Privacy Policy

1. Introduction

Welcome to PortraitWiz. We are committed to protecting your privacy and personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable data protection laws.

This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use our AI-powered portrait generation service. It also describes your rights regarding your personal data and how to exercise them.

Please read this Privacy Policy carefully. If you do not agree with our practices, please do not use the Service.

3. What Personal Data We Collect

We collect different types of personal data depending on how you interact with our Service.

3.1 Account and Authentication Data

What we collect:

• Name (from Google OAuth profile)
• Email address (from Google OAuth profile)
• Profile picture (from Google OAuth - optional)
• Google account identifier (for authentication)
• Account creation date and time
• Last login date and time

How we collect it: Directly from you when you connect your Google account to create an account.

Legal basis: Performance of contract - necessary to create and manage your account.

3.2 Biometric Data (Special Category Data)

What we collect:

• Facial photographs you upload for portrait generation
• Facial features and biometric identifiers extracted from your photos
• Facial geometry data used for AI processing

How we collect it: Directly from you when you upload photos to generate portraits.

Legal basis: Explicit consent (Article 9(2)(a) GDPR) - biometric data is special category data under Article 9(1) and requires your explicit, separate consent.

Important: This is the most sensitive data we process. We treat it with the highest level of protection and delete it quickly (see Section 6 for retention).

3.3 Payment and Billing Data

What we collect:

• Subscription plan selected
• Payment method type (credit card brand, last 4 digits)
• Billing name and address
• Transaction history (dates, amounts, payment status)
• Stripe customer identifier
• Currency and region

What we DON'T collect: We do not store full credit card numbers, CVV codes, or complete payment credentials. These are processed and stored securely by Stripe, our PCI-DSS compliant payment processor.

4. How We Use Your Personal Data

We use your personal data only for specified, explicit, and legitimate purposes. We will not use your data in ways incompatible with these purposes.

4.1 To Provide the Service (Performance of Contract)

• Create and manage your account: Authentication, login, account settings
• Process portrait generation: Analyze your uploaded photos using AI to create portraits
• Deliver generated portraits: Store and provide access to your generated images
• Manage subscriptions: Process payments, allocate credits, handle renewals
• Communicate about the Service: Send transactional emails (receipts, generation confirmations, subscription updates)
• Provide customer support: Respond to your inquiries and resolve issues

4.2 Based on Your Explicit Consent

• Process biometric data: Extract facial features from your photos for AI portrait generation
• Send marketing communications: Promotional emails about new features or offers (you can opt out)

You can withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

4.3 What We Do NOT Do With Your Data

We NEVER:

• Sell your personal data to third parties
• Use your uploaded photos to train our AI models or any other AI models
• Share your photos or generated portraits publicly without your permission
• Use your biometric data for facial recognition or identification beyond portrait generation
• Use your data for automated decision-making with legal or similarly significant effects
• Share your data with third parties for their own marketing purposes

6. Data Retention - How Long We Keep Your Data

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including legal, accounting, and reporting requirements.

6.1 Biometric Data - Shortest Retention

Uploaded Photographs:

• Retention period: 24-48 hours maximum after portrait generation
• Automatic deletion: Photos are automatically and permanently deleted from all systems after processing
• Early deletion: You can request immediate deletion at any time during the processing period

Extracted Biometric Features:

• Retention period: Immediately after portrait generation (seconds to minutes)
• Purpose: Used only during the active generation process
• Storage: Never permanently stored - deleted as soon as processing completes

Why such short retention? Biometric data is highly sensitive. We minimize risk by keeping it for the absolute minimum time necessary.

7. Who We Share Your Data With

We share your personal data only when necessary to provide the Service, comply with law, or protect rights and safety. We never sell your data.

7.1 Essential Service Providers (Data Processors)

Google LLC (Gemini AI API)

• Purpose: AI portrait generation processing
• Data shared: Uploaded photographs, facial images
• Location: EU data centers (we use EU regional endpoints)
• Safeguards: Your photos are NOT used to train Google's AI models (paid tier guarantee)

Stripe Technology Europe Limited

• Purpose: Payment processing, subscription management
• Data shared: Payment information, billing details, transaction history
• Location: Established in Ireland (EU)
• Safeguards: PCI-DSS Level 1 compliant

Supabase, Inc.

