Privacy Policy

Last updated: 25 May 2026

1. Who we are

KoSelfie (“we”) is the data controller for the personal data described below. Contact us at privacy@koselfie.com.

2. Data we collect

• Account data: your email and Google account identifier via Supabase authentication.
• Photos you upload: source selfies stored in Supabase Storage under a user-scoped path.
• Biometric data (special category under GDPR Article 9): face embeddings extracted from your uploads via InsightFace for the purpose of measuring facial similarity between your source selfies and generated outputs.
• Pro pack only — personalized AI model (LoRA): if you purchase the Pro pack, we train a small adapter model (a LoRA) on your uploaded selfies so the generated photos look more like you. The trained model file is itself biometric data under GDPR Article 9 and is stored at Supabase under your user-scoped path. It is deleted on the same 30-day schedule as your photos.
• Order and payment data: order status and Stripe session identifier. Card data is held by Stripe, not by us.

3. Legal basis for biometric processing (GDPR Article 9)

We process face embeddings only with your explicit consent (Article 9(2)(a) GDPR), collected as a separate checkbox at sign-up and at upload.

If you purchase the Pro pack, we additionally train a personalized LoRA model on your face data. This is a separate processing purpose under GDPR and requires its own explicit consent — collected as a separate, named checkbox immediately before payment.

You can withdraw consent at any time by deleting your account, which deletes your uploads, embeddings, generated images, and any trained LoRA.

We do not use face embeddings or LoRA models for advertising, profiling, cross-user identification, or training shared AI models. Each LoRA is private to a single order.

4. How long we keep your data

• Uploaded selfies: deleted 30 days after upload.
• Generated images: available to you for 30 days, then deleted.
• Face embeddings: deleted with the related uploads.
• LoRA models (Pro pack only): deleted 30 days after delivery, on the same schedule as your photos.
• Order metadata: retained as required by EU tax and accounting law.

5. Sub-processors

• Supabase — authentication, database, storage.
• Fal.ai — image generation, NSFW classification, face similarity.
• Stripe — payments and tax.
• Resend — transactional email.
• Vercel — hosting.
• Sentry — error monitoring.

6. International transfers

Some sub-processors operate outside the EU. We rely on Standard Contractual Clauses to safeguard transfers where applicable.

7. Your rights

You can request access, correction, deletion, restriction, or portability of your personal data, and withdraw consent at any time. Email privacy@koselfie.com. You also have the right to lodge a complaint with your local data protection authority.

8. Cookies

We use a cookie banner to obtain consent for analytics cookies. Strictly necessary cookies for authentication and security are always on.

9. Changes to this policy

Material changes will be communicated by email or by an in-product notice before they take effect.