Privacy Policy

Last Updated:

This Privacy Policy explains how Picolab ("Picolab," "we," "us," or "our") collects, uses, stores, discloses, and protects information in connection with our website, mobile applications, games, privacy-focused applications, and related services (collectively, the "Services").

Picolab develops different categories of products. Some of our applications, such as privacy-focused and security-focused apps, are designed to function primarily on the user's device. Other products, such as games, may include advertising, in-app purchases, and other platform-dependent features. As a result, the types of information processed may differ depending on the specific Service, the features used, and the choices made by the user.

By accessing or using our Services, you acknowledge this Privacy Policy.

1. Scope

This Privacy Policy applies to:

  • Picolab-operated websites that link to this Privacy Policy;
  • iOS applications published by Picolab;
  • games published by Picolab;
  • privacy-focused, security-focused, and productivity applications published by Picolab;
  • support communications and customer service interactions; and
  • other digital services operated by or on behalf of Picolab that link to this Privacy Policy.

This Privacy Policy does not apply to third-party services, websites, platforms, or infrastructure that we do not own or control, including Apple services, iCloud, the App Store, Google advertising services, and external websites or destinations selected by the user. Those services are governed by their own terms and privacy practices.

2. Information We May Process

Depending on the Service you use, we may process the following categories of information.

2.1 Information You Provide Directly

We may process information you provide when you contact us, request support, submit feedback, send an email, or otherwise communicate with us. This may include your name, email address, message content, and any files or attachments you choose to send.

2.2 Information Processed Within Privacy-Focused Applications

Some Picolab applications are designed to process information that you choose to create, import, scan, or store inside the app. Depending on the product, this may include passwords, usernames, notes, URLs, two-factor authentication data, card records, files, attachments, scanned documents, OCR-derived text, local settings, security preferences, AutoFill metadata, local OCR-derived content, security-scoped bookmarks, local notification preferences, Keychain-protected cryptographic material, and other content managed by the user.

For App Store purchases, Picolab does not collect, receive, or store your payment card number. This payment-related statement does not apply to card information or similar records that a user voluntarily chooses to store inside a privacy-focused app as part of the user's own encrypted content.

2.3 Device and Technical Information

Depending on the Service, we or our service providers may process technical and diagnostic information such as device type, operating system version, app version, language and region settings, crash information, diagnostics data, performance data, advertising-related identifiers, network information, and app interaction data.

2.4 Information Received from Apple Platform Services

Where applicable, we may receive limited information from Apple necessary to operate app functionality provided through Apple's platform, including purchase status, entitlement status, restore-purchase status, subscription status, and iCloud-related status information.

2.5 Website Information

If you visit a Picolab website, we may process standard website and network information such as browser type, device type, IP address, pages visited, referring pages, and operational or security-related information. If cookies or similar technologies are used, they may be used for essential functionality, security, performance, analytics, or user experience, depending on the website or feature.

We do not currently respond to "Do Not Track" signals from browsers, as no uniform standard for such signals has been established. We will revisit this position if a recognized standard emerges.

3. How We Use Information

We may use information to:

  • provide, operate, maintain, and improve our Services;
  • enable app features and product functionality;
  • restore purchases and provide premium access;
  • respond to support requests and other communications;
  • investigate crashes, bugs, technical issues, misuse, fraud, or abuse;
  • secure our Services and protect users;
  • show, manage, and measure advertising in games;
  • comply with legal obligations; and
  • enforce our terms and protect our rights and legitimate business interests.

For users in the European Economic Area (EEA) and other jurisdictions with similar requirements, we process your information based on: (i) the necessity to perform our contract with you (to provide the Services); (ii) our legitimate interests (such as improving our products, securing our apps, and basic analytics); (iii) your explicit consent (where required, such as for personalized advertising); and (iv) compliance with our legal obligations. Where we rely on legitimate interests, we balance those interests against your rights and will not process your information in ways that override your fundamental rights and freedoms.

