UppMatchUppMatch

Legal

Privacy Policy

Last updated: April 2026

1. Introduction

UppMatch ("we", "us", "our") operates an AI-powered photo generation service at uppmatch.com. This Privacy Policy explains how we collect, use, store, and protect your personal information — including the photos you upload — and describes your rights regarding that information. Because our Service processes photos of your face to train a personal AI model, we handle biometric and sensitive personal data. We take that responsibility seriously.

2. Information We Collect

We collect the following categories of information:

  • Account information: Your email address and hashed password, stored via Supabase Auth.
  • Biometric and facial data: Photos you upload for AI model training contain biometric identifiers, including facial geometry and physical characteristics. This is sensitive personal data and is treated with heightened protections described in Section 3.
  • Generated images: AI-generated photos produced by the Service and stored in your account.
  • Prompts and settings: Text prompts, scene selections, and generation settings you submit.
  • Usage and technical data: Credits consumed, generation history, device type, browser, IP address, and feature usage — collected automatically when you use the Service.
  • Payment information: Handled entirely by Stripe. We receive a transaction confirmation and your billing country but never store card numbers or full payment details.
  • Communications: Any messages you send to our support email.

3. Biometric Data — Special Protections

Photos of your face constitute biometric data under laws including the Illinois Biometric Information Privacy Act (BIPA), the Texas Capture or Use of Biometric Identifier Act (CUBI), the Washington My Health MY Data Act, and equivalent regulations in other jurisdictions. In compliance with these laws:

  • By uploading photos and creating an account, you provide informed written consent to our collection and use of your biometric data for the sole purpose of training your personal AI model.
  • We will not sell, lease, trade, or profit from your biometric data.
  • We will not disclose or disseminate your biometric data to any third party except as necessary to operate the Service (specifically FAL.ai for model training — see Section 5), or as required by law.
  • Your biometric data is protected by reasonable security measures at least as protective as those we apply to other confidential data.
  • Your training photos and derived AI model (LoRA weights) are permanently deleted within 30 days of account deletion or upon your written request — whichever comes first.
  • We retain biometric data only for as long as necessary to provide the Service or as required by applicable law — not to exceed 3 years from your last active use.
  • You may withdraw consent and request deletion of your biometric data at any time by contacting us at info@uppmatch.com. Withdrawal of consent will require deletion of your AI model and associated training data, and will limit your ability to generate new photos.

4. How We Use Your Information

We use the information we collect to:

  • Create and manage your account and authenticate your identity
  • Train your personal AI model using the photos you upload
  • Generate AI photos in response to your prompts and settings
  • Process payments and manage your credit balance
  • Send transactional emails (account confirmation, model training completion, billing)
  • Moderate content submitted through the Service to prevent abuse
  • Analyze aggregate, anonymized usage patterns to improve the Service
  • Comply with legal obligations and enforce our Terms of Service

We do not use your photos or generated images to train any shared, public, or third-party AI models. We do not use your data for targeted advertising.

5. Third-Party Processors

We share data with the following third-party service providers solely to operate the Service. Each is bound by their own privacy policies and data processing agreements:

  • Supabase (supabase.com): Database, file storage, and authentication infrastructure. Your account data, training photos, and generated images are stored on Supabase-managed servers.
  • FAL.ai (fal.ai): AI model training and image generation. Your training photos are transmitted to FAL.ai for LoRA model training. FAL.ai processes this data as a data processor on our behalf. We have contractual obligations with FAL.ai that restrict their use of your data to performing services for us. We are not responsible for FAL.ai's independent data practices beyond our processing agreement.
  • OpenAI (openai.com): Text prompt moderation and enhancement. Text prompts you submit may be sent to OpenAI's API for content moderation. Your photos are never sent to OpenAI.
  • Stripe (stripe.com): Payment processing. Stripe collects and processes all payment information directly. We do not store your card details.
  • Resend (resend.com): Transactional email delivery. Your email address is shared with Resend solely to deliver account and notification emails.
  • Google Tag Manager / Google Analytics (google.com): Website analytics and tag management. See Section 7 for cookie details.

6. International Data Transfers

UppMatch is operated from the United States. Our third-party service providers (Supabase, FAL.ai, Stripe, Resend, OpenAI) primarily store and process data in the United States. If you access the Service from the European Union, United Kingdom, or other regions with data protection laws that differ from U.S. law, your data will be transferred internationally. Where required, we rely on standard contractual clauses (SCCs) and other approved transfer mechanisms to safeguard such transfers in compliance with GDPR and UK GDPR.

