Legal
Privacy Policy
Last updated: 14 July 2026 · Registered in England & Wales
Privacy at a glance
- ✓ You own your images. Every photo you upload and every headshot we generate belongs to you. We claim no rights.
- ✓ Your images are never used for AI training. Not ours, not anyone else's. This is a firm technical commitment.
- ✓ Your images are never made public. All uploads and outputs are stored privately and are only accessible to you.
- ✓ We do not sell or share your data. We do not sell, rent, or licence your personal data or images to any third party.
- ✓ You can delete everything. Request deletion of your account and all images at any time — no questions asked.
1. Who we are
Simply Headshot is a headshot enhancement service.
We are the Data Controller for personal data processed through this service. Contact us at [email protected] with any privacy questions.
2. What data we collect
Account information
When you create an account, we collect:
- Your name
- Your email address
- A hashed version of your password (we never store your password in plain text)
- Account creation date and time
Uploaded images
When you use the service, we collect:
- Photos you upload as input for headshot generation
- Headshot images we generate for you as output
- Metadata associated with those files (file size, format, upload timestamp)
These images are stored privately on our infrastructure. They are never shared publicly and never used for AI model training.
Job and usage data
- The options you choose for each headshot job (background style, lighting)
- Job status and processing history
- Error messages if a job fails
Technical and log data
- IP address at the time of requests
- Browser type and device information
- Page views and navigation events
- Application error logs
This data is collected automatically and is used only for operating and securing the service.
Payment data
Payments are processed by a third-party payment processor (Stripe). We do not store your card number, CVV, or full payment details. We receive a transaction reference and the amount paid for record-keeping.
3. Why we process your data and the legal basis
We process your personal data for the following purposes:
| Purpose | Legal basis (UK GDPR) |
|---|---|
| Providing the headshot service you signed up for | Contract (Article 6(1)(b)) |
| Processing payments | Contract (Article 6(1)(b)) |
| Sending service-related emails (e.g. job completion) | Contract (Article 6(1)(b)) |
| Storing your uploaded photos and generated headshots | Contract (Article 6(1)(b)) |
| Security monitoring and fraud prevention | Legitimate interests (Article 6(1)(f)) |
| Maintaining application error logs | Legitimate interests (Article 6(1)(f)) |
| Sending marketing emails (if you opt in) | Consent (Article 6(1)(a)) |
| Complying with legal obligations | Legal obligation (Article 6(1)(c)) |
4. Where your data is stored
All personal data — including your account information, uploaded photos, and generated headshots — is stored on infrastructure operated by Simply Headshot or by trusted processing partners. Any processing partner is bound by a data processing agreement that prohibits using your images to train AI models or for any purpose other than delivering your headshots.
If we ever use a hosting or infrastructure provider whose servers are located outside the UK or EEA, we will update this policy and ensure appropriate safeguards are in place.
5. How long we keep your data
| Data type | Suggested retention |
|---|---|
| Account information (name, email) | For the life of your account, then 30 days after deletion request |
| Uploaded input photos | 90 days after job completion, or until you delete them |
| Generated headshot images | 365 days after generation, or until you delete them |
| Job and usage records | 2 years, for service improvement and support purposes |
| Payment transaction records | 7 years (UK legal/financial record-keeping requirement) |
| Application error logs | 90 days on a rolling basis |
| Access logs (IP, browser) | 30 days on a rolling basis |
These are the suggested defaults. You can request earlier deletion of your images or account at any time.
6. Who we share data with
We do not sell, rent, or licence your personal data or images to any third party.
We may share limited, necessary data with the following categories of infrastructure providers, solely to operate the service. Each is bound by a data processing agreement and may not use your data for any other purpose:
- Hosting and server infrastructure provider — stores and serves application data
- Image processing provider — processes your photos to generate your headshots, under a data processing agreement that prohibits use of your images for AI training or any other purpose
- Payment processor (e.g. Stripe) — processes transactions on our behalf
- Email delivery provider — sends service-related emails (e.g. job completion notifications)
We will not share your data with any advertiser, data broker, or any other third party for their own commercial purposes. We will not share your images with casting platforms, agents, or any other party without your explicit instruction.
We may disclose personal data if required to do so by law, court order, or to protect the safety, rights, or property of Simply Headshot or others.
7. Your rights under UK GDPR
As a data subject, you have the following rights:
- Right to access — You can request a copy of the personal data we hold about you.
- Right to rectification — You can ask us to correct inaccurate personal data.
- Right to erasure — You can ask us to delete your personal data. We will action this promptly, subject to any legal retention obligations.
- Right to restrict processing — You can ask us to pause processing your data in certain circumstances.
- Right to data portability — You can request your data in a portable, machine-readable format.
- Right to object — You can object to processing carried out on the basis of legitimate interests.
- Right to withdraw consent — Where processing is based on consent (e.g. marketing emails), you can withdraw consent at any time.
To exercise any of these rights, contact us at [email protected]. We will respond within one month.
8. Security
We take the security of your data seriously and apply the following measures:
- All data in transit is encrypted using TLS (HTTPS)
- Images are stored with private (non-public) access controls on our storage infrastructure
- Download links for your images are time-limited and signed — they cannot be guessed or shared indefinitely
- Passwords are hashed using bcrypt — we cannot recover your password
- Access to production systems is restricted to authorised personnel only
- We apply software updates and security patches regularly
No system can guarantee 100% security. In the event of a data breach that affects your rights and freedoms, we will notify you and the Information Commissioner's Office (ICO) as required by law.
9. Children
Our service is intended for adults aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe a child has created an account, please contact us immediately and we will delete the account and associated data.
10. International data transfers
We currently store and process all data within [UK/EEA]. If this changes — for example, if we use an infrastructure provider with servers outside the UK or EEA — we will update this policy and ensure an appropriate transfer mechanism is in place (such as the UK International Data Transfer Agreement or EU Standard Contractual Clauses).
11. Cookies
We use only essential session cookies that are necessary for the service to function (for example, to keep you logged in). We do not use advertising cookies or third-party tracking cookies. You can disable cookies in your browser, but this may affect your ability to use the service.
12. Changes to this policy
We may update this policy from time to time. We will notify you of any significant changes by email or by displaying a notice on the service. The updated policy will be effective from the date shown at the top of this page.
13. How to contact us and make a complaint
For any privacy questions, to exercise your rights, or to raise a concern, contact us at:
[email protected]
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's independent data protection regulator. The ICO helpline is 0303 123 1113.