We respect your privacy and are committed to protecting your personal data. This policy explains what information we collect, how we use it, and the rights you have under UK GDPR and the Data Protection Act 2018. Please read it carefully before using our services.
AI Headshot ("we", "us", "our") is a trading name registered in England and Wales. We operate the website aiheadshot.click and provide AI-powered professional headshot and corporate portrait photography services to individuals and organisations worldwide.
For the purposes of UK data protection law, we are the data controller responsible for your personal data.
Contact: [email protected]
Website: aiheadshot.click
We collect and process the following categories of personal data:
| Data Type | Examples | Collected When |
|---|---|---|
| Identity data | First name, last name | Placing an order or contacting us |
| Contact data | Email address, phone number | Placing an order or contacting us |
| Photo data | Photographs and selfies you upload — either via the contact/enquiry form before an order, or as part of fulfilling an order | Submitting your order |
| Payment data | Billing address, last 4 card digits | Completing a purchase (via Stripe) |
| Order & preferences | Package selected, style preferences, brief notes | Placing an order |
| Communications | Messages sent via our contact form or email | Contacting us |

| Data Type | Examples | Purpose |
|---|---|---|
| Technical data | IP address, browser type, device type, operating system. Your IP address is also explicitly recorded when you submit our contact form, for the purpose of spam and abuse prevention (rate limiting). IP-based rate-limit records are stored on our server for up to 1 hour, after which they are automatically purged. | Security, fraud prevention, analytics |
| Usage data | Pages visited, time on site, clicks, referring URLs | Website improvement and analytics |
| Cookie data | Session identifiers, preference cookies | See Section 9 — Cookies |
We do not intentionally collect sensitive special category data (such as racial or ethnic origin, political opinions, health data, or biometric identifiers). Photographs you submit may incidentally reveal such information; we process these solely to deliver your headshot order and will not use them for any other purpose.
We use your personal data for the following purposes:
Under UK GDPR, we rely on the following lawful bases:
| Purpose | Lawful Basis |
|---|---|
| Processing your order and delivering services | Performance of a contract (Article 6(1)(b)) |
| Processing enquiry-stage photos submitted via the contact form (before any order exists) | Legitimate interests (Article 6(1)(f)) — necessary to assess and respond to your enquiry. Photos are deleted within 30 days if no order follows. |
| Recording IP addresses for spam and abuse prevention (contact form rate limiting) | Legitimate interests (Article 6(1)(f)) — necessary to protect our services from automated abuse. Data is held for a maximum of 1 hour. |
| Processing payment and preventing fraud | Legitimate interests / Legal obligation (Article 6(1)(c) & (f)) |
| Marketing emails (where opted in) | Consent (Article 6(1)(a)) — withdrawable at any time |
| Marketing to existing customers | Legitimate interests (Article 6(1)(f)) |
| Website analytics and improvement | Legitimate interests (Article 6(1)(f)) |
| Compliance with legal obligations | Legal obligation (Article 6(1)(c)) |
The photographs you upload are central to our service. Here is how we handle them:
We will never sell, license, or share your photographs with third parties for marketing, advertising, or any purpose other than delivering your order — without your explicit written consent.
We may share your data with the following carefully selected third parties, all of whom are bound by appropriate data processing agreements:
| Third Party | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing | USA (adequacy safeguards in place) |
| Google LLC | Analytics (Google Analytics), Ads, Email (Gmail/Workspace) | USA (adequacy safeguards in place) |
| Cloud storage provider | Secure file storage and delivery | EEA / UK |
| Email service provider | Transactional and marketing emails | EEA / UK |
| AI imaging platform | Generating your AI headshots | EEA / UK (or adequacy safeguards) |
We do not sell your personal data. We do not share your data with any other third parties except where required by law (e.g. in response to a court order or regulatory authority).
| Data Type | Retention Period | Reason |
|---|---|---|
| Enquiry-stage photos (uploaded before an order is placed) | 30 days from the date of submission | To assess your enquiry and prepare previews. Permanently deleted if no order follows. |
| Uploaded photographs (order placed) | 30 days after order completion | To allow for revision requests, then permanently deleted |
| IP address — contact form spam prevention (rate-limit files) | Maximum 1 hour | Automatically purged. Used solely to prevent automated abuse of our contact form. |
| IP address — contact form submission record (email log) | 6 years (within order/enquiry correspondence) | Legal and financial compliance; fraud prevention audit trail |
| Completed headshots (delivered files) | 90 days after delivery | Available for re-download from your online gallery; then deleted from our servers |
| Order records and correspondence | 6 years from order date | Legal and financial compliance obligations |
| Marketing consents and opt-outs | Until you withdraw consent or 3 years of inactivity | To honour your preferences and comply with PECR |
| Website analytics data | 26 months (aggregated) | Standard Google Analytics retention period |
As we serve clients worldwide, some of your data may be transferred to and processed in countries outside the United Kingdom. Where this occurs, we ensure appropriate safeguards are in place, including:
You may request details of the specific safeguards in place by contacting us at [email protected].
Our website uses cookies and similar tracking technologies to improve your browsing experience and help us understand how visitors use our site. You can manage your cookie preferences at any time using the cookie banner on our website.
| Cookie Type | Purpose | Consent Required |
|---|---|---|
| Strictly necessary | Essential for the website to function (e.g. session management, security) | No — exempt |
| Analytics / performance | Google Analytics — helps us understand site usage to improve our services | Yes |
| Marketing / advertising | Google Ads conversion tracking and remarketing | Yes |
| Preference cookies | Remembering your cookie consent choices | No — functional necessity |
You can withdraw consent for non-essential cookies at any time by clicking "Cookie Settings" in the footer of our website, or by configuring your browser settings. Please note that disabling certain cookies may affect the functionality of our website.
Under UK GDPR, you have the following rights in relation to your personal data:
To exercise any of these rights, please contact us at [email protected]. We will respond within one month of receiving your request (or within three months for complex or multiple requests, with notification). There is no charge for exercising your rights.
We may need to verify your identity before processing a request.
Our services are intended for adults aged 18 and over. We do not knowingly collect personal data from children under the age of 18. If you believe a child has provided us with personal data, please contact us immediately at [email protected] and we will take prompt steps to delete it.
We may update this Privacy Policy from time to time to reflect changes to our practices, services, or legal requirements. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email.
We encourage you to review this policy periodically. Continued use of our services after any changes constitutes your acceptance of the updated policy.
If you have any questions about this Privacy Policy or our data practices, or if you wish to exercise your data rights, please get in touch:
📍 Registered in England & Wales
If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's independent data protection regulator: