Privacy Policy

Last updated: January 16, 2025

ProHeadshots AI ("we", "us", "our") is committed to protecting your privacy and personal data. This Privacy Policy explains what personal information we collect, how we use it, your rights, and the safeguards we apply while providing AI headshot generation services.

This policy complies with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable data protection laws.

1. Information We Collect

1.1 Information You Provide Directly

  • Account Information: Email address, name, and authentication data provided via Google OAuth through Supabase Auth
  • Uploaded Photos: Personal photos you upload for AI training and headshot generation (1-3 photos per order)
  • Payment Information: Billing details processed through our secure payment gateway (we do not store full credit card numbers on our servers; only transaction metadata like order ID, amount, currency, and payment status for order fulfillment and customer support)
  • Communications: Messages, support tickets, and feedback you send to us

1.2 Automatically Collected Information

  • Usage Data: Pages visited, features used, time spent on the platform, navigation paths
  • Technical Data: IP address, browser type and version, device type, operating system, screen resolution, referring URL
  • Cookies and Similar Technologies: Session cookies, authentication tokens, preference settings (see Section 8 for details)
  • Operational Logs: Server logs, error logs, security logs, timestamps, performance metrics

1.3 Information from Third Parties

  • Google OAuth: Profile information (email, name, profile picture) when you sign in with Google
  • Payment Processor: Transaction status, payment method type, and geographic location data from our payment gateway for fraud prevention and compliance

2. How We Use Your Data

We use collected information for the following purposes:

2.1 Service Delivery (Contractual Necessity)

  • Train AI models using your uploaded photos
  • Generate and deliver professional headshots
  • Process payments and manage your orders
  • Provide customer support and respond to inquiries

2.2 Service Improvement (Legitimate Interest)

  • Analyze usage patterns to improve platform performance
  • Debug errors and optimize AI model quality
  • Develop new features based on user behavior
  • Conduct security monitoring and fraud prevention

2.3 Communication (Consent or Legitimate Interest)

  • Send order confirmations and delivery notifications
  • Notify you of service updates or policy changes
  • Respond to support requests and feedback
  • Send promotional communications (with your consent, opt-out available)

2.4 Legal Compliance (Legal Obligation)

  • Comply with legal requirements and court orders
  • Enforce our Terms of Service and Acceptable Use Policy
  • Detect and prevent fraud, abuse, or illegal activities
  • Maintain financial and tax records

3. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), UK, and Switzerland, we process your data based on:

  • Contract Performance: Processing necessary to provide the service you requested (generating headshots)
  • Legitimate Interest: Improving service quality, security, and fraud prevention (balanced against your privacy rights)
  • Consent: Marketing communications, optional analytics (you can withdraw consent anytime)
  • Legal Obligation: Compliance with laws, regulations, and legal processes

4. Data Sharing and Third-Party Processors

We share your data only with trusted third-party service providers necessary to operate our service:

4.1 Essential Service Providers

  • Supabase: Authentication, database hosting (US-based, GDPR-compliant)
  • AWS S3: File storage for uploaded photos and generated headshots (US-East-1 region, encrypted at rest)
  • Replicate: AI model training and inference (processes uploaded photos, generates headshots)
  • Payment Gateway: Secure payment processing (PCI-DSS Level 1 compliant, handles all credit card data and financial transactions on encrypted servers)

4.2 Legal and Safety Disclosures

We may disclose your information if required by law or to:

  • Respond to legal process (subpoenas, court orders)
  • Enforce our Terms of Service or Acceptable Use Policy
  • Protect our rights, property, or safety, or that of users or the public
  • Report illegal content (e.g., CSAM) to NCMEC or law enforcement
  • Prevent fraud, security threats, or technical issues

4.3 No Sale of Personal Data

We do not sell your personal information to third parties for monetary or other valuable consideration. We do not share data with advertisers or data brokers.

5. Data Retention and Deletion

We retain your data only as long as necessary for the purposes outlined in this policy, or as required by law. Our retention practices are designed to balance service functionality, legal compliance, and your privacy rights.

