FreeHeadshot logo
FreeHeadshot.org

Data Processing Agreement

Last updated: 2026-05-21·Email us with questions

This DPA forms part of our Terms of Service. It applies whenever you submit personal data to FreeHeadshot.org and we process it on your behalf, which in practice means the photo you upload. It is written to satisfy Article 28 of the EU GDPR, the equivalent UK GDPR provisions, and the service-provider requirements of the California CPRA.

1. Overview & when this applies

Most people who use FreeHeadshot are generating a headshot of themselves. In that case you are both the person whose data is processed and the person asking us to process it, and a formal processor agreement is a nice-to-have rather than a strict legal need. But the moment you use FreeHeadshot on behalf of an organization, or you upload a photo of someone else (an employee, a client, a team member), GDPR treats you as the data controller and us as your data processor. This DPA is the contract that governs that relationship.

It is incorporated into our Terms of Service by reference. Where this DPA and the Terms conflict on a data-protection point, this DPA wins.

2. Definitions

Capitalized terms not defined here take the meaning given in the EU GDPR. In particular, personal data, processing, data subject, controller, processor, sub-processor, special-category data, and supervisory authority carry their statutory meanings. Biometric data means personal data resulting from specific technical processing of physical characteristics that allow or confirm unique identification, which is the category a face photo can fall into. SCCsmeans the European Commission's Standard Contractual Clauses (Implementing Decision 2021/914) and, for the UK, the ICO's International Data Transfer Addendum.

3. Roles: controller and processor

  • Controller: you, the FreeHeadshot user, whether an individual acting for an organization or a business account.
  • Processor: FreeHeadshot.org.
  • Sub-processors: the vendors listed in §9 that we engage to deliver the service.

We do not determine the purposes of the processing. You decide what photo to upload and what to do with the result. We only act on your instructions, as described in §6.

4. Subject matter, scope & duration

The subject matter is the processing of personal data needed to provide the FreeHeadshot service. We process personal data only to:

  • Generate AI headshots from the photo you upload.
  • Run safety and content checks required to operate the service responsibly.
  • Maintain your account and generation history if you create an account.
  • Process payment if you buy a paid tier.
  • Enforce our Acceptable Use Policy and prevent abuse.
  • Comply with our legal obligations.

Processing continues for as long as you use the service. Specific retention windows by data type are set out in our Privacy Policy. The headline is short: your source photo is processed in memory only and is never written to disk, and generated images are deleted within 24 hours unless you are signed in and choose to keep them in your private gallery.

5. Data subjects & data categories

Data subjectCategories of personal dataHow long we hold it
The end user (account holder)Email, display name, billing record metadata, generation history, anonymous cookie ID, hashed IP + user-agentLife of the account; see Privacy Policy
The person in the uploaded photo (usually the user)Facial image (potential biometric / special-category data), the generated derivative imagesSource photo: in-memory only, never stored. Outputs: 24h, or in your gallery if signed in

6. Processing on your instructions

We process personal data only on your documented instructions, including instructions you give through the product interface (uploading a photo, picking a style, clicking generate), unless we are required to process it by EU or member-state law. If a law requires us to process beyond your instructions, we will tell you before doing so unless that law prohibits the notice on important grounds of public interest. If we believe an instruction infringes the GDPR, we will inform you.

7. Our obligations as processor

FreeHeadshot will:

  • Process personal data only on your documented instructions (§6).
  • Ensure that everyone authorized to process the data is bound by a duty of confidentiality.
  • Implement and maintain the technical and organizational measures in §11, as required by Article 32.
  • Engage sub-processors only under §9, and impose data-protection terms on them that are no less protective than this DPA.
  • Assist you, by appropriate measures, in responding to data-subject rights requests (§13).
  • Assist you with your obligations under Articles 32 to 36 (security, breach notification, DPIAs), taking into account the information available to us (§12 and §14).
  • Notify you without undue delay, and in any case within 72 hours, after becoming aware of a personal-data breach (§12).
  • At your choice, delete or return all personal data at the end of the services, and delete existing copies unless storage is required by law (§15).
  • Make available the information necessary to demonstrate compliance with Article 28 and allow for and contribute to audits (§16).

8. Your obligations as controller

You confirm and agree that:

  • You have a lawful basis under Article 6 for the personal data you submit.
  • Where the photo includes biometric or other special-category data under Article 9, you have obtained explicit consent from each data subject, or you rely on another valid Article 9 condition.
  • If you upload a photo of someone other than yourself, you have that person's permission and the right to do so.
  • Your instructions to us comply with data-protection law.
  • You will not use the service for anything prohibited by our Acceptable Use Policy, including generating images of a person without their consent.

9. Sub-processors

You give general written authorization for us to engage the sub-processors below. We impose data-protection obligations on each of them through their own terms or a DPA. We will give at least 30 days' notice before adding or replacing a sub-processor (by updating this page and, for account holders, by email where practical), during which you may object in writing on reasonable data-protection grounds.

