This Privacy Policy describes how Orz, LLC (operator of the Savvy Headshot service; “Savvy Headshot,” “we,” “us”) collects, uses, and protects your information when you use our website and AI portrait generation service (the “Service”).
1. Summary in plain English
- We collect the photos you upload, your name and email, and basic usage analytics — only what we need to give you your Headshots.
- To create your Headshots we train a private per-user model from your selfies. That model is unique to you and is used only to generate your Headshots. We do NOT use your photos or that model to train any general-purpose AI system, and we do NOT share them with any model provider for training.
- We delete your uploaded photos, your per-user model, and your generated Headshots after 30 days of inactivity. We email you 7 days before deletion so you can re-download anything you still need.
- Image generation runs on Google’s image-generation models; payments through Stripe; storage on Cloudflare R2; email via Resend; auth and database on Supabase. Each provider only sees the minimum data needed to do its job.
- You can request deletion of your account and all associated data at any time by emailing support@savvyheadshot.com.
2. Definitions
- Service. The Savvy Headshot website, applications, and AI portrait generation system operated by us.
- Personal Data. Information that identifies or can reasonably be used to identify you, including your name, email address, payment information, and the photographs of you that you upload.
- Input Photos. The selfies and other photographs you upload to the Service.
- Per-User Model. A private, fine-tuned AI model trained from your Input Photos for the sole purpose of producing Headshots that depict you.
- Headshots. The portrait images generated for you by the Service using your Per-User Model.
- Usage Data. Data automatically collected about your interactions with the Service (pages visited, actions taken, generation outcomes, and similar diagnostics).
- Cookies. Small text files stored on your device by your browser when you visit the Service.
- Data Controller. Orz, LLC determines the purposes and means of processing your Personal Data and acts as Data Controller for the Service.
- Data Processor. Third-party service providers that process Personal Data on our behalf under contractual restrictions.
3. Information we collect
3.1 Information you provide
- Account information. Your name and email address when you sign up (via Google OAuth or email one-time passcode).
- Input Photos. The selfies you upload to generate Headshots, plus any related metadata your camera or phone embedded in them (such as device model and timestamp).
- Payment information. Card details and billing address are collected directly by Stripe; we never see or store your full card number. We do see the fact and amount of your purchase, the email address used at checkout, and the last four digits of the card.
- Support correspondence. Any messages you send us via email or a support form.
3.2 Information we collect automatically
- Usage Data. Pages visited, buttons clicked, generation outcomes, and similar product analytics events. Stored in our own database and used to improve the Service.
- Device data. IP address, browser user-agent, screen size, and similar diagnostics needed to render the Service and debug issues.
4. How we use your information
- To train your Per-User Model and generate, store, and deliver your Headshots.
- To process your payment, send your receipt, and notify you when your photos are ready or about to be deleted.
- To detect and prevent fraud, abuse, and violations of our Terms of Service.
- To diagnose technical problems and improve the Service.
- To respond to your support requests and to comply with legal obligations.
5. AI training — what we do and what we don’t do
Honest disclosure matters here. The Service is built on AI that requires a model to learn what you look like before it can generate portraits of you, so this section spells out exactly what training takes place and where the boundaries are.
What we do. When you start a photoshoot, we use your Input Photos to train a Per-User Model — a private, fine-tuned AI model that learns your facial likeness. That Per-User Model is then used to generate your Headshots, and only your Headshots. It exists for you and nobody else.
What we do NOT do.
- We do not use your Input Photos, your Per-User Model, or your Headshots to train any general-purpose AI model or any model that serves other users.
- We do not contribute your Input Photos or your Per-User Model to Google, our infrastructure providers, or any third party for use in training their models.
- We do not sell, license, or otherwise share your Input Photos, your Per-User Model, or your Headshots with advertisers or data brokers.
What we use Google for. Image generation for the Service runs on Google’s image-generation models. Inference calls send your inputs only as the prompt material that produces your Headshots; the call is contractually scoped so the data is not retained by the provider for model training.
6. Data retention & deletion
We delete your Input Photos, your Per-User Model, and your generated Headshots automatically 30 days after your last activity on the related photoshoot (download, edit, sign-in, or other interaction). Seven (7) days before deletion we will email the address on your account so you can re-download anything you still need.
Mechanically, deletion happens on the following surfaces:
- Object storage (Cloudflare R2): Input Photos and generated Headshots are removed by a lifecycle rule on the 30-day cutoff.
- Per-User Model weights: the trained model file is deleted from our model store on the same 30-day cutoff. We do not keep a copy.
- Database (Supabase / Postgres): the corresponding rows are hard-deleted; a few non-identifying accounting fields (e.g. anonymised counts of generations) may be retained for billing reconciliation.
- Backups: our database backups rotate on a rolling 30-day schedule, so deleted rows age out of all backups within that window.
