Terms & Conditions

Terms and Conditions and Privacy Policy for TinyTography.com

09.05.25

Terms and Conditions

1. Introduction

These Terms and Conditions (“Terms”) govern your access to and use of TinyTography’s Services, which allows users to upload photos and receive studio style portrait images. By using the Service, you agree to be bound by these Terms and all applicable laws and regulations. If you do not agree with any part of these Terms, you must not use the Service.

For the purposes of these Terms, “Company”, “we”, “us”, or “our” refers to the operator of the Service. “You” or “User” refers to the individual creating an account and using the Service. You represent that you are the parent or legal guardian of any child whose photo you upload, or that you have the authority and permission from the child’s parent/guardian to use the Service.

2. Eligibility and Age Restrictions

Adult Account Holders: You must be 18 years or older (or the age of legal majority in your jurisdiction) to create an account and use this Service. The Service is intended to be used by adults (such as parents or guardians) on behalf of children. We do not knowingly permit children under 13 to create accounts or use the Service directly, in compliance with the U.S. Children’s Online Privacy Protection Act (COPPA) and applicable laws.
Parental Responsibility: By creating an account and uploading a baby’s photo, you confirm that you are the child’s parent or legal guardian (or have express authorization from them) and that you consent to the child’s image and data being processed by the Service. If we discover that an account has been created by a minor or that child data was provided without proper parental consent, we will suspend or terminate the account and delete the data (see Section 5 below).
Accuracy of Information: You agree to provide truthful, current, and complete information about yourself (and your child, if applicable) during account registration. Maintaining accurate contact information (such as a valid email) is required for important notices.

3. Account Registration and Security

When you register for an account, you will be asked to create login credentials. You are responsible for maintaining the confidentiality of your account password and for restricting access to your account:

Account Security: You agree to keep your login credentials confidential and not share them with anyone. You are responsible for all activities that occur under your account. If you suspect any unauthorized use of your account or a security breach, you must notify us immediately.
Account Use: You agree not to allow any other person to use your account. If you are a parent, you may allow a co-parent or legal guardian to access the account for the same child, but you remain responsible for all account activity.
Multiple Accounts: You should not create multiple accounts to bypass any restrictions or to abuse the Service. Each account should be tied to a single individual or family.

4. User Responsibilities and Appropriate Use

By using our Service, you agree to use it responsibly and only for its intended purpose (generating personal baby portraits). You are solely responsible for all content you upload and for your use of the Service. In particular, you agree to the following responsibilities:

Proper Content Uploads: You will only upload photographs of babies/children that you have the legal right to use. This means the photos are of your own child or a child for whom you are the parent or guardian (or you have obtained explicit permission from the child’s parent/guardian). You will not upload images of any child if you do not have authority to do so.
Consent for Others in Photos: If any other individuals (e.g., other children or adults) appear in the photos you upload, you must have their (or their parent’s) permission to upload and use those images on the Service. However, we strongly encourage only uploading images focusing on the intended child to protect privacy.
No Harmful or Illegal Content: You must not upload any content that is illegal, harmful, or exploitive. In particular, you are strictly forbidden from uploading any images of child nudity, sexual content involving minors, or any form of child abuse or exploitation. Uploading such content is a severe violation and will result in immediate termination of your account and possible reporting to law enforcement. You also agree not to upload content that is hateful, harassing, defamatory, obscene, or that violates any law or regulation.
Accuracy and Quality of Photos: The quality of the generated portraits may depend on the quality of photos you provide. You are responsible for uploading clear and appropriate images (as guided by the Service instructions). You should not upload any files that contain viruses, malware, or harmful code.

5. Parental Consent and Child Protection

We take child privacy and safety seriously. The Service is designed to comply with child protection laws including COPPA in the United States and the UK Age Appropriate Design Code (Children’s Code) under UK data protection law:

Verifiable Parental Consent: By using this Service and uploading a child’s photo, you as a parent/guardian are providing verifiable consent for us to collect and use your child’s image and personal data as described in these Terms and our Privacy Policy. We will not knowingly collect personal information from a child under 13 without parental consent.
No Child Accounts: We do not permit children to use the Service on their own. All interactions (including account creation, photo uploads, and payments) must be made by an adult. You agree not to allow a minor to independently access the Service.
Child’s Best Interests: We design and operate the Service with the best interests of children in mind. We do not use children’s data for any purpose beyond providing the requested portraits to the parent/guardian. We do not serve advertising to children or present any inappropriate content. All data practices are transparent to parents (see Privacy Policy for details).
If Consent is Revoked or Violated: If at any time you, as a parent, withdraw your consent for us to use your child’s data (for example, by requesting deletion of photos as described in the Privacy Policy), we will honor that (though it may result in inability to continue providing the Service). If we become aware that child data has been provided without proper consent or in conflict with these Terms, we will delete that data and may terminate the associated account.

6. User Content – License of Photos to Us

Users may upload images and associated content (“User Content”) to the Service in order to generate AI portraits. You retain all ownership rights to the original photos and content you upload. We do not claim ownership of your raw images. However, by uploading or submitting photos to our Service, you grant the Company a license to use that content solely for the purpose of providing the Service to you, as follows:

License Grant for Service Provision: You grant us a non-exclusive, worldwide, royalty-free license to host, store, transfer, display, reproduce, and process your uploaded photos and any derived data only as needed to create AI-generated portraits of your child and provide them to you. This license allows us, for example, to temporarily copy your photos to our servers, to use them to train an AI model specific to your child, and to generate new images (portraits) from that model. We will not use your photos or derived models for any other purposes outside of providing you with the Service you requested.
No Commercial or External Use: We will not sell, publish, or share your uploaded photos with any third parties except as described in our Privacy Policy (for instance, with service providers processing the data on our behalf, or if required by law). We will not use your photos to develop or train any general artificial intelligence models that are used for customers or for public research; the training is limited internally for your own portraits.
Your Promises (Warranties): By uploading any User Content, you represent and warrant that: (a) you own or have obtained all necessary rights and permissions to upload the photos and grant the above license; (b) our use of the photos as permitted by these Terms will not infringe or violate the rights of any third party (such as copyright, privacy, or publicity rights); and (c) the photos comply with these Terms (e.g. no prohibited content as per Section 4). You agree that you will be responsible for any losses, claims, or legal consequences that result from your uploading of content in violation of these promises.
Content Moderation: We reserve the right (but do not assume the obligation) to review the photos you upload for compliance with these Terms. We may use automated filters or manual review to detect prohibited content (such as illegal images). Any content that violates Section 4 or appears to exploit a child will be removed and may be reported to appropriate authorities. We are not responsible for any loss of data if we remove or delete content that violates our policies.

7. Generated AI Portraits – License to You

When you use the Service, our AI will generate portrait images of your child (“AI Output” or “generated portraits”) based on the photos you provided. We strive to create high-quality personalized images. Ownership and rights to these AI-generated portraits are defined as follows:

Ownership of AI Outputs: As between you and the Company, the Company (and its licensors, if any) retain ownership of all intellectual property rights in the AI technology and algorithms that generate the portraits. The specific portraits generated for you are deeply personalized to your provided content. We consider these generated images to be derivative works created by our AI model using your photos under your instruction. To avoid confusion about usage rights, we grant you a license to use the outputs as described below.
Personal Use License: The Company grants you a limited, non-exclusive, non-transferable, royalty-free license to download, use, and display the AI-generated portraits for personal, non-commercial purposes only. This means you may save the images, print them for yourself or family, share them privately with friends and family, or display them on personal social media accounts for non-commercial use (for example, posting the portrait of your child on your personal Facebook/Instagram, or using it as a screensaver).
No Commercial Exploitation: You may not use the generated portraits for any commercial purpose or redistribute them for profit. Prohibited commercial uses include, but are not limited to: selling the AI-generated images or licensing them to others; using the images in advertisements, merchandise, or any for-sale product; or using the images to promote a business, product, or service without our explicit written permission. If you wish to obtain commercial rights, you must contact us and negotiate a separate agreement (which we are under no obligation to grant).
No Misrepresentation or Illicit Use: You agree not to misrepresent the origin of the AI portraits or claim that they were human-created artworks. You must not use the AI outputs in any unlawful, offensive, or privacy-violating manner. For example, you should not use the portraits to defame someone, create false identities, or attempt to exploit the likeness of the child in inappropriate ways. The images are intended as personal keepsakes and artistic renderings, and should be used respectfully.
No Right to Use Outputs: The portraits we generate for you are considered your private content. We may retain copies internally (as needed for storage or backup) for a limited time which is no greater than 90 days for the purposes of customer service, but we will not use your child’s portraits for any other purpose unless you separately consent to such use.
Terms of service disclaimers: The company is not responsible for your use of the pictures or for the consequences of such use.
Relinquishing ownership: The company disclaims ownership of the pictures from the time of file deletion, no greater than 90 days from the time of final client work

8. Intellectual Property Rights (Service Content and IP)

Aside from your content and the personal outputs granted to you above, all rights in and to the Service and its content are owned by the Company or its licensors:

Service IP: The Service (including all software, code, algorithms, AI models, tools, design, and architecture) and all content provided by the Company on the Service (such as text, graphics, logos, trademarks, and any templates or sample images) are protected by intellectual property laws (including copyright, trademark, and patent laws). The Company retains all rights, title, and interest in and to the Service and all associated intellectual property not expressly granted to you in these Terms.
License to Use Service: Subject to your compliance with these Terms, we grant you a perpetual, limited, revocable license to access and use the Service and its materials for your personal, non-commercial use only. This license allows you to use our website or app interface to upload photos and receive portraits, and to temporarily download or print the content you are allowed to (such as your generated portraits or receipts) for personal use. No other use of the Service or its content is authorized.
Restrictions: You agree that you will not copy, modify, distribute, or create derivative works from any part of the Service or content provided by the Company, except as explicitly allowed by these Terms. You must not reverse engineer, decompile, or attempt to extract the source code or underlying algorithms of any part of the Service (except to the limited extent that applicable law expressly permits such activities despite a contractual prohibition). You may not remove or alter any copyright, watermark, or trademark notices that appear on any content from the Service.
Trademarks: The Company’s name, logo, and any product or service names or slogans included in the Service are trademarks or registered trademarks of the Company (and/or its licensors) in the U.S., UK, and other jurisdictions. You must not use any of these trademarks without our prior written permission. All other marks and logos not owned by the Company that appear in the Service are the property of their respective owners and are used for identification purposes only.

