Cookie Policy
Last updated: 28 May 2026
The short version
This summary is not legally binding — the full Policy below governs. We've put it here to help you understand the headlines.
- Strictly necessary cookies keep the site working. We don't need your consent for these.
- Analytics cookies help us see how the platform is used. We ask before setting them.
- Functional cookies remember your preferences. We ask before setting them.
- No advertising cookies. We do not run third-party advertising on Pictl.
- Manage anytime via the cookie settings link in our footer.
- Cookies cross subdomains. Cookies set on pictl.ai apply across app.pictl.ai and explore.pictl.ai.
We recommend reading this Policy alongside our Privacy Policy and Terms of Service.
1. What are cookies and similar technologies?
A cookie is a small text file placed on your device when you visit a website. Cookies let sites remember you between page loads and visits, keep you signed in, and measure how the site is used.
This Policy covers cookies and similar technologies, including:
- Local storage and session storage — browser-based key/value stores used to persist settings, drafts, or session state. Session storage is cleared when the tab closes; local storage persists until cleared.
- Pixel tags and web beacons — tiny images or scripts that record whether a page or email was viewed.
- Service worker storage — used to enable offline functionality, faster loads, and push notifications (where you have opted in).
- Device fingerprinting — we do not use device fingerprinting for tracking. If this changes, we will update this Policy and obtain consent.
For the rest of this Policy, "cookie" refers to all of these technologies unless we say otherwise.
2. Why we use cookies
We use cookies to:
- keep the core Service working (such as keeping you signed in);
- remember your preferences (language, theme, editor settings);
- understand how visitors use the platform so we can improve it;
- detect and prevent fraud, abuse, and security threats;
- ensure the platform works reliably across browsers, devices, and networks.
We do not use cookies to serve third-party advertising or to build advertising profiles. If we ever introduce advertising cookies, we will update this Policy and obtain fresh consent.
3. Cookies we use
The tables in this section list the cookies set across the Service. We keep these tables current as the platform evolves; if you spot anything that looks out of date, please email legal@pictl.ai.
3.1 Strictly necessary
These cookies are essential. Without them you would not be able to sign in or use the Service. Under UK PECR, the EU ePrivacy Directive, and equivalent rules elsewhere, these cookies do not require consent.
| Cookie | Provider | Purpose | Duration | Type |
|---|---|---|---|---|
| sb-[project-ref]-auth-token | Supabase | Authentication session token | Rolling, up to 7 days | HTTP cookie (HttpOnly, Secure) |
| sb-[project-ref]-auth-token-code-verifier | Supabase | PKCE code verifier for OAuth | Session | HTTP cookie (HttpOnly, Secure) |
| __Host-next-auth.csrf-token | Next.js / Auth | CSRF protection on form submission | Session | HTTP cookie (HttpOnly, Secure, SameSite=Strict) |
| __Secure-next-auth.callback-url | Next.js / Auth | Post-login redirect URL | Session | HTTP cookie (Secure) |
| cookie_consent | Pictl (1st party) | Records your cookie consent choice | 12 months | HTTP cookie |
| cf_* | Cloudflare | DDoS protection, bot mitigation, edge routing | Session / up to 30 days | HTTP cookie |
3.2 Analytics / performance
These help us understand how visitors interact with the Service. The data is used in aggregate or pseudonymised form to improve the platform. We ask for consent before setting these.
| Cookie | Provider | Purpose | Duration | Type |
|---|---|---|---|---|
| ph_[api_key]_posthog | PostHog | Unique pseudonymous identifier for product analytics (page views, events) | Up to 13 months | HTTP cookie / local storage |
| ph_[api_key]_posthog_ses | PostHog | Session boundary identifier | 30 minutes (rolling) | HTTP cookie / local storage |
| posthog_survey_[id] | PostHog | Records whether you've seen or dismissed an in-app survey | Variable | Local storage |
| _vercel_speed_insights | Vercel | Anonymous performance metrics for the front end | Session | Local storage / script |
PostHog is run on the EU Cloud (Frankfurt) where reasonably practicable, with IP anonymisation enabled.
