Privacy Policy

This Privacy Policy describes how Stately Vows ("we," "us," or "our") collects, uses, retains, and discloses information when you use our website and AI portrait generation services. For details specific to biometric data, see our Biometric Data Policy.

1. Information We Collect

Information you provide

• Account information: email address, password (hashed), display name, year of birth
• Reference photographs you upload for portrait generation (processed transiently to generate your portraits and not stored on our servers — see Section 4 and our Biometric Data Policy)
• Order and shipping information: name, address, phone number, payment data (processed by Stripe; we do not store full card numbers)
• Communications, support emails, marketing preferences
• Consent records: version, timestamp, IP address, and user agent at each consent moment

Information collected automatically

• Device and browser information
• Usage data: pages viewed, generation timestamps, feature interactions
• IP address (for security, fraud prevention, and approximate region inference)
• Cookies and similar technologies (see Section 9)

2. Sensitive Personal Information

Photographs depicting facial features are classified as sensitive personal information under the California Consumer Privacy Act (as amended by CPRA) and as special-category data under the European General Data Protection Regulation. We process this information only with your explicit consent and solely to generate the AI portraits you have requested. We never sell or share this information for cross-context behavioral advertising. To limit our processing of your sensitive personal information, visit our Privacy Choices page.

3. How We Use Your Information

• Generate, deliver, and fulfill the portraits you request
• Maintain your account and provide customer support
• Process payments and fulfill physical orders through our print partners
• Detect, prevent, and respond to fraud, abuse, and violations of our Terms
• Comply with legal obligations and respond to lawful requests
• Send transactional communications; with separate opt-in, occasional marketing emails (unsubscribe anytime)

We do not use your reference photographs to train AI models, sell them to third parties, or use them for any purpose other than fulfilling your portrait request.

4. Data Retention

• Reference photographs: not stored on our systems. They are re-encoded in your browser (which strips EXIF metadata), processed in memory for your generation request, transmitted directly to OpenAI, and not retained by us after the request completes. OpenAI applies its own limited retention window (up to 30 days, abuse-monitoring only) outside our control. See our Biometric Data Policy.
• Generated portraits: stored in your account only if you are signed in and choose to save them; retained until you delete them. Temporary working copies are automatically purged.
• Account information: retained while your account is active and for up to 3 years after deletion for fraud prevention, tax, and legal compliance
• Order and transaction records: retained for 7 years for tax and accounting compliance
• Consent records: retained for the lifetime of your account plus 3 years

5. How We Share Information

We do not sell your personal information. We share information only as follows:

• AI processing partners. Your reference photographs are transmitted to OpenAI solely to generate your requested portraits. OpenAI's API data policy prohibits training on API-submitted images and provides 30-day retention for abuse monitoring only.
• Payment processors. Stripe receives the payment information necessary to process transactions. We do not store full card numbers.
• Fulfillment partners. If you order prints or merchandise, your shipping address and the final image file are shared with our print partner (Printful, Prodigi, or WHCC) solely to fulfill your order.
• Service providers. Hosting (Vercel), database and storage (Supabase), email delivery (Resend), and analytics (PostHog) providers receive limited information necessary to operate the Service.
• Legal compliance. We may disclose information when legally required (subpoena, court order, government request) or to protect our rights, property, or safety.

6. Your Rights & Choices

• Access & Portability: request a copy of the personal information we hold about you
• Correction: request that we correct inaccurate information
• Deletion: request that we delete your personal information, subject to legal retention requirements
• Opt-out of sale or sharing: we do not sell or share personal information, but you may file a formal opt-out via Privacy Choices
• Limit use of sensitive personal information: California residents may request limited processing of sensitive personal information
• Withdraw consent: revoke any consent (does not affect prior processing)
• Non-discrimination: we will not deny service or charge different prices for exercising your privacy rights

Exercise these rights via your account settings or by emailing nilehagen@gmail.com. We respond within 45 days (or longer where permitted by law).

7. Children

The Service is intended only for adults aged 18 and over. We do not knowingly collect personal information from anyone under 18. If we learn we have collected information from a person under 18, we will promptly delete it. Parents or guardians may contact us to request deletion.

8. International Visitors

The Service is operated in the United States. If you access the Service from outside the United States, you consent to transfer and processing of your information in the United States. For visitors from the EEA or UK, we rely on your explicit consent (GDPR Article 6(1)(a) and Article 9(2)(a)) as the lawful basis for processing.

9. Cookies & Tracking

We use first-party cookies necessary for authentication (session), security (CSRF prevention), and basic preferences. Limited third-party analytics (PostHog) help us understand aggregate usage. We respect the Global Privacy Control (GPC) signal: when GPC is sent by your browser, we treat it as an opt-out request for non-essential processing.

10. Security

We use industry-standard security measures including TLS encryption in transit, encryption at rest for the data we store (your saved portraits and account information), role-based access controls, and short-lived signed URLs for image access. Our strongest protection for your reference photographs is that we do not store them at all (Section 4). No method of transmission or storage is 100% secure; we cannot guarantee absolute security.

11. Changes to This Policy

We may update this Privacy Policy from time to time. The updated policy will be posted on this page with a revised version and effective date. Material changes will be notified to registered users by email; renewed consent will be obtained where required.

12. Contact

For privacy questions or to exercise your rights, contact nilehagen@gmail.com.