Headshot Hero

Privacy Policy for Headshot Hero

Effective Date: September 21, 2025

1. Introduction

Welcome to Headshot Hero ("we," "us," "our"). We are committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our application and services (the "Service").

This policy is written in accordance with the General Data Protection Regulation (GDPR).

2. Data Controller

The person responsible for your personal data (the "Data Controller") is:

Marius Klein
Hammerschmiede 3
85567 Grafing bei München
Germany
Email: privacy@headshot-hero.app

3. What Personal Data We Collect and Our Legal Basis for Processing

We collect different types of data to provide and improve our Service to you.

a. Data You Provide Directly to Us

  • Account Information: When you create an account, we collect your email address and a hashed password.
    • Purpose: To create your account, provide you with access to the Service, and communicate with you about your account.
    • Legal Basis: Performance of a contract with you (Article 6(1)(b) GDPR).
  • Uploaded Photographs and Generated Headshots: To use our Service, you must upload a photograph of yourself. Our AI then processes this image to create your headshots.
    • Purpose: To provide the core functionality of our Service – creating AI-generated headshots.
    • Important Note: Photographs of your face are considered "special categories of personal data" (biometric data) under GDPR. We handle this data with the highest level of care.
    • Legal Basis: Your explicit consent (Article 9(2)(a) GDPR). You provide this consent when you choose to upload your photo and agree to our Terms of Service before generation. You can withdraw this consent at any time by deleting your photos or your account.
  • Refinement Prompts: If you use our refinement feature, we collect the text prompts you enter.
    • Purpose: To modify your generated headshots based on your instructions.
    • Legal Basis: Your explicit consent (Article 9(2)(a) GDPR), as the prompts are directly related to processing your biometric data.
  • Payment Information: When you purchase credits, our third-party payment processor will collect your payment card information. We do not store your full payment card details ourselves.
    • Purpose: To process payments for the Service.
    • Legal Basis: Performance of a contract with you (Article 6(1)(b) GDPR).

b. Data We Collect Automatically

  • Usage and Technical Data: We may collect information about how you interact with our Service, your IP address, browser type, device information, and approximate location.
    • Purpose: To maintain the security of our Service, to analyze usage for service improvement, and to prevent fraud.
    • Legal Basis: Our legitimate interest (Article 6(1)(f) GDPR) to ensure the proper functioning and security of our app.

4. How We Share Your Data

We do not sell your personal data. We only share it with trusted third-party service providers ("Data Processors") who help us operate our Service.

  • Cloud Hosting Providers: We use cloud infrastructure to host our application and store your data.
  • AI Service Providers: We use third-party AI models to process your photographs and generate your headshots. Your uploaded photograph is sent to them for processing.
  • Payment Processors: We use secure payment processors (e.g., Stripe) to handle transactions.
  • Analytics Providers: We may use services to help us understand user behavior and improve the Service.

We have Data Processing Agreements (DPAs) in place with all our providers, ensuring they are also committed to protecting your data in line with GDPR standards.

5. International Data Transfers

Some of our service providers may be located outside the European Economic Area (EEA), particularly in the United States. When we transfer your personal data outside the EEA, we ensure a similar degree of protection is afforded to it by using specific contracts approved by the European Commission, known as Standard Contractual Clauses (SCCs), or by ensuring the provider is part of a framework that guarantees an adequate level of data protection.

6. Data Retention

We only keep your personal data for as long as necessary to fulfill the purposes we collected it for.

  • Uploaded Photographs: Your original uploaded photographs are automatically deleted from our active systems within 24 hours of the successful generation of your headshots.
  • Generated Headshots and Refinement Prompts: These are stored in your account for as long as your account is active, allowing you to download them at any time. You can delete them manually at any point.
  • Account Information: We retain your account information for as long as your account is active. If you delete your account, we will permanently delete your information in accordance with our data deletion cycle, typically within 30 days.

7. Your Rights Under GDPR

You have several rights concerning your personal data:

  • The right to be informed: To know how we are using your data.
  • The right of access: To request a copy of the personal data we hold about you.
  • The right to rectification: To have inaccurate personal data corrected.
  • The right to erasure (the "right to be forgotten"): To have your personal data deleted.
  • The right to restrict processing: To limit how we use your personal data.
  • The right to data portability: To receive your personal data in a structured, commonly used, and machine-readable format.
  • The right to object: To object to the processing of your personal data.
  • The right to withdraw consent: You can withdraw your consent for us to process your photographs at any time by deleting them from the app or deleting your account.

To exercise any of these rights, please contact us at privacy@headshothero.com.

8. Data Security

We have implemented appropriate technical and organizational security measures to protect your personal data from accidental loss, unauthorized access, alteration, or disclosure. This includes encryption of data in transit (TLS) and at rest.

9. Children's Privacy

Our Service is not intended for use by children under the age of 16. We do not knowingly collect personal data from children under 16.

10. Right to Lodge a Complaint

If you have any concerns about our use of your personal data, you have the right to lodge a complaint with your local data protection authority. The competent authority for us is the Bavarian State Office for Data Protection Supervision (Bayerisches Landesamt für Datenschutzaufsicht - BayLDA).

11. Changes to This Privacy Policy

We may update this policy from time to time. We will notify you of any significant changes by email or through a notification in the app. The "Effective Date" at the top of this policy will indicate when it was last revised.