3.3 Functional
Functional cookies remember preferences that improve your experience but are not strictly necessary. We ask for consent before setting these.
| Cookie | Provider | Purpose | Duration | Type |
|---|---|---|---|---|
| pictl_theme | Pictl (1st party) | Light/dark mode preference | 12 months | Local storage |
| pictl_editor_prefs | Pictl (1st party) | Editor and generation settings | 12 months | Local storage |
| pictl_locale | Pictl (1st party) | Language / locale preference | 12 months | Local storage |
3.4 Marketing / targeting
We do not currently use marketing or targeting cookies. Pictl does not run third-party advertising and does not build advertising profiles.
If we introduce marketing cookies, we will update this Policy, list each cookie, and obtain fresh consent before they are set.
4. Consent and your choices
4.1 How we obtain consent
The first time you visit Pictl, a cookie consent banner is shown. You can:
- Accept all cookies;
- Reject all non-essential cookies (this option is presented as prominently as Accept);
- Customise your preferences category-by-category (strictly necessary, analytics, functional).
Your choice is recorded in the cookie_consent cookie for 12 months. You can change your choice at any time using the Cookie settings link in our footer. Strictly necessary cookies are not affected by your choice — they are always set.
We aim to meet ICO guidance and EDPB Guidelines on consent. In particular:
- there are no pre-ticked boxes for non-essential cookies;
- non-essential cookies are not set before you give consent;
- you can withdraw consent as easily as you gave it; and
- we do not use deceptive design ("dark patterns") to nudge you towards accepting more than you want.
4.2 Accessibility of the cookie banner
The cookie banner is designed to meet WCAG 2.2 Level AA: it is keyboard-navigable, screen-reader compatible, and operable without colour vision or fine motor control. See our Accessibility Statement for details.
4.3 Browser-level controls
You can also control cookies through your browser. Most browsers let you view, block, or delete cookies, opt into the Global Privacy Control signal (which we honour for opt-out of sale/sharing under CCPA/CPRA), and turn on Do Not Track (which our analytics provider respects). Browser-specific guidance:
- Google Chrome — support.google.com/chrome/answer/95647
- Mozilla Firefox — support.mozilla.org/en-US/kb/clear-cookies-and-site-data-firefox
- Safari — support.apple.com/en-gb/guide/safari/sfri11471/mac
- Microsoft Edge — support.microsoft.com/en-us/microsoft-edge/view-cookies-in-microsoft-edge-a7d95376-f2cd-8e4a-25dc-1de753474879
Blocking strictly necessary cookies will prevent you from signing in or using core features.
5. Third-party cookies
Some cookies are set by third parties listed in Section 3 (Supabase, PostHog, Vercel, Cloudflare). We have reviewed each for compliance with PECR / ePrivacy / equivalent rules and have a Data Processing Agreement in place with each provider. Each provider also has its own privacy policy.
| Provider | Purpose | Category | Privacy Policy |
|---|---|---|---|
| Supabase | Database, authentication | Strictly necessary | supabase.com/privacy |
| PostHog | Product analytics | Analytics | posthog.com/privacy |
| Vercel | Hosting, CDN, performance | Strictly necessary / analytics | vercel.com/legal/privacy-policy |
| Cloudflare | DDoS protection, DNS | Strictly necessary | cloudflare.com/privacypolicy |
| Google | OAuth sign-in (if used) | Strictly necessary | policies.google.com/privacy |
| Stripe | Payment fraud prevention | Strictly necessary | stripe.com/privacy |
6. Scope — domains this Policy covers
This Policy applies to all cookies set when you visit:
- pictl.ai (the marketing site)
- app.pictl.ai (the main application)
- explore.pictl.ai (the Discovery Layer)
- any other pictl.ai subdomain
Cookies set on the apex domain (pictl.ai) are typically accessible across subdomains. Cookies set on a specific subdomain are scoped to that subdomain.
7. Personal data processed through cookies
Some cookies process personal data. Where this happens, the legal bases under UK/EU GDPR are:
- Strictly necessary cookies — performance of contract (Article 6(1)(b)) — necessary to provide the Service you asked for.
