Privacy Policy
Last Updated: March 2, 2026
Your privacy is important to us. This Privacy Policy explains how Prime Headshots (brand name), operated by Atlantic Media, collects, uses, discloses, and safeguards your information when you visit our website www.primeheadshots.com and use our AI headshot generation services.
1. Information We Collect
We collect information in the following ways:
1.1 Information You Provide
- Account Data: Name, email address, and profile picture when you sign in via Google OAuth.
- Payment Data: Payment details are processed by our Merchant of Record, Dodo Payments. We receive transaction IDs, amounts, and plan details — we never store your full card number.
- Image Data: Photos you upload for AI headshot generation. These are processed securely and deleted from our servers after generation, or upon your request.
- Team/Organization Data: Organization name, domain, member roles, and branding assets for enterprise customers.
- Communications: Any messages you send to us via email.
1.2 Information Collected Automatically
- Log Data: IP address, browser type, operating system, referring URL, pages visited, and access timestamps.
- Cookies: We use cookies as described in our Cookie Policy below.
- Analytics: Google Analytics (with IP anonymization) to understand site usage — only with your consent.
2. How We Use Your Information
- Provide, operate, and maintain our AI headshot generation service.
- Process payments and manage subscriptions.
- Manage team/enterprise accounts and member access.
- Improve, personalize, and optimize our website and services.
- Communicate with you about your account, orders, or support requests.
- Detect, prevent, and address fraud or technical issues.
- Comply with legal obligations.
We do not sell your personal data or photos to third parties.
3. Legal Basis for Processing (GDPR)
Under the EU General Data Protection Regulation (GDPR), we process your data based on:
- Contract Performance: Processing necessary to deliver the services you purchased.
- Consent: For analytics cookies, marketing cookies, and optional communications. You may withdraw consent at any time.
- Legitimate Interest: For fraud prevention, security, and service improvement.
- Legal Obligation: When required by law (e.g., tax records, law enforcement requests).
4. Data Sharing & Third-Party Processors
We share data only with the following categories of processors, all bound by data processing agreements:
| Processor | Purpose | Data Region |
|---|---|---|
| Google Cloud Platform | Database, file storage | US |
| Black Forest Labs (BFL) | AI headshot generation | EU |
| Dodo Payments | Payment processing (Merchant of Record) | EU |
| Firebase / Cloud Run | Website hosting | US |
| Google Analytics | Website analytics (consent-based) | US |
| Meta (Facebook) | Ad campaign tracking (consent-based) | US |
5. Data Retention
- Uploaded Photos: Deleted from our servers within 24 hours after headshot generation completes, or immediately upon your request.
- Generated Headshots: Retained for 90 days for re-download, then automatically deleted. Enterprise plans may retain longer.
- Account Data: Retained for as long as your account is active. Deleted within 30 days of an account deletion request.
- Payment Records: Retained for 7 years as required by tax regulations.
- Consent Records: Retained for 3 years for audit compliance.
- Log Data: Retained for 90 days, then aggregated/anonymized.
6. Your Rights Under GDPR
If you are located in the European Economic Area (EEA), UK, or similar jurisdictions, you have the following rights:
- Right of Access (Art. 15): Request a copy of the personal data we hold about you.
- Right to Rectification (Art. 16): Request correction of inaccurate data.
- Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
- Right to Data Portability (Art. 20): Request your data in a structured, machine-readable format.
- Right to Restrict Processing (Art. 18): Request limitation of processing in certain circumstances.
- Right to Object (Art. 21): Object to processing based on legitimate interest or for direct marketing.
- Right to Withdraw Consent: Withdraw consent at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, visit your Account & Privacy page or email us at info@primeheadshots.com. We will respond within 30 days.
7. Your Rights Under CCPA (California)
If you are a California resident, under the California Consumer Privacy Act (CCPA) you have the right to:
- Know: What personal information we collect and why.
- Delete: Request deletion of your personal information.
- Opt-Out of Sale: We do not sell your personal information. No opt-out is required, but you may contact us for confirmation.
- Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
To exercise your CCPA rights, visit your Account & Privacy page or email info@primeheadshots.com.
8. Cookie Policy
We use cookies and similar technologies on our website. You can manage your cookie preferences via our consent banner or your Account settings.
| Cookie Name | Category | Purpose | Duration |
|---|---|---|---|
| ph-session | Necessary | Authentication session cookie | Session |
| ph_cookie_consent | Necessary | Stores your cookie consent preferences | 1 year |
| _ga, _gid | Analytics | Google Analytics visitor tracking | 2 years / 24h |
| _fbp, _fbc | Marketing | Meta Pixel campaign tracking | 90 days |
| affiliate_ref | Marketing | Affiliate referral attribution | 24 hours |
9. International Data Transfers
Your data may be transferred to and processed in countries outside the EEA, including the United States. When we transfer data internationally, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, and we ensure recipients provide an adequate level of data protection.
10. Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption in transit (TLS/HTTPS) and at rest for sensitive data.
- Row-level security (RLS) on our database ensuring users can only access their own data.
- OAuth 2.0 authentication — we never store passwords.
- Regular security reviews and access controls for administrative systems.
No method of transmission over the Internet is 100% secure. While we strive to protect your personal information, we cannot guarantee its absolute security.
11. Children's Privacy
Our services are not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us at info@primeheadshots.com and we will take steps to delete such information.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last Updated" date. If changes are significant, we may also send an email notification. Continued use of our services after changes constitutes acceptance.
13. Contact Us / Data Protection Officer
If you have questions about this Privacy Policy, wish to exercise your data rights, or need to reach our Data Protection contact:
Prime Headshots (operated by Atlantic Media)
Email: info@primeheadshots.com
Website: www.primeheadshots.com
If you believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local data protection supervisory authority.