5.1 Automatic Retention Periods

  • Uploaded Training Photos (Raw Input):
    • Storage Location: AWS S3 (US-East-1 region)
    • Retention Period: Automatically deleted 30 days after order completion
    • Purpose: AI model training and quality troubleshooting
    • Early Deletion: You can request immediate deletion via support@profilelift.pro
    • Access: Only accessible by authorized system processes and support staff (for troubleshooting only)
  • AI Training Models (LoRA):
    • Storage Location: Replicate (third-party AI service)
    • Retention Period: Retained for 90 days after creation, then automatically deleted
    • Purpose: Generate your headshots (model is unique to your order)
    • Access: Only accessible by Replicate's inference system
    • Note: Cannot be used to train other models or reverse-engineer your photos
  • Generated Headshots (Final Output):
    • Storage Location: Replicate CDN (temporary), links stored in Supabase database
    • Retention Period: Retained indefinitely for download access (URLs may expire after 6 months)
    • Purpose: Allow you to download and access your purchased headshots
    • Deletion: You can request deletion anytime, effective within 3 business days
    • Recommendation: Download and back up your headshots locally within 6 months
  • Account Information:
    • Storage Location: Supabase (PostgreSQL database, US-based)
    • Retention Period: Retained until you delete your account or request deletion
    • Purpose: Authentication, service delivery, support
    • Includes: Email, name, Google OAuth profile data, order history metadata
  • Payment Transaction Records:
    • Storage Location: Supabase database (metadata only, no card details)
    • Retention Period: 7 years to comply with tax, accounting, and anti-fraud regulations
    • Purpose: Financial reporting, tax compliance, fraud prevention, refund processing
    • Includes: Order ID, amount, currency, payment status, transaction date
    • Does NOT Include: Full credit card numbers (handled exclusively by our PCI-DSS compliant payment processor, never stored on our servers)
  • Operational Logs (Server Logs, Error Logs):
    • Storage Location: Vercel (hosting platform) and internal logging systems
    • Retention Period: 90 days for standard logs, up to 1 year for security logs
    • Purpose: Debugging, performance monitoring, security incident investigation
    • Includes: IP addresses, timestamps, error messages, API requests
  • Support Communications:
    • Storage Location: Email service and support ticketing system
    • Retention Period: 3 years after case closure
    • Purpose: Customer support, dispute resolution, service improvement
  • Abuse Reports and Safety Records:
    • Storage Location: Secure internal database and law enforcement reporting systems
    • Retention Period: Retained indefinitely for safety, legal, and law enforcement purposes
    • Purpose: User safety, legal compliance, cooperation with law enforcement
    • Includes: CSAM reports (NCMEC), fraud reports, terms violations, banned accounts
    • Note: Cannot be deleted as required by law

5.2 Data Deletion Process

Automatic Deletion: Data that reaches its retention period is automatically and permanently deleted from our systems using secure deletion methods:

  • Overwriting data multiple times (DOD 5220.22-M standard)
  • Removing all references and backups
  • Verifying deletion completion

User-Requested Deletion: To request early deletion of your data:

  1. Email support@profilelift.pro with your request
  2. Specify which data you want deleted (e.g., "delete all uploaded photos")
  3. We will verify your identity (to protect your account security)
  4. Deletion will be completed within 3 business days
  5. You will receive confirmation once deletion is complete

Backup Retention: Deleted data may persist in backups for up to 30 additional days, after which backups are purged. During this period, backed-up data is not accessible for operational use.

Legal Holds: If your data is subject to a legal hold (e.g., pending investigation, court order, law enforcement request), we cannot delete it until the hold is released. We will notify you if this applies.

5.3 Data Anonymization

For certain analytics and research purposes, we may anonymize your data instead of deleting it. Anonymized data:

  • Cannot be linked back to you or used to identify you
  • Is aggregated with data from other users
  • Is used only for statistical analysis and service improvement
  • Does not include photos, names, email addresses, or other identifying information
  • Example: "Users uploaded an average of 12 photos" (no individual data)

6. Your Privacy Rights

6.1 Rights for All Users

  • Access: Request a copy of your personal data we hold
  • Correction: Update or correct inaccurate information
  • Deletion: Request deletion of your data (subject to legal retention requirements)
  • Data Portability: Receive your data in a structured, machine-readable format

6.2 Additional Rights (GDPR - EEA/UK/Switzerland Users)

  • Right to Restriction: Limit how we use your data
  • Right to Object: Object to processing based on legitimate interest
  • Right to Withdraw Consent: Withdraw consent for optional processing
  • Right to Lodge a Complaint: File a complaint with your local data protection authority (e.g., ICO in UK, CNIL in France)

6.3 California Residents (CCPA/CPRA)

  • Right to Know: Request disclosure of collected personal information categories, sources, purposes, and third parties we share with
  • Right to Delete: Request deletion of personal information (with exceptions)
  • Right to Opt-Out: Opt out of "sale" or "sharing" of personal data (we do not sell data)
  • Right to Non-Discrimination: Equal service and pricing regardless of privacy choices

6.4 How to Exercise Your Rights

To exercise any of these rights, email us at support@profilelift.pro with your request. We will respond within:

  • GDPR: 30 days (may extend to 60 days for complex requests)
  • CCPA: 45 days (may extend to 90 days)

We may request verification of your identity before fulfilling requests to protect your privacy.

