Privacy Policy

1. Data Controller

The data controller responsible for your personal data is:

Close Enough does not have a Data Protection Officer (DPO). For any privacy-related inquiries, please contact us at the email address above.

2. What Data We Collect

2.1 Facial Photographs (Selfies)

When you use our service, you upload selfie photographs of yourself. These photos contain your facial features, which may constitute special category data under GDPR Article 9. We process these photos solely to generate professional portrait images for you.

2.2 AI-Generated Portrait Images

Our service creates professional portrait photographs using your uploaded selfies as reference. These generated images are stored temporarily and made available for you to download.

2.3 Email Address

We collect your email address when you make a purchase, join our waitlist, or otherwise provide it to us. We use your email to deliver your session and results links, send purchase confirmations, and communicate service updates.

2.4 Session Data

We create an anonymous session when you use the service. This session stores data related to your use of the service, such as your configuration choices, generation status, and timestamps. Sessions are not linked to a user account — they are identified by a random session ID.

2.5 Payment Information

Payments are processed entirely by our payment provider, LemonSqueezy. We do not collect, store, or have access to your credit card details or banking information. LemonSqueezy acts as the Merchant of Record and handles all payment data under their own privacy policy.

2.6 Analytics Data

We use PostHog for anonymized product analytics, such as page views, feature usage, and general device information. PostHog operates in cookieless mode — it does not set any cookies or store data in your browser. Users are counted using a privacy-preserving server-side hash that cannot identify individuals.

2.7 Browser Storage

We store your session ID in your browser's local storage so you can return to your session. This data never leaves your browser and is not transmitted to our servers.

3. Legal Basis for Processing

We process your personal data under the following legal bases (GDPR Articles 6 and 9):

• Facial photographs & AI generation — Explicit consent (Art. 6(1)(a) and Art. 9(2)(a)). By uploading your selfies and initiating generation, you provide explicit consent for us to process your facial images through our AI system to create portrait photographs.
• Session management & service delivery — Performance of a contract (Art. 6(1)(b)). Processing your session data is necessary to provide the portrait generation service you requested.
• Transactional emails — Performance of a contract (Art. 6(1)(b)). We send you session links, results notifications, and purchase confirmations as part of delivering the service.
• Email waitlist — Consent (Art. 6(1)(a)). You voluntarily provide your email to join our waitlist.
• Analytics — Legitimate interest (Art. 6(1)(f)). We use cookieless, anonymized analytics to understand how the service is used and improve it. No cookies or client-side identifiers are used, and no consent banner is required.
• Payment processing — Performance of a contract (Art. 6(1)(b)). Payment data is processed by LemonSqueezy to fulfill your purchase.

4. How We Use Your Data

• To generate portrait photos — Your selfies are sent to a third-party AI system to create professional portraits. The AI processes your facial features to produce images that resemble you.
• To deliver the service — We store your photos and generated images temporarily so you can review and download them.
• To communicate with you — We send transactional emails such as session links and results notifications. If you join the waitlist, we may also send service updates and launch notifications.
• To improve the service — Anonymized analytics data helps us understand how the service is used and where to improve.

5. Data Sharing & Sub-Processors

We do not sell, rent, or trade your personal data. We share data with the following service providers (sub-processors) as necessary to operate the service. This list may be updated as we add or change providers:

6. International Data Transfers

Some of our sub-processors are located in the United States. When your personal data is transferred outside the European Economic Area (EEA), we ensure adequate safeguards are in place:

• EU-US Data Privacy Framework — Our US-based processors participate in the EU-US Data Privacy Framework, which has been recognized by the European Commission as providing adequate data protection (adequacy decision of July 10, 2023).
• Standard Contractual Clauses (SCCs) — Where applicable, we rely on the European Commission's Standard Contractual Clauses as an additional transfer mechanism.

7. Data Retention

• Uploaded selfies & generated portraits — Automatically deleted 30 days after your most recent session activity (such as generation completing). Image files are permanently removed from our storage provider, and all file references are cleared from our database. Cached copies on our CDN expire within 24 hours of deletion.
• Session metadata — Session records (without photo data) are retained indefinitely for service analytics and abuse prevention. These records do not contain any images or personal identifiers after the 30-day cleanup.
• Email addresses — Retained only as long as necessary to deliver the relevant communication. Waitlist emails are deleted after the notification has been sent. You may also request removal at any time.
• Analytics data — Retained according to our PostHog configuration. Since analytics are fully anonymized and cookieless, no individual-level data is stored.
• Payment records — Retained by LemonSqueezy according to their privacy policy and applicable tax/legal requirements.

8. Your Rights Under GDPR

Under the General Data Protection Regulation (GDPR) and the Spanish Organic Law 3/2018 (LOPDGDD), you have the following rights:

• Right of access (Art. 15) — Request a copy of the personal data we hold about you.
• Right to rectification (Art. 16) — Request correction of inaccurate personal data.
• Right to erasure (Art. 17) — Request deletion of your personal data. Note that photos are automatically deleted after 30 days; you may request earlier deletion at any time.
• Right to restriction (Art. 18) — Request that we limit how we process your data.
• Right to data portability (Art. 20) — Receive your data in a structured, commonly used format.
• Right to object (Art. 21) — Object to processing based on legitimate interests.
• Right to withdraw consent (Art. 7(3)) — Withdraw your consent at any time. This does not affect the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, email us at support@closeenough.ai. We will respond within 30 days.

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD):

9. Cookies & Tracking Technologies

Essential Storage

We use browser local storage (not cookies) to store your session ID so you can return to an ongoing session. This is strictly necessary for the service to function and does not require consent.

Analytics

We use PostHog in cookieless mode for product analytics. PostHog does not set any cookies or use browser local storage for tracking purposes. No consent banner is required because no cookies or client-side identifiers are used.

No Third-Party Tracking

We do not use advertising cookies, social media trackers, or any third-party tracking pixels.

10. Security

We implement appropriate technical and organizational measures to protect your personal data. These measures include:

• All data transmitted over HTTPS (TLS encryption in transit)
• Signed and time-limited upload tokens for photo uploads
• Session-based access controls — only someone with the session ID can access the photos
• Automatic deletion of all photos after 30 days
• Sub-processors with SOC 2 Type II certification and/or equivalent security standards

No system is 100% secure. If you become aware of any security issues, please contact us immediately at support@closeenough.ai.

11. Children's Privacy

Close Enough is intended for users aged 18 and older. We do not knowingly collect personal data from anyone under 18 years of age. If you believe a minor has used our service, please contact us and we will promptly delete all associated data.

12. Automated Decision-Making

Our service uses third-party AI to automatically generate portrait photographs from your selfies. This processing is based on your explicit consent and is necessary to provide the service. The AI generates images based on your uploaded photos and your chosen settings — no decisions with legal or similarly significant effects are made about you based on automated processing.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated “Last updated” date. For material changes that affect how we process your data, we will make reasonable efforts to notify you (e.g., via a notice on our website).

We encourage you to review this policy periodically.

14. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us: