Privacy Policy

PoseLab is the controller of your personal data. For all privacy-related inquiries, contact us at hello@poselab.io.

We collect the following categories of personal data:

• Email address — provided when you enter it in the pricing form. Used to deliver your gallery link, order confirmation, and any follow-up service communications.
• Input Photos (selfies) — images you upload via your unique upload link. These are used solely as visual references for the AI image generation.
• Generated Images — the AI-produced headshots created from your Input Photos. Stored so you can download them again from your gallery.
• Payment metadata — order amount, currency, and Stripe transaction ID. We never see or store your card number, CVV, or full payment details; those are handled entirely by Stripe.
• Technical data — basic server logs including IP addresses and timestamps, collected by our hosting provider (Vercel) for operational purposes and security monitoring.

We do not collect name, address, phone number, or any other personal identifiers unless you voluntarily provide them in an email to us.

If you are in the European Economic Area (EEA) or the United Kingdom, we process your personal data under the following legal bases:

• To process your order and deliver your Generated Images.
• To send you order confirmation and gallery delivery emails via Resend.
• To send your Input Photos to OpenAI's image-edit API as references for headshot generation. OpenAI says API data is not used to train or improve its models unless a customer explicitly opts in. See OpenAI's API data controls.
• To operate and maintain the Service, including fraud prevention and abuse detection.
• To respond to your support requests, refund claims, or data rights requests.

We do not sell your data. We do not use your photos or generated images for advertising, marketing, or model training of any kind.

We use only essential, session-level cookies necessary to provide the Service (e.g., to maintain your checkout session with Stripe). We do not use third-party analytics cookies or advertising trackers.

If we introduce optional analytics in the future, we will update this policy and obtain your consent where required.

We share your data only with the following sub-processors, strictly as necessary to provide the Service:

We do not share your data with any other third parties for marketing or commercial purposes.

Some of our sub-processors are located in the United States. Where data is transferred outside the EEA or UK, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) as approved by the European Commission, or the UK International Data Transfer Agreement (IDTA), or the sub-processor's certification under an approved adequacy framework.

Input Photos and Generated Images are deleted automatically 30 days after your gallery is delivered. You may request earlier deletion at any time by emailing hello@poselab.io with your order email address.

Payment metadata is retained for as long as required by applicable financial regulations (typically 7 years).

Email addresses associated with completed orders are retained for 2 years to enable refund claims and support requests, then deleted. You may request earlier deletion.

Technical logs are retained for up to 90 days for security and operational purposes.

Depending on your location, you may have the following rights regarding your personal data:

• Access — request a copy of the personal data we hold about you.
• Rectification — request correction of inaccurate data.
• Erasure — request deletion of your personal data ("right to be forgotten").
• Restriction — request that we limit processing of your data in certain circumstances.
• Portability — request your data in a machine-readable format.
• Objection — object to processing based on legitimate interests.
• Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing.

EEA residents also have the right to lodge a complaint with their local data protection authority (DPA).

Email hello@poselab.io with your request. Please include the email address associated with your order so we can locate your data. We will respond within 30 days (or sooner for simple requests). We may ask you to verify your identity before fulfilling the request.

All stored photos and images are encrypted at rest on Cloudflare R2. Data in transit is protected by TLS 1.2 or higher. Access to stored data is restricted to authorized systems only. We apply principle-of-least-privilege access controls to all sub-processors.

No system is perfectly secure. If you discover a security vulnerability, please report it responsibly to hello@poselab.io.

The Service is not directed at or intended for use by anyone under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has submitted data to us, please contact us immediately and we will delete it.

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. Material changes will be communicated by a prominent notice on the Service. Your continued use after the effective date constitutes acceptance of the updated policy.

For any questions about this Privacy Policy or how we handle your data, email us at hello@poselab.io. We aim to respond within 2 business days.