Privacy Policy
Effective Date: 4/14/2026 | Last Updated: 4/14/2026
1. Introduction
GetMyAIPhoto ("we," "our," or "us"), operated by Hyper Photon, LLC, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI headshot generation service at getmyaiphoto.com (the "Service").
By using our Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please discontinue use of the Service.
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person, including photos, email addresses, and IP addresses.
- Service: The getmyaiphoto.com website and AI headshot generation functionality.
- Processing: Any operation performed on Personal Data, including collection, storage, use, transmission, and deletion.
- Data Controller: Hyper Photon, LLC, which determines the purposes and means of processing Personal Data.
- Data Processor: Third parties that process Personal Data on our behalf (e.g., OpenAI, Google, Stripe).
- Session: A unique browser session identified by an anonymous UUID. No login or account is required.
- Cookies: Small data files stored on your device by your web browser. See our Cookie Policy for details.
3. Information We Collect
3.1 Images You Upload
When you use our Service, you upload personal photos that may contain your likeness. We process these images solely to provide the AI headshot generation service. Uploaded files are assigned random UUIDs; your original filename is not used in storage or URLs. Your photos are transmitted to third-party AI providers, including OpenAI and Google, for processing. See Section 7 for details.
3.2 Technical Information
We automatically collect certain technical information, including:
- Browser type and version
- Device information and operating system
- IP address (used in-memory for rate limiting to prevent abuse and not stored in our application database)
- Usage data (pages visited, time spent on the Service)
- Cookies and similar tracking technologies (see our Cookie Policy)
No user accounts are created. Sessions are identified by anonymous UUIDs with no login or registration required.
3.3 Payment Information
When you make a purchase, we collect:
- Email address, which is required for order confirmation and delivery of purchased photos
- Payment details processed by Stripe. We do not store your credit card number, CVV, or full payment credentials on our servers.
- Transaction records such as Stripe session ID, payment intent ID, purchase amount, currency, and timestamp for order fulfillment and legal compliance
Payment processing is handled entirely by Stripe, which is PCI-DSS compliant and has its own privacy policy governing payment data.
4. How We Use Your Information
The following table describes how we use each type of data, the legal basis for processing under GDPR, and the applicable retention period:
| Data Type | Purpose | Legal Basis (GDPR Art. 6) | Retention |
|---|---|---|---|
| Uploaded photos | AI headshot generation | Contract performance (Art. 6(1)(b)) | 24 hours |
| Generated photos | Service delivery, preview, purchase | Contract performance (Art. 6(1)(b)) | 7 days |
| Email address | Purchase confirmation and photo delivery | Contract performance (Art. 6(1)(b)) | 90 days after last transaction |
| Transaction records | Order fulfillment, tax and financial compliance | Legal obligation (Art. 6(1)(c)) | Up to 7 years |
| IP address | Rate limiting and abuse prevention | Legitimate interest (Art. 6(1)(f)) | In-memory only; not persisted |
| Analytics data (GA4) | Service improvement and usage analysis | Consent (Art. 6(1)(a)) | 14 months |
| Cookie preferences | Remember your consent choice | Legitimate interest (Art. 6(1)(f)) | Until cleared by you |
5. Consent Model
5.1 Essential Processing (No Opt-Out)
The following processing is necessary for the Service to function and does not require separate consent:
- Photo processing for AI headshot generation (core service)
- Payment processing via Stripe
- Email delivery of purchased photos via SMTP
- Rate limiting for abuse prevention
- Font delivery via Google Fonts for typography rendering
5.2 Non-Essential Processing (Requires Consent)
The following processing only occurs with your explicit consent:
- Google Analytics 4 cookies are loaded only after you accept them through our consent banner
You can use our core service (upload, generate, preview, and purchase photos) without consenting to any non-essential data processing.
