Privacy policy

PhotoID AI (“we”, “us”) operates this website and the tool that converts your everyday portraits into ID-style headshots. This policy explains what personal information we process, why, and your choices. If you do not agree, please do not use the service.

We may process:

• Account details if you sign in (for example with Google through our authentication provider), such as your name, email address, and a stable user identifier.

• Photos and image files you upload when you ask us to generate a headshot.

• Technical information sent automatically by your browser and networks, such as IP address, device and browser type, general location inferred from IP (for example for abuse prevention and language routing), and request metadata.

• Limited, aggregated usage information if we enable privacy-oriented web analytics from our hosting provider.

When you generate a headshot, your image is sent to our servers over HTTPS. Our service holds the image in server memory to call a third-party image generation API (the implementation in our codebase uses an API compatible with Google Gemini image models; the exact network endpoint is configured by the site operator). We do not intentionally store your uploaded photo as a user-accessible “gallery” or long-term file on our infrastructure solely for this feature. After the request completes, our application does not keep the uploaded image for repeat download from our servers.

The third-party AI provider receives your image content to run the model and may log or retain data under its own policies and locations. You should review your AI provider’s documentation and terms. Generated output is sent back to your browser as the response; unless we ship a separate storage feature and update this policy, we do not keep your results on our servers as an archive.

We use information to: run the service you request (performance of contract / steps before contract); maintain accounts and security; detect and prevent abuse; comply with legal obligations; and, where we use minimal analytics, to understand reliability and usage (legitimate interests). Where required in your region, we will rely on consent—for example if we add non-essential tracking or marketing cookies—and you may withdraw consent where applicable.

Depending on configuration, typical technologies include: authentication session cookies (often via Supabase); a locale preference cookie for language; and Vercel Web Analytics, which is designed to collect high-level, aggregated usage metrics rather than building a marketing profile.

You can restrict cookies in your browser; signing in and remembering preferences may not work if you block essential cookies.

We use vendors to host and operate the product, including Supabase (authentication/session), Google (identity provider if you choose Google), Vercel (hosting and analytics), and the configured AI API provider. Those vendors process personal information on our behalf under contractual terms and may be located outside your country. Where EU/UK law applies, we aim to use appropriate safeguards for international transfers (for example Standard Contractual Clauses). We do not sell your personal information in the “data broker” sense.

We keep data only as long as needed for the purposes above. Account-related records follow the lifecycle of the authentication system. Hosting providers may retain short-term server logs for security and reliability. Our application path for uploads is not designed for long retention on disk; the AI provider’s retention policies are independent of us and may differ from our practices.

We use HTTPS for data in transit and follow common precautions for a small web application. No online service can guarantee perfect security.

Depending on your location, you may have rights to access, correct, delete, or export personal information, and to object to or restrict certain processing. You may also have the right to complain to a supervisory authority. California residents may have additional rights under the CCPA/CPRA to know, delete, and opt out of certain sharing.

The service is not aimed at children, and we do not knowingly collect personal information from children without appropriate authority.

We may update this policy. We will change the “Last updated” date when we publish a new version. If changes are material, we will provide notice if required by law.