
Privacy Policy — HeadshotCraft

Last Updated: [Launch Date]
Effective Date: [Launch Date]

HeadshotCraft ("we," "us," or "our") is operated by Nextfield Labs LLC, a Wyoming limited liability company. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI headshot generation service at headshotcraft.com (the "Service").

Please read this policy carefully. Because our Service processes facial photographs, we want to be especially transparent about how we handle your data.


1. Information We Collect

1.1 Information You Provide

  • Account Information: When you create an account (via Google OAuth or email), we collect your name, email address, and profile picture (if provided by Google).
  • Payment Information: When you purchase a plan, Stripe processes your payment. We do not store your credit card number, CVV, or full card details. We receive only a truncated card identifier, billing name, and transaction records from Stripe.
  • Uploaded Photographs: You upload selfie photographs for AI headshot generation. This is biometric-adjacent data and we treat it with the highest level of care. See Section 3 for full details.
  • Communications: If you contact us via email or support, we collect the content of those communications.

1.2 Information Collected Automatically

  • Usage Data: Pages visited, features used, number of headshots generated, timestamps.
  • Device & Browser Data: IP address, browser type, operating system, device type, screen resolution.
  • Cookies & Similar Technologies: See our Cookie Policy for details.
  • Analytics: We use Plausible Analytics, a privacy-focused analytics tool that does not use cookies and does not collect personal data.

1.3 Information from Third Parties

  • Authentication Provider: Provides your profile data (name, email, avatar) when you sign in.
  • Stripe: Provides transaction status and subscription details.

2. How We Use Your Information

| Purpose | Legal Basis (GDPR) |
|---------|-------------------|
| Provide the Service (generate headshots from your photo) | Performance of contract |
| Process payments | Performance of contract |
| Send transactional emails (receipts, download links) | Performance of contract |
| Improve the Service and fix bugs | Legitimate interest |
| Analyze usage patterns (anonymized, no personal data) | Legitimate interest |
| Prevent fraud and abuse | Legitimate interest |
| Comply with legal obligations | Legal obligation |
| Send marketing emails (only with your explicit consent) | Consent |

We do NOT use your photographs to train, fine-tune, or improve any AI models.


3. Your Photographs — How We Handle Them

Because our Service involves facial photographs, we hold ourselves to a higher standard of transparency:

3.1 Processing Flow

  1. Upload: Your selfie is uploaded to our secure servers (Cloudflare R2).
  2. Face Detection: We perform client-side face detection (face-api.js) to verify photo quality. This happens in your browser — the face detection data never leaves your device.
  3. AI Generation: Your photo is sent to our AI processing provider (Replicate or fal.ai) to generate professional headshots.
  4. Delivery: Generated headshots are made available for you to view, select, and download.
  5. Deletion: All photos are automatically deleted per the schedule below.

3.2 Photo Retention & Deletion

| Data | Retention | Deletion Method |
|------|-----------|----------------|
| Uploaded selfie | 48 hours | Automatic (Cloudflare R2 lifecycle rule) |
| Generated headshots | 48 hours | Automatic (Cloudflare R2 lifecycle rule) |
| AI processing provider cache | Per provider policy (Replicate: not retained after processing) | Automatic |
| Download links | 48 hours (links expire) | Automatic |

After 48 hours, your original photos and all generated headshots are permanently deleted from our servers. We do not keep copies.

3.3 What We Do NOT Do With Your Photos

  • ❌ We do NOT use your photos to train AI models.
  • ❌ We do NOT sell or share your photos with advertisers.
  • ❌ We do NOT use facial recognition to identify you.
  • ❌ We do NOT create biometric templates or faceprints from your photos.
  • ❌ We do NOT retain your photos beyond the 48-hour window.

3.4 Early Deletion

You can request immediate deletion of your photos at any time by:

  • Clicking "Delete My Photos" in your account dashboard, or
  • Emailing contact@headshotcraft.com

We will delete all your photos within 1 hour of receiving the request.