- Analytics cookies — consent (Article 6(1)(a)) and PECR Regulation 6 / equivalent ePrivacy rules.
- Functional cookies — consent (Article 6(1)(a)) and PECR Regulation 6 / equivalent ePrivacy rules.
Note that under PECR (UK) and the ePrivacy Directive (EU), the only exemption from the consent requirement for storing or accessing information on a user's device applies where that storage or access is "strictly necessary" for a service the user has requested. Legitimate interests is not a basis to bypass cookie consent.
Full details of how we process personal data — including your rights — are in the Privacy Policy.
8. International transfers
Some of our cookie providers are based outside the UK/EU/EEA, or transfer data to the US. We apply the safeguards described in Section 17 of the Privacy Policy, including UK IDTA, EU SCCs, UK Data Bridge, and EU–US Data Privacy Framework certifications where available.
For analytics specifically, we use the EU Cloud instance of PostHog where reasonably practicable to minimise transfers outside the EU/EEA.
9. Retention
Cookie durations are listed in Section 3. Analytics data collected through PostHog is retained for 13 months in our PostHog account, after which it is aggregated or deleted.
10. Notices for specific jurisdictions
California (CCPA/CPRA). Pictl does not "sell" or "share" personal information for cross-context behavioural advertising as defined under the CCPA/CPRA. We honour Global Privacy Control (GPC) signals as an opt-out of sale/sharing, even though we do not sell or share. You may also exercise your rights through the Do Not Sell or Share My Personal Information link in our footer.
EU/EEA (ePrivacy Directive). Implementation of the ePrivacy Directive varies by member state. Where local rules are stricter than this Policy (for example, France's CNIL guidance on equivalence between Accept and Reject buttons), the stricter rule applies in that jurisdiction.
Quebec (Law 25). We disclose the use of technology that allows you to be identified, located, or profiled. We do not use cookies for profiling.
11. Changes to this Policy
We may update this Policy from time to time to reflect changes in the cookies we use, our analytics providers, or applicable law. For material changes:
- we will update the date at the top of this Policy;
- we will refresh the consent banner so you can review and re-confirm; and
- where law requires, we will obtain fresh consent before applying changes.
12. Governing law
This Policy is governed by the laws of England and Wales. Disputes are subject to the exclusive jurisdiction of the courts of England and Wales, except where applicable law gives you a right to bring proceedings in your country of residence or to complain to your local data protection authority.
13. Contact us
Questions about this Policy or our use of cookies:
Email: legal@pictl.ai
Post: Art Skool Ltd, 167–169 Great Portland Street, 5th Floor, London, England, W1W 5PF
You may also complain to a data protection authority. In the UK, that is the Information Commissioner's Office (ico.org.uk, 0303 123 1113). In the EU, your national authority. Elsewhere, see the Privacy Policy for authority contacts.
14. Effective date and review
Effective from: 2026-05-28.
Review triggers:
- any new cookie or tracking technology added to the platform;
- any change to analytics or advertising provider;
- material change to our data-processing practices;
- changes to PECR, EU ePrivacy, CCPA/CPRA, or equivalent law;
- annually, at minimum.
Next scheduled review: 2027-05-15 or earlier if triggered above.
Beta status. This Policy (v1.0) has been prepared internally to align with Terms of Service v1.5 and Privacy Policy v1.0, and to extend coverage to a global "catch-all" baseline. It has not yet been reviewed by a qualified solicitor. External legal review is planned before general public launch.
Change Log
| Version | Date | Summary |
|---|---|---|
| v0.1–v0.4 | Apr 2026 | Initial UK-only drafts; PECR / functional cookie consent basis corrected. |
| v1.0 | 2026-05-15 | Realigned to Terms of Service v1.4 and Privacy Policy v1.0; extended to global catch-all (CCPA/CPRA, Quebec Law 25, EU member-state variations); added Cloudflare and Stripe rows; added GPC and DNT handling; added accessibility note; tightened consent-banner requirements (ICO + EDPB + CNIL). |