Privacy & Data Protection

Privacy Policy and GDPR

Learn how we protect your data and respect your privacy

Last Updated: November 13, 2024

Privacy and Data Protection Policy (GDPR)

At FotoFast, protecting the privacy and security of our users' personal data is our top priority. This policy explains how we collect, process, store, and safeguard your personal information. It is designed in accordance with the General Data Protection Regulation (GDPR).

1. Data Controller & Processing Information

Controller Details

Data Controller: Fast AI Labs Ltd.
Registration Number: 16054440
Registered Address: Orion House Office 746, Bessemer Road, Welwyn Garden City, AL7 1HH, United Kingdom
Data Protection Officer (DPO): Privacy Team
DPO Contact: [email protected]

Our activities fall under the jurisdiction of the UK Information Commissioner's Office (ICO).

Processing Activities Register

We maintain detailed records of our processing activities as required by Article 30 of GDPR. This register is available for inspection by relevant supervisory authorities upon request.

2. Personal Data We Collect

We collect the following types of personal data to provide our services effectively:

  • Name
  • Email address
  • IP address
  • Selfies and personal photos (10-15 photos are required for AI model training purposes)

Data Minimization Commitment

We only collect and process data that is:

  • Necessary for the specific purpose
  • Relevant to the service provided
  • Limited to what is required

3. Purpose of Data Processing

We process your personal data for the following specific purposes, each supported by appropriate legal bases under GDPR Article 6:

Core Service Delivery

  • Training personalized AI models using your uploaded photos
  • Providing access to our AI photo processing features
  • Managing your user account and preferences

Legal basis: Contract performance & Legitimate interests

Technical & Service Optimization

  • System performance monitoring and optimization
  • Service improvement through anonymized data analysis
  • Security and fraud prevention
  • Technical issue resolution and debugging

Legal basis: Legitimate interests

AI Training & Development

  • Anonymous processing of uploaded photos for AI model training
  • Improving algorithm accuracy and performance
  • Development of new features and capabilities

Legal basis: Explicit consent & Legitimate interests

Communications & Support

  • Responding to your inquiries and support requests
  • Sending service-related notifications
  • Account security alerts

Legal basis: Contract performance

Marketing & Promotions

  • Sending newsletters and promotional content
  • Product updates and new feature announcements
  • Personalized recommendations

Legal basis: Explicit consent (opt-in required)

Legal & Regulatory Compliance

  • Maintaining required business records
  • Responding to legal requests
  • Fulfilling regulatory obligations

Legal basis: Legal obligation

Each of these purposes is:

  • Clearly defined and specific
  • Essential for service delivery or business operations
  • Supported by appropriate security measures
  • Subject to regular review and update

You can withdraw consent for marketing communications at any time through your account settings or by contacting us at [email protected].

Lawful Basis Matrix

Processing Activity | Legal Basis          | Purpose
Photo Processing    | Explicit Consent     | AI Model Training
Account Management  | Contract Performance | Service Delivery
Marketing           | Explicit Consent     | Promotional Activities

4. Data Retention Period

Your personal data is stored and deleted according to the following criteria:

a) Account Data (name, email, etc.):

  • Active accounts: As long as your account remains active
  • After account deletion: Completely deleted within 30 days
  • When required by legal obligations: For the duration required by law

b) Photos and AI Model Data:

  • Unprocessed photos: Deleted within 7 days after AI model training completion
  • Anonymized model data: Retained for service improvement purposes
  • User-generated content: As long as the account remains active

c) Usage Data (log records, IP addresses):

  • Security logs: 90 days
  • Transaction records: 1 year

Users have the right to request deletion of their data. However, minimum data required for core service functionality will be retained as long as the service is being used. In case of deletion requests:

  • Account and personal data will be deleted within 30 days
  • Data required to be kept due to legal obligations will be retained until the end of the relevant legal period
  • Anonymized data, not being personal data, may remain in the system

5. AI Training Consent & Processing

Model Training Process

  • Our service's primary purpose is to create personalized AI models using user-provided photos
  • Users explicitly opt into this process by uploading their photos for AI training
  • Each user's photos are used to create their personal AI model using LoRA training technology
  • The trained model enables users to generate images of themselves in various scenarios using Flux technology

Consent Mechanism

  • Consent is obtained through active user participation
  • Users explicitly acknowledge that their photos will be used for AI training during:
    1. Account registration
    2. Photo upload process
    3. Model training initiation

Third-Party Processing & Anonymization

Replicate Integration

  • Only photo data is shared with Replicate for model training purposes
  • No additional personal data (name, email, etc.) is transmitted to Replicate
  • The integration is limited to:
    1. Photo processing for model training
    2. Model generation
    3. Receiving model identification links
  • All other user data remains exclusively within our systems

6. Legal Basis for Data Processing

We process your personal data based on the following legal grounds:

  • User consent: Explicit consent provided during the registration and use of our services
  • Legitimate interests: Ensuring the functionality, improvement, and security of our services
  • Contractual necessity: Data required for the performance of our services and agreements