7. International Data Transfers

Our service is hosted in the United States. If you access the service from outside the U.S., your data will be transferred to and processed in the U.S.

For EEA/UK/Switzerland users: We rely on appropriate safeguards for international transfers, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data Processing Agreements with third-party processors
  • Processors certified under EU-U.S. Data Privacy Framework (where applicable)

8. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to provide, protect, and improve our service. This section explains what cookies we use, why we use them, and how you can control them.

8.1 What Are Cookies?

Cookies are small text files stored on your device (computer, tablet, smartphone) when you visit a website. They help websites remember information about your visit, such as your preferred language, login status, and settings. Cookies can be "session cookies" (deleted when you close your browser) or "persistent cookies" (remain on your device for a set period).

Similar technologies include:

  • Local Storage: Similar to cookies but can store larger amounts of data
  • Session Storage: Stores data only for the current browser session
  • Web Beacons (Pixels): Small transparent images used to track page views

8.2 Types of Cookies We Use

Strictly Necessary Cookies (Essential)

Purpose: These cookies are essential for the website to function properly. Without them, you cannot use our service.

Examples:

  • Authentication Cookies: Keep you logged in as you navigate the site (managed by Supabase)
    • Cookie name: sb-access-token, sb-refresh-token
    • Duration: Session (deleted when you log out or close browser)
    • Data stored: Encrypted authentication token
  • Session Management: Remember your current session and prevent re-authentication on every page
    • Cookie name: next-auth.session-token
    • Duration: 30 days (or until logout)
  • Security Cookies: Protect against Cross-Site Request Forgery (CSRF) attacks
    • Cookie name: __Host-next-auth.csrf-token
    • Duration: Session
  • Load Balancing: Distribute requests across servers for optimal performance
    • Cookie name: __vercel_live_token
    • Duration: Session

Can you disable them? No. These cookies are essential for the service to work. Disabling them will prevent you from using the website.

Performance and Analytics Cookies (Optional)

Purpose: Help us understand how visitors use our website so we can improve it. These cookies collect anonymous information about page visits, traffic sources, and user behavior.

Examples:

  • Vercel Analytics: Tracks page views, performance metrics, and navigation paths
    • Cookie name: __v_a
    • Duration: 1 year
    • Data stored: Anonymous visitor ID, page views, session duration
    • Privacy: No personal data collected (GDPR compliant)
  • Vercel Speed Insights: Measures page load times and performance
    • Cookie name: __v_s
    • Duration: Session
    • Data stored: Performance metrics (load time, time to interactive)

Can you disable them? Yes. You can disable these cookies in your browser settings (see Section 8.5). Disabling them will not affect website functionality, but it will limit our ability to improve the service.

Functional Cookies (Optional)

Purpose: Remember your preferences and settings to provide a more personalized experience.

Examples:

  • Language Preference: Remember your preferred language
    • Storage: Local Storage
    • Key: user-language
    • Duration: Persistent (until cleared)
  • Theme Preference: Remember if you prefer dark or light mode (if implemented)
    • Storage: Local Storage
    • Key: theme-preference
    • Duration: Persistent

Can you disable them? Yes. You can clear local storage in your browser settings. Disabling them means you'll need to re-set your preferences on each visit.

8.3 Third-Party Cookies

We use a limited number of trusted third-party services that may set cookies:

  • Google OAuth (Authentication): When you sign in with Google, Google may set cookies for authentication purposes. See Google's Cookie Policy.
  • Vercel (Hosting and Analytics): Vercel uses cookies for performance monitoring and analytics. See Vercel's Privacy Policy.
  • Supabase (Authentication and Database): Supabase uses cookies for secure authentication. See Supabase's Privacy Policy.