9. Payment and Billing

Certain features of the Service may be offered for a fee (for example, purchasing a set of AI portraits, or a subscription for ongoing use). The following terms apply to payments:

Fees: You agree to pay all applicable fees as displayed to you at the time you purchase a product or service (e.g., a one-time payment for generating a batch of portraits, or a subscription fee for a number of generations per month). All fees will be clearly communicated in the ordering process, including any recurring charges if you choose a subscription plan. Prices may be listed in local currency and may not include taxes; if any sales, use, VAT, or similar taxes apply, we may add those at checkout as required by law.
Payment Process: When you provide payment information (such as credit card details or other payment method information), you represent that you are authorized to use the payment method and you authorize our payment processor to charge the full amount due for your order (plus any applicable taxes or fees) to that payment method. Payment Processing: We use secure third-party payment processors to handle payment transactions. We do not store your full credit card number on our own servers; such sensitive financial data is passed directly to our payment processor who is compliant with industry security standards. However, we may store certain billing information (like your billing name, address, last four digits of your card, and transaction identifiers) as needed for order records.
Subscription Billing: If you enroll in a subscription service, you authorize us to charge your chosen payment method automatically on a recurring basis (e.g., monthly or annually, as per the plan) without further approval from you, until you cancel the subscription. You can cancel a subscription at any time through your account settings or by contacting customer support. If canceled, you will still have access to the subscribed services until the end of the current paid period, but no refunds will be given for the remaining period except where required by law.
Refunds Policy: All purchases are final. If the 100% satisfaction guarantee is displayed on the website at the time of purchase then the company will, at its final discretion, provide a full refund in the event that you are unsatisfied. In the event of a refund all pictures provided to that time must be deleted by the customer and all ownership disclaimed. You agree to allow us to provide one further set of pictures for your review.

Due to the personalized and digital nature of the Service (each AI portrait is uniquely generated and cannot be “returned”), we generally do not offer refunds once a portrait has been generated or a service period has started. However, if you experience any issues or the Service fails to deliver the promised content, please contact us – we may, at our discretion, offer a fix, a replacement generation, or a refund according to consumer protection laws. Nothing in this policy affects any rights you may have under mandatory consumer protection laws (for example, the UK Consumer Rights Act or applicable state laws) regarding faulty digital content.
Failed Payments: If your payment method fails or an invoice is past due, we may attempt to re-charge the payment method. If payment remains unsuccessful, we reserve the right to suspend or terminate your access to the paid features of the Service. You agree to provide a valid payment method and promptly update your account with any changes (e.g., card expiration or new card number).
Pricing Changes: We reserve the right to change the fees or pricing for our Service, or to introduce new charges for features that may currently be free. If you are on a subscription, we will give you reasonable advance notice of any price increase and the opportunity to cancel if you do not agree. Continued use of the Service after the effective date of a pricing change constitutes your acceptance of the new prices.

10. Privacy and Data Protection

Your privacy is extremely important to us. Our collection, use, and storage of personal information (including baby photos and related data) are governed by our Privacy Policy (see below), which is hereby incorporated into these Terms by reference. By using the Service, you also agree to the terms of the Privacy Policy. In summary:

Compliance with Privacy Laws: We operate in compliance with applicable data protection laws, including the UK Data Protection Act / UK yand relevant U.S. privacy laws. For example, as noted, we adhere to COPPA for children’s data in the U.S. and the UK Children’s Code guidelines for providing a child-friendly service.
Use of Data: Any personal data you provide (such as account information, your child’s photos, and the generated portraits) will be used only for the purposes described in these Terms and our Privacy Policy – primarily, to provide the Service (creating your AI portraits) and to manage your account. We will not use personal data for unrelated purposes nor will we share it with third parties for their own marketing.
Security: We employ reasonable and appropriate security measures to protect your data (see Privacy Policy for details on security practices). However, you understand that no online service is 100% secure and you accept the inherent risks of providing personal data online.
Privacy Policy Agreement: You agree that you have read and understood our Privacy Policy. If you have any questions about how your data is handled, you can contact us at any time (see Contact Information at the end of these Terms or in the Privacy Policy).

11. Prohibited Activities

You agree to use the Service only for lawful purposes and in accordance with these Terms. Any misuse of the Service is strictly prohibited. In addition to the responsibilities listed in Section 4, you further agree that you will not:

Violate Laws or Rights: Use the Service in any manner that violates any applicable law or regulation, or that infringes the rights of any person or entity (including intellectual property rights and privacy rights). This includes not using the Service to distribute or store any content that is copyrighted, confidential, or personal to someone else without permission.
Interfere with the Service: Engage in any activity that could disrupt, damage, overburden, or impair the functioning of the Service or interfere with any other party’s use of the Service. Prohibited interference includes sending malicious code, viruses, or any harmful software; launching any automated system or script (like bots, scrapers, or spiders) that accesses the Service in a manner that sends more requests to our servers than a human can reasonably produce; or attempting to hack or gain unauthorized access to the Service, other user accounts, or our underlying systems.
Circumvent Security or Policies: Attempt to bypass or disable any security features or technological measures of the Service, including content filters or access controls. You must not attempt to probe, scan, or test the vulnerability of our systems or networks, or breach authentication measures.
Data Mining or Extraction: Use any manual or automated means (such as data mining, robots, or scraping tools) to systematically retrieve data or content from the Service (other than the content you have uploaded or generated for your personal use). You are also prohibited from extracting or harvesting any information from the Service for any commercial purpose.
Misuse of Outputs: Use the AI-generated portraits or any part of the Service for the creation of defamatory, deceptive, or otherwise harmful content. For example, you must not use an AI-generated image of a child to create fake identities or to perpetrate fraud or harassment.
Reverse Engineering: Copy, modify, or create derivative works based on any part of the Service (including the AI model) beyond what is allowed by these Terms. You must not reverse engineer or attempt to discover the source code or trade secrets of the Service.
Impersonation or False Accounts: Misrepresent your identity or affiliation in using the Service. You should not impersonate any person or organization, or attempt to access another user’s account.
Commercial Exploitation: Sell, resell, or commercially exploit the Service or its content (including generated images) without express permission from us, as already outlined. This includes running a competing service using our outputs or using the Service as part of any commercial venture outside the scope permitted.
Failure to Comply: Aid or encourage any third party to do any of the above. If you become aware of any unauthorized use of the Service or any content that violates these Terms, you agree to promptly notify us.

Engaging in any of the above prohibited activities is a serious breach of these Terms and may result in immediate termination or suspension of your account (without notice), and if appropriate, referral to law enforcement authorities.

12. Termination of Service

Both you and the Company have the right to terminate this agreement under certain circumstances:

By You (User Termination): You may stop using the Service at any time. You may also delete your account if you no longer wish to use the Service. To delete your account, you can use any self-service account deletion function (if available) or contact us to request deletion. Terminating your account will stop your access to the Service; however, certain data may be retained for a period as outlined in the Privacy Policy (e.g., transaction records or backups), or as required by law.
By Us (Suspension or Termination): We reserve the right to suspend or terminate your access to the Service (in whole or in part) at our discretion, with or without prior notice, if you violate these Terms or if we suspect any fraudulent, abusive, or unlawful activity that may affect the Service or other users. Specifically, any breach of Sections 4, 5, or 11 (regarding appropriate use, child protection, and prohibited activities) can result in immediate termination. We may also terminate the Service or your account if required to comply with law enforcement or a legal request, or if unexpected technical issues occur.
Effect of Termination: Upon termination of your account, your right to use the Service will cease immediately. We will disable your account and you will lose access to any features of the Service that require an account. Any licenses granted to you for content (such as the personal use license to the AI portraits) will also terminate, meaning you should cease any further use of the Service’s content except that which you have already lawfully obtained (e.g., copies of portraits you already downloaded can still be retained by you for personal use). We may delete your stored data, including any remaining photos or generated images associated with your account, as described in the Privacy Policy. Please ensure you have downloaded any portraits you want to keep prior to deleting your account or if we terminate your access, as we may not be able to recover them later.
Survival of Terms: Any provisions of these Terms that by their nature should survive termination (for example, provisions regarding liability, arbitration, intellectual property ownership, licenses granted to us, and any indemnification obligations) will remain in effect after your access to the Service has ended.

13. Disclaimers of Warranties

The service is provided “AS IS” and “AS AVAILABLE.” To the maximum extent permitted by law:

We (the Company) disclaim all warranties and representations, express or implied, regarding the Service and any content obtained through the Service. This includes, but is not limited to, implied warranties of merchantability, fitness for a particular purpose, title, and non-infringement. We make no warranty that the Service will meet your requirements or expectations, or that the results (including the AI-generated portraits) will be satisfactory to you or free from errors.
Quality and Accuracy: While we strive to create accurate and pleasing portraits, you acknowledge that AI-generated images are inherently creative approximations and may not perfectly reflect reality. We do not guarantee the accuracy, completeness, or artistic quality of any generated image. You use the results at your own risk, and you should not rely on the Service for any purpose where inaccurate or unsuitable images could cause harm.
Availability: We do not warrant that the Service will be uninterrupted, timely, secure, or error-free. There may be occasions when the Service is unavailable (whether due to planned maintenance or unexpected outages). We are not responsible for any harm that might arise from such downtime or technical issues.
Data Integrity: While we employ measures to protect user content, we make no guarantee that any data (including uploaded photos or generated portraits) will not be lost, corrupted, or otherwise destroyed. It is your responsibility to maintain backup copies of the photos you upload and to save any portraits delivered to you.
No Advice or Information: No advice or information (oral or written) obtained from the Company or through the Service shall create any warranty not expressly stated in these Terms.
Jurisdictional Limitations: Some jurisdictions do not allow the exclusion of certain warranties. For example, in the UK, consumers have certain statutory rights that cannot be excluded, and in some U.S. states you may have specific legal rights. Nothing in these Terms will exclude or limit any warranty or condition that cannot be disclaimed under applicable law. To the extent such warranties cannot be disclaimed, we limit the duration and remedies of such warranties to the minimum permissible under law.

14. Limitation of Liability

To the fullest extent permitted by applicable law, the Company (and its parents, subsidiaries, affiliates, officers, employees, agents, partners, and licensors) shall not be liable for any damages or losses arising out of or in connection with your use of (or inability to use) the Service or these Terms. This includes:

Types of Damages Excluded: We are not liable for any indirect, incidental, special, consequential, or punitive damages, or any loss of profits, revenues, data, or use, incurred by you or any third party, whether in an action in contract, tort (including negligence), strict liability, or otherwise, even if we have been advised of the possibility of such damages. For example, we will not be liable for damages related to: your disappointment with the portraits’ appearance; any decision you make or action you take based on the Service’s output; unauthorized access to or alteration of your data; or any other intangible losses.
Liability Cap: In jurisdictions where liability limitations are allowed, the Company’s total cumulative liability to you for any claims arising from or related to the Service or these Terms shall not exceed the amount you paid us (if any) in the 12 months immediately preceding the event giving rise to the claim. If you have not paid the Company any amount (for example, if you used a free trial), the Company’s total liability shall not exceed a nominal sum (e.g., $50 or equivalent local currency).
Exceptions: Nothing in these Terms limits or excludes our liability for: (a) death or personal injury caused by our negligence; (b) our fraud or fraudulent misrepresentation; or (c) any other liability that cannot be limited or excluded by law. Additionally, because some jurisdictions do not allow the exclusion or limitation of incidental or consequential damages, the above limitations may not apply to you in their entirety.
Consumer Rights: You may have certain rights under local law. For instance, UK consumers have statutory rights regarding the provision of digital services (such as the right to expect reasonable care and skill). These Terms are not intended to limit or exclude any such rights that cannot legally be waived. Rather, these limitations apply to the extent allowed by law and no further.

