Privacy Policy
Last updated: July 2, 2026
1. Who we are
Photora ("we", "us") operates photora.fun, an AI photo transformation service. This policy explains what personal data we collect, why, how long we keep it, and the rights you have over it. For questions or requests, email privacy@photora.fun.
Because the Service processes photographs of faces, some of the data we handle is sensitive. We designed the Service to keep that processing to the minimum necessary, as described below.
2. Data we collect
- Account data: email address, display name (optional), and a salted hash of your password. If you sign in with Google, we receive your Google account ID, verified email, and name; we never see your Google password.
- Photos: the selfies you upload (Input Images) and the AI-generated results (Output Images).
- Billing data: our payment provider Paddle (merchant of record) processes your payment details. We never receive your full card number — only transaction metadata such as amount, currency, plan, and a customer reference.
- Usage and technical data: generation counts, timestamps, credit balances, and standard server logs (IP address, user agent, requested URL) kept for security and rate-limiting.
- Cookies: a single strictly-necessary session cookie (
photora_sid) to keep you logged in, plus a CSRF token. We do not use advertising or cross-site tracking cookies.
3. How we use your photos
- Your uploaded selfie is re-encoded, stored in a private, non-web-accessible directory, and transmitted over TLS to an AI model provider (via OpenRouter) solely to generate your headshot.
- The uploaded selfie is deleted from our servers immediately after processing completes.
- Generated results (previews and HD files) are stored privately in your account so you can view and download them. They are visible only to you.
- We do not use your photos to train AI models, we do not sell them, and we do not publish them. Our infrastructure providers process them only as needed to deliver the Service.
4. Legal bases (EEA/UK users)
Where the GDPR/UK GDPR applies, we process your data on these bases: performance of a contract (account, photo processing, payments), legitimate interests (security logging, fraud and abuse prevention, service improvement), consent (any optional marketing emails — which you can withdraw anytime), and legal obligation (tax and accounting records held via Paddle).
5. Who we share data with
- OpenRouter, Inc. and the underlying AI model provider (Google) — receive the Input Image and the transformation prompt to generate your result.
- Paddle.com Market Ltd — payment processing, invoicing, and tax compliance as merchant of record.
- Google LLC — only if you choose "Continue with Google" for sign-in.
- Hostinger — our hosting provider, which stores our database and files.
We never sell personal data. We may disclose data if required by law or to protect our rights, users, or the public. Some providers are located outside your country; where required, transfers rely on adequacy decisions or standard contractual clauses.
6. Retention
- Uploaded selfies: deleted immediately after processing.
- Generated images: kept while your account is active, or until you delete them or ask us to.
- Account data: kept while your account exists; deleted within 30 days of account deletion, except where retention is legally required.
- Payment records: retained by Paddle and by us as required by tax law (typically 6–10 years).
- Server logs: rotated and deleted within 90 days.
7. Security
All traffic is encrypted with TLS. Passwords are stored only as modern salted hashes. Photos are stored outside the web-accessible directory and served only to their authenticated owner. Access to production systems is restricted and secrets are stored outside the web root. No system is perfectly secure; if a breach affecting your data occurs, we will notify you and the relevant authority as required by law.
8. Your rights
Depending on your location, you may have the right to access, correct, delete, or export your data, to restrict or object to processing, and to withdraw consent. You can exercise these rights by emailing privacy@photora.fun from your account email; we respond within 30 days. EEA/UK users may also lodge a complaint with their data-protection authority. California residents have equivalent rights under the CCPA/CPRA; we do not "sell" or "share" personal information as defined there.
9. Children
The Service is not directed to children and may not be used by anyone under 18. We do not knowingly process images of minors; if we become aware of such content we delete it and may terminate the account.
10. Changes
We may update this policy from time to time. Material changes will be announced by email or in-app notice before taking effect. The "Last updated" date at the top reflects the current version.