4. Talos and Other Local-First Privacy Applications

Talos is a local-first, privacy-focused encrypted vault application. Talos is designed to store and process the user's private vault content primarily on the user's device. Picolab does not operate a Talos backend server and does not maintain a Picolab-hosted database containing Talos vault data.

Talos vault content may include passwords, usernames, email addresses, URLs, notes, tags, custom fields, two-factor authentication data, card records, files, attachments, scanned documents, OCR-derived text, document metadata, and other content that the user creates, imports, scans, or stores in the app.

If the user chooses local storage, the encrypted Talos vault database is stored in the app's local document storage on the user's device, subject to the user's device settings, operating system behavior, backups, exports, and file-management choices. If the user chooses iCloud storage or iCloud backup destinations, encrypted Talos vault files or backup files may be stored in the user's personal iCloud account using Apple's iCloud services. Picolab does not host those vault files on Picolab-operated servers.

Picolab does not have access to the contents of a user's Talos vault. Picolab cannot view, read, unlock, decrypt, recover, reset, or disclose private vault content stored in Talos, unless the user intentionally and directly shares that information with Picolab, such as by including it in a support email or other direct communication.

Talos does not send the user's master password to Picolab. The master password is used on the device to unlock the encrypted vault. If biometric unlock or certain protected actions are enabled, Talos may store protected cryptographic material in the iOS Keychain. This is used to support local device-based unlocking or protected access flows. Picolab does not receive the master password or the private contents of the vault through this process.

Talos may use Apple's platform services when the user chooses or enables related features. This may include iCloud document storage, App Store purchases and purchase restoration through StoreKit, iOS Keychain, Face ID or Touch ID, local notifications, file access, the system photo picker, camera access for scanning documents or QR codes, and Apple's AutoFill credential provider infrastructure.

If Talos AutoFill is enabled and available, Talos may store a minimized AutoFill index in the app's shared container and may register limited credential identity metadata with Apple's AutoFill system so that iOS can show relevant suggestions. This limited metadata may include service domains or host identifiers, usernames or email addresses used for login entries, entry identifiers, database identifiers, and whether a record has a password or one-time code. It does not include stored passwords, card numbers, CVC codes, secure notes, documents, attachments, full vault contents, or TOTP secrets. When the user selects a credential to fill, the Talos AutoFill extension may locally access the encrypted vault file and use Keychain-protected cryptographic material and, where required, device authentication to retrieve the selected password or one-time code. This processing occurs on the user's device and is not sent to Picolab servers.

Talos may process imported files, selected photos, scanned documents, and OCR-derived document text on the device. OCR and document analysis are performed locally using Apple system frameworks and app logic. Derived document data may be stored locally as part of Talos document-vault state or vault metadata. Picolab does not receive these documents, scans, or OCR results unless the user directly shares them.

Some Talos features require optional external connections. If password breach checking is enabled or manually used, Talos hashes the password on the device and sends only the first five characters of the SHA-1 hash prefix to the Have I Been Pwned Pwned Passwords service. The full password is not sent. If favicon downloads are enabled, Talos may contact the saved website domain or fallback favicon providers to retrieve site icons, which may reveal the relevant domain to those services. StoreKit purchase and restore flows are handled by Apple. User-initiated exports, backups, sharing, external links, AirDrop, Files, email, or other destinations are processed according to the user's chosen destination and the relevant third party's practices.

Talos, as currently implemented and reflected in the reviewed implementation, does not include Picolab-operated account registration, Picolab-hosted vault sync, advertising SDKs, third-party analytics SDKs, or third-party crash reporting SDKs. Other Picolab apps or games may use different services as described elsewhere in this Privacy Policy.

Because Talos is designed so that private vault content remains under the user's control, Picolab generally cannot recover a lost master password or restore vault contents on the user's behalf. Users are responsible for maintaining access to their master password, device, iCloud account, exported vault files, and backups.

