FreeHeadshot logo
FreeHeadshot.org

Privacy Policy

Last updated: 2026-05-18·Email us with questions

This page explains exactly what data FreeHeadshot collects, why we collect it, how long we keep it, and who else gets to see it. It is intentionally specific. We process face photos, which under GDPR and several US state laws is treated as a special category of personal data, and we owe you the most direct possible explanation of what we do with it.

The 30-second version

If you read nothing else, read this list. Every claim here is repeated in detail further down, with the lawful basis attached.

  • Uploaded photos travel over HTTPS, get processed once for your generation, and disappear from our servers within 24 hours.
  • Face data (the math signature the AI model uses to recognize you) is computed in memory during a single generation request and discarded the instant the request finishes. We never write it to a database, never persist it, and never reuse it across sessions.
  • We do not train any AI model on user photos. Ever. The models we use are pretrained by Google and other vendors. Your face is not training data.
  • If you create an account we keep your email, plan status, and a short metadata trail of your generations (style picked, timestamps, image counts). We do not keep the generated image bytes on our servers beyond a short delivery window.
  • We do not sell personal data. We do not share it with advertisers or data brokers. We do not load Google AdSense or Facebook Pixel anywhere on the site.
  • You can email [email protected] at any time to get a copy of your data, delete it, or opt out of anything. We reply within 24 hours on weekdays.

Who runs this site

FreeHeadshot.org is operated by a small team you can reach at [email protected]. The legal controller for the data you submit on this site is the entity behind that email address. If you are a EU/EEA resident and need a formal name for a GDPR Article 30 record, write to that address and we will provide the legal entity and registered service-address information on request.

For routine privacy contacts (data subject requests, deletion, complaints), the same email is the fastest path. We do not run a separate ticketing system that buries privacy questions inside support workflows. Privacy mail goes to a human inbox.

What we collect

Three categories. Nothing else. If you can think of a category we collect that is not in this list, please email us so we can either add it or stop collecting it.

1. The photo or photos you upload

When you use the studio at /studio, you submit one or more photos. Until the moment you press Generate, the photo lives only on your device. When you press Generate, your browser uploads it over HTTPS to our server, which immediately forwards it to Google's Gemini API for image generation, then returns the generated images to your browser. The original photo and the generated images are stored on our infrastructure only as long as needed to complete delivery, with a hard maximum of 24 hours.

2. Account data (only if you create an account)

Most users never need to. The free tier requires no account. If you upgrade to a paid tier or sign in for any reason, we store: your email address, the plan you are on, a Supabase user identifier, and a small history of generation events (style chosen, time, success or failure, an image count). We do not store generated image bytes in your account history beyond a short window after each generation.

3. Technical and payment data

Standard request metadata that every website receives: IP address, user agent, the referring URL, the path you hit, response status, response time. We keep these as security logs for 30 days, then they get rotated out. If you pay, our processor Creem sees the card details. We never see card numbers, only the last four digits and a customer ID for receipts.

How we treat face data specifically

Face images are biometric data when used to identify or distinguish a person. Under GDPR Article 9 they are a special category of personal data. Under several US state laws including California's CPRA, Illinois BIPA, Texas CUBI, and the Washington My Health My Data Act, biometric identifiers carry extra obligations on companies that process them. We follow these rules in practice, not just on paper.

Concretely, this is how a face photo moves through our system:

  1. You hit Generate. Your browser uploads the photo over a TLS 1.3 connection to our Vercel-hosted endpoint.
  2. The endpoint immediately forwards the photo to Google's Gemini 2.5 Flash Image API. The forwarding is server-to-server over Google's encrypted endpoint.
  3. Gemini returns generated image bytes to our server.
  4. Our server runs post-processing in memory (cropping, light tone correction, optional watermark). The post-processing is deterministic image math, not AI.
  5. The finished images are returned to your browser in the response body. Your browser displays them.
  6. The original photo and any temporary intermediate files are wiped from our infrastructure within 24 hours of upload. Most are wiped within minutes; 24 hours is the contractual maximum.
  7. Any face embedding (a high-dimensional vector representation of your facial features) that exists inside the Gemini pipeline lives only inside that single generation request and is gone when the request returns. We do not extract embeddings on our side and we do not store them.

Why we're allowed to process face data

Under GDPR we rely on two lawful bases that have to coexist for biometric processing:

  • Article 6(1)(b) — contract performance. You asked us to generate a headshot. We cannot do that without processing the photo. The processing is necessary to deliver the service you requested.
  • Article 9(2)(a) — explicit consent. Because face data is special-category data, contract performance alone is not enough. The act of uploading a photo into the studio with knowledge of how the system works (which is what this page exists to communicate) constitutes explicit consent for the single, narrowly-scoped purpose of generating your headshots. You can withdraw that consent at any time by closing the page before Generate, or by emailing us afterward to demand deletion of any residual data.

