Privacy Policy
Last updated: April 9, 2026
1. Introduction
Kaptoria ("we," "us," or "our") is operated by Aevum Technology LTD, a company registered in England and Wales. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our website at kaptoria.com and our AI headshot generation service.
We are committed to protecting your privacy and processing your data in accordance with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), the UK Data Protection Act 2018, and the California Consumer Privacy Act (CCPA/CPRA).
2. Information We Collect
Account Data
When you create an account, we collect your email address and name. This data is stored in our database hosted on Supabase.
Photos
When you use our headshot generation service, you upload photos of yourself. These photos are temporarily stored in Supabase Storage and are deleted immediately after your headshot generation completes. We do not retain your original uploaded photos.
Generated Headshots
AI-generated headshots are stored in your account gallery and retained for as long as your account exists. You may delete them at any time.
Payment Data
Payment transactions are processed entirely by Stripe. We never receive, store, or have access to your full credit card number. Stripe may collect your payment card details, billing address, and related information directly under their own privacy policy.
Usage Data
We use Cloudflare Web Analytics to understand how our site performs. This is a cookieless, privacy-first analytics tool that does not collect any personal data, does not set cookies, and does not track individual users. See Section 10 for more details.
3. How We Use Your Information
We use your information for the following purposes:
- Account creation, authentication, and management
- AI headshot generation using Google's GenAI SDK
- Payment processing via Stripe
- Transactional emails (account confirmation, payment receipts)
- Service improvement through aggregate, anonymised analytics (Cloudflare Web Analytics)
We do not use your photos or personal data for AI model training, advertising, or any purpose beyond providing you with our service.
4. Third-Party Services
We share data with the following third-party services, each acting as a data processor on our behalf:
| Service | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase | Auth, database, file storage | Account data, photos, headshots | US |
| Google GenAI | AI image generation | Uploaded photos (transient processing only) | US |
| Stripe | Payment processing | Payment details | US |
| Cloudflare | CDN and web analytics | Aggregate usage data (no personal data) | Global |
| Railway | Application hosting | Application data in transit | US |
Photos sent to Google GenAI are used solely for generating your headshots and are not used for AI model training. Google's data usage terms for their GenAI API apply to this processing.
5. Data Retention
- Original uploaded photos: Deleted immediately after headshot generation completes.
- Generated headshots: Retained while your account exists. Deleted within 30 days of account deletion.
- Account data: Retained until you request deletion.
- Payment records: Retained as required by UK tax law (typically 6 years).
- Analytics data: Cloudflare retains aggregate data per their own retention policy. No personal data is involved.
6. Your Rights Under UK GDPR / EU GDPR
If you are in the UK or European Economic Area, you have the following rights regarding your personal data:
- Right of access — request a copy of your personal data
- Right to rectification — request correction of inaccurate data
- Right to erasure — request deletion of your personal data ("right to be forgotten")
- Right to data portability — receive your data in a structured, machine-readable format
- Right to restrict processing — request that we limit how we use your data
- Right to object — object to processing of your personal data
- Right to withdraw consent — where processing is based on consent, you may withdraw it at any time
To exercise any of these rights, email us at [email protected]. We will respond within 30 days, which may be extended by up to 60 days for complex requests in accordance with GDPR Article 12.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) in the UK or your local EU supervisory authority.
7. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have the following additional rights:
- Right to know — what personal information we collect and how it is used
- Right to delete — request deletion of your personal information
- Right to opt-out of sale — we do not sell your personal data to third parties
- Right to non-discrimination — we will not treat you differently for exercising your rights
To exercise these rights, contact us at [email protected].
8. International Data Transfers
Your data may be processed in the United States by our service providers (Supabase, Google, Stripe, Railway). We ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) and data processing agreements with each provider. UK adequacy decisions apply where available.
9. Children's Privacy
Our service is restricted to users aged 16 and over. We do not knowingly collect personal data from anyone under 16. If we become aware that we have collected data from a user under 16, we will promptly delete their account and all associated data.
10. Cloudflare Web Analytics
We use Cloudflare Web Analytics to understand how visitors use our site and to improve performance. This tool is specifically designed with privacy in mind:
- It does not use cookies or any client-side state
- It does not collect personal data or personally identifiable information
- It does not track individual users across sessions
- It collects only aggregate metrics such as page views, referrers, and browser types
Because Cloudflare Web Analytics does not use cookies or collect personal data, it is compliant with GDPR, CCPA, and the UK Privacy and Electronic Communications Regulations (PECR) without requiring user consent.
11. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by placing a prominent notice on our website. Your continued use of our service after notification constitutes acceptance of the updated policy. Previous versions are available upon request.
12. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:
- Email: [email protected]
- Entity: Aevum Technology LTD
- Registered in: England and Wales