1. Introduction
ProHeadshot is an AI-powered service that generates professional headshot photographs from user-uploaded photos. The service is available to individuals (credit purchases, with optional LoRA add-on) and businesses (credit packs with team management and LoRA model included). This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our service at proheadshot.ch.
We are committed to protecting your privacy in accordance with the Swiss Federal Act on Data Protection (nFADP) and the EU General Data Protection Regulation (GDPR).
2. Data Controller
Company: ProHeadshot
Operator: Charles Kombi
Address: Chemin des Lentillières 3b, 1023 Crissier, Suisse
Country: Switzerland
Contact: privacy@proheadshot.ch | 🔒 proheadshot@proton.me
Supervisory authority: PFPDT (Préposé fédéral à la protection des données et à la transparence)
3. Data We Collect
- Account data: email address, name, language preference
- Uploaded photos: images you submit for AI processing
- Generated images: AI-produced headshots
- Payment metadata: transaction references processed by Stripe (we never store card numbers)
- Technical data: IP address pseudonymized via irreversible hashing, browser user-agent
- Consent records: timestamps and versions of your consent
- Team data (Enterprise): team name, member list, roles, usage statistics
- LoRA training data: training selfies, custom LoRA model, unique identifier (trigger word) and captioning metadata
4. Purpose of Processing
- Provide AI headshot generation from your uploaded photos
- Account creation and management
- Process payments and issue invoices
- Prevent fraud, abuse, and unauthorized access
- Comply with legal obligations under Swiss and EU law
- Team administration and Enterprise plan management
- Custom LoRA model training from your selfies (all users with LoRA access)
5. Biometric Data
Important: Uploaded photographs containing facial features are considered biometric personal data and are treated as sensitive data under both the Swiss FADP and the EU GDPR. We process this data exclusively based on your explicit consent, which you provide at the time of upload. You may withdraw this consent at any time.
6. International Data Transfers
Certain processing operations involve a temporary transfer of data to service providers located outside Switzerland:
- GPU processing (AI image generation) may be performed by providers located in the United States (Fal.ai, RunPod) or in the EU.
- These transfers are governed by Standard Contractual Clauses (SCCs) adopted by the European Commission, supplemented by a Swiss-specific addendum ('Swiss Rider') in accordance with FDPIC requirements.
- Images submitted for standard generation are processed in memory and deleted immediately. However, custom LoRA models — trained biometric representations — are persistently stored by our GPU subprocessor (Fal.ai, EU) for the duration of your plan, then deleted in accordance with our retention policy.
- For transfers to the United States, we have verified that our providers adhere to the Swiss-U.S. Data Privacy Framework or offer equivalent safeguards.
7. Data Protection Impact Assessment (DPIA)
In accordance with Art. 22 Swiss FADP, we have conducted a Data Protection Impact Assessment (DPIA) to evaluate the risks associated with processing facial biometric data. This assessment covers the necessity and proportionality of processing, implemented security measures, retention periods, and residual risks for data subjects. The DPIA is regularly updated and is available upon request from our data protection officer.
8. No Profiling
ProHeadshot does not perform any profiling within the meaning of Art. 5(f) Swiss FADP. The processing of your biometric data is strictly limited to one-time generation of professional portraits. No behavioral analysis, personality categorization, biometric scoring, or persistent facial recognition is performed. The AI models used retain no memory of your face after generation.
9. Storage & Retention
We minimize data retention. All image data is automatically and permanently deleted according to the following schedule:
| Data Type | Retention Period |
|---|---|
| Uploaded source photos | 24 hours |
| Preview images | 24 hours |
| Final generated images | 7 days |
| Custom LoRA model | Duration of plan + 30 days |
| Backups | 48 hours maximum |
10. Hosting & Data Location
- Primary infrastructure is hosted in Switzerland (Infomaniak)
- GPU processing is performed in EU data centers. Custom LoRA models are persistently stored at Fal.ai (EU) for the duration of the plan
- No personal data is permanently stored outside Switzerland or the EU
11. Subprocessors
| Provider | Purpose | Location |
|---|---|---|
| Infomaniak | Hosting & object storage | Switzerland 🇨🇭 |
| Fal.ai | GPU inference (fallback) + LoRA training and model storage + image analysis (AI captioning) | EU 🇪🇺 |
| Sightengine | Content moderation | EU 🇪🇺 |
| Stripe | Payment processing | EU / US (PCI-DSS) |
| Brevo | Transactional emails | EU 🇪🇺 |
13. Your Rights
Under the Swiss FADP and the EU GDPR, you have the following rights:
- Right of access: Request a copy of all personal data we hold about you
- Rectification: Correct inaccurate or incomplete personal data
- Deletion: Request permanent deletion of your data
- Restriction: Limit how we process your data
- Data portability: Receive your data in a structured, machine-readable format
- Withdrawal of consent: Withdraw your consent at any time without affecting prior processing
14. Exercising Your Rights
To exercise any of the above rights, please contact us at privacy@proheadshot.ch. We will respond to your request within 30 days.
15. Security Measures
- Encryption in transit (TLS) and at rest
- Strict access controls and role-based permissions
- Audit logging of all data access and processing events
- IP addresses are pseudonymized via irreversible hashing — never stored in plain text
- Automated data deletion via scheduled cleanup jobs
16. Data Breach Notification
In accordance with Art. 24 of the Swiss Federal Act on Data Protection (nFADP), in the event of a data security breach presenting a high risk to the personality or fundamental rights of data subjects, we will notify the Federal Data Protection and Information Commissioner (FDPIC) as soon as possible. We will also inform affected individuals when necessary for their protection or when requested by the FDPIC. The notification includes the nature of the breach, its likely consequences, and the measures taken or planned.
17. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on our website.