15. Indemnification

You agree to indemnify, defend, and hold harmless the Company and its affiliates, officers, directors, employees, and agents from and against any and all claims, liabilities, damages, losses, or expenses (including reasonable legal fees and costs) that arise out of or relate to your content or use of the service. This also includes:

Your Content: Any claim that your uploaded photos or content, or the Company’s use of them in providing the Service, infringes any intellectual property, privacy, or other rights of any third party, or has caused harm to a third party.
Your Use of the Service: Any use of the Service by you (or by others using your account) that violates these Terms or any applicable law. This includes any breach of your representations and warranties in these Terms, and any prohibited activity in which you or your account engages.
Your Violation of Laws or Rights: Your violation of any law, regulation, or the rights of any third party in connection with your use of the Service.

We reserve the right to handle our legal defense as we see fit, including choosing our counsel, and you agree to cooperate with us in defending against any third-party claims at your expense. You may not settle any claim that imposes any liability or obligation on the Company without our prior written consent. (This indemnity does not require you to indemnify the Company for its own willful misconduct or gross negligence.)

16. Governing Law

Because we operate in multiple jurisdictions, we tailor this section based on where you reside:

If you reside in the United States (or any country outside the United Kingdom/European Economic Area): These Terms and any dispute arising out of or relating to these Terms or the Service shall be governed by the laws of the State of Delaware, USA, and, to the extent applicable, the federal laws of the United States, without regard to its conflict of law principles.
If you reside in the United Kingdom or European Union: These Terms and any dispute or claim arising out of or in connection with them (including non-contractual disputes or claims) shall be governed by the laws of England and Wales, under the UK legal framework.
International Application: Regardless of which law is stated above, nothing in these Terms will deprive you of any consumer protection rights or data protection rights you are entitled to under the law of your residence (this means if local law in your country provides you certain mandatory protections, those still apply). These Terms set out governing laws primarily for dispute resolution, but we acknowledge our obligations to comply with laws such as UK data protection law and US federal/state laws in operating the Service.

17. Jurisdiction and Dispute Resolution

We hope to resolve any issues you have with the Service quickly and amicably. If you have a concern or dispute, please contact us first. However, if a legal dispute arises, the following terms apply:

Informal Resolution: You agree to first attempt to resolve any dispute or claim relating to these Terms or the Service by contacting us in writing (see Contact Information below) and providing a description of your dispute and the relief you seek. We will attempt to address your dispute within a reasonable time (and no greater than 90 days ). If we are unable to reach an agreeable solution, then the formal dispute resolution processes below will apply.
For U.S. Residents – Arbitration Agreement: If you reside in (or assert a claim in) the United States, you and the Company agree that any dispute, claim, or controversy arising out of or relating to these Terms or the use of the Service shall be determined by binding arbitration on an individual basis. This means you are waiving the right to a trial by jury and the ability to participate in a class action for such disputes. The arbitration will be administered by a neutral arbitrator (for example, through the American Arbitration Association (AAA) under the AAA Consumer Arbitration Rules) and judgment on the arbitration award may be entered in any court having jurisdiction.

Arbitration Procedures: If arbitration is elected, it shall be conducted in English and, unless you and the Company agree otherwise, will occur virtually or in a convenient location for the company (if an in-person hearing is necessary). The arbitrator shall apply the governing law specified in Section 16. Each party will bear its own costs of arbitration (attorneys’ fees, etc.) unless the arbitrator finds that a claim was frivolous or brought in bad faith, in which case the prevailing party may be awarded its reasonable fees.
Exceptions: Either party may bring claims in small claims court if they qualify. Also, both parties retain the right to seek injunctive or equitable relief in a court to prevent (or stop) intellectual property infringement or misuse of the Service, without going through arbitration first.
Class Action Waiver: To the extent permitted by law, all disputes shall be resolved on an individual basis only, and not as part of any class, consolidated, or representative action. You agree that you will not participate in or seek to recover relief in any class or representative proceeding against us.

For UK/EU Residents – Court Jurisdiction: If you reside in the UK or EU, the above arbitration agreement does not apply. You have the option to resolve any dispute with us in the courts of your domicile or in the courts of England and Wales. By these Terms, we agree that the courts of England and Wales have non-exclusive jurisdiction. This means you can bring a claim in England, or in the country where you live, under the laws set forth in Section 16. If you are a consumer in the EU, you may also be protected by any provisions of the law of your country of residence that are more beneficial to you.
Time Limits: Any claim or cause of action arising out of or relating to the Service or these Terms must be filed within three (3) months after such claim arose; otherwise, the claim is permanently barred. (This one-year limitation may not apply for consumers in jurisdictions where such time limit is not permitted by law.)
Rights to Injunctive Relief: Notwithstanding the above, nothing in these Terms prevents either you or us from seeking urgent injunctive relief or other provisional remedies from a court of competent jurisdiction, if necessary, to protect our rights or your rights pending the completion of the dispute resolution process.

18. Changes to These Terms

We may revise or update these Terms from time to time to reflect changes in our Service or for legal, operational, or regulatory reasons:

Notification of Changes: If we make material changes to these Terms, we will provide you with reasonable notice through the Service or via email (if you have provided an email address) before the changes take effect. Minor updates (such as clarifications or changes that do not reduce your rights) may be posted with a new effective date and without specific notice, so please review these Terms periodically.
Acceptance of Changes: By continuing to use the Service after updated Terms have become effective, you agree to be bound by the revised Terms. If you do not agree to the updated Terms, you must stop using the Service and, if applicable, cancel any account or subscriptions you have with us.
Conflict Between Versions: In the event of a conflict between these Terms and any prior versions or statements, the most current version shall prevail. We will indicate at the top of the Terms the date of the last revision for your reference.

19. Contact Information

If you have any questions, concerns, or feedback about these Terms or the Service, or if you need to provide any notice under these Terms, please contact us at:

TinyTography
Email: hello@tinytography.com
Address: 71-75 Shelton Street, London
Attn: Legal Department / Terms of Service

We will do our best to respond promptly. Your communication with us does not waive any rights or obligations under these Terms unless we agree to such waiver in writing.

Thank you for reading our Terms and Conditions. By using our Service, you acknowledge that you understand and agree to all of the above terms. We are committed to providing a safe, enjoyable experience creating AI portraits of your little ones!

Privacy Policy

1. Introduction

TinyTography (“Company”, “we”, “us” or “our”) is committed to protecting your privacy and handling your personal data in an open and transparent manner. This Privacy Policy explains what information we collect through the The Services Provided (“Service”), how we use and share that information, and your rights regarding your information. We provide an AI-driven platform where parents/guardians upload baby photos to create portraits; in doing so, we collect both the parent’s and the child’s personal data under strict protections.

This Privacy Policy is designed to comply with applicable data protection and child privacy laws, including the UK General Data Protection Regulation (UK GDPR) and associated UK Children’s Code (Age Appropriate Design Code), as well as the U.S. Children’s Online Privacy Protection Act (COPPA) and other relevant U.S. privacy laws. We apply high standards of data protection to all users, and especially for children’s personal data.

By using the Service or by otherwise providing us with personal information, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this Policy, please do not use the Service. We encourage parents or guardians to read this Policy carefully as it concerns the personal information of their children.

Data Controller: For the purposes of UK data protection law, TinyTography is the “data controller” of your personal data (this means we are responsible for deciding how and why the personal data is processed). Our contact details are provided at the end of this Policy for any questions or requests regarding your data.

2. Information We Collect

We collect personal information that you provide to us directly, as well as some information automatically when you use our Service. The types of information we collect include:

Account Information: When you create an account, we collect information such as:

Name – Your name (and optionally your child’s first name or nickname if you choose to provide it for personalization).
Contact Details – Email address (required for account verification, login, and communication). We may also collect a phone number or mailing address if you provide it (for example, if needed for customer support or billing receipts, though generally email is sufficient).
Login Credentials – A username (if different from email) and password that you set. (Passwords are stored in an encrypted form.)
Age Verification Info – We may ask for your date of birth or an affirmation that you are over a certain age (e.g., a checkbox confirming “I am 18 or older and the parent/guardian of the child in the photos”) to ensure compliance with age restrictions. We do not intentionally collect personal data directly from children under 13.

Baby Photos (Images of Children): The core of our Service is you uploading real photos of your baby/child. These images are personal data, and potentially sensitive as they depict a child’s likeness. We collect and store the photos you upload for the purpose of training our AI model and generating portraits. We do not require you to provide the child’s name, age, or any other identifying detail in the photo metadata, and we ask that you refrain from submitting such extra personal information in images (for instance, avoid images that have the child’s name visible or other people’s personal data).

Note: We strongly advise that you only upload photos of your own child (or a child you are authorized to represent). Do not upload photos of other children or any person for whom you do not have permission.

Generated Portraits: After processing, the Service will produce AI-generated images (“portraits”) of the child. These portraits are also stored (at least temporarily) on our servers to deliver them to your account. While these portraits are created by us, they are derived from your child’s image. (They are only available to you when logged in, and to our staff or systems as needed to operate the service.)
Payment Information: If you make a purchase on the Service (such as paying for a portrait package or subscription), you will provide payment details. We use a third-party payment processor to handle payments securely. The information collected for payments may include:

Billing Name and Address – to verify your payment method and for invoice records.
Payment Card Details (credit/debit card number, expiration, CVV) or other payment method details (e.g., PayPal). We do not store full card numbers or CVV on our systems. This information is transmitted securely to our payment processor in compliance with Payment Card Industry (PCI) standards. We may store a payment transaction ID or token returned by the processor, and possibly the last four digits of your card and expiration date for reference.
Transaction Records – date and time of purchases, the items or services purchased (e.g., “10 AI portraits package”), and the amount paid. We keep these records for accounting and legal purposes.

Communications: If you contact us (via email, support ticket, or social media), we will collect the information you provide in your inquiry, which may include your name, contact information, and the content of your message. This also includes feedback you provide or responses to surveys (if any) about the Service.
Usage Data (Automatically Collected): When you use the Service (especially our website or app), we automatically collect some technical information about your device and how you interact with the Service. This information may include:

Device and Browser Information: e.g., your device type, operating system, browser type, and version. If on a mobile device, we might collect device identifiers (like an advertising ID) — however, since our Service is child-focused, we do not use these for advertising tracking, only for analytics or troubleshooting.
IP Address: We log your IP address when you connect to the Service. This can indicate approximate location (country or state level) and is used for fraud prevention, security, and sometimes to display the appropriate regional content or comply with local requirements.
Cookies and Similar Technologies: We use cookies or similar technologies to remember your login session, preferences, and to gather analytics about usage. For example, a cookie saves your session ID so you remain logged in as you navigate the Service. We do not use cookies for advertising purposes on this Service, and any analytics cookies are used to improve functionality and user experience (see Section 8 on Data Security & Storage for more on cookies).
Activity Logs: We may log actions you take within the Service (e.g., uploading a photo, initiating an AI generation, downloading an image) along with timestamps. These logs help us provide the service (e.g., queueing your AI request) and maintain security (audit trails in case of abuse).