6. Data Retention and Deletion
| Data Category | Retention Period | Deletion Method |
|---|---|---|
| Uploaded photos (originals) | 24 hours | Automatic (hourly cleanup task) |
| Generated photos (AI output) | 7 days | Automatic (hourly cleanup task) |
| Preview/watermarked images | 7 days (with parent generation) | Automatic |
| Session records (anonymous) | 7 days after all files deleted | Automatic |
| Customer email addresses | 90 days after last transaction | Scheduled deletion |
| Transaction records (financial) | Up to 7 years | As required by tax/financial law |
| Analytics data (GA4) | 14 months | Google's retention policy |
Immediate Deletion: You may request immediate deletion of your uploaded and generated photos at any time by contacting us at support@getmyaiphoto.com. We will process your request without undue delay.
7. AI Processing and No-Training Guarantee
No-Training Guarantee: We do not use your photos to train our own AI or machine learning models. Your photos are processed solely to generate your requested headshots and are then deleted according to the retention schedule above.
Our Service relies on third-party AI providers to generate headshots. When you upload a photo and request generation, your photo is transmitted to one of the following providers for processing:
7.1 OpenAI
We use OpenAI's image generation API as our primary AI provider. According to OpenAI's API data controls documentation and business data commitments:
- Data sent through the API is not used to train or improve OpenAI models by default unless the customer explicitly opts in to share data.
- OpenAI states that abuse monitoring logs may retain certain API content for up to 30 days by default, unless longer retention is legally required.
- Some API features may retain application state when needed to provide the requested service.
For full details, see OpenAI API data controls and OpenAI business data privacy commitments.
7.2 Google Gemini
We use Google's Gemini API as a fallback AI provider. Google publishes different data-use terms for paid and unpaid Gemini API services. For production use, our intent is to use Gemini through a billing-enabled project so that paid-service terms apply. Under Google's current Gemini API terms and logging documentation:
- For paid Gemini API services, Google states that prompts, uploaded files, and responses are not used to improve Google's products.
- Google also states that billing-enabled projects may have Gemini API logs available for up to 55 days by default, and that developers may separately opt in to logging or dataset sharing features in Google AI Studio.
- If Gemini were used through unpaid service terms instead of a billing-enabled paid service, Google's data-use terms may be different.
For full details, see Gemini API Terms, Gemini API logging policy, and Google Privacy Policy.
7.3 Facial and Biometric Data
Our Service processes photographs that may contain facial features. Please be aware of the following:
- We do not extract, store, or sell biometric identifiers or facial geometry data ourselves.
- All AI image analysis and generation is performed by our third-party AI providers (OpenAI and Google). These providers process your images according to their own privacy policies and applicable data protection laws.
- You should only upload photos of yourself or of individuals who have given their explicit consent to have their likeness processed by AI.
- We do not share biometric or facial data with unaffiliated third parties for commercial purposes.
8. Third-Party Services
The following table lists all third-party services we use, the data shared with each, and links to their privacy policies:
| Service | Provider | Data Shared | Purpose | Privacy Policy |
|---|---|---|---|---|
| AI Generation (Primary) | OpenAI | Uploaded photos, text prompts | Headshot generation | Link |
| AI Generation (Fallback) | Google (Gemini) | Uploaded photos, text prompts | Headshot generation | Link |
| Cloud Hosting | Google Cloud Platform | All service data | Infrastructure and storage | Link |
| Payment Processing | Stripe | Email, payment method, transaction details | Secure payment handling | Link |
| Analytics | Google Analytics 4 | Anonymized usage data, IP (anonymized) | Service improvement | Link |
| Font Delivery | Google Fonts | IP address, browser information | Typography rendering | Link |
| Email Delivery | Gmail SMTP | Recipient email, photo attachment | Purchased photo delivery | Link |
We use Google Fonts to deliver our typeface. When you load any page on our site, your browser makes requests to Google's servers (fonts.googleapis.com and fonts.gstatic.com), which may transmit your IP address and browser information to Google.
We use Google's SMTP service to deliver purchased photos to your email address. Your email address and the attached photo are transmitted through Google's mail servers.
