Privacy Policy

Introduction

This privacy policy explains how Reader Digital Ltd ("Profyle", "we", "us") collects, uses, and protects your personal information when you use pro-fyle.co.uk and the Profyle headshot service. We process biometric data (your facial images) and treat that with the heightened care UK GDPR Article 9 requires.

Who We Are

Reader Digital Ltd is the data controller for the personal information we collect. Company number 17078748. Registered office: 4 Bader Close, Stratford-upon-Avon, Warwickshire, CV37 5AU. ICO registration: C1906880. Contact: [email protected].

Information We Collect

You give us: name and email at checkout via Stripe; your selfie photographs uploaded after payment (this is biometric special category data under UK GDPR Article 9); order preferences (tier, niche, optional notes).

We collect automatically: IP address and approximate location; browser, device and operating system information; pages visited, time on site, referring URL; cookies (see our Cookie Policy).

We receive from third parties: Stripe sends us your payment confirmation and last four digits of your card. We never see or store full card details.

Why We Use Your Information and the Legal Basis

To process your order, generate your headshots, deliver them to you — Contract performance (UK GDPR Art 6(1)(b)).

To process your facial images to generate headshots — Explicit consent (UK GDPR Art 9(2)(a)), given via the consent gate before upload.

To send order confirmation and delivery emails — Contract performance.

To detect and prevent fraud, abuse, payment disputes — Legitimate interest (UK GDPR Art 6(1)(f)).

To improve our service, anonymously analyse traffic — Legitimate interest, plus your consent for analytics cookies.

To show you relevant adverts on Google — Your consent for marketing cookies.

To comply with our legal obligations (tax, accounting) — Legal obligation.

You can withdraw your consent at any time. Withdrawing consent doesn't affect any processing we've already done lawfully.

How Long We Keep Your Data

Your selfie uploads — deleted within 30 days of order completion.

Generated headshots — available to you for 90 days via your delivery link, then archived for 12 months for support, then deleted.

Order records (name, email, tier, amount) — 6 years (HMRC requirement).

Email correspondence — 2 years.

Analytics data — 14 months (GA4 default).

Marketing cookies data — up to 2 years (or until you withdraw consent).

Who We Share Your Data With

We share your data only with the suppliers we need to deliver the service. Each is bound by a data processing agreement.

Stripe — payment processing (EU, UK, US — Stripe is GDPR-certified).

Cloudflare R2 — storing your selfies and generated headshots (EU).

Replicate — AI processing of your selfies into headshots (US, with EU-US Data Privacy Framework).

Resend — sending your order and delivery emails (EU).

Google Analytics 4 — anonymous traffic analytics (only with your consent, EU/US).

Google Ads — advertising effectiveness measurement (only with your consent, EU/US).

We do not sell your data. We do not use your selfies or headshots to train AI models.

International Transfers

Some of our suppliers (notably Replicate) process data in the United States. Where this happens, we rely on the EU-US Data Privacy Framework (suppliers self-certified), Standard Contractual Clauses approved by the European Commission, and additional safeguards including encryption in transit and at rest. You can request a copy of these safeguards by emailing [email protected].

Biometric Data and Consent

Your selfies are biometric data and are treated as UK GDPR Article 9 special category data. Before you upload, we ask for your explicit consent via a consent gate. We use the selfies only to train a personalised model that generates your headshots. Originals are deleted within 30 days. We do not use your selfies or generated headshots to train any general-purpose AI model.

Your Rights

Under UK GDPR you have the right to: access the personal data we hold about you; correct inaccurate or incomplete data; delete your data ("right to erasure"), subject to our legal retention obligations; restrict processing in certain circumstances; receive your data in a machine-readable format (portability); object to processing based on legitimate interest; withdraw consent at any time, including withdrawing consent for biometric processing; complain to the Information Commissioner's Office at ico.org.uk or 0303 123 1113.

To exercise any right, email [email protected]. We respond within one calendar month.

Cookies

See our Cookie Policy for the full list of cookies we use, how to manage them, and how to withdraw your consent. You can change your cookie settings at any time by clicking the Cookie preferences link in the footer of any page.

Security

We use HTTPS (TLS 1.3) on all connections; encryption at rest for stored selfies and headshots; time-limited, signed URLs for upload and delivery links; two-factor authentication on staff accounts; regular review of access logs. If we discover a personal data breach that's likely to result in a risk to your rights, we'll notify the ICO within 72 hours and tell you directly without undue delay.

Children's Privacy

Profyle is not intended for use by children under 18. We don't knowingly collect data from children. If you believe a child has used Profyle, contact [email protected] and we'll delete the records.

Changes to This Policy

We update this policy when our practices change. The "Last updated" date tells you when. Material changes will be flagged via email to active customers.

Contact Information

For any privacy question: email [email protected] or write to Reader Digital Ltd, 4 Bader Close, Stratford-upon-Avon, Warwickshire, CV37 5AU.

For complaints not resolved with us, contact the Information Commissioner's Office at ico.org.uk · 0303 123 1113 · Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.