We aim to minimize the personal data we collect to what is necessary to provide our Service effectively and safely. We do not ask for or intentionally collect any of the following from you or your child: social security/national ID numbers, full date of birth of the child, precise GPS location, sensitive characteristics (like race, religion, or health information) unrelated to the images, or any content of communications not related to the Service. Please refrain from providing such information to us.

3. How We Use Your Information

We use the collected information for the following purposes, and we ensure that each use is supported by a valid legal basis (see Section 4 for legal bases):

To Provide and Operate the Service: We use your information so that you can create AI baby portraits. Specifically:

Image Processing: We use the baby photos you upload to train our internal AI model and generate the requested portraits of your child. This is the primary function of the Service. Our team review the content uploaded to achieve greatest quality in use of the technology and / or to ensure compliance (e.g., checking that uploaded images are appropriate and not in violation of rules).
Account Management: We use your account information (email, password, etc.) to create and maintain your account, authenticate you when you log in, and keep track of your portrait generation orders. We may also use your email to send you Service-related communications (e.g., confirmations that your portraits are ready, notifications of updates or issues with your account).
Delivery of Outputs: We store and make your child’s AI-generated portraits available in your account for you to view and download. We might also send them to you via email upon generation if that feature is offered.

Training the AI Model (Limited Scope): We use your child’s photos to train an AI model that is used only for generating portraits for your child. The model “learns” from your provided images to create new ones in various styles or poses. Importantly, each child’s data is used to train a unique model instance or profile: we do not commingle your child’s photos with other users’ data to create generalized models. This use is purely internal and for your benefit. (We do not use your child’s data to improve our general algorithm that would serve others, except potentially in aggregated ways that do not identify or use actual images – see below).
Service Improvement and Research: We strive to improve our AI and our service. We may use data in aggregated, de-identified form to understand usage patterns and performance. For example, we might analyze how long the AI generation process takes or the general success rate of generating portraits, or the number of active users, etc. We do not use personal data (like actual photos or portraits) in our research or development without your consent beyond what is needed to generate your portraits. If we ever wanted to use images to improve our algorithms beyond your individual model (for instance, to improve our general AI model’s ability to handle baby photos), we would only do so with explicit consent or by using images that have been irreversibly transformed or anonymized such that they are no longer identifiable.
Communication with You:

Service Communications: We will use your email (or provided contact method) to send you important information about the Service. This includes confirmation emails when you register, receipts or invoices for payments, notifications that your AI portraits are ready, and important service announcements (like changes to terms or privacy policy, security alerts, or updates on any outages). We may also contact you by telephone.
Customer Support: If you reach out with a question or issue, we will use the information you provided to respond and resolve your inquiry. We might ask for additional information if needed to troubleshoot (for example, if you say an upload isn’t working, we might ask about your device or a screenshot of an error).

Payment Processing and Order Fulfillment: We use payment information to complete transactions. For example, if you purchase a portrait pack, we use your provided payment details to charge the amount through our payment processor. We use your email to send payment confirmations and receipts. If there are any issues with billing (like an expired card), we may notify you to update payment info.
Ensuring Legal Compliance and Safety:

We may use personal data to enforce our Terms and Conditions and to prevent potentially illegal or harmful activities. For instance, if we suspect that an uploaded photo contains illegal content (such as child exploitation material), we will review and handle it per legal requirements (which may include reporting to authorities and preventing the generation of portraits from such content).
We use age verification information (such as your confirmation of being an adult) to comply with COPPA and ensure we are dealing with a parent/guardian, not the child directly.
We may monitor usage and investigate any misuse of the Service (as described in Terms) which may involve using logs and user data to identify the source of the problem.
If required by law, we might process data for compliance purposes (e.g., keeping transaction records for tax auditing, responding to government requests as allowed by law).

Data Security: Some information (like IP addresses, device info, and log-in attempts) is used in our security measures. For example, we might use your IP or device data to detect if an unknown device logs into your account and alert you, or to determine if multiple failed login attempts are occurring (potential brute force attack) and then take action like temporarily locking the account for safety.
Business Operations: We may use data in connection with routine business administration. This could include performing accounting, audits, and other internal functions; debugging and fixing errors in the Service; or for purposes of a business transaction (if we ever consider a merger or acquisition, as described in Section 5 below, your data would be evaluated as part of assets while still being protected by confidentiality).

We will not use your or your child’s personal data for any purposes that are incompatible with the above. Specifically:

We do not use personal data for targeted advertising or building marketing profiles, especially no profiling of children for marketing.
We do not sell or rent personal information to third parties.
We do not use your child’s likeness or data in any public-facing materials or AI models that generate content for others.
We do not contact your child directly or disclose their information publicly.

If we need to use your personal data for a new purpose not covered by this Privacy Policy, we will update this Policy and, if required by law, seek your consent or give you the opportunity to opt-out.

4. Legal Bases for Processing (UK & US Compliance)

We process personal data under different legal grounds depending on your jurisdiction. This section explains the lawful basis we rely on for UK (and EU) users under GDPR, and our compliance approach in the US (including COPPA):

4.1 UK/EEA Users – Legal Bases under GDPR:
Under the UK GDPR (and EU GDPR if applicable), we must have a valid legal basis to process your personal data. We have assessed our activities and believe the following bases apply:

Consent: We rely on your consent for certain types of processing, particularly in relation to children’s personal data (photos) and any optional data uses.

When you upload your child’s photo and use our Service, we interpret that as you (the parent/guardian) giving explicit consent to process your child’s personal data for the purposes described (creating AI portraits). This is in line with Article 6(1)(a) and Article 8 of GDPR (parental consent for information society services offered to a child).
If we ever seek to use your data for additional purposes (like using a portrait for marketing testimonials or using images for improving our general AI), we will explicitly ask for your consent and you have the right to decline.
You have the right to withdraw consent at any time (see Section 9 on Your Rights). Withdrawal of consent will not affect the lawfulness of processing before withdrawal, but it may mean we cannot provide certain services afterward.

Performance of a Contract: Many of our data uses are necessary for performing our contract with you (Article 6(1)(b) GDPR). When you agree to our Terms and request our Service, a contract is formed for us to provide AI portraits. We must process certain personal data to fulfill this contract:

We need your account data to create and maintain your user account and authenticate you.
We must process the photos and generate portraits as the core service you requested.
We handle payment information to process your orders for paid services.
Any related support or communications are also part of providing the service to you as agreed.
Without this data, we couldn’t provide the Service you expect. Therefore, this processing is deemed necessary for the contract.

Legal Obligation: In some cases, we process data to comply with a legal obligation (Article 6(1)(c) GDPR).

For example, retaining transaction records for the period required by tax law or financial regulations.
Complying with child protection laws: if we are required to report incidents of child exploitation images, we will process and disclose data as legally mandated.
Responding to lawful requests by public authorities (e.g., court orders) where we are legally compelled to provide data.

Legitimate Interests: We may rely on legitimate interests (Article 6(1)(f) GDPR) for certain processing that is not strictly required by contract but is within reasonable expectations of using the Service, and where our interests are not overridden by your data protection rights.

Our legitimate interests include: improving and ensuring the security of our Service, understanding how the Service is used (in aggregate) to improve functionality, preventing fraud and abuse, and marketing our services to adult users.
For instance, analyzing logs to detect fraudulent use is in our legitimate interest to protect our platform. Another example is using a parent’s email to send minor Service updates or offers—this can be a legitimate interest (direct marketing to existing customers), though we will always provide an opt-out.
When processing on this basis, we take into account any potential impact on you (especially any impact on children’s privacy) and will not proceed if we determine your interests or rights override ours. Generally, we do not rely on legitimate interests for any processing that involves a child’s sensitive data beyond what is necessary for safety or legal compliance.

Special Category Data: Note, the photos of a child could be considered biometric data if used for the purpose of uniquely identifying a person, which would be “Special Category” under GDPR. We do not use the photos for identification, but rather for image generation. However, out of caution, to the extent any biometric or sensitive inference could be drawn, we rely on your explicit consent for processing such data (Article 9(2)(a) GDPR).

4.2 U.S. Users – Compliance with COPPA and Other Laws:
In the United States, COPPA requires parental consent for collection of personal data from children under 13, and other federal or state laws provide privacy protections. Our compliance approach includes:

Parental Consent (COPPA): We obtain verifiable parental consent before collecting personal information from children. By creating an account and uploading your child’s photos, you (as the parent/guardian) are providing the required consent for us to collect and use that information for the Service. We do not collect personal info directly from children, nor do we allow children under 13 to interact with the Service without parental oversight.
Internal Operations Exemption: COPPA allows certain collections for “internal operations” of the service (like maintaining user authentication, analyzing how the service is used, etc.). We ensure that any information we collect from a child is used only for purposes permitted by COPPA, such as supporting the internal operation of the Service (which includes contextual personalization like generating the child’s portrait, and ensuring security). We do not use child info for anything that COPPA would disallow (like targeted advertising or disclosing to third parties for unrelated use).
State Privacy Laws: We comply with applicable state privacy laws (such as the California Consumer Privacy Act, CCPA/CPRA; though non-profit status or size thresholds may exempt us, we commit to privacy best practices). For example:

We do not “sell” personal information as defined by CCPA.
If you are a California resident, you have specific rights to access or delete personal information, which we honor (see Section 9 on Your Rights).
We treat sensitive personal information (like children’s data) with heightened protection.

Legitimate Interests / Necessity: In U.S. terms, much of our data use is based on the necessity to provide the service you requested, or our legitimate interests in running a safe, effective business, balanced with respect for privacy.
Contractual Commitments: Our Terms of Service constitute an agreement, and data is used to fulfill our obligations and provide what you paid for or signed up for.
Legal Requirements: Similar to above, we follow U.S. laws requiring data handling (for example, mandatory reporting laws for child abuse imagery, or complying with subpoenas).

In summary, regardless of jurisdiction, we handle personal data either with your consent or because it is necessary to provide our service and comply with laws. If you ever have questions about the legal justification for a particular data use, please contact us (Section 12).

