Privacy Policy
[Your Business Name]
Effective Date: March 24, 2026
1. Introduction
This Privacy Policy describes how [Your Business Name] ("we," "us," or "our") collects, uses, stores, and protects your personal information when you use our photo restoration website and services (the "Service"). We are committed to protecting your privacy and handling your data with transparency.
By using the Service, you consent to the data practices described in this policy. If you do not agree with this policy, please do not use the Service.
2. Information We Collect
2.1 Account Information
When you create an account, we collect the following information through our authentication provider, Clerk:
- Email address (provided directly or via Google authentication)
- Name (if provided through Google authentication)
- Google account identifier (if you use Google sign-in)
If you register with email and password, your password is managed and securely hashed by Clerk. We do not have access to or store your plaintext password.
2.2 Photos You Upload
When you use the Service, you upload photographs for restoration ("Photos"). These Photos may contain personal or sensitive imagery, including identifiable faces. We process these Photos solely to provide the restoration service.
2.3 Payment Information
When you purchase tokens, payment is processed by Stripe, Inc. We do not receive, store, or have access to your full credit card number, debit card number, or bank account details. Stripe may share with us a transaction identifier, the last four digits of your card, and the transaction amount for record-keeping purposes. Stripe's collection and use of your payment information is governed by the Stripe Privacy Policy.
2.4 Automatically Collected Information
We collect minimal technical information necessary to operate the Service, which may include your IP address, browser type, and device information transmitted in standard HTTP requests. We do not use analytics cookies, tracking pixels, advertising cookies, or any other tracking technologies beyond what is strictly necessary for the Service to function.
Clerk may set strictly necessary cookies or tokens for session management and authentication. These are functional cookies required for the Service to operate and are not used for tracking or advertising purposes.
3. How We Use Your Information
We use the information we collect for the following purposes and no others:
| Information | Purpose |
|---|---|
| Email address | Account creation, login authentication, and service-related communications (e.g., password resets) |
| Photos | Processing through Google Vertex AI for restoration; temporary storage for download availability |
| Payment data (via Stripe) | Processing token purchases and maintaining transaction records |
| Technical data (IP, browser) | Service operation, security, and abuse prevention |
| Authentication data (via Clerk) | Account management, session handling, and secure login |
We do not use your information for marketing, advertising, profiling, automated decision-making, or any purpose other than providing and securing the Service.
4. How We Share Your Information
We do not sell, rent, trade, or otherwise share your personal information or Photos with third parties for their own purposes. We share data only with the following service providers, solely to operate the Service:
- Google Vertex AI: Your Photos are transmitted to Google Vertex AI for processing. Per Google Cloud's data processing terms, customer data submitted to Vertex AI is not used by Google to train its AI models. Google processes this data as a data processor on our behalf.
- Stripe: Your payment information is transmitted directly to Stripe for transaction processing. We do not handle or store your full payment details.
- Supabase: Your account data and Photos are stored in Supabase-hosted infrastructure. Supabase acts as a data processor on our behalf.
- Clerk: Your authentication data (email, name, Google account identifier, session tokens) is processed by Clerk for account management and login functionality. Clerk acts as a data processor on our behalf. Clerk's privacy policy governs their handling of this data.
- Google Authentication: If you use Google sign-in (facilitated through Clerk), limited account information is exchanged with Google for authentication purposes.
We may also disclose your information if required to do so by law, court order, or governmental regulation, or if we believe in good faith that such disclosure is necessary to protect our rights, your safety, or the safety of others.
5. Photo Data and Facial Imagery
The Photos you upload may contain images of identifiable individuals, including facial imagery. We want to be transparent about how this data is handled:
- We do not perform facial recognition, facial geometry analysis, or biometric identification of any kind on your Photos.
- Photos are sent to Google Vertex AI solely for image restoration (enhancement, denoising, colorization, etc.) and not for any biometric processing.
- We do not extract, store, or create biometric identifiers or biometric information (as defined under laws such as the Illinois Biometric Information Privacy Act) from your Photos.
- We do not use Photos for AI model training, machine learning training, or any purpose beyond the restoration service you requested.