9. Data Security
We implement appropriate technical and organizational security measures to protect your data:
- Encryption in transit (HTTPS/TLS) for all communications
- Encryption at rest for stored data (Google Cloud Platform)
- UUID-based file naming to prevent guessable URLs
- Path traversal validation to prevent unauthorized file access
- Input validation and sanitization
- Rate limiting to prevent abuse (10 requests/minute for uploads, 5/minute for generation)
- Bcrypt password hashing for administrative access
- Stripe webhook signature verification for payment security
- HTTPS-only session cookies with SameSite protection
However, no method of transmission over the Internet is 100% secure. While we strive to protect your personal information, we cannot guarantee absolute security.
10. Data Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (where required by GDPR)
- Notify affected users without undue delay when the breach is likely to result in a high risk to their rights and freedoms
- Provide details of the nature of the breach, the data affected, and the steps we are taking to mitigate it
To report a suspected security vulnerability or breach, please contact us immediately at support@getmyaiphoto.com.
11. Your Rights
Regardless of your location, you have the following rights concerning your personal data:
- Access your personal data
- Correct inaccurate data
- Request deletion of your data, including uploaded photos where applicable
- Withdraw consent where processing depends on consent, such as analytics cookies
To exercise these rights, contact us at support@getmyaiphoto.com. We will respond within the time required by applicable law.
12. GDPR Compliance (EU/EEA Users)
If you are located in the European Economic Area (EEA) or the United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR) and UK GDPR:
- Data portability
- Objection to processing based on legitimate interests
- Restriction of processing in certain circumstances
- Rights relating to automated processing, where applicable
- The right to lodge a complaint with your local supervisory authority
We aim to respond to GDPR and UK GDPR rights requests without undue delay and, in most cases, within one month of receipt.
Legal basis for processing: see Section 4.
For any GDPR-related requests, contact us at support@getmyaiphoto.com.
13. California Privacy Rights (CCPA/CalOPPA)
California residents may have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and the California Online Privacy Protection Act:
13.1 For California Residents (CCPA)
- The right to know the categories of personal information we collect, use, disclose, sell, or share, and in some cases the specific pieces of personal information we hold
- The right to request deletion of personal information, subject to applicable exceptions
- The right to request correction of inaccurate personal information
- The right to opt out of the sale or sharing of personal information, if applicable
- The right not to be discriminated against for exercising applicable privacy rights
We do not sell your personal information, and we do not share personal information for cross-context behavioral advertising.
13.2 Under CalOPPA
- You may visit our site anonymously without creating an account
- This Privacy Policy is accessible from our homepage via a clearly labeled link
- You will be notified of privacy policy changes on this page
- You can request changes to your personal information by emailing us at support@getmyaiphoto.com
- We honor Do Not Track browser signals (see Section 14)
14. Do Not Track Disclosure
Our Service honors the "Do Not Track" (DNT) browser signal. When we detect that your browser has DNT enabled, we do not load Google Analytics or set any analytics cookies, regardless of your cookie consent banner choice.
You can enable DNT in your browser's privacy settings. For more details on cookie controls, see our Cookie Policy.
15. Children's Privacy
Our Service is intended only for individuals who are at least 18 years of age. We do not knowingly collect personal information from anyone under 18. If you believe we have collected information from a minor, please contact us immediately and we will delete it promptly.
16. International Data Transfers
Your information may be transferred to and processed in the United States, where our service and certain third-party providers, including OpenAI, Google, and Stripe, operate. If you are located outside the United States, your data may be transferred across international borders.
We rely on safeguards made available by our providers and on technical and organizational measures designed to protect transferred data, including:
- Contractual and policy commitments offered by our service providers, where applicable
- Provider security and privacy controls
- Technical measures (encryption in transit and at rest) regardless of data location
17. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to analyze usage and improve user experience. For full details on the cookies we use, how to control them, and your opt-out options, please see our Cookie Policy.
18. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will update this page and provide any additional notice required by applicable law.
We will notify you of changes by:
- Posting the new Privacy Policy on this page
- Updating the "Effective Date" and "Last Updated" date
- Sending you an email notification for significant changes (where we have your email)
Your continued use of the Service after the updated policy takes effect constitutes acceptance of the revised Privacy Policy to the extent permitted by law. If you do not agree with the changes, you should discontinue use of the Service.