Privacy Policy
Last updated: October 22, 2025
At PortraitSmith, we take your privacy seriously. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our AI-powered headshot generation service.
By using PortraitSmith, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, please do not use our Service.
1. Information We Collect
1.1 Information You Provide
When you create an account and use our Service, we collect:
- Account Information: Email address, full name, password (encrypted), and optional profile photo
- Photos: Images you upload for headshot generation
- Generation Preferences: Style selections, customization options, and generation settings
- Payment Information: Processed securely through Stripe (we do not store credit card details)
- Feedback: Optional ratings and comments about generated images
1.2 Automatically Collected Information
When you access our Service, we automatically collect:
- Usage Data: Pages visited, features used, time spent, generation history
- Device Information: Browser type, operating system, device identifiers
- Log Data: IP address, access times, error logs, referral URLs
- Performance Data: Generation times, API response times, error rates
1.3 OAuth Authentication
If you sign in using Google OAuth, we receive:
- Your name and email address from your Google account
- Profile picture (if you choose to share it)
- OAuth token for authentication (not your Google password)
2. How We Use Your Information
We use your information to:
- Provide the Service: Generate AI headshots, manage your account, process images
- Process Payments: Handle credit purchases and maintain transaction records
- Improve Our Service: Analyze usage patterns, fix bugs, develop new features
- Communicate: Send service updates, respond to support requests, notify about account activity
- Security: Detect fraud, prevent abuse, enforce our Terms of Service
- Legal Compliance: Comply with legal obligations and protect our rights
- Analytics: Understand user behavior to enhance user experience
We do NOT use your photos or generated images to train AI models or for any purpose other than providing the Service to you.
3. How We Share Your Information
3.1 Third-Party Service Providers
We share your information with trusted third-party services that help us operate:
- Supabase: Authentication, database hosting, and file storage (images)
- Google Gemini AI: AI image generation (your photos are sent to Google for processing)
- Stripe: Payment processing (credit card transactions)
- Vercel: Web hosting and content delivery
These providers are contractually obligated to protect your data and use it only for providing services to us.
3.2 Legal Requirements
We may disclose your information if required by law, legal process, or government request, or to:
- Comply with legal obligations (subpoenas, court orders, etc.)
- Protect our rights, property, or safety, or that of our users
- Prevent fraud, security threats, or illegal activity
- Enforce our Terms of Service
3.3 Business Transfers
If PortraitSmith is acquired, merged, or sold, your information may be transferred to the new owner as part of the transaction. We will notify you before your information becomes subject to a different privacy policy.
3.4 Aggregated Data
We may share aggregated, anonymized data that does not identify you personally (e.g., "1,000 headshots generated this month") for analytics, marketing, or research purposes.
4. Data Storage and Retention
4.1 Where We Store Data
Your data is stored on secure servers provided by:
- Supabase: User profiles, generation history, and metadata (hosted on AWS)
- Supabase Storage: Uploaded photos and generated headshots
- Vercel: Application hosting and edge caching
Data may be processed and stored in the United States and other countries where our service providers operate.
4.2 How Long We Keep Data
- Account Information: Until you delete your account or after 2 years of inactivity
- Uploaded Photos: Stored until you delete them or close your account
- Generated Images: Stored until you delete them or close your account
- Payment Records: Retained for 7 years for tax and accounting compliance
- Usage Logs: Retained for 90 days for security and debugging
- Anonymized Feedback: Retained indefinitely for product improvement
4.3 Deletion
When you delete images or close your account, we permanently remove your data from our active systems within 30 days. Backup copies may persist for up to 90 days before complete deletion. Payment records are retained as required by law.
5. Data Security
We implement industry-standard security measures to protect your information:
- Encryption: Data encrypted in transit (HTTPS/TLS) and at rest
- Authentication: Secure password hashing and OAuth 2.0 for Google login
- Access Controls: Row-level security policies limit data access to authorized users
- Payment Security: PCI-DSS compliant payment processing via Stripe
- Infrastructure: Hosted on secure, SOC 2 compliant platforms
- Monitoring: Automated security monitoring and intrusion detection
However, no method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials.
6. Your Rights and Choices
6.1 Access and Portability
You have the right to:
- Access your personal information through your account dashboard
- Download your generated images at any time
- Request a copy of your data in a portable format
- View your generation history and credit transactions
6.2 Correction and Updates
You can update your account information (name, email, profile photo) at any time through your account settings.
