Privacy Policy

As a Swiss company, we are subject to the Swiss Data Protection Act (DSG). For users in the EU, we comply with the General Data Protection Regulation (GDPR).

3.1 Registration and Account Data:

• Email address
• Full name
• Password (encrypted)
• Account type (private/business customer)
• Creation and update timestamps

3.2 Image Data:

• Photos you upload
• AI-generated images
• Processing metadata (tool type, timestamps)

3.3 Usage and Transaction Data:

• Credit balance and usage
• Subscription status
• Payment information (via external payment provider)
• Ratings and feedback (NPS ratings)

3.4 B2B-Specific Data:

• Company name
• Employee email addresses
• Consent declarations (timestamp, IP address)
• HR dashboard activities

3.5 Technical Data:

• IP address
• Browser type and version
• Operating system
• Access times
• Referrer URL
• Session data (cookies)

4.1 Contract Performance (Art. 6(1)(b) GDPR):

• Platform and service provision
• AI-powered image processing
• Account management and credit system
• Payment processing

4.2 Consent (Art. 6(1)(a) GDPR):

• Processing of employee photos (B2B)
• Marketing communications (if consented)
• Analytics cookies

4.3 Legitimate Interests (Art. 6(1)(f) GDPR):

• Service improvement
• Security and fraud prevention
• Error analysis and system stability

4.4 Legal Obligations (Art. 6(1)(c) GDPR):

• Retention of invoices (tax law)
• Compliance with legal disclosure requirements

4.5 Email Marketing and One-Time Follow-Up / Offer Emails:

If you have provided your email address in the B2C order process without completing a purchase, we may send you one email with a personalised offer (e.g. a discount code). The purpose is a context-specific follow-up (“win-back” offer).

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR). Our interest is in contacting users who have started but not completed the purchase process; data subjects may object at any time (opt-out in each email or by email to support@profilebakery.com).

Retention / Objection: We record which email addresses have already received such a follow-up email in order to avoid duplicate sends. You may object to the use of your email for such emails at any time; we will then not send any further offer emails of this kind.

Recipients: Emails are sent via our service provider Resend; see the section “Disclosure to Third Parties”.

We use AI technology for automated image processing. This applies to both paid orders and our free demo previews.

Processing is performed by specialized AI services (Cloudflare, Inc./Replicate, USA). When you upload a photo for a free demo, it is immediately transmitted to these services to generate the result. Your images are used exclusively for order fulfillment and not for training AI models.

We disclose personal data only to the extent necessary for service delivery. Recipients are:

• Cloud hosting & delivery: Vercel, Inc. (USA)
• Database & data storage: Supabase, Inc. (EU, Frankfurt)
• AI image processing: Cloudflare, Inc./Replicate (USA)
• Payment processor: Stripe, Inc. (USA)
• Email delivery: Resend / Plus Five Five, Inc. (USA)
• Error tracking: Sentry / Functional Software, Inc. (USA)
• Web analytics (with consent): PostHog, Inc. (EU, Frankfurt)
• Web analytics & advertising (with consent): Google Ireland Ltd. / Google Analytics, Google Ads (EU/USA)

All recipients are contractually obligated to comply with data protection regulations.

Some of our service providers (particularly AI processing, hosting and analytics services) have server locations outside the EU/EEA, primarily in the USA.

Transfers are based on adequacy decisions by the EU Commission (EU-U.S. Data Privacy Framework) or Standard Contractual Clauses pursuant to Art. 46 GDPR. By using the free demo feature, you explicitly consent to the transfer of your images for image generation purposes pursuant to Art. 49(1)(a) GDPR.

• Account data: As long as your account is active
• B2B upload process: Uploaded original photos are deleted after completion of processing, at the latest within 48 hours
• B2C generated images: Automatically deleted after 30 days (subject to change)
• Demo photos (B2C): Generally deleted after 48 hours; exceptionally retained for a short period for technical bug analysis, then fully deleted
• Selected images: Stored permanently until manual deletion
• Payment data: According to tax retention requirements (10 years)
• Log files: Automatic deletion after 90 days

9.1 For B2B customers, we act as a data processor pursuant to Art. 28 GDPR. The customer is the controller for employee data.

9.2 The customer is responsible for obtaining employee consent. We provide a GDPR-compliant template for this purpose.

9.3 For compliance purposes, we record: consent timestamp and IP address.

10.1 Technically necessary cookies:

• Session management and authentication
• Security features
• Preferences (e.g., language)

Legal basis: Art. 6(1)(b)/(f) GDPR — no consent required.

10.2 Error tracking (no consent required):

We use Sentry (Functional Software, Inc., USA) for system stability. Sentry captures pseudonymized error data and IP addresses. Legal basis: Art. 6(1)(f) GDPR (legitimate interest).

10.3 Analytics cookies (consent required):

Only if you accept in the cookie banner, we use:

• PostHog, Inc. — usage analytics (EU servers, Frankfurt)
• Google Analytics 4 / Google Ads — usage analytics and ad measurement (Google Ireland Ltd.)

Legal basis: Art. 6(1)(a) GDPR / § 25 TDDDG. You may withdraw consent at any time by reopening the cookie banner or clearing cookies in your browser.

AI-powered image processing is automated. However, there is no profiling within the meaning of Art. 22 GDPR that has legal effects on you.

ProfileBakery embeds machine-readable metadata (C2PA standard) in all generated images. Users who publish AI-generated images have their own disclosure obligation under Art. 50(4) EU AI Act (Regulation (EU) 2024/1689) to indicate that the content is AI-generated. This obligation rests with the user as deployer, not with ProfileBakery.

You have the following rights:

• Right of access (Art. 15 GDPR): Information about your stored data
• Right to rectification (Art. 16 GDPR): Correction of incorrect data
• Right to erasure (Art. 17 GDPR): Deletion of your data
• Right to restriction (Art. 18 GDPR): Restriction of processing
• Right to data portability (Art. 20 GDPR): Transfer of your data in structured format
• Right to object (Art. 21 GDPR): Object to processing
• Right to withdraw consent (Art. 7 GDPR): Withdraw given consents

Contact: support@profilebakery.com

You have the right to lodge a complaint with a data protection supervisory authority regarding the processing of your personal data.

Switzerland: Federal Data Protection and Information Commissioner (FDPIC)
Germany: State data protection officer of your federal state

We implement technical and organizational measures to protect your data:

• Encrypted data transmission (SSL/TLS)
• Encrypted data storage
• Access restrictions and authorization concepts
• Regular security updates

Providing your data (email, name, images) is required to use our services. Without this data, we cannot provide our service.

To provide our free demo previews in a cost-efficient manner, demo photos may be transferred to and processed by AI service providers and their subprocessors in third countries, particularly the USA (including processing in data centers operated by providers such as Google Cloud and Amazon Web Services).

By uploading a photo for the demo and using the demo feature, you explicitly consent to this third-country transfer pursuant to Art. 49(1)(a) GDPR. Where available, we additionally rely on appropriate safeguards (in particular Standard Contractual Clauses).

Your photos are not used for AI model training. Demo photos are generally deleted after 48 hours. If temporary retention is required to analyze and resolve technical bugs or errors, demo photos may be kept for a short period and then deleted completely.