Privacy Policy

Last updated: April 2026

SuitYourFace (“we”, “us”, “our”) is committed to protecting your privacy. This policy explains what data we collect, why we collect it, how we use it, and your rights under the General Data Protection Regulation (GDPR) as applied in the European Union (EU) and United Kingdom (UK), the Australian Privacy Act 1988, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and other applicable laws.

1. Who We Are

SuitYourFace is an AI-powered professional headshot service. When you use our platform you upload photos of your face so that we can fine-tune an AI model and generate studio-quality portraits for you. Our contact email is privacy@suityourface.com.

2. Data We Collect

We collect the following categories of personal data:

  • Account data — email address and hashed password when you register.
  • Face photographs (biometric data) — the photos you upload for AI training. These are transmitted to our AI processing partner (Astria, Inc.) and not retained on our servers beyond the upload request. See our Biometric Data Policy for full details including retention schedules and jurisdiction-specific rights (Illinois BIPA, Texas CUBI, Washington).
  • Payment data — we do not store card numbers or payment details. All payments are processed by Stripe, Inc. We receive only a non-sensitive transaction reference.
  • Generated images — the AI-produced headshot(s) associated with your account.
  • Usage data — standard server logs (IP address, browser type, pages visited) for security and analytics.
  • Analytics data — aggregate usage events collected via PostHog (with your consent). See Section 5 for details.
  • Cookies — session, authentication, and analytics cookies (analytics with consent only). See our Cookie Policy for details.

3. Legal Basis for Processing (GDPR)

  • Contract performance — processing your photos and generating your headshot is necessary to fulfil the service you purchased.
  • Explicit consent (Art. 9(2)(a)) — processing facial photographs (special category / biometric data) relies on your explicit consent, given via the biometric consent checkbox at the point of upload. You may withdraw this consent at any time.
  • Consent — analytics cookies (PostHog) are set only after you accept via the cookie consent banner.
  • Legitimate interests — server logs for security, fraud prevention, and service improvement.

4. How We Use Your Data

  • To fine-tune a personal AI model and generate your headshot(s).
  • To send transactional emails (order confirmation, password resets).
  • To prevent fraud and abuse.
  • To understand aggregate product usage (analytics, with consent).
  • To comply with legal obligations.

We do not sell your personal data. We do not use your photos to train shared or public AI models. Your custom AI model is private to your account.

5. Data Sharing & Sub-processors

We share data only with the following sub-processors:

  • Astria, Inc. (astria.ai) — AI model training and image generation. Your photos are sent to Astria solely to produce your headshot. We apply contractual safeguards to ensure Astria processes your data only on our instructions and for no other purpose. Transfers from the EEA to the US rely on Standard Contractual Clauses (SCCs) or equivalent protections.
  • Stripe, Inc. — payment processing. Stripe’s privacy policy applies to payment data.
  • Neon, Inc. — hosted PostgreSQL database (AWS us-east-2 region).
  • Google Cloud Platform — application hosting (Cloud Run) and image storage (Cloud Storage).
  • PostHog, Inc. — analytics and product telemetry. Only activated with your cookie consent. PostHog processes data per their privacy policy (posthog.com/privacy). You can opt out at any time via the cookie consent banner.
  • Cloudflare, Inc. — CDN and DNS for serving generated headshot images.

We will disclose data if required by law, court order, or to protect the rights and safety of our users.

6. Data Retention

  • Uploaded photos — sent to Astria for training and not stored on our servers beyond the upload request. See our Biometric Data Policy for Astria’s retention schedule.
  • Generated headshots — stored in your account until you delete them or close your account.
  • Account data — retained while your account is active and for up to 90 days after deletion for backup purposes.
  • Payment records — retained for 7 years to comply with financial regulations.

7. International Transfers

Our sub-processors operate primarily in the United States. Where data is transferred outside the EEA or UK we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent safeguards.

Australian residents: your data may be transferred to and processed in the United States by sub-processors listed in Section 5. We take reasonable steps to ensure overseas recipients handle data consistently with the Australian Privacy Principles (APP 8). Contact privacy@suityourface.com with questions about overseas transfers.

