← Back to home

Privacy Policy

Last updated May 6, 2026

1. Data We Collect

  • Account data: email, full name, password hash (managed by Supabase Auth), Google OAuth profile if you sign in with Google.
  • Photos: selfies you upload for AI training, room photos you upload for virtual staging, and the AI-generated images we produce for you.
  • Payment data: handled by LemonSqueezy. We store the order/subscription identifier and the customer ID; we do not see or store your card number.
  • Usage: request logs (route, status, anonymized IP), error reports (Sentry), and aggregated product analytics.

2. How We Use Your Data

  • To provide and operate the Service (training, generation, staging, billing);
  • To send transactional email (welcome, training started, headshots ready, staging ready, account deletion);
  • To investigate errors and improve reliability;
  • To prevent fraud and enforce these terms.

3. Photo Retention

Training inputs (the selfies you upload) are automatically deleted from our storage 90 days after your training run completes. You can also delete them at any time by deleting your account.

Generated headshots and staged rooms remain in your account until you delete them or your account.

4. Third-Party Subprocessors

We share necessary data with these subprocessors to deliver the Service:

  • Supabase — auth, database, and private storage of your photos and metadata.
  • fal.ai — runs LoRA training and FLUX inference on your photos. Photos are sent over signed URLs.
  • Decor8 AI — performs virtual staging on the room photos you upload.
  • LemonSqueezy — handles checkout, payments, subscriptions, and stores your billing details.
  • Resend — delivers transactional email.
  • Sentry — captures application error reports and a limited session replay (only after you grant analytics consent).
  • Inngest — runs background training and generation jobs.

5. Your Rights (GDPR / CCPA)

You have the right to:

  • Access the data we hold about you;
  • Delete your account and associated data via Settings;
  • Portability: download your generated images at any time;
  • Correct inaccurate account data;
  • Opt out of analytics and marketing cookies via the Cookie Settings link.

California residents (CCPA): we do not sell or share your personal information for cross-context behavioral advertising.

6. Cookies

We classify cookies in three categories:

  • Strictly necessary — required for sign-in (Supabase auth cookies) and CSRF protection. Always on.
  • Analytics & performance — Sentry error monitoring and session replay on errors. Loaded only after consent.
  • Marketing — conversion attribution. Off by default.

7. Security

All traffic is served over TLS. Supabase Storage buckets are private and accessed via short-lived signed URLs. We use row-level security on our database, and service-role keys are restricted to server-side code.

8. Children

The Service is not intended for users under 18. We do not knowingly collect personal data from children.

9. International Data Transfers

Our infrastructure and subprocessors operate primarily in the United States. By using the Service you consent to your data being processed in the United States.

10. Changes to this Policy

We'll post material changes here and notify you by email when appropriate. The “last updated” date at the top reflects the most recent revision.

11. Contact

For privacy questions or to exercise your rights, email privacy@agentportraits.ai.