Data Processing Agreement
This DPA forms part of our Terms when you (Controller) submit personal data to FreeHeadshot (Processor) — most commonly your uploaded photos. It satisfies Article 28 of the EU GDPR and the equivalent UK GDPR provisions.
1. Definitions
Terms in this DPA have the meanings given in the EU GDPR. “Personal data”, “processing”, “data subject”, “controller”, “processor”, and “sub-processor” carry their statutory meanings.
2. Roles
- Controller: you, the FreeHeadshot user (whether an individual or a business).
- Processor: FreeHeadshot.org.
3. Subject matter and duration
FreeHeadshot processes personal data only as necessary to:
- Generate AI headshots from photos you upload.
- Maintain your account if you create one.
- Process billing if you purchase a Premium tier.
- Enforce our Acceptable Use Policy.
- Comply with legal obligations.
Processing lasts as long as you use the service. Retention windows for specific data types are listed in our Privacy Policy §3.
4. Categories of data subjects and personal data
| Data subject | Categories of data |
|---|---|
| End user (you) | Email, account profile, billing record metadata, generation history, IP+UA hash, anonymous cookie ID |
| Subject of uploaded photo (typically also you) | Facial image, face embedding (in-memory only), generated derivative images |
5. Processor obligations
FreeHeadshot will:
- Process personal data only on documented instructions from you (including via the product interface).
- Ensure all personnel with access to personal data are bound by confidentiality obligations.
- Implement appropriate technical and organizational measures (see §8) per GDPR Article 32.
- Only engage sub-processors that meet the standards of this DPA, and maintain an up-to-date sub-processor list (see §7).
- Assist you in fulfilling data-subject rights requests (access, deletion, portability, etc.).
- Notify you of any personal-data breach within 72 hours of becoming aware, per GDPR Article 33.
- Delete or return all personal data at the end of services, except where required by law to retain it.
- Make available all information necessary to demonstrate compliance with this DPA and allow reasonable audits.
6. Controller obligations
You confirm that:
- You have a lawful basis (GDPR Article 6) for the personal data you submit.
- Where the data includes biometric/face data (Article 9 special-category data), you have explicit consent from each data subject.
- You will not use the service for purposes prohibited by our Acceptable Use Policy.
7. Sub-processors
FreeHeadshot uses the following sub-processors. By accepting this DPA you provide general authorization for these sub-processors. We will give 30 days' notice before adding new ones; you may object in writing.
| Sub-processor | Purpose | Location |
|---|---|---|
| Vercel Inc. | Hosting + edge network | US / EU regions |
| Supabase Inc. | Managed Postgres + auth | EU (Frankfurt) region for our project |
| Google LLC (Gemini API) | AI image generation (in-request only) | US / Global |
| Replicate Inc. | Fallback AI inference | US |
| Cloudflare Inc. | DNS, CDN, edge traffic | Global edge network |
| Creem (payment processor) | Payment processing for Premium tiers | EU / Global |
8. Technical and organizational measures
FreeHeadshot maintains the following measures (non-exhaustive):
- TLS 1.3 for all data in transit.
- AES-256 at rest via the underlying storage provider.
- Access to production limited to the operator account; multi-factor authentication required.
- Automated job that deletes uploaded photos and generated bytes within 24 hours.
- Face embeddings processed in memory and discarded at end of request — never persisted.
- Row-level security on all user-keyed Postgres tables.
- Audit logs retained for 90 days minimum.
- Annual review of sub-processor compliance.
9. International transfers
Some of our sub-processors operate outside the EU/EEA. Transfers are governed by the European Commission's Standard Contractual Clauses (2021/914) or equivalent UK SCCs. Where a sub-processor is established in a country with an adequacy decision, that adequacy basis applies.
10. Data-subject rights
FreeHeadshot will assist you in responding to data-subject rights requests within the GDPR statutory deadlines. End users may also exercise their rights directly with FreeHeadshot via [email protected].
11. Liability
Each party's liability under this DPA is subject to the overall liability cap in our Terms of Service, except where capped liability is prohibited by applicable data-protection law.
12. Term and termination
This DPA is effective from your first use of the service and remains in force as long as we process personal data on your behalf. On termination, we delete personal data per Privacy Policy §3 retention windows.
13. Governing law
This DPA is governed by the law applicable to our Terms of Service, but EU/UK statutory data-protection rights apply regardless of governing law.
14. Signature / acceptance
Acceptance of this DPA is recorded by your continued use of the service after the “Last updated” date at the top of this page. If your organization requires a countersigned copy on letterhead, email [email protected] with the subject “DPA countersignature request” — we'll send a PDF version within 5 business days.
15. Contact
Email: [email protected]
Form: /contact
Questions? Email [email protected]. We reply within 24 hours on weekdays.