You represent that you have the consent of any identifiable individuals in Photos you upload, or that you otherwise have the legal right to submit those Photos for processing.
6. Data Retention and Deletion
6.1 Photo Retention
Both original and restored Photos are stored for thirty (30) days following processing to give you time to download your results. After 30 days, Photos are automatically and permanently deleted (hard delete). This deletion is irreversible and no copies are retained in backups or archives.
6.2 Account Data
Your account information (email address, authentication data) is retained for as long as your account remains active. Account data managed by Clerk is retained in accordance with Clerk's data retention policies for the duration of your account. You may request deletion of your account at any time.
6.3 Account Deletion
When you delete your account, the following occurs immediately and irreversibly: all Photos (original and restored) are permanently deleted regardless of the 30-day window, all unused tokens are forfeited, and your account information is removed from our active systems. We also initiate deletion of your data from Clerk's systems in accordance with their data processing agreement. Residual data in system logs may persist for up to 90 days for security and fraud-prevention purposes before being purged.
6.4 Payment Records
We retain transaction records (purchase date, amount, and Stripe transaction ID) for as long as required by applicable tax and accounting laws, typically up to seven (7) years. These records do not contain your full payment card details.
7. Data Security
We implement commercially reasonable technical and organizational measures to protect your personal information and Photos, including encryption of data in transit (TLS/SSL), access controls, and secure infrastructure provided by Supabase, Clerk, and Google Cloud.
However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee its absolute security.
8. International Data Transfers
Our Service is available globally. Your data may be transferred to and processed in the United States or other countries where our service providers (including Supabase, Google, Stripe, and Clerk) operate. These countries may have data protection laws that differ from those in your jurisdiction.
By using the Service, you consent to the transfer of your information to countries outside your country of residence, including the United States. Where required by applicable law, we rely on standard contractual clauses, adequacy decisions, or other lawful transfer mechanisms to facilitate international data transfers.
9. Your Rights
Depending on your location, you may have certain rights regarding your personal information. We honor the following rights for all users, regardless of jurisdiction:
- Access: You may request a copy of the personal information we hold about you.
- Correction: You may request correction of inaccurate personal information.
- Deletion: You may delete your account at any time, which triggers permanent deletion of all associated data as described in Section 6.3.
- Data Portability: You may download your Photos at any time during the 30-day retention window.
- Withdraw Consent: You may withdraw your consent to data processing by deleting your account. Note that this will end your ability to use the Service.
9.1 Additional Rights for EEA/UK Residents (GDPR)
If you are located in the European Economic Area or the United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR), including the right to lodge a complaint with your local data protection authority. Our legal bases for processing your data are: contract performance (to provide the Service), legitimate interests (security and fraud prevention), and consent (where applicable).
9.2 Additional Rights for California Residents (CCPA/CPRA)
If you are a California resident, you have rights under the California Consumer Privacy Act and the California Privacy Rights Act, including the right to know what personal information we collect, the right to delete your information, and the right to opt out of the sale of personal information. We do not sell your personal information and have never done so.
9.3 Additional Jurisdiction-Specific Rights
Residents of other jurisdictions with applicable data protection laws (including but not limited to Brazil's LGPD, Canada's PIPEDA, and Australia's Privacy Act) may have additional rights. We will comply with applicable local laws. To exercise any such rights, please contact us using the information in Section 12.
10. Children's Privacy
The Service is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will promptly delete that information and terminate the associated account.
If you are a parent or guardian and believe your child under 13 has provided us with personal information, please contact us immediately.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via the email address associated with their account. The "Effective Date" at the top of this policy indicates when it was last revised.
Your continued use of the Service after the effective date of a revised policy constitutes acceptance of the changes.
12. Contact Information
If you have any questions about this Privacy Policy, wish to exercise your data rights, or have a privacy concern, please contact us at:
[Your Business Name]
[Your Email Address] (Data Protection Inquiries)
[Your Mailing Address]
For GDPR-related inquiries, we can be reached at the above contact information. If we appoint a Data Protection Officer in the future, their contact details will be published here.