• Purpose: Database, authentication, file storage
• Data shared: Account data, authentication tokens, generated portraits, usage data
• Location: We use EU regions for data residency
• Safeguards: SOC 2 Type 2 compliant, encryption at rest and in transit

9. Data Security Measures

We implement comprehensive technical and organizational security measures to protect your personal data against unauthorized access, loss, misuse, or alteration.

9.1 Technical Security Measures

Encryption:

• Data encrypted in transit using TLS 1.3 (Transport Layer Security)
• Data encrypted at rest using AES-256 encryption
• Database encryption with encrypted backups
• Secure key management practices

Access Controls:

• Role-based access control (RBAC) limiting data access to authorized personnel only
• Multi-factor authentication (MFA) required for administrative access
• Principle of least privilege - minimum necessary access
• Regular access reviews and audits

9.2 Specific Protections for Biometric Data

Given the sensitivity of biometric data, we implement enhanced protections:

• Biometric data encrypted with strongest available algorithms
• Processed in isolated, secure environments
• Automatic deletion within 24-48 hours (cannot be recovered)
• Never transmitted to unauthorized systems
• Minimal retention principle strictly enforced

10. Your Rights Under GDPR

As a data subject under GDPR, you have extensive rights regarding your personal data. These rights are guaranteed by law and can be exercised free of charge.

10.1 Right of Access (Article 15)

What it means: You have the right to obtain confirmation of whether we process your personal data and, if so, receive a copy of it.

10.2 Right to Rectification (Article 16)

What it means: You have the right to correct inaccurate personal data and complete incomplete data.

10.3 Right to Erasure / “Right to be Forgotten” (Article 17)

What it means: You have the right to request deletion of your personal data in certain circumstances.

10.4 Right to Data Portability (Article 20)

What it means: You have the right to receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.

10.5 Right to Object (Article 21)

What it means: You have the right to object to processing based on legitimate interests or for direct marketing.

10.6 Right to Lodge a Complaint

What it means: You have the right to complain to a supervisory authority if you believe we are processing your data unlawfully.

Primary Supervisory Authority (Latvia):

• Data State Inspectorate (Datu valsts inspekcija)
• Address: Elijas iela 17, Rīga, LV-1050, Latvia
• Phone: +371 67 22 31 31
• Email: info@dvi.gov.lv
• Website: https://www.dvi.gov.lv/en

11. Children's Privacy

Minimum Age: 18 years old

PortraitWiz is not intended for and may not be used by individuals under 18 years of age. We do not knowingly collect personal data from anyone under 18.

If you are a parent or guardian and believe your child under 18 has provided us with personal data, please contact us immediately and we will delete the account and all associated data promptly.

12. Cookies and Tracking Technologies

We use cookies and similar technologies to provide, improve, and protect our Service.

Strictly Necessary Cookies

• Authentication cookies (keep you logged in)
• Security cookies (CSRF protection, session management)
• Preference cookies (user settings)

Third-Party Cookies

• Stripe: Payment processing and fraud detection
• Google: OAuth authentication cookies

We do NOT use:

• Advertising cookies
• Social media tracking cookies (beyond authentication)
• Cross-site tracking cookies

17. Updates to This Privacy Policy

We may update this Privacy Policy to reflect changes in law, new features, or changes in data processing practices.

For material changes:

• Email notification to all users at least 30 days before effective date
• Prominent banner in the Service
• Summary of key changes

Continued use after effective date constitutes acceptance of updated Privacy Policy.

18. Contact Us

For privacy questions, data subject rights requests, or security concerns, please contact us:

• General Privacy Inquiries: support@portraitwiz.com
• Data Subject Rights: support@portraitwiz.com
• Security Concerns: support@portraitwiz.com

Response time: Within 1 month for data subject rights requests, within 5 business days for general inquiries.