Privacy Policy
Effective date: June 15, 2026 Last updated: June 15, 2026
This Privacy Policy explains how Juan Ignacio Molfino ("we", "us", "our") collects, uses, shares, and protects your personal information when you use Pic Your AI (the "Service") at https://picyourai.com/. We are the data controller for the personal data described here. If you have questions, contact us at privacy@picyourai.com.
1. A Note on Facial / Biometric Data
The core of our Service involves uploading photographs of your face and training a personalized AI model on them. Photographs of faces and the models derived from them may qualify as biometric or facial data under certain laws (for example, the EU GDPR treats them as a "special category" of data, and some U.S. states regulate biometric identifiers).
We process this data only with your explicit, informed consent, which we collect at the point you upload photos for training, and only to provide the Service to you — that is, to train your model and generate your images. We do not use your facial data to train models for other users, sell it, or use it for advertising. You can withdraw consent and delete this data at any time (see Section 8).
2. Information We Collect
| Category | Examples | Source |
|---|---|---|
| Account data | Email address; name/profile info (if provided via Google sign-in) | You / your sign-in provider |
| Consent records | Dates and versions of Terms, Privacy, and facial-processing consent | Collected when you accept |
| Photographs you upload | Selfies/source photos used to train your model | You |
| Derived AI assets | Your trained model (LoRA) and generated/edited images | Generated by the Service |
| Job and prompt data | Generation requests, prompts, status, errors | You / the Service |
| Billing data | Stripe customer ID, plan/pack purchased, credits, transactions | You / Stripe |
We do not store your full payment card details. Card data is handled directly by Stripe.
3. How We Use Your Information
We use your information to:
- Provide the Service: train your model, generate and edit your images, and deliver results.
- Process payments, manage subscriptions and credits, and prevent fraud.
- Send transactional emails (welcome, purchase confirmation, "your images are ready", failure/refund notices).
- Maintain security, enforce our Terms, and comply with legal obligations.
- Operate and improve the reliability of the Service.
4. Legal Bases for Processing (EEA/UK users)
Where the GDPR applies, we rely on:
- Consent — for processing your facial/biometric data and for marketing (if any). You may withdraw consent at any time.
- Performance of a contract — to provide the Service you signed up for.
- Legitimate interests — to secure the Service, prevent abuse, and operate our business, balanced against your rights.
- Legal obligation — to retain transaction records for tax/accounting.
5. How We Share Information (Sub-Processors)
We share data with third-party providers who process it on our behalf, only as needed to run the Service:
| Provider | Purpose | Data involved |
|---|---|---|
| Supabase | Authentication, database, storage of generated images | Email, profile, jobs, generated images |
| Cloudflare R2 | Storage of trained models (LoRAs) | Your trained model files |
| Fal | Model training and image generation/editing | Source photos, training ZIP, prompts, outputs |
| OpenAI (via Fal) | Quick-edit generation | Prompts and reference images |
| Google (Gemini) | Fallback image editing | Prompts and reference images |
| Stripe | Payments and subscriptions | Email, customer/billing data, plan/credit metadata |
| Resend | Transactional email delivery | Email address and message content |
| Upstash | Rate limiting / concurrency | Internal user identifier |
| Inngest | Background job orchestration | Job IDs, events, statuses |
| Telegram (if enabled) | Internal sales notifications | Customer name/email, purchase details |
We do not sell your personal information. We may also disclose information if required by law or to protect our rights and users.
6. International Data Transfers
Our providers may process data in the United States and other countries. Where we transfer personal data out of the EEA/UK, we rely on appropriate safeguards (such as Standard Contractual Clauses) where required.
7. Data Retention
| Data | Retention |
|---|---|
| Source photos (selfies) | Short-lived. Requested to expire within ~48 hours via the provider, and removed/redacted after successful training. Used only to create your model. |
| Training ZIP (intermediate) | Short-lived (~48 hours), used only as training input. |
| Trained model (LoRA) | Kept while your account exists and consent stands; deleted when you delete your account. |
| Generated/edited images | Kept while your account exists; deleted on account deletion (or individually for quick edits). |
| Account & consent data | Kept while your account exists; deleted on account deletion. |
| Transactions | Retained for accounting/tax compliance, but unlinked from you (anonymized) when you delete your account. |
8. Your Rights
Depending on where you live (e.g., under the GDPR or California's CCPA/CPRA), you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your data ("right to be forgotten").
- Withdraw consent to facial-data processing at any time.
- Object to or restrict certain processing.
- Data portability.
- Not be discriminated against for exercising your rights (CCPA).
How to exercise them. You can delete your account and associated data directly in the app using the "Delete my data" feature, which removes your profile, trained model, and generated images, and anonymizes your transaction records. For any other request, contact privacy@picyourai.com. We may need to verify your identity before acting.
If you are in the EEA/UK, you also have the right to lodge a complaint with your local data protection authority.
9. Security
We protect your data using authenticated, time-limited (signed) URLs for stored images and models, access controls scoped to each user, and private storage buckets. No system is perfectly secure, but we take reasonable measures to protect your information.
10. Children's Privacy
The Service is for adults (18+). We do not knowingly collect data from anyone under 18, and you may not upload photographs of minors. If we learn we have collected such data, we will delete it.
11. Changes to This Policy
We may update this Policy from time to time. We will post the new version with an updated date and, for material changes, notify you. Where required, we will request renewed consent.
12. Contact
Juan Ignacio Molfino Florida, United State Privacy contact: privacy@picyourai.com
This document reflects the Service's actual data practices as documented in our internal data inventory as of the effective date. It is provided as a strong starting point, not legal advice. Because the Service processes facial/biometric data and serves a global audience, we recommend review by a qualified privacy attorney before publishing, especially regarding GDPR special-category data and U.S. biometric laws such as Illinois BIPA.