8. Your Rights (GDPR / UK GDPR)

Depending on your location you may have the following rights regarding your personal data:

  • Access — request a copy of the data we hold about you.
  • Rectification — request correction of inaccurate data.
  • Erasure — request deletion of your data (“right to be forgotten”).
  • Portability — receive your data in a machine-readable format.
  • Objection — object to processing based on legitimate interests.
  • Restriction — request that we restrict processing of your data.
  • Withdraw consent — withdraw consent to biometric or analytics processing at any time. This does not affect the lawfulness of prior processing.

To exercise any right, email privacy@suityourface.com. We will respond within 30 days (or the timeframe required by applicable law). You also have the right to lodge a complaint with your local data protection authority (e.g. ICO in the UK, your national DPA in the EU, OAIC in Australia).

9. California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

  • Right to Know: request disclosure of the categories and specific pieces of personal information we have collected, the sources, the business purposes, and the third parties with whom we share it.
  • Right to Delete: request deletion of your personal information, subject to certain exceptions.
  • Right to Correct: request correction of inaccurate personal information.
  • Right to Opt Out of Sale/Sharing: we do not sell or share your personal information for cross-context behavioural advertising.
  • Right to Limit Use of Sensitive Personal Information: we process sensitive personal information (biometric data) only for the purpose of performing the service you requested.
  • Right to Non-Discrimination: we will not discriminate against you for exercising your privacy rights.

To exercise California rights, email privacy@suityourface.com. We will respond within 45 days. We do not respond to Do Not Track signals at this time.

10. Australian Privacy

If you are located in Australia, this policy is intended to comply with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

  • We collect personal information directly from you when you register and use our service.
  • We will not use or disclose your personal information for a purpose other than the primary purpose of collection without your consent, subject to exceptions under the Privacy Act.
  • You may request access to, or correction of, your personal information by contacting privacy@suityourface.com.
  • If you believe we have breached the APPs, you may complain to us first. If not satisfied, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
  • Notifiable Data Breaches: in the event of a data breach likely to cause serious harm, we will notify you and the OAIC as required under Part IIIC of the Privacy Act.

11. Quebec (Law 25)

If you are a resident of Quebec, Canada, additional protections apply under Quebec’s Act respecting the protection of personal information in the private sector (Law 25). We have conducted a Privacy Impact Assessment (PIA) before transmitting your photos to Astria, Inc. as required by Law 25 for transfers of personal information outside Quebec. You may request information about our PIA or exercise your privacy rights by contacting privacy@suityourface.com.

12. AI Processing and Automated Decision-Making

SuitYourFace uses artificial intelligence to process your facial photographs and generate portrait images. This processing involves biometric data (facial geometry) as defined under GDPR Article 9 and applicable biometric privacy laws.

  • Our AI system is used solely for generating personalised portrait images at your explicit request. It does not make automated decisions with legal or similarly significant effects on you (GDPR Article 22 does not apply to this processing).
  • The gender field you provide is used only to generate gender-appropriate clothing styles. It is not used for profiling, targeting, or any other purpose.
  • This system is not used for real-time remote biometric identification in publicly accessible spaces and is not within the prohibited or high-risk categories under EU AI Act Articles 5 and 6 as currently interpreted.
  • In accordance with EU AI Act Article 13 transparency requirements, we inform you that your portraits are AI-generated and that biometric data is used in their production.
  • You have the right to request human review of any AI-related processing by emailing privacy@suityourface.com.

13. Security

We implement industry-standard security measures including TLS encryption in transit, hashed passwords (bcrypt), and access controls on our database. No system is 100% secure; we encourage you to use a strong, unique password.

14. Children

Our service is not directed to anyone under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with their data, contact us immediately at privacy@suityourface.com and we will delete it promptly.

15. Changes to This Policy

We may update this policy from time to time. We will notify you of significant changes by email or by posting a notice on our website. The date at the top of this page reflects the most recent revision.

16. Contact Us

For any privacy-related questions or requests: privacy@suityourface.com

For biometric data deletion requests, see our Biometric Data Policy.