Privacy Policy
Last updated: 2026-04-26
POC / Beta notice. PicPut is an early proof-of-concept run by an individual developer. Treat anything you put into the app as potentially impermanent: data may be wiped during development, accounts may be reset, and features may change without notice. Do not use this app to store information you cannot afford to lose or that has real-world legal sensitivity.
Who runs this
PicPut is operated by Jeff Slarve as a personal project. A contact email will be published here once the picput.com mail setup is complete.
What this app does, in plain terms
PicPut lets you encode information inside ordinary images using a steganographic system called ScribbleCrypt, then optionally send those encoded images to other PicPut users. "Encode" here means the bytes of your message are mixed into the pixels of an image using a key (a set of parameters). It is not end-to-end encryption in the cryptographic sense. Anyone who has the matching key can decode the image.
What is collected and stored
When you create an account and use the app, the following is stored on Google's servers (via Firebase):
- Account info: email address; if you sign in with Google, your Google display name and profile picture.
- Profile: the display name you choose. Your display name is readable by any other signed-in user (this is how friends find you to send requests).
- Social graph: who you've sent friend requests to, accepted, or removed; which groups you've joined.
- Messages: for each direct message you send, the sender ID, recipient ID, timestamp, and subject line are stored as ordinary (unencoded) data in our database. The message image itself is stored in ScribbleCrypt-encoded form.
- Keys: the ScribbleCrypt keys you save are stored in obfuscated form. They are not encrypted in a cryptographic sense; a determined operator with database access could potentially decode them.
- Local app settings: settings like your display preferences are stored in your browser's localStorage and stay on your device.
What is NOT collected
- We do not collect your real-world name beyond what you provide as a display name.
- We do not collect your phone number, physical address, or precise location.
- We do not collect any payment information (the app is free).
- We do not collect your contacts or sync them to our servers.
- We do not sell or rent your data to anyone, ever.
Sub-processors (third parties that handle your data on our behalf)
- Google Firebase (Authentication, Firestore database, Cloud Storage, Hosting, App Check). Data is held on Google Cloud servers, primarily in the United States. See firebase.google.com/support/privacy.
- Google Analytics for Firebase. Aggregates usage signals (page views, clicks, errors) so we can understand how the app is being used. We do not link these signals to your real-world identity.
- Google reCAPTCHA v3. Runs invisibly to distinguish real users from automated abuse. Google receives a request signal on each interaction. See policies.google.com/privacy.
How long data is kept
For as long as your account exists. If you delete your account or ask us to delete your data, we will remove your profile, friendships, messages, keys, and stored images from our active database. Note that some data may persist for a limited period in Google Cloud backups outside our direct control, and some aggregated analytics signals may not be reversibly tied to your identity to begin with.
Your rights
You can:
- Sign out at any time.
- Delete your stored keys, messages, and images from within the app.
- Request full account and data deletion once a contact email is published (see "Who runs this" above).
If you are in the EU/UK (GDPR) or California (CCPA), you may have additional rights including access, correction, and portability. Once a contact email is published we will respond to such requests as best we can within the constraints of a personal-project POC.
Security limitations (read this honestly)
- ScribbleCrypt is encoding, not encryption. Treat it as obfuscation that resists casual inspection, not as a guarantee against a determined adversary.
- Direct message metadata (who messaged whom, when, with what subject) is not obfuscated. If knowing that two specific accounts communicated would harm you, do not use this app for that communication.
- The server holds your encoded image bytes. If compelled by legal process or breached, those bytes could be obtained by a third party — though without the key, decoding would still be required.
- This is a POC built by one person. There has not been a third-party security audit.
Children
This service is not intended for children under 13 (or under 16 in jurisdictions where that is the threshold). Do not create an account on behalf of a child.
Changes to this policy
We may update this policy as the app evolves. The "Last updated" date at the top will reflect any change. For material changes (e.g., new sub-processors, expanded data collection), we will surface a notice in the app.
Not legal advice
This document is written in plain language by the operator and has not been reviewed by an attorney. Before this app is used by real users at scale, this policy should be reviewed by a lawyer competent in privacy law for the relevant jurisdictions.