Privacy Policy

1. Who We Are

PassportPic.ai (“we,” “us,” or “our”) operates the website at passportpic.ai. We are the data controller for the personal data described in this policy. For privacy questions or data requests, contact [email protected].

2. Our Privacy Commitment

PassportPic.ai is built so that your photo never leaves your device. Photo processing happens entirely in your browser. We cannot see, access, or store the images you process.

3. Photos Are Never Uploaded

When you use PassportPic.ai:

• Your photo is processed entirely in your browser using WebAssembly and WebGPU
• The photo never leaves your device or browser memory
• We have no server endpoint that receives your photo
• No photo data is transmitted to us or to any third party

4. Face Detection and Biometric Data

To check whether your photo meets passport specifications, we run face-landmark detection using Google’s MediaPipe model. This runs entirely in your browser on the device you are using.

• No biometric identifier or biometric information template is created on our servers.
• Face-landmark coordinates are used in-memory to position and crop your photo and are discarded when you leave the page or refresh.
• We do not transmit, store, sell, lease, trade, or otherwise profit from any biometric data.
• We do not retain face-landmark data after your session ends.

This applies to all users, including residents of Illinois (BIPA), Texas (CUBI), and Washington.

5. Information We Do Collect

We collect a limited set of information to operate the service:

• Usage analytics (PostHog): page views, clicks, the country and document type you select, device type, browser, approximate location derived from IP address, and session replays of your interactions with our pages. Replays mask all form inputs and never include the photos you are processing.
• Payment information: if you make a purchase, our payment processor (Lemon Squeezy) handles your payment details. We never see or store card numbers. We receive an order record and your email address from Lemon Squeezy.
• Local browser storage:we store your country selection and analytics identifiers in your browser’s localStorage so the app works between visits. This data stays on your device.

6. Cookies and Tracking Technologies

We use cookies and similar technologies (localStorage, sessionStorage) for two purposes:

• Strictly necessary: remembering your country selection and the AI models cached in your browser so the app loads faster.
• Analytics (with your consent in the EU/UK): PostHog uses cookies and localStorage to recognise repeat visits and produce session replays. You can withdraw consent at any time using the cookie settings link in our footer.

7. Legal Bases for Processing (EU/UK Users)

• Contract (Art. 6(1)(b) GDPR): processing payment information to fulfil your order.
• Legitimate interest (Art. 6(1)(f) GDPR): security, fraud prevention, and basic site functionality.
• Consent (Art. 6(1)(a) GDPR): non-essential analytics and session replay (PostHog).

8. Service Providers and Sub-Processors

We share data with the following processors:

• Vercel (USA) — website hosting and content delivery.
• PostHog (USA) — product analytics, heatmaps, and session replay.
• Lemon Squeezy (USA) — payment processing and merchant of record for paid plans (not yet active).

None of these processors receive your photos. Data may be transferred to and stored in the United States. Where you are in the EU/UK, transfers rely on the EU Standard Contractual Clauses or the UK International Data Transfer Addendum.

9. Data Retention

• Photos and face-landmark data: never stored — discarded when you close or refresh the page.
• Analytics data (PostHog):retained according to PostHog’s default retention (typically 12 months for events, 30 days for session replays).
• Order records: retained for 7 years to meet tax and accounting obligations.
• Email correspondence: retained for 2 years from last contact.

10. Your Rights

Depending on where you live, you may have the right to:

• Access the personal data we hold about you
• Correct inaccurate data
• Delete your data (“right to be forgotten”)
• Restrict or object to processing
• Data portability
• Withdraw consent for analytics at any time
• Lodge a complaint with your local data protection authority

California residents (CCPA/CPRA):you have the right to know what personal information we collect, to delete it, to correct it, and to opt out of any “sale” or “sharing” of personal information for cross-context behavioural advertising. We do not sell personal information. Use the cookie settings link in our footer to opt out of analytics “sharing.”

To exercise any of these rights, email [email protected].

11. Children’s Privacy

PassportPic.ai is not directed at children under 13. A parent or guardian may use the service to create a passport photo of their child; in that case the photo is processed entirely on the parent’s device and is never transmitted to us. We do not knowingly collect personal information from children under 13. If you believe we have, contact us at [email protected] and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be highlighted on this page. The “Last updated” date at the top of this policy reflects the most recent revision.

13. Contact Us

For privacy questions, data requests, or to exercise any of the rights above, contact: [email protected]