Privacy Policy

We collect account information such as your email address and authentication credentials. Password hashes and authentication flows are managed through Supabase Auth.

We collect the selfie you upload in JPEG, PNG, or WebP format and the headshots generated from that upload.

Payment information is processed by Stripe. We do not store your full card number or other complete payment card details on our own systems.

We may collect usage data such as page views and feature usage through PostHog, but PostHog analytics are planned and not yet active at this time.

We use Rewardful for cookie-based referral attribution when you arrive through an affiliate link.

We use your uploaded photo to generate AI headshots and deliver those results to you.

We use account and order information to process payments and send service-related transactional emails such as order confirmations and delivery notifications.

When analytics are active, we may use aggregated product usage information to improve product quality, identify bugs, and understand how customers use the service.

We use referral attribution information to track affiliate referrals and support commission reporting through Rewardful.

HeadshotCanvas currently sends only service-related transactional emails such as order confirmations and "headshots ready" notices. We do not send marketing or promotional emails at this time. If we introduce marketing emails in the future, we will handle them in accordance with applicable consent requirements, including Canada's Anti-Spam Legislation (CASL).

Your uploaded selfie is stored in Cloudflare R2 and sent to Replicate, a third-party AI inference provider, so headshot outputs can be generated on our behalf using models such as PuLID and GFPGAN.

We do not use your photos to train AI models.

HeadshotCanvas automatically deletes uploaded photos and generated headshots from our own storage after 30 days.

Replicate's handling of data is governed by its own privacy policy, available at replicate.com/privacy.

If you want your data deleted earlier, you can request early deletion by contacting our privacy contact listed below.

Face photos may be considered biometric data under certain laws, including BIPA in Illinois and the GDPR in the European Union.

By uploading your photo, you consent to its use for AI headshot generation as described in this policy.

We do not sell, lease, or trade biometric data.

Biometric data stored by HeadshotCanvas is deleted from our storage within 30 days.

We use commercially reasonable technical and organizational safeguards to protect your personal information, including HTTPS, access controls, and secure third-party infrastructure.

If a data breach affects your personal information, we will notify affected individuals and report to applicable regulatory authorities as required by law, including the Office of the Privacy Commissioner of Canada where applicable.

Photos and generated headshots are automatically deleted from our storage after 30 days.

Account data is retained until you request deletion of your account.

Payment records are retained as required by tax, accounting, and legal obligations.

You may request access to your personal information.

You may request correction or deletion of your data.

You may withdraw consent for processing, subject to legal or contractual limits.

For Canadian residents, PIPEDA provides rights that include access to personal information, the ability to challenge its accuracy, and the ability to file a complaint with the Office of the Privacy Commissioner of Canada.

To exercise any of these rights, contact our privacy contact below.

Our service is not intended for users under 16.

We do not knowingly collect personal information from children.