This policy describes how AiHeadshots (operated by Studio Pod, in Houston, Texas) manages data across its full lifecycle — from the moment it is created or collected, through storage and retention, to secure deletion. It applies to all AiHeadshots employees, contractors, and third parties with access to AiHeadshots data.
1. Data classification
We classify data into four sensitivity levels so that handling and controls match the risk:
- Public — no disclosure risk (marketing material, published help content). May be shared freely.
- Internal — limited impact if exposed (internal docs, directories, policies). Kept within the organization.
- Confidential — moderate-to-high risk (customer accounts, uploaded photos, financial records). Access is limited to those with a legitimate business need, and the data is protected with encryption.
- Critical — severe impact if exposed (credentials, encryption keys, secrets). Strictest controls, including multi-factor authentication and audit logging.
2. Data inventory & flow mapping
We maintain records of the data we hold — its type, owner, storage location, format, classification, and retention requirement — and review them regularly. We also document how data moves internally and to sub-processors, and update those maps when a process or vendor relationship changes.
3. Retention periods
We keep data only as long as it serves a clear purpose. Default retention timelines:
- Uploaded selfies (model input) — deleted within 7 days of your headshots being generated, or sooner on request.
- Generated headshots — retained for 30 days after delivery so you can re-download them, then deleted. Download what you want to keep within that window.
- Customer account data — kept for the duration of the customer relationship plus a short wind-down period.
- Financial & tax records — retained for 7 years to meet legal and accounting obligations.
- Security & access logs — retained 1–5 years, then securely deleted.
- Backups — rotated and securely destroyed on a rolling schedule, generally within 1 year.
4. Secure deletion
Data that is no longer required is securely deleted or irreversibly anonymized. Electronic data is permanently erased; physical records, where any exist, are shredded. Deletion extends to sub-processors who held the data on our behalf.
5. Legal & regulatory compliance
We operate in line with the GDPR, the CCPA, and other applicable data protection laws. We honor data-subject rights including the right of access and the right to erasure. A valid litigation hold or legal obligation may temporarily extend a retention period.
6. Data minimization & accuracy
We collect only the data we need to generate your headshots and run the service, and we keep it accurate and current. We do not use your uploaded photos to train public or general-purpose models.
7. Breach notification
We maintain procedures to identify, contain, and respond to security incidents. If a breach affects your personal data, we will notify affected customers and the relevant authorities without undue delay.
8. Your rights & contact
You can request access to, correction of, or deletion of your data at any time. Email hello@aiheadshots.ai and we will respond promptly. See also our Privacy Notice and Security Policy.
9. Review
This policy is reviewed at least annually and whenever the regulatory landscape or our processing materially changes.



