Compliance and Privacy

HeadshotPro's GDPR compliance, data processing roles, photo retention policies, and your rights as a data subject.

HeadshotPro is operated by Headshot Pro Photography Pte. Ltd., incorporated in Singapore. The platform is fully compliant with the European General Data Protection Regulation (GDPR) and related laws in Singapore. This page explains how data is processed, how long it is retained, and what rights you hold over your personal information.

The privacy policy applies to all use of www.headshotpro.com and its services. All data collected — personal and non-personal — is handled under policies that treat your data as belonging to you.

How it works

  1. HeadshotPro acts as a data processor on behalf of business customers. Under the GDPR, the organization purchasing HeadshotPro's service is the data controller. HeadshotPro is the processor. HeadshotPro processes personal data only on documented instructions from the customer and never for its own purposes — including no use for marketing, advertising, or profiling without explicit written consent.

  2. Data is collected only when you explicitly provide it. Personal information is requested at the point where it is needed (e.g., payment information during signup, email address for account creation). Non-essential data collection (e.g., optional analytics cookies) can be declined without affecting access to core features.

  3. Uploaded photos are deleted 30 days after gallery generation. Input photos are automatically purged 30 days after your generated gallery is ready. You can request earlier deletion at any time by contacting support. Generated headshots remain available for the duration of your active account and are exportable within 30 days of account termination.

  4. Your data is not used to train AI models. Uploaded photos and generated headshots are processed solely to deliver the service. HeadshotPro explicitly prohibits the use of customer content for model training or retraining without opt-in consent.

  5. Standard data retention periods are defined and enforced.

    • Financial records: 7 years
    • Customer data: retained for the duration of the customer relationship, plus at least 30 days after expiry
    • Personal data (PII): retained per GDPR requirements or until the collection purpose is fulfilled
    • Security logs: minimum 1 year, maximum 5 years
    • Backup data: retained for 1 year, then securely deleted

  6. Account deletion triggers data erasure within 14 days. When you request account deletion or explicitly ask for your data to be erased, all personally identifiable information is deleted within 14 days of confirmation.

  7. Primary customer data is stored in the European Economic Area, with SCCs covering any onward transfers. Customer photos and generated headshots are stored in Western Europe via Cloudflare R2. Application servers and a secondary failover storage tier are hosted in the United States. For any transfers of personal data from the EEA, the UK, or Switzerland to countries without an adequacy decision, HeadshotPro relies on EU Commission SCCs (Module Two: Controller to Processor, Decision 2021/914). For UK transfers, the ICO's International Data Transfer Addendum (B1.0) applies. The competent supervisory authority for GDPR matters is the Data Protection Commission of Ireland. For UK data subjects, it is the UK Information Commissioner's Office (ICO).

  8. HeadshotPro has an EU representative. As required by Article 27 GDPR, HeadshotPro has appointed iuro Rechtsanwälte GmbH t/a Prighter (Schellinggasse 3, 1010 Vienna, Austria; support@prighter.com) as its EU representative. Data subjects and supervisory authorities can contact this representative on matters related to GDPR processing.

  9. Personal Data Breach notification occurs within 48 hours. If a Personal Data Breach (as defined under the GDPR) is confirmed that affects customer data, HeadshotPro notifies the affected customer without undue delay and in any event within 48 hours of becoming aware, including the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and remediation measures taken or planned. This stricter SLA is set out in the Data Processing Agreement. Broader Security Incidents affecting customer data that do not rise to the level of a Personal Data Breach are notified within 72 hours under the Master Service Agreement.

  10. Data subject rights requests are supported. HeadshotPro provides tools and cooperation to help organizations respond to data subject rights requests, including access, rectification, erasure, restriction, and portability.

Good to know

  • Your rights under GDPR include: right of access (copy of all PII held), right to rectification, right to erasure, right to restriction of processing, right to data portability, and right to object to processing for direct marketing. Contact support@headshotpro.com to exercise any of these rights.
  • Photographs are processed as image data, not biometric data. HeadshotPro processes uploaded photos to generate AI headshots. Photos are not processed for the purpose of uniquely identifying a natural person and therefore do not constitute biometric data within the meaning of Article 9(1) GDPR.
  • A formal Data Processing Agreement (DPA) is available. Enterprise customers can enter into a separately executed DPA by contacting legal@headshotpro.com. The DPA governs processing roles, subprocessor authorizations, SCCs, audit rights, and breach notification obligations in detail.
  • Customer data is never shared with advertising networks. Personally identifiable information is not sold or shared with third parties for advertising purposes. Anonymous usage data may be shared with analytics partners in fully anonymized form.
  • HeadshotPro monitors for government and law enforcement access requests. If required by law to disclose customer data, HeadshotPro will notify the customer in advance where legally permitted, challenge requests it considers unlawful or disproportionate, and disclose only the minimum data necessary.
  • All data management activities comply with GDPR and CCPA in addition to Singapore's Personal Data Protection Act (PDPA). The data management policy was last reviewed March 12, 2025.
  • Policy changes require advance notice. HeadshotPro gives at least two weeks' notice before material changes to the privacy policy take effect. You can withdraw consent within that period.