7. Security Measures for Data Protection

To protect the personal data of our users, we have implemented various technical and administrative measures, including:

  • Use of strong SSL certificates to encrypt data transmission
  • Peer-to-peer viewing of uploaded files, ensuring that only the user has access
  • Storing data on secure servers and restricting access to authorized personnel only
  • Regular security audits to identify and address potential vulnerabilities
  • Implementing robust data encryption standards for stored data

8. Use of Cookies

Cookie Types and Retention

  • Essential Cookies

    • Purpose: Website functionality
    • Retention: Session only
    • Required: Yes
  • Performance Cookies

    • Purpose: Analytics and performance
    • Retention: 90 days
    • Required: Optional
  • Marketing Cookies

    • Purpose: Advertising optimization
    • Retention: 180 days
    • Required: Optional

Cookie Management

  • Clear opt-in/opt-out choices
  • Easy access to cookie preferences
  • Option to modify consent at any time
  • Browser-level control instructions

Cookie Retention Details

  • Session Cookies: Deleted when browser closes
  • Persistent Cookies: Maximum 180 days
  • Authentication Cookies: 30 days

For detailed cookie information, visit our Cookie Policy.

9. User Rights

Under GDPR, users have the following rights regarding their personal data:

  • Right to Access: Users have the right to access their personal data.
  • Right to Rectification: Users can request corrections for inaccurate or incomplete data.
  • Right to Erasure: Users can request the deletion of their personal data.
  • Right to Restriction of Processing: Users can request the restriction of processing under certain conditions.
  • Right to Data Portability: Users can obtain a copy of their data in a commonly used format.
  • Right to Object: Users can object to the processing of their personal data.

To exercise these rights, please contact us at [email protected].

10. International Data Transfers

We transfer data to the following international partners:

Data Processors

  • Replicate (US)
    • Purpose: AI model training
    • Data transferred: Photo data only
    • Legal basis: Standard Contractual Clauses (SCCs)
  • Cloudflare (US)
    • Purpose: Secure data storage
    • Data transferred: User content and metadata
    • Legal basis: Standard Contractual Clauses (SCCs)

All international transfers are protected by:

  • EU-approved Standard Contractual Clauses (SCCs)
  • Additional technical safeguards
  • Regular security assessments
  • Data Processing Agreements (DPAs)

11. Automated Decision-Making and Profiling

We do not use any automated decision-making or profiling based on the data we collect from users.

12. Data Relating to Children

Our services are strictly intended for users aged 16 and above. We enforce this through:

  • Age verification during registration
  • Account termination if underage use is discovered
  • Immediate deletion of any data collected from users under 16
  • Parent/guardian consent requirement for users aged 16-18

13. Geographical Scope

Our services are available globally without geographical restrictions, allowing users from all over the world to access our platform.

14. Mobile App Data Collection

Our mobile app, currently in development, collects the same type of data as our website. Data protection measures are consistent across all platforms.

15. Marketing and Newsletters

Upon registration, users are requested to confirm their email address, thereby consenting to receive newsletters and marketing emails. We utilize tools like Hotjar, Google Analytics, and GetRewardful to improve our marketing strategies.

16. Data Breach Notification

In the event of a data breach, we will:

Timing

  • Notify supervisory authorities within 72 hours
  • Inform affected users without undue delay

Communication Channels

  • Direct email notification to affected users
  • Website security advisory
  • Official social media channels (X/Twitter)

Notification Content

  • Nature of the breach
  • Categories of data affected
  • Likely consequences
  • Measures taken or proposed
  • Contact point for additional information

High-Risk Breach Additional Information

  • Technical details of the incident
  • Time and duration of the breach
  • Steps taken to prevent future occurrences

17. Analytics and Social Media Integrations

Analytics Tools

  • Hotjar

    • Purpose: User behavior analysis
    • Data collected: Usage patterns, heatmaps
    • Retention: 365 days
  • Google Analytics

    • Purpose: Traffic analysis
    • Data collected: Usage statistics, demographics
    • Retention: 14 months
  • GetRewardful

    • Purpose: Affiliate tracking
    • Data collected: Conversion data
    • Retention: 90 days

Social Media Integration

  • Google Sign-in
    • Purpose: Authentication
    • Data accessed: Email, basic profile
    • Storage: Account duration

18. Cookie Management

We offer users the option to manage their cookie preferences through our website. Users can enable, disable, or delete cookies at any time using their browser settings.

19. Social Media and Third-Party Services

We may include links to third-party social media platforms and services. These third parties may collect data in accordance with their privacy policies. We recommend users review these policies before interacting with such platforms.

20. Policy Updates

We reserve the right to update this GDPR policy whenever necessary to reflect changes in our data processing practices or to comply with legal requirements. Any significant changes will be announced on our website, and users will be notified.

Contact Information

For any questions or concerns regarding this GDPR policy, please contact us at:

We are committed to ensuring that your privacy is protected and respected.
