Headshots.com LLC Privacy and Data Management Policy
This Privacy and Data Management Policy (the “Policy”) sets forth the manner in which Headshots.com LLC (“Headshots.com”) collects, uses, processes, manages, and protects personal data in connection with the provision of its Services.
Headshots.com maintains a security program aligned with SOC 2 Type II standards and applies industry-standard controls designed to safeguard client data throughout its lifecycle.
This Policy reflects Headshots.com’s commitment to data protection, contractual integrity, and compliance with applicable data protection laws, including, where applicable, the General Data Protection Regulation (GDPR).
1. Definitions
Client Data: Any information provided by, for, or on behalf of a client in connection with the Services, including submitted images, identifying information, organizational data, and related instructions or preferences. Client Data may include both Personal Data and non-personal data required to perform the Services.
Personal Data: Any information relating to an identified or identifiable individual, including images, likenesses, or other data that may be associated with an individual directly or indirectly.
Processing: Any operation or set of operations performed on Personal Data or Client Data, whether by automated or manual means, including collection, recording, organization, structuring, storage, adaptation, retrieval, use, transmission, dissemination, alignment, restriction, deletion, or destruction.
Services: The image processing, editing, and delivery of professional headshots provided by Headshots.com, including retouching, standardization, formatting, quality control, and related production workflows performed by the Production Team or supported by image-enhancement technologies.
Submitted Image: Any image file provided by, for, or on behalf of a client or individual for purposes of processing, editing, or generating a Deliverable.
Production Files: Any intermediate or working files created in the course of providing the Services, including edited versions, layered files, AI-assisted outputs, and other derivatives used for processing and quality control.
Deliverable: The final image or set of images produced by Headshots.com and provided to the client as part of the Services.
Authorized Personnel: Headshots.com employees, contractors, and service providers who are granted access to Client Data strictly on a need-to-know basis for purposes of performing the Services, and who are subject to confidentiality and data protection obligations.
Subprocessor: Any third-party service provider engaged by Headshots.com to support the provision of the Services and that may process Client Data on behalf of Headshots.com under contractual obligations consistent with this Policy.
Data Retention Period: The period during which Client Data and associated Production Files are retained for purposes of service delivery, quality assurance, and operational support, after which such data is deleted in accordance with this Policy unless otherwise required by law or agreed in writing with the client.
2. Personal Data Collected
Headshots.com collects only the personal data necessary for the adequate performance of the contractual arrangement with its clients and users and to comply with applicable legal obligations.
Account and User Information. When an account is created, Headshots.com may collect certain identifying information, including name, surname, email address, and production data. Headshots.com may collect data relating to the user and their organization, including company or employer name, submitted images, and any editing instructions or preferences provided in connection with the Services.
Communications. When users communicate with Headshots.com through email or other channels, Headshots.com collects the content of such communications and any information voluntarily provided.
Payment Information. To process payments, certain financial information may be required. Headshots.com relies on a third-party payment provider, Stripe, to process credit or debit card information, including card number, card type, expiration date, billing address, and name. Headshots.com does not have visibility into full payment card details and does not store credit card information. Stripe is a PCI-DSS Level 1 compliant processor, and all payment data is handled directly by Stripe.
3. Automatically Collected Data
When users access or interact with the Site or Services, certain information may be collected automatically. This information is necessary for the performance of the contractual relationship, compliance with legal obligations, and Headshots.com’s legitimate interest in maintaining and improving the functionality of its Services.
Log Data and Device Information. Headshots.com may collect log data and device-related information, including date and time of access, clickstream data, and referring or exit pages.
Tracking Technologies and Cookies. Headshots.com uses cookies and related technologies to support the operation of the Site. These may include tracking tags, click tracking codes, source tracking data, customer identifiers, and device-related information such as operating system or phone model.
Usage Information. Headshots.com uses analytics tools, including Google Analytics, to understand how users interact with the Site, including pages visited, content viewed, and user interactions. Such tools may place cookies to identify returning users. Users are encouraged to review Google’s privacy policy for additional information.
4. Use of Information
Headshots.com processes personal data in accordance with applicable data protection laws.