4. Biometric Data Notice

4.1 Illinois BIPA Compliance

Although we do not create or store biometric identifiers or biometric information as defined under the Illinois Biometric Information Privacy Act (BIPA), we provide this notice out of an abundance of caution:

  • We process facial photographs solely to generate AI headshots.
  • We do not extract, collect, or store biometric identifiers (e.g., faceprints, face geometry scans).
  • Client-side face detection is used only to verify photo quality and runs entirely in your browser.
  • All photos are deleted within 48 hours.

4.2 Other State Biometric Laws

We comply with biometric data laws in Texas (CUBI), Washington (HB 1493), and other applicable jurisdictions by:

  • Not collecting biometric identifiers.
  • Deleting all facial photographs within 48 hours.
  • Providing clear notice of our photo handling practices (this section).

5. How We Share Your Information

We do not sell your personal information. We share data only with:

| Recipient | Purpose | Data Shared |
|-----------|---------|------------|
| Replicate / fal.ai | AI headshot generation | Uploaded photos (temporarily, deleted after processing) |
| Stripe | Payment processing | Billing info, transaction data |
| Cloudflare | Hosting, CDN, temporary photo storage | Usage data, photos (48h) |
| Plausible Analytics | Privacy-focused usage analytics | Anonymized page views (no personal data, no cookies) |
| Law Enforcement | If legally required | As required by applicable law |


6. Your Rights

6.1 For All Users

  • Access: Request a copy of your personal data.
  • Deletion: Request deletion of your account and all associated data (photos are auto-deleted in 48h regardless).
  • Correction: Update or correct your personal information.
  • Data Export: Download your data in a machine-readable format.
  • Photo Deletion: Request immediate deletion of your photos at any time.

6.2 EEA/UK Residents (GDPR)

In addition to the above:

  • Right to restrict processing
  • Right to data portability
  • Right to object to processing based on legitimate interest
  • Right to withdraw consent at any time
  • Right to lodge a complaint with your local Data Protection Authority

Data Protection Contact: privacy@headshotcraft.com
Response Time: Within 30 days.

6.3 California Residents (CCPA/CPRA)

  • Right to Know what personal information we collect and how it's used.
  • Right to Delete your personal information.
  • Right to Opt-Out of Sale — we do not sell your personal information.
  • Right to Non-Discrimination for exercising your privacy rights.
  • Right to Limit Use of Sensitive Personal Information — we only use your photos to provide the Service.

6.4 Exercising Your Rights

Email: contact@headshotcraft.com
Or use the self-service options in your account settings.


7. Data Retention

| Data Type | Retention Period |
|-----------|-----------------|
| Account information | Until you delete your account |
| Uploaded photos | 48 hours (auto-deleted) |
| Generated headshots | 48 hours (auto-deleted) |
| Payment records | 7 years (legal/tax requirement) |
| Analytics data | Plausible does not store personal data |
| Support communications | 2 years |


8. Data Security

  • All data in transit is encrypted via TLS/HTTPS.
  • Photos are stored in Cloudflare R2 with access controls and 48h auto-expiry.
  • Payment data is handled entirely by Stripe (PCI DSS Level 1 compliant).
  • Client-side face detection means facial analysis data never reaches our servers.
  • Access to production systems is restricted to authorized personnel only.

No method of transmission or storage is 100% secure. If you discover a security vulnerability, please report it to contact@headshotcraft.com.


9. International Data Transfers

Our servers are located in the United States. If you access the Service from outside the US, your data will be transferred to and processed in the US. For EEA/UK users, we rely on Standard Contractual Clauses (SCCs) where applicable. Our service providers maintain their own compliant data transfer mechanisms.


10. Children's Privacy

The Service is not directed to children under 16. We do not knowingly collect personal information from children under 16. If we learn that we have collected data from a child under 16, we will delete it promptly. Contact us at contact@headshotcraft.com.


11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the updated policy with a new "Last Updated" date.
  • Sending an email notification for significant changes (if you have an account).

Your continued use of the Service after changes constitutes acceptance of the updated policy.


12. Contact Us

Nextfield Labs LLC
Email: contact@headshotcraft.com
Website: headshotcraft.com


This privacy policy is provided for informational purposes and does not constitute legal advice. For specific legal questions, consult a qualified attorney.

© 2026 HeadshotCraft. All rights reserved.