
You can ask us to delete your account and the underlying audit data at any time by emailing privacy@picata.ai; we will do so within 30 days, except where law requires us to keep certain records (e.g. billing).
Your rights
Under the EU GDPR (and equivalents like the UK GDPR and California CCPA), you have rights to access, correct, delete, and port the personal data we hold about you, and to object to certain uses. To exercise any of these rights, email privacy@picata.ai. You also have the right to lodge a complaint with your local data-protection authority. In Estonia, that is the Andmekaitse Inspektsioon (AKI).
Disconnecting Google Ads access
You can revoke Picata’s read-only access to your Google Ads account at any time from your Google account permissions page. Revoking stops any further data pulls; it does not by itself delete data we already have. For that, request deletion as above.
Security
We use standard industry practices to protect your data in transit (TLS) and at rest. No system is perfectly secure; if we ever become aware of a breach affecting your data, we will notify you in line with applicable law.
Children
Picata is not directed to anyone under 16, and we do not knowingly collect data from children.
Changes
If we make material changes to this policy, we’ll update the “Last updated” date at the top and, where appropriate, notify you by email.
Contact
Questions about this policy? Email privacy@picata.ai.