Privacy Policy
HeadshotCraft (headshotcraft.com)
Operated by: Nextfield Labs LLC
Last Updated: February 13, 2026
Effective Date: February 13, 2026
1. Introduction
HeadshotCraft ("we," "us," "our") operates the website headshotcraft.com (the "Service"). This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our AI-powered professional headshot generation service.
We take your privacy seriously — especially regarding the photos you upload. Please read this policy carefully.
2. Information We Collect
2.1 Information You Provide
- Account Information: Name, email address (via Google OAuth through Clerk).
- Uploaded Photos: Facial photographs you upload for AI headshot generation.
- Payment Information: Billing details processed by Stripe. We do not store your full credit card number on our servers.
2.2 Information Collected Automatically
- Usage Data: Pages visited, features used, timestamps, referring URLs.
- Device Information: Browser type, operating system, screen resolution, IP address.
- Cookies & Similar Technologies: See our Cookie Policy.
3. How We Use Your Information
| Purpose | Legal Basis (GDPR) |
|---|---|
| Provide the headshot generation service | Performance of contract |
| Process your uploaded photos through AI | Performance of contract |
| Process payments via Stripe | Performance of contract |
| Send transactional emails (receipts, account) | Performance of contract |
| Improve our service and AI quality | Legitimate interest |
| Comply with legal obligations | Legal obligation |
| Prevent fraud and abuse | Legitimate interest |
4. How We Handle Your Photos
This is the most important section. Your photos are sensitive biometric-adjacent data, and we treat them accordingly.
4.1 Upload & Processing
- Uploaded photos are transmitted over encrypted connections (TLS/HTTPS).
- Photos are sent to the Replicate API for AI processing. Replicate acts as our data processor.
- Replicate's data handling: https://replicate.com/privacy
4.2 Storage & Retention
- Original uploaded photos are stored temporarily for processing and are automatically deleted within 30 days of upload, or upon your request — whichever comes first.
- Generated headshots are stored in your account for as long as your account is active.
- Upon account deletion, all photos (uploaded and generated) are permanently deleted within 30 days.
4.3 What We Do NOT Do With Your Photos
- We do not sell your photos to third parties.
- We do not use your photos to train our own AI models.
- We do not share your photos with advertisers.
- We do not use facial recognition for identification purposes.
4.4 Replicate API (Sub-Processor)
Replicate processes your photos solely to generate headshots on our behalf. Per Replicate's policy, inputs and outputs from API calls are not used to train their models and are deleted after processing. We have a Data Processing Agreement (DPA) in place with Replicate.
5. Third-Party Services
| Service | Purpose | Data Shared |
|---|---|---|
| Replicate | AI image processing | Uploaded photos |
| Stripe | Payment processing | Billing info, email |
| Clerk | Authentication (Google OAuth) | Email, name, profile picture |
| Analytics (if applicable) | Usage analytics | Anonymized usage data |

Each provider operates under its own privacy policy and acts as a data processor under applicable agreements.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Account information | Until account deletion + 30 days |
| Uploaded photos | 30 days after upload, or upon request |
| Generated headshots | Until account deletion + 30 days |
| Payment records | 7 years (legal/tax requirement) |
| Usage logs | 12 months |
7. Your Rights
7.1 All Users
- Access: Request a copy of your personal data.
- Deletion: Request deletion of your account and all associated data.
- Download: Export your generated headshots.
- Correction: Update your account information.
7.2 EEA/UK Users (GDPR)
In addition to the above, you have the right to:
- Restrict processing of your data.
- Object to processing based on legitimate interest.
- Data portability — receive your data in a structured, machine-readable format.
- Withdraw consent at any time (where processing is based on consent).
- Lodge a complaint with your local Data Protection Authority.
7.3 California Users (CCPA/CPRA)
- Right to know what personal information we collect and how it's used.
- Right to delete your personal information.
- Right to opt out of the sale of personal information. We do not sell your data.
- Right to non-discrimination for exercising your rights.
7.4 How to Exercise Your Rights
Email us at: [email protected]
We will respond within 30 days (or sooner as required by applicable law). We may verify your identity before processing requests.
8. Data Security
- All data transmitted via TLS/HTTPS encryption.
- Photos stored with encryption at rest.
- Access controls and authentication on all internal systems.
- Regular security reviews.
- Stripe PCI DSS compliance for payment data.
9. International Data Transfers
Your data may be processed in the United States. For EEA/UK users, we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards for cross-border transfers.
10. Children's Privacy
HeadshotCraft is not intended for anyone under 16 years of age. We do not knowingly collect data from children. If we learn that we have collected data from a child under 16, we will delete it promptly.
11. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes via email or a prominent notice on the website. Continued use after changes constitutes acceptance.
12. Contact Us
Nextfield Labs LLC
Wyoming, USA
Email: [email protected]