Under US frameworks (CCPA/CPRA, BIPA, CUBI, MHMDA) we rely on the user-initiated nature of the upload. You are the data subject, you are the one initiating the processing, and the processing is necessary to deliver the result you requested. Where a state law requires an explicit written release for biometric processing (Illinois BIPA is the strictest), the act of submitting the photo with awareness of this policy satisfies the written-release requirement under the same logic.

How long anything sticks around

This is a question we get often, so it gets a table. All durations are maximums. In practice we delete sooner.

WhatHow long we keep itWhy
Your uploaded photo24 hours maximum, usually under one hourDelivery and re-download buffer; then auto-deleted by a cron job
Generated images (server copy)24 hours maximumSame delivery buffer
Generated images on your deviceUp to youWe have no copy of these once you have downloaded
Face embeddingsZero seconds beyond the generation callWe do not extract or persist embeddings
Generation metadata (style, time, count)While your account is active, plus 90 days after closureCustomer support, fraud prevention, quota accounting
Account email and Supabase user IDUntil you ask us to deleteAuthentication, contacting you about your purchase
Payment metadata (last 4, Creem ID)7 yearsTax and chargeback record requirements
Server access logs (IP, user agent, route)30 daysSecurity, debugging, abuse investigation
Email correspondence with our support address3 yearsOngoing customer relationship and audit trail

Other companies that touch the data

We use a small number of third-party services to run the site. Each one is bound by a data processing agreement that mirrors the commitments we make to you. We list every one of them by name so you know exactly who has access to what.

  • Google LLC (Gemini API) processes the uploaded photo in transit to perform the actual image generation. Google's API terms commit to not retaining customer content longer than the service requires and not using it to train Google's models. Region of processing: Google's global edge.
  • Vercel Inc. hosts the application and runs our serverless functions. They see traffic logs, function execution data, and the request bodies that pass through their edge. Region: Frankfurt (eu-central) for European visitors, US East for North American visitors, automatically selected.
  • Cloudflare Inc. sits in front of our DNS as a CDN and DDoS shield. They see the same request metadata as Vercel. Cloudflare's data processing addendum is in place.
  • Supabase Inc. hosts the database that stores your email, plan, and generation metadata when you have an account. Region: EU-central. Encrypted at rest.
  • Creem GmbH processes payments. They see card data, billing address, and the transaction amount. We see only the last four card digits and a Creem customer reference. Region: EU.
  • Vercel Web Analytics records anonymous page-view counts. No cookies, no cross-site identifiers. You can opt out of analytics in your browser by enabling Do Not Track.

We don't train on user faces

This is the single most common question we get, so it gets its own section. We do not train, fine-tune, or otherwise improve any machine-learning model using photos that users submit. Not the Gemini model, which we do not control and which Google does not train on customer content under its API terms. Not any downstream model. Not any future model we might build. Not under any commercial pressure. The infrastructure to do so does not exist on our side, and we will not build it.

Where we do use AI training data, it was assembled by the model vendor (Google, in the case of Gemini) from public sources before we ever became their customer. Our role is to call their API, not to train it.

Your rights under GDPR

If you are a resident of the EU, EEA, UK, or Switzerland, GDPR and UK GDPR give you a set of rights against any organization that processes your personal data. Here is the full list and the request channel for each:

  • Right of access — you can ask for a copy of all the data we hold about you. We deliver this within 30 days, usually within 48 hours.
  • Right of rectification — if anything we hold is wrong, you can have it corrected.
  • Right of erasure (right to be forgotten) — you can demand we delete your data. We delete within 30 days unless we have a legal obligation to keep specific records (payment records are required for 7 years by EU tax law).
  • Right to restrict processing — you can ask us to freeze your data in place without deleting it, useful while a dispute is being resolved.
  • Right to data portability — you can ask for your data in a structured machine-readable format (JSON) so you can take it elsewhere.
  • Right to object — you can object to specific processing activities. There are almost none of these on our side because we do not run profiling or direct marketing.
  • Right to withdraw consent — for biometric processing specifically, you can withdraw consent at any time. Doing so prevents future processing but does not undo the generation you already received.
  • Right to lodge a complaint — you can file a complaint with your national data protection authority. We would obviously rather hear from you first so we can fix the problem, but you do not need our permission to contact your regulator.

All of these requests go to [email protected] with the subject line "GDPR request" so we route them quickly. We do not charge for any of them.

US state privacy rights

Several US states give residents rights that overlap with but are not identical to GDPR. The list keeps growing. If you live in one of these states, you have at minimum the rights below. If you live in a state not listed here that has its own privacy law, the same rights almost certainly apply and we will honor them.