Deleting records, vaults, backups, or the app may affect data stored locally on the device, in iCloud, in the iOS Keychain, in Files, or in destinations selected by the user. Picolab cannot remotely inspect or delete private Talos vault content that is not hosted by Picolab.

5. Advertising in Games

Some Picolab games may display advertisements served by Google AdMob or related Google advertising services.

When advertising is enabled in a game, Google and its advertising services may process certain information from the device or app environment in order to deliver, measure, secure, and improve advertising. Depending on the app, region, device settings, consent status, and advertising configuration, this may include advertising identifiers, device information, IP address, approximate location derived from IP address, diagnostics information, ad interaction data, app launch data, performance data, and other app or product interaction information.

Where required by applicable law or platform requirements, Picolab will present appropriate consent or permission choices before serving personalized advertising or enabling related advertising data processing.

Advertising practices may vary by game, region, device settings, and whether personalized or non-personalized ads are used.

6. In-App Purchases and Subscriptions

Some Picolab apps and games may offer digital products, premium features, consumables, non-consumables, or subscriptions through Apple's App Store and StoreKit.

When you make an App Store purchase, the payment transaction is processed by Apple and is subject to Apple's billing rules, terms, and privacy practices. Picolab may receive limited transaction-related information from Apple as necessary to provide purchased content or premium access, such as product identifiers, transaction status, entitlement status, restore status, subscription status, renewal status, or cancellation status.

Picolab does not collect, receive, or store your payment card number for App Store purchases.

7. Permissions and Device Access

Depending on the product and the features you choose to use, a Picolab app may request access to certain device capabilities, such as the camera, Face ID, Touch ID, local notifications, file access, the system photo picker, or Apple's AutoFill credential provider infrastructure.

We request only the permissions reasonably necessary for the relevant feature or functionality. You may manage permissions at any time through your device settings.

8. Sharing and Disclosure of Information

We may disclose information in the following circumstances:

  • to service providers that help us operate our website, customer support, advertising, analytics, hosting, security, or app functionality;
  • to Apple in connection with App Store purchases, subscriptions, purchase restoration, iCloud usage, AutoFill credential identity metadata, system Keychain or biometric platform features, or other Apple platform features;
  • to Google in connection with advertising services used in games;
  • to a third-party destination, platform, or service selected by the user when the user exports, shares, backs up, or transmits content;
  • where required by applicable law, legal process, court order, subpoena, regulatory request, or governmental authority;
  • where we believe disclosure is necessary to protect the rights, property, safety, security, or integrity of Picolab, our users, or others;
  • in connection with a merger, acquisition, restructuring, financing, bankruptcy, or sale of assets; or
  • with the user's consent or at the user's direction.

Picolab does not sell the private contents of Talos vaults or other local-first encrypted vault data, because that content is not hosted on Picolab-operated servers.

California Privacy Rights (CCPA/CPRA)

Picolab does not "sell" or "share" your personal information (including private vault data) for cross-context behavioral advertising as defined under California law. We only disclose information to service providers for the business purposes described in this policy. California residents may submit privacy rights requests by contacting us using the information in Section 16.

9. Data Retention

We retain information for as long as reasonably necessary for the purposes described in this Privacy Policy, including to provide Services, maintain operational records, respond to support matters, comply with legal obligations, resolve disputes, and enforce agreements.

As a general guideline: support communications and related correspondence are retained for the duration reasonably required to resolve the matter and for any applicable limitation period thereafter; technical and diagnostic data is retained for the period necessary for operational and security purposes; advertising-related identifiers and interaction data are subject to the retention practices of our advertising service providers; and transaction-related information received from Apple is retained as required to confirm entitlements and comply with applicable law.