5. How We Share Your Information

We understand that you trust us with your (and your child’s) personal information, and we do not sell or share it. We only share personal data in a few specific situations, all with appropriate safeguards:

Service Providers (“Processors”): We employ trusted third-party companies to perform certain functions on our behalf. They only receive the data necessary to perform their specific services and are contractually obligated to protect it and use it only for our instructed purposes. Key service providers include:

Cloud Storage and Computing: We may store your photos, portraits, and data on cloud servers or use cloud computing providers to run the AI model. These providers (e.g., AWS, Azure, Google Cloud, or similar) process data under strict security and confidentiality. We ensure any provider we use complies with data protection standards (and for UK/EU data, that transfers are legal – see Section 8 on International Transfers).
Payment Processors: As mentioned, a payment processing company (for example, Stripe, PayPal, etc.) will receive your payment details to process transactions. They are responsible for securing your financial info. We share with them the transaction amount, your billing info, and they inform us of success/failure. These processors are PCI-DSS compliant and are independent controllers of your payment data in many respects (meaning they have their own legal obligations to handle that data securely).
Email/Communication Services: We might use an email service provider or customer support platform to send communications (for instance, SendGrid for transactional emails or Zendesk for support tickets). They would process your email address and any message content under our instructions.
Analytics Services: If we use any analytics tools (like Google Analytics, etc.) they might collect usage data through tags or cookies. However, since our service is oriented around children’s data, we either avoid analytics that profile users or configure them in privacy-friendly ways (e.g., IP anonymization). Any analytics are used solely to improve our service performance and user experience, not for advertising.
Content Moderation or Safety Tools: We might use third-party software to help automatically detect prohibited content (like known illegal images, viruses, etc.). For instance, a tool that compares uploads against a database of illegal material (like PhotoDNA for child abuse content) – this could involve hashing and matching images. Such tools, if used, operate under strict privacy conditions and any findings of illegal content would be handled as required by law.

Within Our Corporate Group: If our company has affiliates, parent, or subsidiary companies we may share data between our entities as necessary to operate the service. All such entities will abide by this Privacy Policy and protect personal data to the same standards. For UK/EU data transferred to a U.S. affiliate, we implement lawful transfer mechanisms (again, see Section 8).
Legal Requirements and Safety: We may disclose personal information when required by law, or when we have a good-faith belief that doing so is necessary to:

Comply with the law or legal process – such as a court order, subpoena, or other legal demand. (We will try to notify you of such demands when allowed, unless we believe doing so is futile or illegal.)
Protect vital interests – e.g., to report information to law enforcement where a child may be in danger or a crime has been committed (especially relevant if we encounter child exploitation content).
Enforce our Terms or rights – e.g., to address fraud, security, or technical issues, or to collect unpaid fees, we might share data with our legal advisors or in litigation if necessary.
Protect others – e.g., exchanging information with other companies and organizations for the purposes of child protection, fraud protection, or to reduce credit risk (in accordance with data protection laws).

Business Transfers: If the Company is involved in a merger, acquisition, sale of assets, bankruptcy, or other business reorganization, your personal information may be transferred to or accessed by a successor entity or potential purchaser as part of evaluating the transaction. In such cases, we will ensure that your data remains subject to confidentiality obligations and, if actually transferred, that the successor will be bound by terms that are at least as protective of your privacy as this Policy. We will notify you (for example, via email or notice on our site) of any ownership change or data transfer and your rights in that context, especially if it results in a new entity handling your personal information.
With Your Explicit Consent: Apart from the scenarios above, we will only share your or your child’s personal data with third parties if you have given us explicit permission to do so. For example, if you wanted us to share a testimonial or success story with your child’s portrait on our social media or website, we would only do that with your written consent. (This is purely hypothetical; our default is not to share your child’s images publicly at all.)

No Selling of Personal Data: We do not sell personal information to third parties for monetary or other valuable consideration. This includes children’s data – we do not engage in any practice of selling or renting information about children or parents to data brokers or advertisers. If this ever were to change, we would comply with legal requirements including obtaining opt-in consent (particularly for minors’ data) and providing clear notice, but we have no plans to change this stance.

No Third-Party Advertising: We do not share data with ad networks or social media companies for advertising purposes. You will not see third-party ads on our Service tailored using your data, and we aren’t giving your data to advertisers.

In summary, information is shared externally only as needed to run our Service (under strict agreements) or as required by law. All service providers are carefully vetted for security and privacy standards. We remain accountable for the protection of your personal data when it is transferred to third parties under our instructions.

If you have questions about a specific third party’s access to your data, please contact us (Section 12), and we can provide more detail on any partners we use.

6. Children’s Privacy and Parental Controls

Protecting children’s privacy is at the core of our business. This section reiterates some key points specifically about children’s data and parental rights, in compliance with COPPA (in the US) and the Children’s Code (UK):

Intended Audience – Parents/Guardians: Our Service is directed to parents or guardians of children, not to children themselves. We expect that a parent or guardian is the one directly providing personal information (like photos and account details) and supervising the use of the Service. If a child (under 13) is ever found to be directly interacting with us (e.g., a child tried to create an account or contact us), we will refuse and advise that a parent must be involved.
No Child-Targeted Content: We do not display content in our Service that is harmful or inappropriate for children. The generated portraits are meant to be cute/fun images of the child. The website/app interface is designed to be family-friendly. We adhere to the UK Children’s Code standards by applying “high privacy default” and not including features that would negatively impact a child’s wellbeing or privacy. There is no social networking element where children might accidentally share information publicly.
Parental Access and Control: As a parent/guardian user, you have control over the personal information of your child that we collect. You can:

Review the child’s personal information that we have (this includes the photos you uploaded and the portraits generated). You can see the portraits in your account. If you want to know exactly what photos or data we still have stored, you can contact us for a comprehensive report (see Section 9 on Your Rights).
Delete or Correct the child’s personal information. You can delete photos from the Service (if functionality is provided) or request us to delete them. You can also ask us to delete the trained AI model and portraits. We will comply with such requests, as detailed in Section 7 (Data Retention & Deletion) and Section 9 (Your Rights). If any information is incorrect (though typically the only info about the child might be their name if you provided it), you can correct it by editing the account profile or asking for assistance.
Consent Withdrawal: You have the right to withdraw consent for further collection or use of your child’s information at any time. For instance, if after using the Service you decide you no longer want us to retain your child’s data, you can request deletion (which effectively withdraws consent going forward). Note: withdrawing consent will likely mean we cannot continue to provide the Service to you.

Verifiable Parental Consent Mechanism: At sign-up or before uploading any child’s photo, we take steps to ensure the person doing so is a parent or guardian. Our methods may include requiring a credit card payment (which implies adult status), an age gate (asking birthdate or confirmation of adulthood), or emailing back for confirmation. By successfully creating an account and uploading data, we treat that as verification that you are an adult authorized to consent. If we have doubts (e.g., we receive information suggesting the user might be underage), we may ask for additional verification or refuse service until satisfied.
If a Child’s Data is Provided Without Consent: If we learn that we have collected personal information from a child under 13 without a parent’s consent, or that a teenager under 18 has misrepresented their age to use the service:

We will delete that information as quickly as possible (except to the extent retaining it is required by law – for example, to report a violation).
We will terminate any account that was improperly created by an underage user.
If you believe we might have any information from or about a child under 13 that was collected improperly, please contact us immediately (Section 12) and we will promptly investigate and handle it.

Child-Friendly Explanations: As part of compliance with the Children’s Code, although our users are adults, we aim to be transparent. If we were to have any interface where a child might read about their data (perhaps if an older child is involved in the process), we would provide explanations suitable for children to understand what’s happening with their data, in a clear and age-appropriate way.
No Profiling or Automated Decisions Harmful to Children: We do not profile children beyond the purpose of creating the portrait. There are no automated decisions made about the child that would affect them legally or significantly – the AI simply creates images. We do not evaluate or categorize the child in any way (no facial recognition to identify them in real life, no scoring, etc.).
Education & Guidance: We encourage parents to educate themselves and their children about online privacy and to monitor the child’s online activities. While our Service is used by parents, any time children’s images are uploaded anywhere, it’s wise to consider the implications. We are available to answer any questions parents might have about our approach to child privacy.

In essence, children’s data on our Service is fully under parental control and used in a confined, parent-initiated manner. We consider it our duty to support and not undermine parental authority and child safety online.

7. Data Retention and Deletion

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. Below is our data retention policy for different categories of data:

Uploaded Baby Photos: The original photos you upload are stored on our servers temporarily and will be deleted when they are no longer needed for the portrait generation process. In practice:

We keep the photos at least until the AI model training and portrait generation is complete. This may take weeks. We might retain them slightly longer in case we need to re-process or if you request additional portraits without re-uploading.
By default, we plan to automatically delete or securely archive the original uploaded images no later than 90 days after your portraits have been generated and delivered and any customer service requirements that follow on are completed. (For example, we might retain them for 90 days to allow for any re-runs or in case a user accidentally deletes their portraits and needs regeneration, but not longer unless you request otherwise.)
You may also proactively delete your uploaded photos from the system via emailing us on hello@tinytography.co.uk

AI Model/Data Derived from Photos: The internal AI model or profile created from your child’s photos is also kept only as long as needed:

If the Service allows you to come back and generate more portraits of the same child without re-uploading photos (i.e., we save the model for convenience), we will retain the model data tied to your account while your account is active, so you can continue to use that feature.
However, if you choose to delete the child’s data or your account, we will delete the trained model as well, since it’s derived from your photos. We do not use it after your account is gone.
We will not retain model data beyond account deletion request, except in backups or archives as noted below or unless legally required.

Generated AI Portraits: The output images we create:

We typically keep these in your account for you to access and download at any time. If you have an account library or gallery, the portraits remain accessible to you until you delete them or delete your account.
Our policy is to auto purge your account after 90 days
You can delete specific portraits from your account at any time (if functionality allows), and they will be removed from our servers (again, aside from possible backup storage).

Account Information: We retain your account information (name, email, login credentials) for as long as your account exists, so that you can log in and use the Service. If you choose to delete your account, we will remove or anonymize your personal details from our active user database.

After account deletion, we may retain minimal information for record-keeping: for example, your email may be kept on a suppression list to make sure we don’t inadvertently contact you, or in our historical logs attached to actions (so those logs aren’t orphaned without context).
If you simply stop using the Service, we may eventually deem the account “inactive” and delete the data after a prolonged period of inactivity (for instance, if an account has not been accessed for over 2 years, we might remove personal data for privacy). We would try to notify you at your email before deleting an inactive account, giving you a chance to keep it if you want.

