1. Who We Are
SnapSuited is operated by DGMA Limited, a company incorporated in Hong Kong ("we", "us", "our"). For data protection enquiries, please contact us at support@snapsuited.com.
Our service is hosted on EU-based servers operated via Coolify. Your data does not leave the EU/EEA except as described in Section 8 (International Transfers).
2. Information We Collect
We collect and process the following categories of personal data when you use SnapSuited:
- Selfie photographs: The 1–3 photographs you voluntarily upload to generate AI headshots. These are used solely to produce your output images and are not shared with third parties for their own purposes.
- Generated headshots: The AI-produced headshot images associated with your account.
- Account email address: Collected at registration for authentication, transactional communications, and account management.
- Payment transaction data: Processed entirely by Stripe, Inc. We receive a transaction reference and confirmation only — we never store card numbers, bank details, or full payment credentials.
- Analytics data: Anonymised usage data collected via Google Analytics 4 (GA4) through Google Tag Manager, subject to your cookie consent. This includes pages visited, session duration, and device type — no personally identifiable information is included.
- Technical log data: IP addresses, browser type, and timestamps, retained for security and fraud prevention for up to 90 days.
3. How We Use Your Information
We process your personal data for the following purposes and on the following legal bases:
- To deliver the AI headshot generation service — lawful basis: performance of a contract (GDPR Art. 6(1)(b)).
- To process payment and issue receipts via Stripe — lawful basis: performance of a contract.
- To send transactional emails (order confirmation, download ready, account actions) — lawful basis: performance of a contract.
- To detect and prevent fraud and abuse — lawful basis: legitimate interests (GDPR Art. 6(1)(f)).
- To analyse aggregate usage patterns and improve our service — lawful basis: legitimate interests, subject to your cookie consent for analytics tracking.
- To comply with applicable legal obligations — lawful basis: legal obligation (GDPR Art. 6(1)(c)).
4. AI-Generated Photos Disclosure
All headshot images produced by SnapSuited are AI-generated. They are stylised professional portraits created by a machine learning model trained on licensed photographic data. They are not real photographs.
This disclosure is provided in our product interface before you generate any headshots and again at the point of purchase. By using our service, you acknowledge that the output images are AI-generated.
Free-tier preview images include a visible watermark identifying them as AI-generated. High-definition watermark-free images require a paid plan.
5. Data Retention
We retain personal data only for as long as necessary for the purposes described in this policy:
- Selfie uploads: Automatically and permanently deleted within 30 days of your headshot generation session. This window allows you to request re-runs within the same order period. After 30 days your source photos are irrecoverably deleted from our systems.
- Generated headshots: Retained in your account indefinitely until you delete them manually, or until your account is closed.
- Account email address: Retained for the duration of your account and for a period of up to 36 months after account closure for legal and audit purposes, then permanently deleted.
- Payment records: Retained for 7 years to comply with EU accounting and tax obligations.
- Analytics data: Aggregated and anonymised; retained per Google Analytics default retention settings (14 months per event).
- Security log data: Retained for up to 90 days.
6. Your Rights Under GDPR
If you are located in the EU, EEA, or UK, you have the following rights in relation to your personal data:
- Right of access (Art. 15): Request a copy of the personal data we hold about you.
- Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements.
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
- Right to restriction of processing (Art. 18): Ask us to limit how we process your data in certain circumstances.
- Right to object (Art. 21): Object to processing based on our legitimate interests.
- Right to withdraw consent: Where processing is based on consent (e.g. analytics cookies), you may withdraw at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, email support@snapsuited.com. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority.
7. Third Parties We Share Data With
We do not sell, rent, or trade your personal data. We share data only with the following carefully selected service providers, each bound by data processing agreements:
- Stripe, Inc. — payment processing. Stripe receives billing information necessary to process your transaction. Stripe is PCI-DSS Level 1 certified. See stripe.com/privacy.
- Google LLC (Google Analytics 4 via Google Tag Manager) — anonymised usage analytics, subject to your cookie consent. Data is processed under Standard Contractual Clauses. See policies.google.com/privacy.
- Resend, Inc. — transactional email delivery (order confirmations, account emails). Resend receives your email address and email content only. See resend.com/privacy.
- Coolify / server infrastructure provider — EU-based server hosting. The infrastructure provider has no access to application-level data beyond server operations.
8. International Data Transfers
Our primary data processing infrastructure is located within the European Union. However, some of our third-party service providers (including Stripe and Google) are headquartered in the United States.
For any transfer of personal data to a country outside the EU/EEA that does not have an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (SCCs) as the appropriate safeguard. Each of our US-based providers has entered into SCCs or participates in the EU–US Data Privacy Framework.
9. Cookies
We use cookies and similar tracking technologies on our website. A full description of the cookies we use, their purpose, and how to control them is available in our Cookie Policy at snapsuited.com/cookies.
10. Children's Privacy
SnapSuited is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you are under 13, please do not use our service or provide any personal information.
If we become aware that we have inadvertently collected personal data from a child under 13, we will delete it promptly. Parents or guardians who believe their child has submitted data to us should contact us at support@snapsuited.com.
Users between 13 and 16 years of age in EU member states may require parental or guardian consent under applicable national law implementing GDPR Article 8.
11. Illinois Residents — Biometric Information (BIPA)
The Illinois Biometric Information Privacy Act (BIPA) imposes specific requirements on entities that collect, use, or store "biometric identifiers" such as scans of face geometry.
SnapSuited's position for Phase 0: Our AI model processes uploaded selfie photographs to generate stylised artistic portrait images. We do not create or store mathematical representations of facial geometry (biometric templates) as a distinct data element. The photographs themselves are processed and deleted within 30 days as described in Section 5.
Phase 0 operational option under consideration: We may implement geo-detection to present Illinois residents with an explicit opt-in consent notice prior to any upload processing, consistent with BIPA requirements, or alternatively restrict service access from Illinois until a formal legal review is complete.
TODO (CEO): Obtain formal legal opinion from a US attorney qualified in Illinois law before serving Illinois residents. Decision required: (a) implement BIPA-compliant opt-in consent flow, or (b) geo-block Illinois for Phase 0. Do not launch to Illinois traffic without this decision documented.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, service features, or applicable law. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email.
We encourage you to review this policy periodically. Continued use of SnapSuited after changes are posted constitutes your acceptance of the updated policy.
13. Contact Us
If you have questions about this Privacy Policy, wish to exercise your data rights, or have a complaint about our data practices, please contact us:
- Email: support@snapsuited.com
- Entity: DGMA Limited (Hong Kong)
- EU GDPR supervisory authority: You may also contact the data protection authority in your country of residence.