The short version: We only collect what we need to process your order. Your photo is deleted 72 hours after delivery. We never sell your data. We use Stripe for payments so we never see your card details. That's it.
Caricature.online is an AI-powered caricature e-commerce service. When this policy refers to "we", "us" or "our", it means the operator of caricature.online, who acts as the data controller for the personal data described in this policy.
Contact: privacy@caricature.online
| Data | When collected | Why |
|---|---|---|
| Email address | Checkout | To deliver your caricature and send your receipt |
| Full name | Checkout | To personalise your delivery email |
| Photo(s) of people | Order flow | To generate your caricature — deleted 72h after delivery |
| Personalisation answers | Order flow | Hair colour, occasion details, etc. — to improve the caricature result |
| Free-text notes | Order flow | Any extra instructions you provide |

| Data | Source | Why |
|---|---|---|
| IP address (truncated) | Server logs | Security and fraud prevention — not stored in full |
| Browser & device type | Server logs | To ensure the site displays correctly |
| Pages visited, time on site | Google Analytics (anonymised) | To improve the website — only with your consent |
| Referral source | URL parameters | To understand which channels bring visitors — only with your consent |
| Cookie preferences | localStorage | To remember your consent choices |
We use Stripe to process payments. We never see, receive or store your card number, CVV or banking details. Stripe is PCI-DSS Level 1 certified. The only payment-related data we store is the Stripe payment intent ID (a reference number) and the amount charged.
We do not use your data for: advertising profiling, automated decision-making that affects you legally, selling to third parties, or any purpose other than those listed above.
| Processing activity | Legal basis |
|---|---|
| Generating and delivering your caricature | Contract performance (Art. 6(1)(b)) |
| Sending your receipt and delivery email | Contract performance (Art. 6(1)(b)) |
| Fraud prevention and security | Legitimate interests (Art. 6(1)(f)) |
| Analytics cookies (anonymised) | Consent (Art. 6(1)(a)) |
| Marketing/referral tracking | Consent (Art. 6(1)(a)) |
| Keeping financial records | Legal obligation (Art. 6(1)(c)) |
Your photo is the most sensitive data we handle. Here is exactly what happens to it:
We do not use your photo to train AI models. We do not share your photo with anyone except the AI processing services strictly necessary to generate your caricature. fal.ai and Anthropic process your photo as data processors under our instructions and are contractually prohibited from using it for any other purpose.
We use the following data processors. All are bound by data processing agreements and GDPR-compliant contractual clauses:
| Processor | Role | Data shared | Location |
|---|---|---|---|
| Stripe | Payment processing | Email, name, order amount | US / EU |
| Google Cloud Platform | Hosting, database, file storage | All order data, photos (temporarily) | EU (us-central1) |
| SendGrid / Twilio | Transactional email | Email address, name, download links | US (SCCs) |
| fal.ai | AI image generation (face swap) | Your photo (temporarily, for generation) | US (SCCs) |
| Anthropic | AI prompt enhancement | Your photo (temporarily, for analysis) | US (SCCs) |
| Google Analytics | Anonymised analytics | Anonymised usage data (consent only) | US (SCCs) |
SCCs = EU Standard Contractual Clauses, which provide adequate protection for transfers outside the EEA.
We will disclose data to law enforcement or regulatory authorities if required by law. We will notify you where legally permitted to do so.
| Data type | Retention period | Reason |
|---|---|---|
| Your photo (original upload) | 72 hours after delivery | Automatically deleted — no longer needed |
| Generated caricature file | 72 hours after delivery | Download link expires, file deleted |
| Order record (email, name, template, amount) | 7 years | Legal / accounting obligation |
| Personalisation answers & notes | 90 days | Customer support window |
| Analytics data | 26 months | Google Analytics default (anonymised) |
| Cookie consent record | 1 year | To avoid showing banner repeatedly |
Under GDPR, you have the following rights. To exercise any of them, email privacy@caricature.online. We will respond within 30 days.
In Greece: Hellenic Data Protection Authority (HDPA) — www.dpa.gr
We implement appropriate technical and organisational measures to protect your personal data:
No system is 100% secure. In the event of a data breach affecting your rights, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR.
Our service is not directed at children under 16 years of age. We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@caricature.online and we will delete it promptly.
Caricatures featuring children may be ordered by adults (parents, guardians) on behalf of children — in this context, the adult ordering is the data subject for purposes of this policy.
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify you of significant changes by displaying a notice on our website for at least 30 days before the change takes effect.
The "Last updated" date at the top of this page indicates when the policy was last revised. We encourage you to review it periodically.
For any privacy-related questions, data subject requests, or concerns:
Last updated: 11 May 2025