Payment and Transaction Records: We retain payment transaction records as required for financial auditing, tax, and compliance purposes. Typically, financial records are kept for 7 years (this may vary by jurisdiction’s accounting rules). However, this doesn’t mean we keep your credit card info – just the record of the transaction. Payment card details, if stored as token by the processor, are maintained by the processor according to their retention; we generally do not have the full card data to remove, aside from possibly deleting a saved payment method token if you remove it from your account.
Communications: Emails or support inquiries you send us may be retained for a period to help us manage your current or future inquiries. We might keep support tickets for a couple of years, for example, in case you reach out again on a related issue. If such communications contain personal data (like your email and name, or any info about your child), we will treat it as part of your data and delete upon request or when no longer needed.
Logs and Analytics: Server logs (which might include IP addresses and usage data) are generally retained for a short period for debugging and security (often 30 days to 1 year, depending on the log type). Aggregated analytics data (which no longer identifies any individual) might be kept longer for historical performance analysis.
Backup and Archive: It’s important to note that when we delete data from our active systems, it might still be stored in our backup systems for a certain period until those backups are cycled out. Our backups are kept securely and are only accessed if needed for disaster recovery. We typically have rolling backups that might retain data for additional 30-90 days beyond deletion from live systems. After that, data should be fully expunged. We do not use backup data for any active purpose; it’s just stored offline.
Deletion Upon Request: You have the right to request deletion of your data at any time (see Section 9 for how to request and any legal constraints). When you request deletion:

We will verify your identity (to prevent unauthorized deletions) and then proceed to remove your personal data from our systems within a reasonable timeframe. We will also instruct our processors to do the same if they have any of that data.
We will inform you when the deletion is completed. Keep in mind, deletion is irreversible – once done, we cannot recover the photos or portraits.
After deletion, if you needed to use the Service again, you’d have to start over as a new user with new uploads.

Anonymization: In some cases, instead of outright deletion, we may anonymize data so it’s no longer linked to you. For example, instead of deleting a record that a transaction occurred (which we need for financial records), we might strip it of personal identifiers (so it’s just a record “order #123 on date for $X” without your name). Anonymized data is no longer personal data and may be retained indefinitely since it has no privacy impact.
Legal Holds: If we are in the middle of a legal issue (like a dispute or a government investigation) that requires us to retain data, we will keep relevant information despite a deletion request until that issue is resolved. We will let you know if that is the case (unless legally we cannot inform you). For instance, if a law enforcement agency requires us to preserve certain data related to a user under investigation, we have to comply.

Our overarching principle is data minimization: keep personal data only for as long as truly necessary, then securely delete or anonymize it. If you have specific questions about our retention of some particular data, please reach out.

8. Data Security and Storage

We implement a variety of security measures to protect your and your child’s personal information from unauthorized access, use, alteration, or destruction. We understand the sensitive nature of the data (children’s photos) and treat security with utmost importance.

Encryption:

All data transfers are encrypted in transit using Secure Sockets Layer (SSL)/Transport Layer Security (TLS). This means when you upload photos or log in or make payments, the connection between your device and our servers is encrypted to prevent eavesdropping.
We also encrypt sensitive data at rest in our databases and storage. Photos and personal details are stored in encrypted form on our servers or cloud storage. Access to the encryption keys is restricted to authorized personnel and systems only.

Access Controls:

Internally, we restrict access to personal data strictly to employees and contractors who need that access to operate and improve the Service. For example, our AI processing servers access photos to generate portraits, and certain engineers or support staff might access data if needed for troubleshooting issues or fulfilling user requests. All such personnel are bound by confidentiality obligations and undergo training on data protection.
Administrative access to systems that contain personal data is protected by strong authentication (such as multi-factor authentication) and logging. We maintain an audit trail of who accesses sensitive data.

Network & System Security:

Our servers are protected by firewalls and network security monitoring to guard against external attacks. We regularly update our software and systems to patch vulnerabilities.
We utilize anti-virus and anti-malware protections, especially on any system that might handle file uploads. Uploaded images may be scanned for known threats (like malware hidden in image files) to ensure they don’t pose a risk to our infrastructure.
We separate environments so that production data is isolated. For instance, testing or development environments use dummy data, not real user data, to further reduce risk.

Data Minimization:

As discussed, we only store personal data that we need. By purging data when it’s no longer needed (Section 7), we limit what is available to be compromised in the unlikely event of a breach.
We avoid collecting highly sensitive personal data that we don’t absolutely require (like social security numbers, etc.), thus reducing risk.

Third-Party Security:

We choose reputable third-party service providers that have strong security practices. We vet them (where possible) and ensure they commit to protecting data via Data Processing Agreements. For example, our cloud provider and payment processor have high security standards (often certified by industry frameworks like ISO 27001, SOC 2, PCI DSS for payments, etc.).
If any third-party incident occurs (for example, if our payment processor had a breach that might affect our users), we will act swiftly to communicate and mitigate as needed.

Monitoring and Testing:

We monitor our systems for any suspicious activity. Unusual login patterns or system anomalies are flagged for investigation.
We conduct periodic security assessments and penetration testing (either internally or with external experts) to uncover and address potential vulnerabilities.
We maintain a security incident response plan so that if something does happen, we can respond effectively and notify users and authorities promptly.

Data Breach Procedures:

Despite best efforts, no system can be 100% secure. If a data breach occurs that affects your or your child’s personal data, we will follow all applicable laws in notifying affected users and authorities. For example, under UK GDPR, we would report certain breaches to the ICO (Information Commissioner’s Office) within 72 hours and inform individuals if there’s a high risk to their rights and freedoms. In the US, we comply with state data breach notification laws which often require notifying individuals of breaches involving personal info.
Notification would be via email or conspicuous posting, including information about what happened, what data was involved, what we are doing about it, and steps you might take to protect yourself (if relevant).

Location of Storage and International Transfers:

Depending on your location and our operations, your data may be stored on servers in the United States or in the European Union/United Kingdom. We strive to store data in the region most appropriate for the user (e.g., UK users’ data might be stored in data centers in the UK or EU when feasible).
However, as a global service, some data may be transferred across borders (for example, our main servers could be in the US, meaning UK user data goes to the US). US data may be moved across to the UK/EU for processing. When we transfer personal data from the UK/EU to the US or any other country that hasn’t been deemed to have “adequate” data protection by the UK/EU, we implement appropriate safeguards. These may include:

Standard Contractual Clauses (SCCs): We have agreements incorporating SCCs between our EU/UK entity and US entity or with any non-EU service providers, to contractually require protection of EU/UK personal data up to GDPR standards.
UK Addendum/IDTA: For UK data transfers, we include the UK’s specific approved clauses if needed.
Additional Measures: We assess on a case-by-case basis that the data will be protected (for example, our cloud provider in the US may have robust security that meets GDPR requirements). We also minimize sensitive data in transfers (e.g., maybe storing images in an EU-based service if possible).

For users outside of the UK/EEA, by using the Service you understand your data may be processed in countries which may have different data protection laws than your country, but we will always protect it as described in this Policy.

Data Segmentation: We keep each user’s data logically separate. For example, each user’s AI model is separate, preventing any mix-up or unauthorized generation using someone else’s data. Accounts are isolated so one user cannot access another’s data.
Cooperation with Regulators: We are prepared to cooperate with data protection authorities (like the ICO or FTC) in the event of inquiries regarding our privacy practices.

While we are confident in our security program, it’s also important for you to take precautions:

Keep your account credentials secure (do not share your password, and use a strong, unique password).
If using our app or site in a public setting, be mindful of logging out.
Only upload images through our official app or website. Be cautious of phishing attempts; we will not ask for your password via email, etc.
If you suspect any unauthorized access to your account or any suspicious activity, notify us immediately so we can investigate and help secure your account.

9. Your Rights and Choices

You have several rights regarding your personal data, and we are committed to honoring them. These rights may vary slightly depending on whether you are under UK/EU jurisdiction, US jurisdiction, or elsewhere, but we intend to give all users control over their information. Below we list your key rights and how you can exercise them:

Right to Access: You have the right to request access to the personal data we hold about you (and your child). This is sometimes called a “Data Subject Access Request.” Upon request:

We will confirm if we are processing your personal data and provide you with a copy of that data, as well as information about how we use it and who we share it with.
For parents, this includes the right to see what child data has been collected (photos, etc.). We can provide, for example, a list or archive of images you’ve uploaded (if still retained), and any other personal info on file.
We will provide this information free of charge, typically within one month of your request (or sooner if required by law). If the request is complex or numerous, we may extend this by an additional two months, but we will inform you of the need for an extension.

Right to Rectification: If any personal data we have is inaccurate or incomplete, you have the right to have it corrected.

For example, if your email or name is wrong in our records, or if by chance a child’s detail is recorded incorrectly, you can ask us to fix it.
You can also update many pieces of information yourself via your account settings (like changing your email or password).
We will act on correction requests as quickly as possible, generally within 1 month as well. If we have shared incorrect data with others (e.g., a processor), we will also instruct them to correct it.

Right to Deletion (Right to Erasure): Commonly known as the “Right to be Forgotten,” you can request that we delete your personal data.

You can delete certain data directly (for instance, removing an uploaded photo or deleting your account in settings). For anything you cannot remove yourself, you may ask us.
We will delete the requested data, provided we don’t have a compelling legal reason to keep it (see Data Retention section for possible exceptions like legal obligations).
Deletion will include your child’s images and generated portraits from our systems (unless you explicitly want to keep the account with those and perhaps just delete other info).
Note: If you request deletion of all data, that is effectively a request to delete your account as well (since we cannot provide the Service without any data).
We will also ensure our service providers remove the data from their systems where applicable.

Right to Withdraw Consent: Where we rely on your consent to process data (e.g., using your child’s photo), you may withdraw that consent at any time.

You can do this by deleting the relevant data or contacting us to do so on your behalf.
Once consent is withdrawn, we will stop the processing that was based on consent. For example, if you withdraw consent for processing your child’s photo, we will not use it further and will delete it. This might mean we can no longer generate new portraits without fresh consent.
Withdrawing consent does not affect the lawfulness of processing we did while we had consent.

Right to Object: In certain circumstances, you have the right to object to our processing of your personal data.

You can object to processing based on legitimate interests, on grounds relating to your particular situation. For example, if we were using your data for analytics or improvement (a legitimate interest) and you feel this impacts your privacy, you can object. We would then consider your objection and either stop processing or justify why our interest overrides yours (per GDPR standards).
You have an absolute right to object to direct marketing. If we ever send you promotional communications, you can opt out at any time (unsubscribe link in emails, or account preferences). Once you opt-out, we will cease marketing to you promptly.

Right to Restrict Processing: You can ask us to limit or “pause” the processing of your personal data in certain cases:

For example, if you contest the accuracy of data, you can request we restrict processing while we verify it.
Or if you need data preserved for a legal claim while we would otherwise delete it, we can mark it as restricted (only keeping but not using).
When processing is restricted, we will just store the data and not actively use it until the issue is resolved.

Right to Data Portability: Where applicable, you have the right to receive your personal data that you provided to us in a structured, commonly used, machine-readable format, and to have that data transmitted to another service provider (where technically feasible).

This typically applies to data processed by automated means under consent or contract. In our context, this could include your account info and possibly the photos you uploaded.
Practically, this right might allow you to get a digital copy of all your uploaded photos and portraits (which you likely already have, but we can supply if needed) and certain account data, so you could, for instance, move to a competing service or simply have your data for your own use.