6.3 Deletion
You have the right to:
- Delete individual uploaded photos or generated images from your account
- Request complete account deletion, which will remove all your personal data (except payment records required by law)
- Withdraw consent for data processing by deleting your account
To delete your account, visit your account settings or contact support@portraitsmith.ai.
6.4 Marketing Communications
We may send you service-related emails (e.g., password resets, payment confirmations). You can opt out of promotional emails by clicking "unsubscribe" in any marketing email or updating your preferences in account settings.
6.5 Do Not Track
Our Service does not currently respond to Do Not Track (DNT) browser signals.
7. International Data Transfers
PortraitSmith operates in the United States. If you access our Service from outside the U.S., your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate.
By using our Service, you consent to the transfer of your information to countries that may have different data protection laws than your country of residence. We take steps to ensure your data receives adequate protection wherever it is processed.
8. Privacy Rights for Specific Jurisdictions
8.1 GDPR (European Users)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):
- Right to Access: Request a copy of your personal data
- Right to Rectification: Correct inaccurate or incomplete data
- Right to Erasure: Request deletion of your data ("right to be forgotten")
- Right to Restriction: Limit how we process your data
- Right to Data Portability: Receive your data in a machine-readable format
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw consent at any time
- Right to Lodge a Complaint: File a complaint with your local data protection authority
Legal Basis for Processing: We process your data based on:
- Contract Performance: To provide the Service you requested
- Consent: For optional features like marketing communications
- Legitimate Interests: For security, fraud prevention, and service improvement
- Legal Obligations: To comply with applicable laws
8.2 CCPA (California Users)
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA):
- Right to Know: Request disclosure of personal information we collect, use, and share
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out: Opt out of the "sale" of personal information (Note: We do not sell personal information)
- Right to Non-Discrimination: Equal service and pricing regardless of privacy choices
Categories of Personal Information We Collect:
- Identifiers (name, email, IP address)
- Commercial information (purchase history, credits)
- Visual information (uploaded photos, generated images)
- Internet activity (usage data, device information)
To exercise your CCPA rights, contact us at support@portraitsmith.ai with "CCPA Request" in the subject line.
9. Children's Privacy
Our Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children under 18. By using our Service, you represent that you are at least 18 years old.
We prohibit uploading images of minors (individuals under 18) to our Service. If you believe we have inadvertently collected information from or about a minor, please contact us immediately at support@portraitsmith.ai, and we will delete such information promptly.
10. Cookies and Tracking Technologies
10.1 What We Use
We use the following technologies to enhance your experience:
- Session Cookies: Essential for authentication and maintaining your login session
- Local Storage: Store user preferences and temporary data
- Analytics: Usage statistics to improve our Service (may include third-party tools)
10.2 Types of Cookies
- Strictly Necessary: Required for core functionality (authentication, security)
- Functional: Remember your preferences and settings
- Performance: Analyze usage patterns and improve performance
10.3 Managing Cookies
You can control cookies through your browser settings. Note that disabling certain cookies may limit functionality of our Service. Most browsers allow you to:
- View and delete cookies
- Block third-party cookies
- Block cookies from specific sites
- Accept or decline all cookies
11. Third-Party Links and Services
Our Service may contain links to third-party websites or integrate with third-party services (e.g., Google OAuth, Stripe payment pages). We are not responsible for the privacy practices or content of these third parties.
We encourage you to review the privacy policies of any third-party services before providing them with your personal information.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:
- We will update the "Last Updated" date at the top of this page
- We will notify you of material changes via email or a prominent notice on our website
- Your continued use of the Service after changes constitutes acceptance
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
13. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Email: support@portraitsmith.ai
Subject Line: Privacy Inquiry
Website: https://portraitsmith.ai
For GDPR-related inquiries, please include "GDPR Request" in your subject line.
For CCPA-related inquiries, please include "CCPA Request" in your subject line.
We will respond to your request within 30 days (or as required by applicable law).
Your Privacy Matters
At PortraitSmith, we are committed to transparency and protecting your privacy. We:
- Never sell your personal information
- Do not use your photos to train AI models
- Encrypt your data in transit and at rest
- Give you full control over your data
- Delete your data when you request it
By using PortraitSmith, you acknowledge that you have read, understood, and agree to this Privacy Policy.