7. Cookies and Analytics

We use the following cookies and tracking technologies:

  • Essential cookies: Required for authentication and session management (Supabase Auth). These cannot be disabled without breaking the Service.
  • Preference cookies: Used to remember your display preferences (e.g., dark/light mode) via localStorage.
  • Analytics (Google Tag Manager): We use Google Tag Manager to collect anonymized usage data including pages visited, session duration, and general device information. This helps us understand how the Service is used and improve it. You may opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on.

8. Lawful Basis for Processing (GDPR)

If you are located in the EU or UK, we process your personal data on the following legal bases:

  • Contract: Processing necessary to provide the Service you have contracted for (account management, model training, image generation).
  • Explicit consent: Processing of biometric/facial data, which is special category data under Article 9 GDPR. You provide explicit consent when you upload training photos.
  • Legitimate interests: Analytics and service improvement, fraud prevention, and security monitoring — balanced against your rights and interests.
  • Legal obligation: Retention of financial records and compliance with applicable law.

9. Data Retention

  • Training photos: Retained while your account is active. Permanently deleted within 30 days of account deletion or upon written request.
  • AI model (LoRA weights): Retained while your account is active. Permanently deleted within 30 days of account deletion.
  • Generated photos: Retained in your account until you delete them or delete your account.
  • Account records: Retained for up to 30 days after account deletion to allow for error recovery, then permanently deleted (except as required by law).
  • Financial / billing records: Retained for 7 years as required by applicable tax and financial regulations.
  • Usage logs: Retained for up to 12 months for security monitoring and abuse prevention.

10. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate or incomplete data.
  • Deletion: Request deletion of your account and all associated personal data, including biometric data and generated images.
  • Restriction: Request that we restrict processing of your data in certain circumstances.
  • Portability: Receive a copy of your generated photos in a machine-readable format.
  • Objection: Object to processing based on legitimate interests.
  • Withdraw consent: Withdraw consent for biometric data processing at any time (see Section 3).
  • Automated decisions: The AI generation process is automated, but no automated decisions are made about your legal rights or significant interests.

To exercise any of these rights, contact us at info@uppmatch.com. We will respond within 30 days (or as required by applicable law). EU/UK residents also have the right to lodge a complaint with their local data protection authority (e.g., the ICO in the UK, or a relevant EU supervisory authority).

11. California Privacy Rights (CCPA / CPRA)

California residents have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

  • The right to know what personal information we collect, use, disclose, and sell.
  • The right to delete personal information we have collected, subject to certain exceptions.
  • The right to correct inaccurate personal information.
  • The right to opt out of the sale or sharing of personal information. We do not sell or share personal information with third parties for cross-context behavioral advertising.
  • The right to limit use and disclosure of sensitive personal information (including biometric data). We only use your biometric data to train your personal AI model.
  • The right to non-discrimination for exercising your privacy rights.

To submit a CCPA/CPRA request, contact us at info@uppmatch.com. We will verify your identity before processing your request.

12. Security

We implement industry-standard security measures including encrypted data storage (AES-256 at rest), TLS encryption for all data in transit, row-level security policies on all database tables, and access controls that limit who can access your data. Despite these measures, no internet-based service is completely secure. In the event of a data breach that affects your personal data, we will notify you and relevant authorities as required by applicable law (typically within 72 hours for GDPR-covered breaches).

13. Children's Privacy

UppMatch is strictly intended for users aged 18 and over. We do not knowingly collect personal information from minors. You may not upload photos of minors under any circumstances. If we become aware that a minor has used the Service or that photos of a minor have been uploaded, we will immediately suspend the account and permanently delete all associated data. If you believe this has occurred, contact us immediately at info@uppmatch.com.

14. AI-Generated Content and Synthetic Media

Images generated by UppMatch are synthetic — they are created by an AI model and may not accurately represent your actual appearance. We do not represent generated images as authentic photographs. You are solely responsible for how you use generated images and must comply with any platform-specific disclosure requirements (such as dating app policies regarding AI-generated photos). We reserve the right to apply content moderation to all prompts submitted to the Service and to refuse generation of content that violates our Terms of Service.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes via email or an in-app notice at least 14 days before the change takes effect. For changes to how we handle biometric data, we will obtain your renewed consent where required by law. Continued use of the Service after the effective date constitutes acceptance of the revised Policy.

16. Contact

For privacy-related questions, requests, or concerns, contact us at info@uppmatch.com. We aim to respond to all requests within 30 days.