Rights Related to Automated Decision-Making: We do not make any decisions about you that have legal or similarly significant effects based solely on automated processing (without human involvement). The AI generating an image is automated, but it does not have a legal effect on you. Thus, this might not apply strongly here. However, if you believe you’ve been subject to an unfair decision by an algorithm (not likely in our case, but for completeness), you have the right to ask for human review of that decision.
California Privacy Rights (if applicable): If you are a California resident, in addition to the rights above (many of which overlap with CCPA rights), you have the right to:

Request a notice identifying the categories of personal information we have collected, used, and disclosed in the past 12 months, and the categories of third parties to whom we have disclosed it.
Request specific pieces of personal information collected about you (which is essentially the access right).
Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights (meaning we won’t deny you service or give you different quality of service just because you exercised a privacy right).
As we do not sell data, the “right to opt-out of sale” is not applicable. We also don’t share data for cross-context behavioral advertising, so that opt-out is covered by default.

COPPA – Parents’ Rights for Children’s Data: As a parent, COPPA gives you the right to:

Review the personal information collected from your child.
Revoke consent and refuse further use or collection of your child’s information.
Request deletion of your child’s personal information.
We have already covered these in the above rights (access, deletion, withdraw consent). We emphasize that we will honor any request that comes from a verified parent regarding their child’s data.

Exercising Your Rights:

How to Contact Us for Rights Requests: Please see Section 12 (Contact Us) for how to reach us. You can email us at our designated privacy email hello@tinytography.com or mail us a request. To make it efficient, clearly state which right you want to exercise and provide relevant details (e.g., “I’d like a copy of all data you have on me and my child” or “Please delete the account under this email and all related data.”).
Verification: For sensitive requests (like access to data or deletion), we need to verify your identity to ensure we’re dealing with the correct person (especially important since it involves child data). We might ask you to confirm some account details or respond to an email verification. In some cases, we might ask for additional proof if needed (like an ID) but usually confirming via the account email is sufficient.
Authorized Agents: If you wish, you can designate an authorized agent to make requests on your behalf (applicable under CCPA for instance). We would need written proof of that authorization and still will verify with you directly for security.
Response Time: We aim to respond to all legitimate requests within one month. If it will take longer, we’ll inform you. For California requests, the timeline might be 45 days, extendable to 90 in some cases.
No Fee (Generally): We do not charge a fee to exercise your rights. However, if a request is manifestly unfounded or excessive (e.g., repetitive requests), data protection law might allow us to refuse or charge a reasonable fee. We rarely, if ever, foresee doing that for our users.

Your Choices:

Account Settings: Within your account, you may have settings to adjust what information you share or display. For example, you might choose whether to save payment info for future use or not, or whether to receive certain notifications.
Opting Out of Emails: As mentioned, you can unsubscribe from marketing emails easily. Transactional emails (like those about your orders or important updates) you cannot opt out of as they are part of service, but they are not marketing.
Cookie Preferences: If we use any non-essential cookies (for analytics), we will provide a cookie consent tool when you first visit, especially for EU/UK visitors. You can choose not to allow analytics or similar cookies. Essential cookies (for login, etc.) can’t be opted out of via the tool because the site wouldn’t function, but you can always control cookies via your browser settings too.
Do Not Track: Our Service currently does not respond to “Do Not Track” signals from browsers because we do not track users in a way that those signals typically aim to limit (i.e., we don’t track you across third-party sites). We focus on protecting data as described.

Complaints: If you have concerns about how we are handling your data or rights, please let us know and we’ll try to resolve it. If you are not satisfied with our response:

UK/EEA users have the right to lodge a complaint with a Supervisory Authority. In the UK, that’s the Information Commissioner’s Office (ICO). In the EU, you can contact your country’s data protection authority. We would appreciate the chance to address your concerns first, but you absolutely have the right to go to the regulators.
In the US, you can report issues to the FTC (Federal Trade Commission) or your state’s Attorney General if you believe your privacy rights have been violated. COPPA violations can be reported to the FTC.

We will not retaliate or penalize you for exercising any of these rights. Our goal is to be transparent and supportive in helping you control your information. If anything in this section is unclear or you want more information about your options, please contact us.

10. International Users and Data Transfers

Our Service is available to users in different countries, and personal data may be transferred or processed across international borders. We want to be clear about how we handle cross-border data flows:

Operating Locations: TinyTography is headquartered in London, United Kingdom and may have operations (servers or support teams) in the United States and the EU and possibly other jurisdictions. When you use the Service, your information may be processed in the country where it was collected and in other countries where our infrastructure (or our service providers) are located.
UK and EU Users: If you are in the United Kingdom or European Union, your personal data may be transferred to and processed in the United States (or other countries outside the UK/EU) where our servers may be located. The data protection laws in those countries may differ from those in your home country, and may not have been deemed “adequate” by the European Commission or UK authorities. However:

Adequacy and Safeguards: We rely on legal mechanisms to ensure lawful and secure transfers. As noted in Section 8, we use Standard Contractual Clauses (SCCs) in our contracts with non-EU service providers, and implement supplementary measures as necessary. These SCCs contractually bind the recipient of the data to protect it to EU GDPR standards.
We also monitor developments in international data transfer law. For example, if there are changes in the US-EU data transfer framework (like a new Privacy Shield or successor framework), we will adapt accordingly.
Your Consent for Transfers: By using the Service and providing us your personal data, you understand that it will be transferred to and processed in the United States (and potentially other countries with equivalent data security regulations). For particularly sensitive data (like children’s photos), we base the transfer on the safeguards above, but if required, you provide your explicit consent to transfer that data internationally when you agree to use the Service.

Users in Other Countries: If you are using our Service from outside the US or UK, know that your data will at least travel where our servers and operations are based. Many countries have their own requirements for international transfers:
No Matter Where: Regardless of where your data is processed, this Privacy Policy applies to it. We apply the same level of privacy protection described here whether your data is in the US, UK, or elsewhere.
Third-Party International Transfers: Some of our third-party processors might also transfer data:

For instance, if we use a European cloud provider, they may replicate data to a backup server in another country within Europe.
Or our payment processor (if global) might process in various regions. They will have their own compliance programs for cross-border transfers (e.g., Stripe and others have Binding Corporate Rules or SCCs in place).

User Responsibility: If you are accessing the Service from a jurisdiction with laws governing data collection and use that differ from US or UK law (such as stricter data protection rules), please be aware that you are transferring your personal data to us in the US/UK. By providing your personal data, you consent to that transfer (where the legal basis is consent) or acknowledge that one of the legal bases described in Section 4 covers the transfer and processing of your data.
Local Jurisdiction and Disputes: Our Terms of Service (Section 17) describes how disputes are handled depending on region. But from a privacy perspective, you may choose to reach out to local data authorities if concerned. We will consider ourselves under the jurisdiction of local data protection laws when applicable (for example, we have an EU representative if required under GDPR Article 27, who can be contacted by EU regulators, though given our likely size we might not need a representative; similarly, under UK law, if not established in UK, we’d appoint one – we will ensure compliance with those formalities if needed).
Language: We provide this Policy in English. If we need to provide it in other languages to comply with local law (like if we specifically target users in a non-English-speaking country), we will do so. In case of any differences in meaning between translated versions, the English version will control unless prohibited by local law.

Other terms

Your Data Protection Rights under the California Privacy Protection Act (CalOPPA)
According to CalOPPA we agree to the following:
(a) users can visit our site anonymously;
(b) our Privacy Policy link includes the word “Privacy”, and can easily be found on the page specified above on the home page of our website;
(c) users will be notified of any privacy policy changes on our Privacy Policy Page;
(d) users are able to change their personal information by emailing us at help@Tinytography.com.

Our Policy on “Do Not Track” Signals:
We honor Do Not Track signals and do not track, plant cookies, or use advertising when a Do Not Track browser mechanism is in place. Do Not Track is a preference you can set in your web browser to inform websites that you do not want to be tracked. You can enable or disable Do Not Track by visiting the Preferences or Settings page of your web browser.

Service Providers
We may employ third party companies and individuals to facilitate our Service (“Service Providers”), provide Service on our behalf, perform Service-related services or assist us in analysing how our Service is used. These third parties have access to your Personal Data only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.

Analytics
We may use third-party Service Providers to monitor and analyze the use of our Service.

CI/CD tools
We may use third-party Service Providers to automate the development process of our Service.

Behavioral Remarketing
Tinytography may use re-marketing services to advertise on third party websites to you after you visited our Service. We and our third-party vendors may use cookies to inform, optimise and serve ads based on your past visits to our Service.

Payments
We may provide paid products and/or services within Service. In that case, we use third-party services for payment processing (e.g. payment processors).
We will not store or collect your payment card details. That information is provided directly to our third-party payment processors whose use of your personal information is governed by their Privacy Policy. These payment processors adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, Mastercard, American Express and Discover. PCI-DSS requirements help ensure the secure handling of payment information.

Links to Other Sites
Our Service may contain links to other sites that are not operated by us. If you click a third party link, you will be directed to that third party's site. We strongly advise you to review the Privacy Policy of every site you visit.
We have no control over and assume no responsibility for the content, privacy policies or practices of any third party sites or services.

Usage Data

We may collect certain information automatically when you access or use our Service, either through a web browser or a mobile device. This type of data, often referred to as Usage Data, may include technical and diagnostic information such as your device’s Internet Protocol (IP) address, browser type and version, the pages of our Service you visit, the date and time of your visit, time spent on those pages, and unique device identifiers.

When accessing the Service via a mobile device, this data may also include your device type, operating system, mobile browser type, and similar technical identifiers. This information helps us understand how our Service is being used and allows us to improve performance and user experience.

Cookies and Tracking Technologies

We use cookies and similar tracking technologies to monitor activity on our Service and store certain user preferences. Cookies are small data files stored on your device, often containing a unique anonymous identifier. Other tracking methods may include web beacons, tags, and scripts, which help us analyze user behavior and improve our Service.

You can configure your browser to reject cookies or alert you when one is being sent. However, disabling cookies may affect your ability to access or use certain features of the Service.

Types of cookies we use include:

Session cookies, which are temporary and necessary for the operation of our Service.
Preference cookies, which remember your settings and choices.
Security cookies, which are used to support security features and prevent fraud.

Use of Data

We use the information we collect, including personal and usage data, for various legitimate business and operational purposes, including but not limited to:

Operating and maintaining the Service.
Informing you about updates or changes to the Service.
Enabling interactive features when you choose to use them.
Providing customer support and responding to inquiries.
Analyzing usage trends to improve functionality and performance.
Monitoring the overall use of the Service.
Detecting, preventing, and addressing technical issues or potential misuse.
Fulfilling any requests or transactions you initiate through the Service.
Enforcing contractual obligations, such as billing and collections.
Sending you account- or subscription-related notifications.
Offering you products, services, or events that are relevant to your previous interactions with us—unless you've opted out of such communications.
Any other purpose described at the time of data collection or with your explicit consent.

Accessibility Commitment

We are committed to ensuring that our platform is accessible to all users, including those with disabilities. If you experience any difficulty accessing any part of our service, please contact us at hello@tinytography.co.uk, and we will work with you to provide the information or service you need through an accessible communication method.

