Privacy Policy
This policy explains what data we collect, how we use it, and your choices.
Last updated: January 1, 2026
Effective Date: January 1, 2026
SmilePlease ("we," "us," or "our") is a California-based company. This Privacy Policy describes how we collect, use, share, and protect your information when you use our website and services.
Information we collect
- Uploaded photos: Images you upload, which may include photos of children, processed to generate AI portraits.
- Account information: Email address and authentication data provided via our authentication provider (Supabase).
- Order information: Shipping address, order history, and fulfillment details.
- Payment information: Processed securely by Stripe. We do not store credit card numbers on our servers.
- Usage data: Device information, browser type, IP address, and how you interact with our service.
Categories of personal information
Under the California Consumer Privacy Act (CCPA/CPRA), we collect the following categories of personal information:
| Category | Examples | Collected |
|---|---|---|
| Identifiers | Email address, IP address, account ID | Yes |
| Personal records | Name, shipping address | Yes |
| Commercial information | Order history, products purchased | Yes |
| Internet/network activity | Browsing history, interactions with site | Yes |
| Biometric information | Facial features from uploaded photos (this just means the AI analyzes facial features to create your portrait—it doesn't create a permanent face scan or database) | Yes |
| Sensitive personal information | Photos of children, facial imagery | Yes |
We do not sell personal information. We do not share your data with advertisers.
How we use your information
We use your information to:
- Generate AI portraits using Google Gemini based on your uploaded photos.
- Fulfill print orders through our print partner, Finerworks.
- Process payments securely via Stripe.
- Send order confirmations and shipping updates.
- Provide customer support and respond to inquiries.
- Improve our service and fix technical issues.
- Comply with legal obligations.
Information sharing and service providers
We share limited information with trusted service providers who help us deliver the service:
- Google (Gemini): Processes uploaded images to generate AI portraits. Images are sent securely and not used to train Google's models.
- Supabase: Provides authentication and secure data storage.
- Stripe: Processes payments securely.
- Finerworks: Fulfills print orders and requires shipping addresses.
- Resend: Sends transactional emails (order confirmations, etc.).
- Vercel: Hosts our website and application.
We do not sell your personal information. We do not share your data for third-party advertising purposes.
Data retention
We keep different types of data for different periods:
Uploaded photos: 10 days
We keep your uploaded photo for 10 days after generating your portraits—just in case you want to quickly regenerate, work through improvements, or if we need to help you with any issues. After that, it's automatically deleted. We don't keep your original photos.
Generated portraits (not purchased): 30 days
Preview portraits are available for 30 days so you have time to decide. After that, they're automatically deleted. You can always upload again to generate new ones.
Generated portraits (purchased): 12 months
Your purchased portraits are saved for 12 months so you can re-order anytime, share with family, or build your school-years collection. You can request deletion anytime.
Share links: 30 days
Links you create to share with family expire automatically after 30 days. You can revoke access to any link instantly.
- Account data: Retained while your account is active. You may request deletion at any time.
- Order records: Retained for 7 years as required for tax and accounting purposes, then securely deleted.
- Payment data: Stripe retains payment records per their retention policy. We do not store card numbers.
Sharing controls
You have full control over who sees your portraits:
- Custom share links: Create separate links for different people—one for grandma, another for the school.
- Automatic expiration: Links expire after 30 days.
- Instant revocation: Revoke access to any link at any time.
- View tracking: See who has viewed your shared portraits.
- Recipient ordering: People you share with can order their own prints without accessing your account.
Your portraits, your rules. No public galleries, no one-size-fits-all sharing.
Data security
We protect your information using industry-standard security measures including:
- Encryption in transit (TLS/HTTPS) for all data transfers.
- Encryption at rest for stored data.
- Access controls limiting who can access your data.
- Regular security reviews and updates.
While we take reasonable precautions, no method of transmission or storage is 100% secure. If you believe your account has been compromised, contact us immediately at security@smileplease.app.
Biometric information
In plain English: When you upload a photo, the AI analyzes facial features to create your portrait. This doesn't create a permanent face scan or database—it's just used to generate your school portraits.
When you upload a photo, our AI system (Google Gemini) may analyze facial features to generate portrait variations. This processing may involve technology that could be considered biometric analysis under certain state laws.
- We do not create, store, or retain facial templates beyond what is necessary to generate your portraits.
- Uploaded photos are deleted within 10 days of generation. Generated portraits are deleted within 30 days (or 12 months for purchasers who opt in).
- We do not sell, lease, or trade biometric information.
Illinois residents: Illinois law requires special consent for facial analysis technology. By uploading a photo and providing consent through our upload flow, you're giving us permission to use AI to create your portrait, as required by the Illinois Biometric Information Privacy Act (BIPA).
Cookies and tracking
We use cookies and similar technologies to keep you logged in, remember your preferences, and understand how you use our service. See our Cookie Policy for details on the cookies we use and how to manage them.
Children's privacy (COPPA compliance)
If you're uploading photos of children under 13, here's what you need to know about their privacy:
SmilePlease processes photos of children under 13 to generate school-style portraits. We take children's privacy seriously and comply with the Children's Online Privacy Protection Act (COPPA) as amended in 2025:
- Parental consent required: We require verifiable parental consent before processing photos of children under 13. See our Parental Consent page for the consent process.
- Separate consent for third-party sharing: We obtain separate parental consent before sharing children's photos with our AI provider (Google Gemini) and print fulfillment partner (Finerworks).
- No advertising use: We never use children's photos or data for advertising, marketing, or profiling purposes.
- Data minimization: We collect only the information necessary to provide the service.
- Auto-deletion: Uploaded photos of children are deleted within 10 days of generation. Generated portraits are deleted within 30 days (or 12 months for purchasers who opt in to Memory Keeper).
- Parental rights: Parents may review, request deletion of, or refuse further collection of their child's data at any time by contacting privacy@smileplease.app.
Your privacy rights
Depending on your location, you may have the following rights:
- Access: Request a copy of the personal information we hold about you.
- Correction: Request correction of inaccurate information.
- Deletion: Request deletion of your personal information.
- Data portability: Request your data in a machine-readable format.
- Opt-out: Opt out of certain data uses (though we do not sell data or use it for targeted advertising).
- Limit sensitive data: Limit the use of sensitive personal information (photos, children's data) to what is necessary for the service.
To exercise these rights, visit our Data Request page or email privacy@smileplease.app. We will respond within 30 days.
California residents (CCPA/CPRA)
If you are a California resident, you have additional rights:
- Right to know what personal information we collect, use, and share.
- Right to delete your personal information.
- Right to opt out of the sale of personal information (we do not sell your data).
- Right to non-discrimination for exercising your privacy rights.
To exercise these rights, email privacy@smileplease.app with subject line "California Privacy Request."
International data transfers
Your information may be transferred to and processed in the United States, where our servers and service providers are located. By using our service, you consent to this transfer. We ensure appropriate safeguards are in place when transferring data internationally.
Data breach notification
In the event of a data breach that affects your personal information, we will notify you via email and/or prominent notice on our website within 72 hours of becoming aware of the breach, as required by applicable law.
Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page, updating the "Last Updated" date, and sending you an email notification. Your continued use of the service after changes constitutes acceptance.
Contact us
For privacy questions or concerns, contact our privacy team at privacy@smileplease.app.