Important: We do NOT use:

  • Advertising cookies or ad tracking
  • Social media tracking pixels (Facebook Pixel, Twitter Pixel, etc.)
  • Cross-site tracking or behavioral advertising
  • Data brokers or third-party marketing services

8.4 How We Use Cookie Data

Data collected through cookies is used for:

  • Authentication: Keep you logged in securely across pages
  • Security: Protect against unauthorized access and attacks (CSRF, XSS)
  • Performance Monitoring: Identify slow pages and optimize load times
  • Usage Analytics: Understand which features are most popular (aggregated, anonymous data only)
  • Error Tracking: Detect and fix bugs or technical issues
  • User Experience: Remember your preferences (language, theme)

We do NOT use cookie data for:

  • Selling to third parties
  • Targeted advertising
  • Creating detailed user profiles for marketing
  • Tracking you across other websites

8.5 How to Control and Delete Cookies

Browser Settings: You can control cookies through your browser settings:

  • Chrome: Settings → Privacy and Security → Cookies and other site data → Manage cookies
  • Firefox: Settings → Privacy & Security → Cookies and Site Data → Manage Data
  • Safari: Preferences → Privacy → Manage Website Data → Remove cookies
  • Edge: Settings → Cookies and site permissions → Manage and delete cookies

Browser Options:

  • Block all cookies: Prevents websites from setting any cookies (will break essential functionality)
  • Block third-party cookies: Allows first-party cookies only (recommended for privacy)
  • Clear cookies on exit: Automatically deletes cookies when you close the browser
  • Private/Incognito mode: Doesn't save cookies after you close the window

Do Not Track (DNT): We respect browser DNT signals for optional cookies. However, essential cookies will still be used to maintain basic functionality.

Clear Cookies: To delete existing cookies:

  1. Open your browser settings
  2. Navigate to Privacy or Security settings
  3. Find "Clear browsing data" or "Manage cookies"
  4. Select "Cookies and other site data"
  5. Choose a time range (e.g., "All time") and click "Clear data"

Note: Clearing cookies will log you out of ProHeadshots AI and other websites. You will need to log in again.

8.6 Mobile Device Tracking

iOS (iPhone/iPad): Settings → Safari → Privacy & Security → Block All Cookies or Prevent Cross-Site Tracking

Android: Settings → Google → Ads → Opt out of Ads Personalization (note: we don't use ad tracking)

8.7 Cookie Retention Periods

Different cookies have different lifespans:

Cookie Type     | Duration             | When Deleted
----------------|----------------------|---------------------------------------
Session Cookies | Until browser closed | Automatically when you exit
Authentication  | 30 days              | When you log out or after 30 days
Analytics       | 1 year               | After 1 year or when you clear cookies
Preferences     | Persistent           | When you clear local storage

8.8 Changes to Cookie Policy

We may update this cookie policy to reflect changes in technology, legal requirements, or our practices. We will notify you of significant changes by updating the "Last updated" date at the top of this Privacy Policy.

8.9 Contact Us About Cookies

If you have questions about our use of cookies or tracking technologies, contact us at:

support@profilelift.pro

9. Data Security Measures

We implement comprehensive, multi-layered security measures to protect your personal data from unauthorized access, disclosure, alteration, or destruction. Our security practices follow industry standards and best practices.

9.1 Encryption

  • Data in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.3 (Transport Layer Security) with 256-bit encryption. This protects your data from interception during transmission.
  • Data at Rest: All stored data is encrypted using AES-256 (Advanced Encryption Standard) encryption:
    • Uploaded photos stored in AWS S3 use server-side encryption (SSE-S3)
    • Database records in Supabase are encrypted at the disk level
    • Backup files are also encrypted with AES-256
  • Password Hashing: User passwords (if applicable) are hashed using bcrypt with a minimum of 12 rounds, making them computationally infeasible to reverse.

9.2 Access Controls

  • Principle of Least Privilege: Employees and systems are granted only the minimum access necessary to perform their functions.
  • Role-Based Access Control (RBAC): Access to user data is restricted based on job roles:
    • Developers: No access to production user data (only anonymized logs)
    • Support Staff: Limited access for troubleshooting (with audit logs)
    • Automated Systems: Access only to necessary data via API keys
  • Multi-Factor Authentication (MFA): All administrative accounts require MFA to prevent unauthorized access.
  • API Key Rotation: API keys for third-party services (AWS, Replicate, payment gateway) are rotated every 90 days and stored in encrypted secret management systems (Vercel Environment Variables with zero-knowledge encryption).

