Privacy Policy

We collect only what is necessary to provide the service:

• Account data — name, email address, and profile picture from your Google account (collected via Google OAuth at sign-in).
• Training photos — the selfies you upload to train your personal AI face model (JPEG, PNG, or WebP images).
• Generated portraits — images produced by your personal model, stored so you can access and download them.
• Usage data — pages visited, features used, error logs, and performance metrics (collected in aggregate; no cross-site tracking).
• Billing data — payment method details are handled exclusively by Stripe. We store only a Stripe customer ID and subscription status — never full card numbers.

• Training photos are used solely to train your personal AI face model. They are not shared with other users, not used to train any shared or third-party model, and not used for advertising.
• Generated portraits are stored so you can re-download them at any time. We do not use them for any purpose other than serving them back to you.
• Account data is used to authenticate you and send transactional emails (order confirmations, model-ready notifications, password resets).
• Usage data is used in aggregate to improve the service and diagnose issues.

We do not sell, rent, or share your personal data with third parties for marketing purposes.

• Contract performance(Art. 6(1)(b) GDPR) — processing your account data, training photos, and generated portraits to deliver the service you signed up for.
• Legitimate interests(Art. 6(1)(f) GDPR) — aggregate usage analytics used to maintain and improve the service.
• Legal obligation(Art. 6(1)(c) GDPR) — retaining billing records as required by French accounting law.

Selfies and generated portraits may be classified as biometric data under Art. 9 GDPR. We process them on the basis of your explicit consent given at sign-up and confirmed before you start your first training session. You may withdraw consent at any time by deleting your model and account.

• Training photos — retained for as long as you have an active account and model. Deleted within 30 days of model deletion or account closure.
• Generated portraits — retained for as long as your account is active. Deleted within 30 days of account closure.
• Account data — retained for the duration of your account, plus 12 months after closure (to handle disputes or legal obligations).
• Billing records — retained for 10 years as required by French commercial law (Code de commerce, art. L123-22).

Under GDPR and French law you have the right to:

• Access — request a copy of all personal data we hold about you.
• Rectification — ask us to correct inaccurate data.
• Erasure — request deletion of your data ("right to be forgotten").
• Portability — receive your data in a structured, machine-readable format.
• Restriction — ask us to limit how we process your data in certain circumstances.
• Objection — object to processing based on legitimate interests.
• Withdraw consent — revoke consent for biometric processing at any time.

To exercise any of these rights, email hello@ohmyunicorn.com. We respond within 30 days. You may also lodge a complaint with the French data-protection authority: CNIL (cnil.fr).

We use a small number of sub-processors to operate the service. All are bound by Data Processing Agreements and handle your data only on our documented instructions:

• Stripe — payment processing (USA; EU Standard Contractual Clauses apply).
• Google — authentication via Google OAuth.
• Cloud infrastructure provider — server hosting within the EU.

We do not use third-party advertising networks or sell data to data brokers.