Privacy Policy

Last updated: April 12, 2026

1. Information We Collect

We collect information you provide directly: your name, email address, and uploaded photos. We also collect usage data such as generation history, browser type, and IP address for rate limiting, fraud prevention, and abuse detection.

2. Lawful Bases for Processing (GDPR Art. 6)

Contract performance (Art. 6(1)(b)): processing photos and account data is necessary to deliver the portrait generation service you have purchased.
Legitimate interests (Art. 6(1)(f)): rate limiting, fraud prevention, security monitoring, and basic analytics.
Consent (Art. 6(1)(a)): non-essential cookies and optional marketing communications, where applicable.
Legal obligation (Art. 6(1)(c)): tax and accounting records related to payment processing.

3. Photo Privacy

Your uploaded photos are processed securely through our AI pipeline. Photos from paid accounts are stored privately and accessible only to you. Demo/free photos are automatically deleted after 24 hours. We never use your photos for training AI models, for advertising, or for sharing with third parties beyond the processors listed below.

4. Sub-Processors

Portrait Union uses the following processors to deliver the service. Each is bound by a data processing agreement and processes data only on documented instructions:

Stripe — payment processing (Ireland, EU)
Vercel — web hosting and edge functions (EU region for EU users)
Vercel Blob — encrypted image storage (EU region)
Google Gemini API — AI portrait generation via Google Cloud
Replicate — AI image upscaling (Recraft Crisp Upscale + Real-ESRGAN)
Gelato — print-on-demand fulfillment (worldwide network)
Google Analytics 4 — anonymized site analytics
NextAuth — authentication and session management (self-hosted)

5. Data Retention

Free preview photos: automatically deleted after 24 hours
Paid account portraits: retained for the lifetime of your account, deleted within 30 days of account closure
Account profile data: retained as long as account is active
Payment records: retained for the period required by applicable tax and accounting law (typically 7–10 years)
Server logs: retained for 30 days for security and abuse prevention

6. Your Rights (GDPR Articles 15–22)

If you are in the EU, EEA, or UK, you have the following rights regarding your personal data:

Right of access (Art. 15)
Right to rectification (Art. 16)
Right to erasure / "right to be forgotten" (Art. 17)
Right to restriction of processing (Art. 18)
Right to data portability (Art. 20)
Right to object (Art. 21)
Right to withdraw consent at any time
Right to lodge a complaint with your local data protection authority

To exercise any of these rights, contact us at hello@portraitunion.com. We will respond within 30 days as required by GDPR Article 12.

7. International Transfers

Some processors (notably Google Gemini API and Gelato's global production network) may process data outside the EU/EEA. Such transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, supplementary technical measures, and adequacy decisions where applicable.

8. Payment Processing

Payments are processed securely through Stripe. We never store your full credit card information on our servers. Stripe's privacy policy governs how your payment data is handled.

9. Cookies

We use essential cookies for authentication and session management. We also use Google Analytics 4 with anonymized IPs for basic site analytics. We do not use third-party tracking cookies for advertising.

10. Children

Portrait Union is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact hello@portraitunion.com and we will promptly delete it.

11. Changes to This Policy

We may update this policy from time to time. The "Last updated" date at the top of this page indicates when it was last revised. Material changes will be communicated via email or an in-app notice.

12. Contact

For privacy questions, data deletion requests, or to exercise any of your GDPR rights, contact us at hello@portraitunion.com.

2. Lawful Bases for Processing (GDPR Art. 6)

Contract performance (Art. 6(1)(b)): processing photos and account data is necessary to deliver the portrait generation service you have purchased.

Legitimate interests (Art. 6(1)(f)): rate limiting, fraud prevention, security monitoring, and basic analytics.

Consent (Art. 6(1)(a)): non-essential cookies and optional marketing communications, where applicable.

Legal obligation (Art. 6(1)(c)): tax and accounting records related to payment processing.

3. Photo Privacy

4. Sub-Processors

Portrait Union uses the following processors to deliver the service. Each is bound by a data processing agreement and processes data only on documented instructions:

Stripe — payment processing (Ireland, EU)

Vercel — web hosting and edge functions (EU region for EU users)

Vercel Blob — encrypted image storage (EU region)

Google Gemini API — AI portrait generation via Google Cloud

Replicate — AI image upscaling (Recraft Crisp Upscale + Real-ESRGAN)

Gelato — print-on-demand fulfillment (worldwide network)

Google Analytics 4 — anonymized site analytics

NextAuth — authentication and session management (self-hosted)

5. Data Retention

Free preview photos: automatically deleted after 24 hours

Paid account portraits: retained for the lifetime of your account, deleted within 30 days of account closure

Account profile data: retained as long as account is active

Payment records: retained for the period required by applicable tax and accounting law (typically 7–10 years)

Server logs: retained for 30 days for security and abuse prevention

6. Your Rights (GDPR Articles 15–22)

If you are in the EU, EEA, or UK, you have the following rights regarding your personal data:

Right of access (Art. 15)

Right to rectification (Art. 16)

Right to erasure / "right to be forgotten" (Art. 17)

Right to restriction of processing (Art. 18)

Right to data portability (Art. 20)

Right to object (Art. 21)

Right to withdraw consent at any time

Right to lodge a complaint with your local data protection authority

To exercise any of these rights, contact us at hello@portraitunion.com. We will respond within 30 days as required by GDPR Article 12.