Privacy Policy
Introduction
Welcome to SuperHeadshot (superheadshot.com) operated by MindFuzz Media Pvt Ltd ("SuperHeadshot", "we", "our", "us"). We are incorporated in New Delhi, India and all primary data-centre infrastructure is located there. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you visit our website or use our AI-powered headshot generation service ("Service").
For the purposes of the Digital Personal Data Protection Act 2023 (DPDPA 2023) we are the Data Fiduciary; you are the Data Principal. Facial photographs you upload are classified as biometric sensitive personal data.
Information We Collect
- Account & Contact Data – name, email, phone.
- Payment Data – Handled by RBI-authorised payment gateways; we never store raw card numbers.
- Uploaded Images (Biometric Data) – 1-5 selfies from different angles, collected after payment and only with your explicit consent.
- Usage & Device Data – IP, browser type, OS, referring page, and interaction logs via cookies or similar tech.
Cookies & Tracking Technologies
We use strictly-necessary cookies plus optional analytics/marketing cookies (disabled by default for Indian IPs). Manage preferences in the cookie banner or your browser settings.
How We Use Your Data
- Fulfil orders, process payments, and deliver AI headshots.
- Operate, maintain, and secure the Service.
- Respond to support requests and enforce our Terms.
- Improve models (only on fully de-identified training sets, with separate consent).
- Comply with applicable laws and resolve disputes.
Legal Basis for Processing
We process personal data on the following lawful grounds recognised under the DPDPA 2023 and the Information Technology Act 2000:
- Consent (§ 6 DPDPA) – you grant explicit consent before uploading selfies or opting into marketing.
- Performance of a Contract – to provide the Service you purchase.
- Legitimate Uses (§ 7) – fraud prevention, network security, and compliance obligations.
Image Processing & Retention
Original uploads are encrypted at rest and deleted automatically 30 days after successful model generation unless you request earlier deletion. Generated headshots remain downloadable from your dashboard for 90 days and are then purged or anonymised. Off-site backups are held for a further 7 days.
Data Security
- Controls aligned to ISO/IEC 27001:2022 and audited annually (SOC 2 Type II in progress).
- Transport-layer encryption (TLS 1.3) and AES-256 at rest.
- Role-based access, MFA for personnel, quarterly penetration testing, and Data Protection Impact Assessments where required.
- We will notify the Indian Computer Emergency Response Team (CERT-In) within 6 hours of becoming aware of any personal-data breach and will alert affected users without undue delay.
Third-Party Processors
We engage vetted vendors for payment processing, cloud hosting, email delivery, and analytics. Each vendor signs a Data Processing Agreement (DPA) requiring them to follow equal or stronger safeguards.
Cross-Border Data Transfers
All primary storage and inference workflows are hosted in our New Delhi data centre. Where strictly necessary—for example, global CDN caching or email delivery—data may transit to jurisdictions that the Government of India has not prohibited under § 16 DPDPA. In such cases we:
- Transfer only to countries deemed to provide "comparable protection" or otherwise whitelisted by the Ministry of Electronics & Information Technology (MEITY).
- Execute standard contractual clauses (SCCs) and use encryption with keys resident in India.
- Provide you with notice and, where law requires, seek fresh consent before such transfers.
We will halt or re-route transfers if the Central Government publishes a restricted-country list affecting any current processor.
Grievance Officer & Data Protection Officer
In accordance with Rule 5(9) of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 and § 13 of the Digital Personal Data Protection Act 2023, we have appointed the following:
- Grievance Officer: Mr Arjun Singh – [email protected] – +91 11 4000 1234
  Resolution within 30 days of receipt.
- Data Protection Officer: Ms Priya Rawat – [email protected]
- Registered Office: 4th Floor, Plot 12, Okhla Phase III, New Delhi 110020, India
Your Rights
- Request access, correction, or deletion of your data.
- Withdraw consent at any time (effect from withdrawal onwards).
- Restrict or object to certain processing.
- Nominate another individual to exercise your rights on your behalf (§ 11 DPDPA).
- Lodge a complaint with our Grievance Officer; if unresolved, escalate to the Data Protection Board of India.
To exercise any right, please contact us or use the self-service tools in your account dashboard.
Children's Privacy
The Service is not directed to persons under 18. We do not knowingly collect personal data from children. If you are under 18, you must obtain verifiable parental consent before using the Service. If we discover we have processed a child's data without such consent, we will promptly delete it.
Changes to This Policy
We may update this Policy to reflect legal or operational changes. We will notify registered users by email and post a notice on the site at least 7 days before changes take effect, unless an immediate update is required by law.
Contact Us
Questions about this Policy or our data practices? Contact our privacy team.
Last Updated: 03 May 2025