Disaster Recovery and Security Audits

We maintain a robust disaster recovery plan to ensure continuity of our services in the event of system failure or data loss. This includes regular, encrypted backups of essential data and architecture redundancy. In addition, we conduct periodic internal and external security audits to assess risks, test system defenses, and ensure that our data protection controls remain effective and up-to-date.

Copyright Infringement and DMCA Policy

If you believe that any content or images on our platform infringe upon your copyrights, you may submit a formal notice to us in accordance with the Digital Millennium Copyright Act (DMCA) in the U.S., or UK copyright law. Please send your notice, including your name, contact information, a description of the alleged infringement, and the original content you own, to hello@tinytography.co.uk. We will promptly investigate and, if appropriate, remove the infringing content and notify the user responsible.

Refunds & Complaints Resolution

If you are dissatisfied with the quality of a generated portrait or experience an issue with your order, you must contact us at hello@tinytography.co.uk within 14 days of receipt. We will attempt to resolve the matter. Our goal is to ensure you are fully satisfied with the memories we help you create.

11. Changes to this Privacy Policy

From time to time, we may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or for other reasons. It’s important to review the Policy periodically. Here’s how we handle changes:

Notification of Changes: If we make significant (material) changes to this Policy – especially any changes that would expand how we use or share personal data or affect your rights – we will provide clear notice of such changes. This could be through:

An email to the address associated with your account,
A prominent announcement on our website or within the app (such as a banner or pop-up notification),
Or any other appropriate method to ensure you become aware of the new Policy.

Consent for New Uses: If a change would require new consent (for example, if we ever wanted to use your child’s photos for a new purpose not covered by your original consent), we will obtain that consent before doing so.
Version History: We will update the “Effective Date” at the top of the Privacy Policy when it’s changed. If you’d like to see past versions of the Policy or understand the differences, you can contact us to request a copy of the previous policy.
Your Continued Use: Continued use of the Service after the updated Policy has become effective indicates that you have read and understood the current version of the Privacy Policy. If you do not agree with any changes, you should stop using the Service and may request deletion of your data.
Interim Updates: Minor changes that do not materially affect privacy (such as clarifications, grammatical edits, or updates to contact information) may be made without prior notice, but they will be reflected in the posted Policy. We aim for transparency, so even non-material changes can be communicated via our website’s policy page.
Archived Copies: For accountability, we may retain archived copies of each Policy version. If a dispute arises or if needed, we can refer to what Privacy Policy was in effect at a given time relating to your data.

We are dedicated to respecting and protecting your privacy. We will not reduce your rights under this Privacy Policy without your consent.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please do not hesitate to contact us. We are here to help and address any issues related to your privacy and the security of your personal data.

Contact Information for Privacy Inquiries:

Email: data@tinytography.co.uk
This is the dedicated email address for privacy-related matters (data access requests, deletion requests, etc.). Please include the nature of your request in the subject line (e.g., “Data Access Request” or “Child Data Deletion Request”) for quicker routing.
Postal Mail:
TinyTography – Privacy Team/Data Protection Officer
71-75 Shelton St, London WC2H 9JQ
(If you send a physical mail, please allow additional time for us to receive and process it. Include a way to contact you back, like your email or postal address.)
Data Protection Officer (DPO):
you can also direct your inquiries to the DPO at the above email or address, Attn: Data Protection Officer.

We will respond to your inquiries as soon as possible, generally within a few business days. If you are contacting us to exercise a specific privacy right, please refer to Section 9 on what information to include and how we will handle it.

Thank you for entrusting us with your child’s precious moments and personal data. We value your privacy and strive to make our Service not only fun and fulfilling but also safe and respectful of your rights. If there’s anything you’re unsure about in this Policy, or if you have suggestions for how we can improve our privacy practices, we warmly welcome your feedback.

End of Privacy Policy

EU ADDENDUM TO TERMS AND PRIVACY POLICY

Effective Date: 09.05.2025
Applies to: All users of the Service located in the European Union (EU) or whose personal data is processed in the context of offering services in the EU.

This EU Addendum supplements and, where applicable, overrides provisions in the main Terms and Conditions and Privacy Policy to the extent those documents apply to individuals in the European Union and to the processing of EU personal data under the EU General Data Protection Regulation (GDPR) – Regulation (EU) 2016/679.

1. Scope and Applicability

This Addendum applies to you if:

You reside in or are located in the EU.
You are accessing the Service from the EU.
We process your personal data in the context of offering goods or services to individuals in the EU, regardless of where the Company is established.

In case of conflict between this Addendum and the Terms or Privacy Policy, this Addendum prevails for EU users.

2. Controller and Representative

For purposes of the EU GDPR:

The Data Controller and EU representative is as listed above.

This representative acts on behalf of TinyTography regarding GDPR compliance and is available for communication with EU data subjects and supervisory authorities.

3. Legal Bases for Processing (Article 6 and Article 9 GDPR)

We process your personal data under the following legal bases:

Consent (Article 6(1)(a)): For processing your child’s photo, any biometric data, and for optional features like marketing or showcasing portraits, we obtain your explicit consent.
Contractual Necessity (Article 6(1)(b)): To deliver the Service, including generating portraits from submitted images.
Legal Obligation (Article 6(1)(c)): For retaining transaction records, responding to legal requests, etc.
Legitimate Interests (Article 6(1)(f)): For fraud prevention, analytics, service improvement, and enforcing our Terms—balanced against your rights.
Special Category Data (Article 9(2)(a)): If your child’s image could be interpreted as biometric data, we rely on explicit consent.

4. EU Data Subject Rights (Chapter III GDPR)

You have the following rights under the GDPR:

Right of access (Art. 15): Request details about your or your child’s personal data we process.
Right to rectification (Art. 16): Correct inaccurate or incomplete personal data.
Right to erasure (Art. 17): Request deletion of personal data (“right to be forgotten”).
Right to restriction of processing (Art. 18): Limit use of your data under certain conditions.
Right to data portability (Art. 20): Receive your data in machine-readable format.
Right to object (Art. 21): Object to processing based on legitimate interests.
Right to withdraw consent (Art. 7(3)): Withdraw consent at any time.
Right not to be subject to automated decision-making (Art. 22): You will not be subject to decisions based solely on automated processing.

You may exercise your rights by contacting us at privacy@[service].com or through our EU Representative.

You also have the right to lodge a complaint with your local supervisory authority, e.g., the CNIL (France), DPA (Germany), or DPC (Ireland).

5. Cross-Border Data Transfers (Chapter V GDPR)

If your data is transferred outside the EU (e.g., to our servers in the UK / US), we apply safeguards as per GDPR:

Standard Contractual Clauses (SCCs): Our contracts with US-based processors include the most recent European Commission-approved SCCs (2021).
Transfer Impact Assessments (TIAs): We conduct TIAs to assess risk and ensure adequate protection.
Supplementary Measures: These include encryption, access controls, and pseudonymization to mitigate any identified risks.
Data Localization: Where possible, EU data is stored in EU/EEA data centers.

6. Cookies and Tracking (ePrivacy Directive + GDPR)

We comply with the ePrivacy Directive (Directive 2002/58/EC) and GDPR regarding cookies:

Consent Banner: EU visitors see a consent banner before any non-essential cookies (e.g., analytics) are stored.
Cookie Categories:

Strictly Necessary Cookies: Essential for login/security (do not require consent).
Performance/Analytics Cookies: Used only with user opt-in consent.
No Marketing Cookies: We do not run advertising on this service.

You can manage preferences via the cookie banner or browser settings.

7. Processing of Children's Data (Articles 8 and 9 GDPR)

We follow Article 8 GDPR and national age-of-consent laws for children's data:

In most EU countries, parental consent is required for children under 16 (e.g., 13 in Spain, 14 in Austria).
By uploading images, you confirm you are the parent/legal guardian and consent to the processing of the child’s data.
We do not knowingly collect data directly from children.

If we discover improper collection, we will delete the data and notify the appropriate authority if necessary.

8. Data Protection Impact Assessments (DPIA)

For processing involving children’s images and AI modeling:

We have conducted a DPIA in accordance with Article 35 GDPR, given the sensitive nature and automated processing.
Our assessment concluded that with safeguards (limited retention, isolated models, non-reuse), risks are low and manageable.

9. Local Regulatory Considerations

We acknowledge stricter local implementations in Member States:

Germany: We treat biometric-like image processing as special category data and only process based on explicit consent.
France (CNIL): Our use of images is transparent, consent-driven, and not repurposed for surveillance, profiling, or third-party reuse.

We adapt practices where local DPAs (Data Protection Authorities) impose additional requirements.

10. Modifications to this Addendum

We may amend this EU Addendum to reflect changes in law or processing. All changes will be:

Communicated via our website and/or email.
Implemented with appropriate notice before taking effect.
Based on user consent where required by GDPR.

11. Contact Information

To exercise rights or ask questions under this Addendum see above for details

Terms & Conditions

Terms and Conditions and Privacy Policy for TinyTography.com

09.05.25 Terms and Conditions

1. Introduction

2. Eligibility and Age Restrictions

3. Account Registration and Security

4. User Responsibilities and Appropriate Use

5. Parental Consent and Child Protection

6. User Content – License of Photos to Us

7. Generated AI Portraits – License to You

8. Intellectual Property Rights (Service Content and IP)

9. Payment and Billing

10. Privacy and Data Protection

11. Prohibited Activities

12. Termination of Service

13. Disclaimers of Warranties

14. Limitation of Liability

15. Indemnification

16. Governing Law

17. Jurisdiction and Dispute Resolution

18. Changes to These Terms

19. Contact Information

Privacy Policy

1. Introduction

2. Information We Collect

3. How We Use Your Information

4. Legal Bases for Processing (UK & US Compliance)

5. How We Share Your Information

6. Children’s Privacy and Parental Controls

7. Data Retention and Deletion

8. Data Security and Storage

9. Your Rights and Choices

10. International Users and Data Transfers

Usage Data

Cookies and Tracking Technologies

Use of Data

Accessibility Commitment

Disaster Recovery and Security Audits

Copyright Infringement and DMCA Policy

Refunds & Complaints Resolution

11. Changes to this Privacy Policy

12. Contact Us

EU ADDENDUM TO TERMS AND PRIVACY POLICY

1. Scope and Applicability

2. Controller and Representative

3. Legal Bases for Processing (Article 6 and Article 9 GDPR)

4. EU Data Subject Rights (Chapter III GDPR)

5. Cross-Border Data Transfers (Chapter V GDPR)

6. Cookies and Tracking (ePrivacy Directive + GDPR)

7. Processing of Children's Data (Articles 8 and 9 GDPR)

8. Data Protection Impact Assessments (DPIA)

9. Local Regulatory Considerations

10. Modifications to this Addendum

11. Contact Information

Your Cart

09.05.25

Terms and Conditions