Privacy Policy
Last Updated: 13 June 2025
1. Introduction
SmartHeadshots.ai ("we," "us," "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, process, and protect your information when you use our AI headshot generation service.
Data Controller Information:
- Service: SmartHeadshots.ai
- Location: Gujarat, India
- Contact: support@smartheadshots.ai
- Privacy Contact: support@smartheadshots.ai
2. Information We Collect
2.1 Personal Information
- Account Data: Name, email address, password (hashed if applicable), profile information
- Payment Information: Billing details, transaction history (processed by Dodo Payments)
- Contact Data: Information you provide when contacting support
2.2 Content Data
- Uploaded Photos: Facial images you upload for AI headshot generation
- Generated Content: AI-created headshots and associated metadata
2.3 Technical Information
- Device Data: IP address, browser type, operating system (if applicable)
- Usage Data: Service interactions, preferences, session information (if applicable)
- Cookies: As detailed in our Cookie Policy
2.4 Communications
- Support Communications: Messages, feedback, and support requests
- Marketing Communications: If you opt-in to receive updates
3. How We Use Your Information
3.1 Service Provision (Contract Performance - GDPR Article 6(1)(b))
- Generate AI headshots from your uploaded photos
- Provide customer support and respond to inquiries
- Process payments and maintain account functionality
- Deliver purchased services and content
3.2 Legitimate Interests (GDPR Article 6(1)(f))
- Improve service quality and user experience
- Prevent fraud and ensure platform security
- Analyze usage patterns for service optimization
- Maintain system security and integrity
3.3 Consent-Based Processing (GDPR Article 6(1)(a))
- Send marketing communications (only with explicit consent)
- Use optional analytics and tracking tools
- Share testimonials or user-generated content
3.4 Legal Compliance (GDPR Article 6(1)(c))
- Comply with applicable laws and regulations
- Respond to legal requests and court orders
- Maintain records as required by law
4. Data Sharing and Third Parties
4.1 Service Providers
We share data with trusted third-party providers who assist in service delivery:
- Supabase: Authentication, database, and storage services
- Astria: AI model training and image generation
- Dodo Payments: Payment processing and billing
- Vercel: Website hosting and content delivery
4.2 Legal Requirements
We may disclose information when required by law, court order, or to:
- Protect our rights, property, or safety
- Prevent fraud or illegal activities
- Comply with legal obligations
- Respond to government requests
4.3 Business Transfers
In case of merger, acquisition, or sale of assets, your data may be transferred to the new entity with equivalent privacy protections.
4.4 No Commercial Sale
We do not sell, rent, or trade your personal information for commercial purposes.
5. International Data Transfers
5.1 Cross-Border Processing
Your data may be processed in countries outside India/EU by our service providers.
5.2 Safeguards
- We utilize reputable third-party service providers, such as Supabase (for database and authentication, with data hosted in their EU region) and Vercel (for website hosting), to deliver our Service. These providers are responsible for the security of their own infrastructure. We rely on their stated security and compliance measures, including any Data Processing Addendums (DPAs) or standard contractual terms they provide, to help protect your data when it is processed by them, including for transfers of data of EU residents.
6. Data Retention Periods
6.1 Uploaded Photos
- Retention: Automatically deleted within 7 days of upload
- Purpose: AI model training and headshot generation
- User Control: Can be deleted instantly upon request
6.2 Generated Headshots and AI Models
- Retention: Deleted within 30 days of creation
- Purpose: Service delivery and user access
- User Control: Available for download during retention period
6.3 Account Information
- Retention: Until account deletion requested via support@smartheadshots.ai
- Purpose: Account management and service provision
- Post-Deletion: Retained for 1 year for legal compliance, then permanently deleted
6.4 Payment Data
- Retention: 7 years as required by Indian financial regulations
- Purpose: Tax compliance, fraud prevention, dispute resolution
- Storage: Processed and stored by Dodo Payments per their retention policies
6.5 Marketing Data
- Retention: Until opt-out + 2 years for preference management
- Purpose: Marketing communications and preference tracking
7. Your Rights and Choices
7.1 Universal Rights
- Access: Request information about data we hold about you
- Correction: Update or correct inaccurate personal information
- Deletion: Request deletion of your personal data
- Portability: Receive your personal data, which you have provided to us, in a structured, commonly used, and machine-readable format, where technically feasible.