Sub-processorPurposeRegion
Google LLC (Gemini 2.5 Flash Image API)The AI model that generates the headshot, used per request only. We are an independent service and not affiliated with Google.US / Global
Vercel Inc.Application hosting and edge/serverless computeUS / EU regions
Supabase Inc.Managed Postgres database and authenticationEU (Frankfurt) for our project
Cloudflare, Inc.DNS, CDN, TLS, web application firewall, and bot protection (Turnstile)Global edge network
Cloudflare R2 / S3-compatible storageStores generated headshots for signed-in users (source selfies are never stored here)Global
Creem (merchant of record)Payment processing for paid tiersEU / Global
Stripe, Inc.Card capture and processing, embedded by Creem at checkoutUS / Global
Resend (Plyn, Inc.)Transactional email (sign-in codes, receipts, account notices)US

10. International data transfers

Some sub-processors operate outside the EU/EEA and the UK. Where personal data is transferred to a country without an adequacy decision, the transfer is governed by the EU Standard Contractual Clauses (2021/914) and, for UK data, the ICO International Data Transfer Addendum, together with any supplementary measures identified by a transfer impact assessment. Where a sub-processor is in a country covered by an adequacy decision (for example a participant in the EU-US Data Privacy Framework), that adequacy basis applies instead.

11. Security measures (Article 32)

We maintain technical and organizational measures appropriate to the risk, including (without limitation):

  • Encryption in transit: TLS 1.3 on all connections.
  • Encryption at rest: AES-256 for stored generated images, handled natively by the storage provider.
  • In-memory source handling: uploaded photos are processed in memory and never written to durable storage; face embeddings are discarded at the end of the request.
  • Automatic deletion: generated outputs for anonymous users are deleted within 24 hours.
  • Access control: production access is limited to the operator account and protected by multi-factor authentication.
  • Database isolation: row-level security on every user-keyed table, so accounts cannot read each other's data.
  • Abuse protection: rate limiting keyed on the real visitor IP, a bot challenge (Cloudflare Turnstile) on anonymous generations, and content moderation before generation.
  • Logging: audit logs retained for a minimum of 90 days.
  • Vendor review: at least an annual review of sub-processor security posture.

12. Personal-data breach notification

If we become aware of a personal-data breach affecting data we process for you, we will notify you without undue delay and within 72 hours. The notice will describe, to the extent known, the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures we have taken or propose to take. We will help you meet your own notification duties to supervisory authorities and data subjects under Articles 33 and 34.

13. Assisting with data-subject rights

Taking into account the nature of the processing, we will assist you with appropriate technical and organizational measures, insofar as possible, to respond to requests from data subjects exercising their rights of access, rectification, erasure, restriction, portability, and objection. Because we hold so little (no face embeddings, and source photos that never persist), most requests are simple to satisfy. Account holders can also export or delete their data directly from their dashboard, and anyone can email us at [email protected].

14. DPIA & prior consultation

Where your processing is likely to result in a high risk and you must carry out a Data Protection Impact Assessment under Article 35, or consult a supervisory authority under Article 36, we will provide reasonable assistance and the information available to us. We maintain our own internal DPIA for the face-generation workflow and can share a summary on request.

15. Return & deletion of data

On termination of the services, or at your request, we will delete or (at your choice) return the personal data we process for you and delete existing copies, unless EU or member-state law requires us to keep it. In practice there is very little to return: source photos were never stored, and generated outputs are short-lived or sit in your own deletable gallery. Retention windows are listed in the Privacy Policy.

16. Audits & proof of compliance

We will make available the information reasonably necessary to demonstrate compliance with Article 28 and this DPA. For most customers, this page plus our Privacy Policy and security summary are sufficient. Where a documented audit is genuinely required, we will cooperate with a reasonable audit (including inspection) conducted by you or an independent auditor you mandate, on reasonable prior notice, no more than once per year except where required by a supervisory authority, and subject to confidentiality.

17. California (CPRA) terms

For data subject to the California Consumer Privacy Act as amended by the CPRA, we act as a service provider. We do not sell or share personal information, and we do not retain, use, or disclose it for any purpose other than performing the service for you, or as otherwise permitted by the CPRA. We will not combine your data with data from other sources except as the CPRA allows. You retain the right to take reasonable steps to ensure we use personal information consistently with your CPRA obligations.

18. Liability

Each party's liability under this DPA is subject to the overall limitation of liability in our Terms of Service, except to the extent applicable data-protection law does not permit that cap, in which case the statutory position applies.

19. Term, termination & precedence

This DPA takes effect from your first use of the service and stays in force for as long as we process personal data on your behalf. It terminates automatically when that processing ends, after which §15 applies. This DPA prevails over any conflicting data-protection term in the Terms of Service.

20. Acceptance & signed copies

Acceptance is recorded by your continued use of the service after the “Last updated” date at the top of this page. If your organization needs a countersigned copy on letterhead for its records, email [email protected]with the subject “DPA countersignature request” and we will send a PDF within 5 business days.

21. Contact

Questions about this DPA, our sub-processors, or a transfer mechanism? We're happy to help.

Email: [email protected]
Contact form: freeheadshot.org/contact
Related: Privacy Policy · Terms of Service · Acceptable Use · Refund Policy

Questions? Email [email protected]. We reply within 24 hours on weekdays.

Open the studio