FreeHeadshot.org

Security & Data Handling

Last updated: 2026-05-21 · Email us with questions

Generating a headshot means handing a website a photo of your face. That deserves a clear, honest explanation of what happens to it. Here is exactly how we protect your data, in plain terms.

1. Security at a glance

  • Your source photo is processed in memory only and never written to disk.
  • We never create or keep a face embedding (the numeric template of a face).
  • We never train AI on your photos and never sell or share them.
  • All traffic uses TLS 1.3; stored outputs use AES-256 at rest.
  • Generated images for anonymous users are deleted within 24 hours.
  • The only company that ever sees your photo is Google's Gemini API, which generates the image.

2. How we handle your photo

When you upload a selfie, it travels over an encrypted connection to our server, gets passed to the Google Gemini 2.5 Flash Image API for the generation, and is then released from memory. It is never written to a database, an object store, or a log. There is no 24-hour window on the source photo because it never reaches durable storage at all. The only thing that persists is the generated output, and only if you are signed in and choose to keep it.

3. Encryption

  • In transit: TLS 1.3 on every connection, with HSTS preload enabled.
  • At rest: generated images stored for signed-in users are encrypted with AES-256, handled natively by the storage provider, and served only through expiring signed URLs tied to your session.

4. Deletion & retention

Source photos are never stored, so there is nothing to delete there. Generated outputs for anonymous users are removed within 24 hours. If you have an account, your generations live in a private gallery and you can delete any of them, or your whole gallery, from your dashboard at any time. Full retention windows are in the Privacy Policy.

5. No training, no selling

We do not train, fine-tune, or evaluate any AI model on your photos. The model we use, Google Gemini 2.5 Flash Image, was built by Google long before you uploaded anything. We do not sell, rent, or share your photos or personal data with advertisers or data brokers. Ever.

6. Who touches your data

Your uploaded photo only ever reaches Google's Gemini API (for the generation) and our own hosting. It is not sent to our payment, email, or analytics vendors. The full list of sub-processors, with purpose and region, is in our Data Processing Agreement.

7. Infrastructure & access

  • Hosted on Vercel's edge/serverless network, with the database on Supabase (managed Postgres) in an EU region.
  • Production access is limited to the operator account and protected by multi-factor authentication.
  • Row-level security on every user-keyed table, so one account can never read another's data.
  • Audit logs retained for a minimum of 90 days.

8. Abuse & bot protection

Anonymous generations pass a Cloudflare Turnstile challenge (a privacy-friendly CAPTCHA) before they run, and rate limiting is keyed on the real visitor IP behind our Cloudflare proxy. Every prompt is also screened by content moderation before it reaches the model. These measures protect both your experience and our costs from automated abuse.

9. Payment security

Payments are handled by Creem (our merchant of record), which embeds Stripe for card capture at checkout. We never see or store full card numbers. We keep only a payment record (amount, tier, and a processor reference) for receipts and refunds.

10. Account security

Accounts are optional. When you do create one, sign-in uses a 6-digit email code or a password, managed by Supabase Auth. We recommend a unique password if you choose the password method. You can delete your account and all associated data from your dashboard at any time.

11. Compliance

We honor GDPR and UK GDPR rights (access, deletion, rectification, portability, objection) and CPRA rights (know, delete, opt out of sale or sharing, which we never do). See the Privacy Policy and the Data Processing Agreement for the details and how to exercise each right.

12. Responsible disclosure

Found a vulnerability? We want to hear about it. Email [email protected] with the subject “Security disclosure” and a description of the issue and how to reproduce it. Please give us a reasonable window to fix it before any public disclosure. We do not currently run a paid bounty, but we genuinely appreciate the help and will credit you if you'd like.

13. Contact

Email: [email protected]
Related: Privacy Policy · Data Processing Agreement · Terms of Service

Questions? Email [email protected]. We reply within 24 hours on weekdays.