- Objection: Object to certain types of data processing
7.2 GDPR Rights (EU Residents)
- Withdrawal of Consent: Withdraw consent for consent-based processing
- Restriction: Request limitation of data processing
- Automated Decision-Making: Object to solely automated decisions
- Supervisory Authority: Lodge complaints with data protection authorities
7.3 CCPA Rights (California Residents)
- Right to Know: What personal information we collect and how it's used
- Right to Delete: Request deletion of personal information
- Right to Opt-Out: Opt-out of sale of personal information (we don't sell data)
- Non-Discrimination: We won't discriminate for exercising CCPA rights
7.4 Exercising Your Rights
You may request immediate deletion of your data by contacting our support team at support@smartheadshots.ai. We aim to process such requests promptly, typically within [e.g., 7-10 business days]. Please note that due to the nature of data backups and system logs, some de-identified or residual data may persist for a limited period (e.g., up to 90 days) before being completely purged, but it will not be used for active processing.
8. Data Security
8.1 Security Measures
- Encryption: Data encrypted in transit (TLS)
- Access Controls: Role-based access with multi-factor authentication
- Monitoring: Continuous security monitoring and threat detection
- Regular Audits: Periodic security assessments and updates
8.2 Data Breach Response
In case of a data breach, we will:
- Contain and assess the breach within 24 hours
- Notify affected users within 72 hours if high risk
- Report to relevant authorities as required by law
- Implement remediation measures
8.3 Limitations
While we implement industry-standard security measures, no system is completely secure. You use the service at your own risk.
9. Cookies and Tracking
Detailed information about our use of cookies is available in our separate Cookie Policy, incorporated herein by reference.
10. Third-Party Links
Our service may contain links to external websites. We are not responsible for the privacy practices of third-party sites and encourage you to review their privacy policies.
11. Children's Privacy
- Our Service is not intended for or directed to individuals under the age of 18 (or the age of legal majority in their jurisdiction). We do not knowingly collect personal information from individuals under this age. If we become aware that we have inadvertently collected personal information from a child without parental consent (where applicable by law, though our primary policy is not to serve under 18s), we will take steps to delete such information promptly. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@smartheadshots.ai.
12. Regional Compliance
12.1 India (Digital Personal Data Protection Act)
We are committed to complying with applicable Indian laws, including the Digital Personal Data Protection Act, 2023 (DPDP Act). Users in India ("Data Principals") have certain rights regarding their personal data, such as the right to access, correct, update, or request deletion of their personal data, the right to grievance redressal, and the right to nominate. To exercise these rights, please contact us at support@smartheadshots.ai. Our collection, processing, and retention of your data are done in accordance with the consent you provide and for the purposes outlined in this Privacy Policy and our Terms and Conditions.
12.2 Other Jurisdictions
Users in other regions have privacy rights per their local applicable laws.
13. Contact and Complaints
13.1 Privacy Inquiries
For privacy-related questions or to exercise your rights, contact:
- Email: support@smartheadshots.ai
13.2 Complaints
If you believe we have not adequately addressed your privacy concerns, you may:
- Contact our Data Protection Officer at support@smartheadshots.ai
- Lodge a complaint with your local data protection authority
- Pursue legal remedies under applicable law
14. Policy Updates
We may update this Privacy Policy periodically. Material changes will be communicated via:
- Email notification to registered users
- Prominent notice on our website
- Updated effective date at the top of this policy
Continued use of our service after updates constitutes acceptance of the revised policy.
This Privacy Policy is effective as of June 3, 2025