Privacy Policy

As a Swiss company, we are subject to the Swiss Data Protection Act (DSG). For users in the EU, we comply with the General Data Protection Regulation (GDPR).

3.1 Registration and Account Data:

• Email address
• Full name
• Password (encrypted)
• Account type (private/business customer)
• Creation and update timestamps

3.2 Image Data:

• Photos you upload
• AI-generated images
• Processing metadata (tool type, timestamps)

3.3 Usage and Transaction Data:

• Credit balance and usage
• Subscription status
• Payment information (via external payment provider)
• Ratings and feedback (NPS ratings)

3.4 B2B-Specific Data:

• Company name
• Employee email addresses
• Consent declarations (timestamp, IP address)
• HR dashboard activities

3.5 Technical Data:

• IP address
• Browser type and version
• Operating system
• Access times
• Referrer URL
• Session data (cookies)

4.1 Contract Performance (Art. 6(1)(b) GDPR):

• Platform and service provision
• AI-powered image processing
• Account management and credit system
• Payment processing

4.2 Consent (Art. 6(1)(a) GDPR):

• Processing of employee photos (B2B)
• Marketing communications (if consented)
• Analytics cookies

4.3 Legitimate Interests (Art. 6(1)(f) GDPR):

• Service improvement
• Security and fraud prevention
• Error analysis and system stability

4.4 Legal Obligations (Art. 6(1)(c) GDPR):

• Retention of invoices (tax law)
• Compliance with legal disclosure requirements

4.5 Email Marketing and One-Time Follow-Up / Offer Emails:

If you have provided your email address in the B2C order process without completing a purchase, we may send you one email with a personalised offer (e.g. a discount code). The purpose is a context-specific follow-up (“win-back” offer).

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR). Our interest is in contacting users who have started but not completed the purchase process; data subjects may object at any time (opt-out in each email or by email to support@profilebakery.com).

Retention / Objection: We record which email addresses have already received such a follow-up email in order to avoid duplicate sends. You may object to the use of your email for such emails at any time; we will then not send any further offer emails of this kind.

Recipients: Emails are sent via our service provider Resend; see the section “Disclosure to Third Parties”.

We use AI technology for automated image processing. This applies to both paid orders and our free demo previews.

Processing is performed by specialized AI services (e.g., Replicate, OpenAI). When you upload a photo for a free demo, it is immediately transmitted to these services to generate the result. Your images are used exclusively for order fulfillment and not for training AI models.

We disclose your data to the following categories of recipients:

• Cloud hosting providers: For storage and platform delivery (Server locations primarily EU)
• Database services: For secure data storage (Supabase)
• AI processing services: For image editing and generation (e.g., Replicate, OpenAI based in the USA)
• Payment processors: For payment and subscription management (Stripe)
• Email services: For transactional emails (Resend)
• Error analysis tools: For system stability and error handling (Sentry)
• Analytics services: For anonymized usage statistics (Google Analytics)

All recipients are contractually obligated to comply with data protection regulations.

Some of our service providers (particularly AI services like Replicate and OpenAI, as well as analytics services) have server locations outside the EU/EEA, primarily in the USA.

Transfers are based on adequacy decisions by the EU Commission (e.g., EU-U.S. Data Privacy Framework) or Standard Contractual Clauses according to Art. 46 GDPR to ensure an adequate level of data protection. By using the free demo feature, you explicitly consent to this transfer for the purpose of image generation.

• Account data: As long as your account is active
• B2B upload process: Uploaded images deleted after 1 hour
• B2C generated images: Automatically deleted after 30 days (subject to change)
• Selected images: Stored permanently until manual deletion
• Payment data: According to tax retention requirements (10 years)
• Log files: Automatic deletion after 90 days

9.1 For B2B customers, we act as a data processor pursuant to Art. 28 GDPR. The customer is the controller for employee data.

9.2 The customer is responsible for obtaining employee consent. We provide a GDPR-compliant template for this purpose.

9.3 For compliance purposes, we record: consent timestamp and IP address.

10.1 Technically necessary cookies:

• Session management and authentication
• Security features
• Preferences (e.g., language)

10.2 Analytics (with consent):

We use anonymized analytics tools to understand and improve platform usage.

10.3 Error analysis:

To ensure system stability, we use error tracking services that capture pseudonymized error data.

AI-powered image processing is automated. However, there is no profiling within the meaning of Art. 22 GDPR that has legal effects on you.

You have the following rights:

• Right of access (Art. 15 GDPR): Information about your stored data
• Right to rectification (Art. 16 GDPR): Correction of incorrect data
• Right to erasure (Art. 17 GDPR): Deletion of your data
• Right to restriction (Art. 18 GDPR): Restriction of processing
• Right to data portability (Art. 20 GDPR): Transfer of your data in structured format
• Right to object (Art. 21 GDPR): Object to processing
• Right to withdraw consent (Art. 7 GDPR): Withdraw given consents

Contact: support@profilebakery.com

You have the right to lodge a complaint with a data protection supervisory authority regarding the processing of your personal data.

Switzerland: Federal Data Protection and Information Commissioner (FDPIC)
Germany: State data protection officer of your federal state

We implement technical and organizational measures to protect your data:

• Encrypted data transmission (SSL/TLS)
• Encrypted data storage
• Access restrictions and authorization concepts
• Regular security updates

Providing your data (email, name, images) is required to use our services. Without this data, we cannot provide our service.