For local-first privacy applications such as Talos, a substantial portion of user content remains under the user's control on the user's device or in the user's chosen storage account until the user deletes it. Because Picolab does not host Talos vault content on Picolab servers, Picolab may be unable to inspect, delete, recover, or restore that private vault content on the user's behalf.

10. Data Security

Picolab uses reasonable administrative, technical, and organizational measures designed to protect information processed in connection with the Services.

For privacy-focused applications, this may include encryption, secure storage mechanisms, device-based protections, and app-level security features. For website, support, and game-related services, this may include access controls, operational safeguards, vendor management, and security practices appropriate to the nature of the information involved.

No method of storage, transmission, or processing can be guaranteed to be completely secure. Accordingly, while we take reasonable steps to protect information, we cannot guarantee absolute security.

Data Breach Notification

In the event of a personal data breach affecting information that Picolab processes (excluding private vault content that Picolab does not host), Picolab will take appropriate steps to investigate and mitigate the breach. Where required by applicable law - including the GDPR and other applicable data protection regulations - we will notify the relevant supervisory authorities and, where required, affected individuals within the timeframes prescribed by law.

11. International Transfers

Depending on the Service used, information may be processed in countries other than the country in which the user resides, including through Apple platform infrastructure, Google advertising infrastructure, hosting providers, support providers, or other service providers used by Picolab.

Where applicable, Picolab will take reasonable steps intended to ensure that personal information is handled in a manner consistent with applicable law.

12. Children's Privacy

Picolab does not knowingly collect personal information from children in violation of applicable law.

We do not knowingly collect or solicit personal information from anyone under the age of 13 (or 16 in certain jurisdictions such as the EU). Our Services are not directed to children where prohibited by law unless the specific product clearly states otherwise and includes any legally required notices, protections, or consent mechanisms.

If we learn that we have inadvertently collected personal information from a child under the relevant minimum age, we will take steps to delete that information as quickly as possible. If you believe that a child has provided personal information to Picolab in a manner that violates applicable law, please contact us using the information in Section 16 and we will review the matter and take appropriate action.

13. Your Rights and Choices

Depending on your location and the applicable law, you may have rights relating to your personal information, including the right to request access, correction, deletion, restriction, objection, portability, or withdrawal of consent where consent is the legal basis for processing.

You may also have choices regarding app permissions, advertising preferences, personalized advertising, notifications, cookies, and similar technologies, subject to the device, platform, and Service you use.

Where a privacy-focused application is designed so that Picolab does not have access to the contents of user vault data, certain rights relating to that private vault content may need to be exercised directly by the user on the user's own device or storage account.

Right to Deletion

You may request the deletion of your personal information that we maintain. For privacy-focused apps (like Talos), since we do not host your vault data on our servers, you can exercise this right by deleting your vault or the application from your device. For other data (like support emails or technical records), please contact us directly using the information in Section 16. We will respond to your request within the timeframe required by applicable law.

To submit any privacy-related request, please contact Picolab using the contact details in Section 16. We may need to verify your identity before responding to certain requests.

14. Third-Party Services

Our Services may rely on or interact with third-party services, platforms, or infrastructure, including Apple services, iCloud, the App Store, Google advertising services, website infrastructure, email providers, analytics providers, hosting providers, and other vendors selected by Picolab or the user.

Picolab is not responsible for the independent privacy or security practices of third parties that we do not own or control. Users should review the privacy policies of those third parties where relevant.

15. Changes to This Privacy Policy

Picolab may update this Privacy Policy from time to time.

If we make material changes, we may provide notice through the website, within the relevant app, or by other appropriate means. The "Last Updated" date at the top of this Privacy Policy indicates when it was last revised. Continued use of our Services after the effective date of any changes constitutes your acknowledgment of the updated policy.

16. Contact Us

If you have questions, concerns, or privacy-related requests, please contact: privacy@picolab.app

For all privacy-related inquiries, please use "Privacy Request" in the subject line of your email to ensure a prompt response.