HeadshotMax

Biometric Retention & Destruction Policy

How we collect, use, retain, and destroy selfies in HeadshotMax — written in plain English and aligned to the Illinois Biometric Information Privacy Act (BIPA, 740 ILCS 14).

Last updated: 2026-06-04 · Version 1.1

1. What this policy covers

HeadshotMax is an iOS app that takes a selfie you provide and uses an AI image-generation service to create stylized headshots. This policy explains what happens to that selfie. It is separate from our general Privacy Policy and applies only to biometric data.

BIPA defines "biometric identifier" to include "a scan of hand or face geometry" and "biometric information" as any information based on a biometric identifier used to identify an individual. See 740 ILCS 14/10.

2. What we collect

Selfies you capture in the app. Standard color photographs taken with your iPhone's camera, or photos you pick from your library when you choose the "use existing photo" option.
Derived data sent to the AI provider during generation. The selfie itself is sent as input to the generation model. If the model computes an internal face embedding (a mathematical representation of facial geometry), that embedding exists only inside the provider's inference process and is not returned to us, stored by us, or persisted by the provider after the generation job completes. We treat the possibility of an embedding existing as enough to bring this entire flow under BIPA, out of caution.

We do not collect: video, depth maps, Face ID data, voice prints, fingerprints, iris scans, or any other biometric modality.

3. Why we collect it

One purpose, narrowly: generating the stylized AI headshots you asked for. That is the only use we make of your selfie. We do not use it for:

Training AI models (ours or our provider's).
Advertising, marketing, or analytics targeting.
Identifying you to third parties.
Building a face-search index.
Selling, leasing, trading, or otherwise profiting from your biometric data.

The no-sale rule is a hard prohibition under 740 ILCS 14/15(c) — even with your consent, we cannot sell biometric data. We do not.

4. Who has access

Exactly two entities touch your selfie:

HeadshotMax (HiForrest): The app and our backend, which receives your selfie, forwards it to the AI provider, returns the generated headshots to your phone, and then deletes the inputs on the schedule below.
Our AI generation provider (Singapore): Our generation provider, Inference runs in Singapore via our provider's international model-serving endpoint. Your selfie does not enter mainland China. Our provider has publicly committed not to use customer data for model training.

No one else has access. We do not share with advertisers, data brokers, analytics vendors, or social networks. We do not use facial-mapping output for any purpose forbidden by Apple App Review Guideline 5.1.2(vi).

BIPA § 15(d) requires separate consent before disclosure to a third party. The specific named provider is identified in the in-app consent screen shown before your first generation, so disclosure is consented to in advance. You can also request the current processor name in writing at [email protected].

5. Retention schedule

We hold input selfies for as short a window as the generation pipeline allows:

On your phone: Until you delete the app, or until you delete the result. The selfie never leaves the photo picker / camera buffer until you tap Generate.
HeadshotMax backend: ≤ 24 hours after the generation job completes, or sooner if the job fails. Stored only for the time needed to retry on failure and to detect abuse.
Our AI generation provider (Singapore): Sent transiently to the provider's inference endpoint for the duration of the generation call only. Our integration does not request persistence and does not receive your selfie back from the provider after the call returns. Any residual operational logging on the provider's side is governed by their published international data-processing terms; the provider has publicly committed not to use customer data for model training.
Generated headshots: Stored on our backend only as long as you keep your HeadshotMax account. Deleted on account deletion. These are not biometric identifiers under BIPA — they are AI-generated images — but we treat them with the same care.
Face templates / embeddings: Never persisted. Not by HeadshotMax. Not by our provider (per their statement and our contractual requirement).

Our own systems hold your selfie for at most 24 hours from your generation. The upstream provider does not return or retain it for our use beyond the inference call itself. This sits well inside the 3-year statutory cap in BIPA.

BIPA § 15(a) requires destruction at "the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual's last interaction with the private entity, whichever occurs first." We sit well inside that bound.

6. Destruction schedule and verification

When a generation job completes, the input selfie is queued for deletion from our backend storage.
A background process deletes the input within 24 hours and writes a deletion-audit record (job ID, timestamp, storage path, deletion confirmation) to an immutable log.
For the upstream provider, our integration sends the selfie only for the duration of the inference call and does not request persistence. The provider's published international data-processing terms govern any residual operational logging on their side.
If you request immediate deletion (see Section 7), we expedite both steps within 30 days, which is the BIPA-aligned response window.
On account deletion, all generated outputs are also purged within 30 days from backups.

7. Your rights

You can exercise the following rights at any time by emailing [email protected] from the address on your account, or from the in-app Settings → Account screen:

Access. Request a copy of the biometric-related records we hold about you.
Correction. If anything is wrong, tell us and we will fix it.
Deletion. Request immediate destruction of your selfies, generated headshots, and account. We complete this within 30 days and confirm in writing.
Withdrawal of consent. Withdraw your BIPA consent. We stop processing immediately and delete on the deletion timeline above.
Opt-out of upstream processing. If you do not want your selfie sent to Our AI generation provider (Singapore), the app cannot generate headshots for you — but you can use the app for everything that does not require the AI provider (e.g., browsing styles).
Data portability. Receive your generated headshots in a common format (PNG/JPEG) via email or signed download link.
Non-discrimination. We will not penalize you for exercising any of these rights.

8. Contact for biometric-data requests

Email [email protected] with subject line "Biometric request — [your request]". We acknowledge within 5 business days and resolve within 30 days. If we need to verify your identity to protect against fraudulent requests, we will ask for a one-time confirmation from your account email.

9. Illinois residents — your additional rights under BIPA

If you are an Illinois resident, the Illinois Biometric Information Privacy Act (740 ILCS 14) gives you specific additional rights:

You must give written consent before any biometric data about you is collected, captured, purchased, or otherwise obtained. We obtain this through the consent screen shown before your first generation.
You can sue under BIPA for statutory damages of $1,000 per negligent violation or $5,000 per intentional or reckless violation, capped at one violation per person per the August 2024 amendment. See 740 ILCS 14/20.
You can recover reasonable attorneys' fees and costs if you prevail.
Your separate consent is required before we disclose your biometric data to any third party. Our in-app consent screen names the specific provider for this purpose; the name is also available on request from [email protected].

If you believe we have not lived up to this policy, please email [email protected] before pursuing other remedies — we will try to fix it directly and quickly.

10. Changes to this policy

If we materially change how we collect, retain, share, or destroy biometric data, we will:

Update this page and bump the version number.
Re-prompt existing users for fresh consent inside the app before any selfie is processed under the new terms.
Not apply the new terms retroactively to data collected under the old terms.

11. Open items (transparency)

We believe in saying what is not yet finished:

Our annual third-party audit of the deletion pipeline begins after our first full year of operation.