9.3 Infrastructure Security

  • Trusted Cloud Providers: We use industry-leading providers with SOC 2 Type II and ISO 27001 certifications:
    • Vercel: Hosting and CDN (SOC 2 Type II certified)
    • AWS S3: File storage (FedRAMP, PCI-DSS, HIPAA compliant)
    • Supabase: Database and authentication (ISO 27001, SOC 2 certified)
    • Replicate: AI processing (enterprise-grade security)
  • Network Security: Firewalls, DDoS protection, and intrusion detection systems protect our infrastructure from attacks.
  • Secure Development: Code undergoes security reviews and automated vulnerability scanning before deployment.

9.4 Content Security

  • Automated Content Moderation: AWS Rekognition scans uploaded photos for:
    • Explicit or suggestive content (nudity, sexual content)
    • Violence or graphic imagery
    • Hate symbols or offensive gestures
    • Approximate age detection (flagging potential minors)
  • Hash Matching: Uploaded images are checked against known CSAM databases (PhotoDNA hashes provided by NCMEC) to detect illegal content.
  • Manual Review: Flagged content is reviewed by trained moderators within 24 hours.

9.5 Monitoring and Incident Response

  • 24/7 Security Monitoring: Automated systems monitor for suspicious activity:
    • Unusual login patterns or failed authentication attempts
    • Abnormal data access patterns
    • Potential data exfiltration
    • DDoS attacks or brute force attempts
  • Audit Logs: All access to user data is logged with timestamps, user IDs, and actions performed. Logs are retained for 1 year and reviewed regularly.
  • Incident Response Plan: In case of a security incident:
    1. Immediate containment to prevent further damage
    2. Investigation to determine scope and impact
    3. Notification to affected users within 72 hours (GDPR requirement)
    4. Reporting to relevant authorities if required
    5. Remediation and prevention of future incidents
  • Data Breach Notification: If a breach affects your personal data, we will notify you via email with details about:
    • What data was affected
    • What we are doing to address the breach
    • What you can do to protect yourself
    • Contact information for questions

9.6 Employee Training and Policies

  • All employees with access to user data receive annual security and privacy training
  • Employees sign confidentiality agreements and are subject to disciplinary action for policy violations
  • Background checks are conducted for employees with access to sensitive data
  • Access is immediately revoked when employees leave the company

9.7 Security Audits and Compliance

  • Regular Security Audits: We conduct quarterly internal security audits and annual third-party penetration testing.
  • Vulnerability Scanning: Automated vulnerability scanners run weekly to detect potential security issues.
  • Compliance: We maintain compliance with:
    • GDPR (General Data Protection Regulation)
    • CCPA/CPRA (California Consumer Privacy Act)
    • PCI-DSS (Payment Card Industry Data Security Standard) - through our certified payment gateway
    • COPPA (Children's Online Privacy Protection Act) - we prohibit users under 18

9.8 Your Security Responsibilities

While we implement strong security measures, you also play a role in protecting your data:

  • Keep Your Credentials Secure: Do not share your account password or login credentials with anyone.
  • Use Strong Passwords: If using email/password login, use a unique, strong password (we recommend a password manager).
  • Enable MFA: If available for your account type, enable multi-factor authentication.
  • Be Cautious of Phishing: We will not ask for your password via email. Always verify the sender before clicking links.
  • Report Suspicious Activity: If you notice unusual account activity, contact us immediately at support@profilelift.pro.

Important Security Disclaimer:

While we implement industry-leading security measures, no method of electronic storage or transmission over the internet is 100% secure. We cannot guarantee absolute security against all possible attacks, including:

  • Zero-day vulnerabilities in third-party services
  • Advanced persistent threats (nation-state actors)
  • Social engineering attacks targeting users
  • Hardware failures or natural disasters

By using our service, you acknowledge these inherent risks. We will continue to improve our security posture and notify you promptly of any significant security incidents.

10. Children's Privacy

ProHeadshots AI is not intended for users under 18 years old. We do not knowingly collect personal data from minors. If we discover that we have inadvertently collected data from a minor, we will delete it immediately. Parents or guardians who believe we may have collected data from a minor should contact us at support@profilelift.pro.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect legal requirements, service changes, or business practices. Changes will be posted on this page with an updated "Last updated" date. For material changes, we will notify you via email or prominent notice on the platform. Continued use of the service after changes constitutes acceptance of the updated policy.

12. Contact Information

For privacy inquiries, data requests, or complaints:

Email: support@profilelift.pro

Response time: Typically within 3 business days

For GDPR-related inquiries: Contact us at support@profilelift.pro