complypic is built around a single privacy promise: we generate the compliant photo you paid for and then we forget you. Photos are processed in memory and discarded; we never use them to train models, never sell or share them, and never resell biometric data.
When you upload a selfie, the file is sent over HTTPS to our generation server. The image is held in memory long enough to validate it, generate the compliant version, and return both to your browser. We do not write the original or the generated image to disk on our application server.
An optional best-effort backup of generated photos is kept in object storage (DigitalOcean Spaces) for delivery resilience and is auto-purged on a short retention window. This is encrypted at rest. We do not index, search, or share these blobs.
We never use uploaded or generated photos to train any AI model. The image-generation model (gpt-image-2 from OpenAI) does not retain prompts or outputs for training under our API contract.
complypic does not require account creation. We do not store your name, address, phone number, passport number or any government identifier.
If you contact us via the contact form, we collect your email and your message so we can reply. Contact form messages are retained for support history.
If you complete a purchase, PayPal returns a transaction reference and the email address associated with the buyer. We use that email solely to send the receipt and to identify your order if you request a refund.
All payments are processed inside PayPal's checkout. PayPal handles card information end-to-end; complypic never sees your card number, CVV, or full billing address.
We receive only the transaction reference, the amount, and the buyer email — the minimum needed to confirm the order and process refunds.
complypic uses essential cookies only — required for the site to function (e.g., remembering your locale or rate-limiting abuse). We do not use third-party advertising or behavioral tracking cookies.
We use Cloudflare Turnstile for abuse protection on form submissions. Turnstile may set a temporary cookie scoped to the verification challenge; it does not track you across sites.
You can request a copy of any data tied to your email, request correction of contact-form messages, or request deletion. We respond within 30 days.
Because we do not store your photo or generate user accounts, the right-to-deletion request is usually completed by removing your contact-form history and the PayPal receipt email association.
EU and UK users have additional rights under GDPR / UK GDPR. California users have additional rights under CCPA. Contact us via the contact page to exercise any of these.
For any privacy question, data request, or to exercise a right under GDPR / CCPA, write to us via the contact form and select the topic 'Question'. We respond within 5 business days.
Open the contact form →