- to create and manage user accounts
- to manage and fulfill orders and deliver Services
- to process billing and invoicing
- to communicate with users
- to provide technical support
- to improve Services and analyze usage
- to ensure data security and prevent fraud
- to comply with applicable laws and regulatory requirements
- to request feedback and, where consent is provided, to publish testimonials
Headshots.com will process personal data only where it has a lawful basis to do so, including where processing is necessary for the performance of a contract, compliance with legal obligations, legitimate business interests, or where consent has been obtained. Where consent is relied upon, it may be withdrawn at any time.
5. Data Management, Retention, and Use Restrictions
Headshots.com processes Personal Data and Client Data solely for the purpose of delivering the Services and in accordance with this Policy and applicable law.
Data Handling and Access. Personal data, including submitted images and related production files, is treated as confidential and is accessible only to authorized personnel and systems required to perform the Services. Access is restricted on a need-to-know basis and governed by the principle of least privilege. Personal data is not stored on unauthorized devices, personal storage systems, or removable media.
Storage Standards. Personal data is stored in secure, controlled environments used for professional operations. Headshots.com maintains internal controls to ensure that data is handled consistently and in accordance with defined data protection and classification standards.
Retention. Personal data and associated working files are retained only for a limited period necessary to deliver the Services and support quality assurance.
Deletion. Client images and related working files, including intermediate and production files, are permanently deleted from systems and storage environments one (1) month and one (1) day after delivery of the Services. This deletion includes removal from active systems, local devices, and applicable backup cycles.
Extended Retention. Data is retained beyond the standard retention period only where explicitly requested by the client and approved in writing.
Data Minimization. Headshots.com limits the collection and retention of personal data to what is necessary for the performance of the Services and applicable legal obligations. Personal data is deleted or de-identified when no longer required for a legitimate business purpose, in accordance with internal policy.
Use Restrictions. Personal data and client images are not used for training machine learning or artificial intelligence models, are not incorporated into shared datasets, and are not reused outside the scope of the Services.
6. Cookies
Cookies are small text files stored on a user’s device when accessing the Site. Headshots.com uses cookies to support functionality, improve usability, and enhance the user experience.
Strictly necessary cookies are required for the operation of the Site and support security and core functionality.
Functional cookies allow the Site to remember user preferences such as language and time zone.
Performance cookies enable analysis of how users interact with the Site and support improvements in functionality.
Marketing and advertising cookies may be used to make content more relevant and to measure effectiveness, including those set by third-party providers.
Users may control cookie settings through their browser. Additional information is available at allaboutcookies.org.
7. Information from Minors
Headshots.com Services are not intended for individuals under the age of 18. Headshots.com does not knowingly collect personal data from minors. If such data is identified, it will be deleted promptly.
8. Payment Information
Payment information is processed exclusively by third-party providers, including Stripe. Headshots.com does not store or have access to full payment card details. All payment processing is conducted in accordance with applicable security standards.
9. Third-Party Links
The Site may contain links to third-party websites. Headshots.com does not control and is not responsible for the data handling practices of such third parties. Users are encouraged to review the privacy policies of those websites.
10. Security
Headshots.com has implemented technical and organizational measures designed to protect personal data from unauthorized access, disclosure, loss, or misuse.
Such measures include restricted access based on the principle of least privilege, confidentiality obligations for personnel, system monitoring, and contractual safeguards with subprocessors. These measures extend to the handling, storage, retention, and secure deletion of personal data throughout its lifecycle.
While reasonable safeguards are in place, the transmission of data over the internet cannot be guaranteed to be fully secure.
11. Data Subject Rights and Requests
Under applicable data protection laws, including the GDPR, individuals may have certain rights with respect to their personal data, including the right to access, correct, erase, restrict, or object to processing, withdraw consent where applicable, request data portability, and lodge a complaint with a supervisory authority.
In a team or enterprise context, personal data is typically processed by Headshots.com on behalf of a client organization. In such cases, requests to exercise these rights should, where appropriate, be directed to the relevant client organization, which acts as the primary controller of the data. Headshots.com will support such requests in accordance with its contractual obligations and applicable law.
Where Headshots.com acts as a controller, or where requests are submitted directly to Headshots.com, such requests may be directed to hello@headshots.com. Identity verification may be required prior to fulfilling any request. Headshots.com will respond to valid requests within the timeframes required under applicable law.
12. Contact
Questions regarding this Policy may be directed to:
Kateryna Pyatybratova
COO, Headshots.com
kateryna@headshots.com
+1 (202) 817-9176