  • California (CCPA/CPRA) — right to know what we collect, right to delete, right to correct, right to opt out of sale and sharing (we do not sell or share for cross-context behavioral advertising), right to limit use of sensitive personal information (we already limit face data to the single use described above), right to opt out of automated decision-making technology (ADMT) under the 2025 CPPA regulations.
  • Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, Tennessee, Iowa, Indiana, Delaware, Florida, New Jersey, New Hampshire, Minnesota, Maryland, Kentucky, Rhode Island and any state whose comprehensive privacy law has come into force — equivalent rights apply.
  • You can exercise any of these by emailing the same address. We do not require you to create an account, fill out a form, or submit ID for any request that does not require identity verification.

Illinois BIPA and Texas CUBI specifically

Two state laws on biometric data deserve their own paragraph because they carry the most aggressive enforcement history.

Illinois Biometric Information Privacy Act (BIPA). If you live in Illinois, your face data is a biometric identifier under BIPA. We process it only for the single purpose of generating your headshots. We do not retain it beyond the duration of the generation request. We do not disclose it to any third party except Google's Gemini API for the sole purpose of performing the generation you requested. The act of uploading a photo through our studio constitutes the written release BIPA requires. You can revoke that release by emailing us, in which case we will permanently destroy any residual data we may hold. We will not sell or trade your biometric data under any circumstance.

Texas Capture or Use of Biometric Identifier Act (CUBI). The same commitments apply. We capture biometric identifiers only with your informed consent (provided by uploading a photo with awareness of this policy), we use them only for the requested generation, and we do not retain them beyond the time reasonably necessary.

International data transfers

Some of our processors are based in the United States. Where your data is transferred from the EU/EEA to the US, the transfer relies on the EU-US Data Privacy Framework certifications held by Google, Vercel, and Cloudflare, plus Standard Contractual Clauses as a backup mechanism. We have signed SCCs with every processor that transfers EU data outside the EEA. You can request copies of the relevant SCCs by email.

Children and age

FreeHeadshot is not intended for users under the age of 16, and not at all for users under 13. We do not knowingly collect data from anyone under 13. We do not market the service to minors. If you are a parent or guardian and you believe your child has used the service, email us and we will delete all related data.

Cookies and analytics

We use one essential first-party cookie for the upload session (so the studio remembers your choices between page reloads). It expires when you close the tab. No tracking pixels, no advertising cookies, no third-party fingerprinting scripts.

For analytics, we use Vercel Web Analytics, which counts page views without setting cookies and without cross-site identifiers. If your browser sends a Do Not Track signal or you have ad-blockers active, the analytics script does not load.

Security practices

Concrete security measures rather than marketing language:

  • Transport encryption. TLS 1.3 across all endpoints. HSTS preload list submission. No HTTP fallback for any production traffic.
  • At-rest encryption. All data on Supabase and Vercel storage is encrypted with AES-256.
  • Strict CSP. The Content-Security-Policy header on every page disables inline scripts (except hashed/nonced), restricts connections to a whitelist of named domains, and sets frame-ancestors to none to prevent clickjacking.
  • Standard hardening headers. X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin, Permissions-Policy disabling camera, microphone, and geolocation by default. The studio page explicitly re-enables camera only when needed.
  • Authentication. Magic-link by default. No password storage. Sessions expire after 30 days of inactivity.
  • Row-level security. Database access is gated by Supabase RLS policies so even a compromised server token cannot read another user's records.
  • Minimal access. The number of humans with production database access is small enough that we can name them on request. Access is audited.
  • No third-party advertising or tracking scripts are loaded on any page.

If something goes wrong

In the event of a security incident affecting personal data, we follow the GDPR Article 33 timeline: notification to the relevant supervisory authority within 72 hours of becoming aware of the breach, and notification to affected users without undue delay where the breach is likely to result in a high risk to user rights. Under US state laws, we follow the applicable notification timelines, which range from immediately (in some states) to 60 days.

Changes to this policy

When we update this page, the "Last updated" date at the top of the page changes. For material changes (anything that broadens what we can do with your data, narrows your rights, adds a new processor, or changes a retention period), we will:

  • Send an email notice to anyone with an account at least 30 days before the change takes effect.
  • Show a banner on the homepage and the studio for at least 14 days announcing the change.
  • Keep the previous version of the policy archived. If you want a copy of a prior version, email us.

If a change is purely cosmetic (a typo fix, clearer wording, no change in meaning), we will just update silently.

Contact and complaints

For any privacy question, request, or complaint, email [email protected]. We reply within 24 hours on weekdays. Use the subject line that fits:

  • GDPR request — for access, deletion, portability, or any other GDPR right
  • CCPA request — for California-specific rights
  • BIPA opt-out — for Illinois biometric opt-out
  • Privacy complaint — for anything else, including reporting a perceived violation

If we cannot resolve your complaint to your satisfaction, you can lodge a formal complaint with your national or state data protection authority. We would obviously prefer you give us a chance to fix the issue first, but we will not stand in the way of you contacting your regulator.

Related pages: Terms of Service, Refund Policy, Acceptable Use Policy, About FreeHeadshot.

Questions? Email [email protected]. We reply within 24 hours on weekdays.

Open the studio