If you want to delete your account and all associated data sooner, email support@savvyheadshot.com from the address on your account. We will action the request within seven (7) business days and confirm by email when the deletion is complete.
7. Cookies
We use a small number of essential cookies to keep you signed in, to remember your in-progress photoshoot, and to maintain basic security (CSRF protection, fraud detection). We do not use third-party advertising cookies on the website. Most browsers allow you to refuse or delete cookies; doing so may break sign-in and the photoshoot flow.
8. Analytics
We collect first-party Usage Data in our own database to understand how the Service is used, identify bugs, and prioritise improvements. We do not share individual-level analytics with third parties or use it for cross-site advertising.
9. Payments
All payment information is collected and processed by Stripe, Inc. (“Stripe”). Stripe is a PCI-DSS Level 1 certified payment processor; we never see, handle, or store your full card number. Stripe’s processing of your payment data is governed by the Stripe Privacy Policy.
10. Service providers
We do not sell your Personal Data. We share data with the following categories of service providers, only to the extent needed for them to perform their function:
- Stripe, Inc. — payment processing, checkout, and invoice generation.
- Google — AI image-generation models that perform the inference producing your Headshots.
- Cloudflare, Inc. — content delivery and object storage (Cloudflare R2) for Input Photos and Headshots.
- Supabase, Inc. — authentication, authorisation, and database hosting.
- Resend, Inc. — transactional email delivery (sign-in codes, photos-ready notifications, deletion warnings, receipts).
11. Disclosure of data
In addition to the service-provider sharing described above, we may disclose your Personal Data in the following limited circumstances:
- Legal requirements. When required to comply with a valid legal obligation, court order, subpoena, or governmental request, or when we have a good-faith belief that disclosure is necessary to comply with law.
- Protection of rights. To enforce our Terms of Service, investigate suspected fraud or abuse, or protect the rights, property, or safety of Savvy Headshot, our users, or others.
- Business transfers. In connection with a merger, acquisition, financing, reorganisation, or sale of assets, in which case the acquiring entity will be bound by this Privacy Policy or will give you notice before your data becomes subject to a different policy.
- With your consent. For any other purpose you have explicitly authorised.
12. Your rights — EU/EEA & UK (GDPR)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights with respect to your Personal Data:
- Access — obtain a copy of the Personal Data we hold about you.
- Rectification — correct inaccurate or incomplete Personal Data.
- Erasure — request deletion of your Personal Data (“right to be forgotten”).
- Restriction — limit how we process your Personal Data.
- Portability — receive your Personal Data in a structured, commonly used, machine-readable format.
- Objection — object to our processing of your Personal Data.
- Withdraw consent — where processing is based on consent, withdraw it at any time.
- Lodge a complaint — with your local Data Protection Authority.
Orz, LLC is the Data Controller for the Service. To exercise any of these rights, email support@savvyheadshot.com from the address on your account; we will respond within thirty (30) days.
13. Your rights — California (CCPA / CalOPPA)
If you are a California resident, the California Consumer Privacy Act (“CCPA”) gives you the following rights with respect to your Personal Information:
- Right to know what categories of Personal Information we collect, the sources, the purposes, and the categories of third parties we share it with.
- Right to access the specific pieces of Personal Information we hold about you.
- Right to delete Personal Information we have collected from you, subject to legal exceptions.
- Right to correct inaccurate Personal Information.
- Right to non-discrimination — we will not deny service, charge a different price, or provide a lesser service because you exercised any of these rights.
- Right to opt out of “sale” or “sharing”. We do not sell or share your Personal Information for cross-context behavioural advertising; there is nothing to opt out of, but you may always confirm this in writing.
To exercise these rights, email support@savvyheadshot.com from the address on your account. We honour the Global Privacy Control (“GPC”) signal as a request to opt out of sale/sharing where applicable.
14. Security
We use industry-standard security measures including TLS encryption in transit, encryption at rest for object storage, scoped access tokens, role-separated database credentials, and rate limiting on sensitive endpoints. No system is perfectly secure; if you believe your account has been compromised, contact us immediately at support@savvyheadshot.com.
15. Children
The Service is not intended for users under the age of 18, and we do not knowingly collect Personal Data from minors. If you are a parent or guardian and become aware that a child has provided us with Personal Data, please contact us and we will delete it.
16. International transfers
Savvy Headshot is based in the United States and our service providers operate in various jurisdictions. By using the Service, you understand that your Personal Data may be transferred to, stored, and processed in the United States and other countries where our service providers operate. Where required by applicable law, we rely on appropriate safeguards (such as Standard Contractual Clauses) for cross-border transfers.
17. Changes to this Policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top reflects the most recent revision. For material changes, we will notify you by email to the address on your account before the change takes effect.
18. Contact
Questions or requests about this Privacy Policy or your data? Email support@savvyheadshot.com. The data controller is Orz, LLC.