Legal

Privacy Policy

Asif Iqbal · Effective 2 June 2026

Asif Iqbal, an individual operating as Hapto ("Hapto") respects your privacy. This policy explains what we collect, why, how long we keep it, and the rights you have — with particular care for the face photos you upload.

1. The short version

  • We process the photos you upload only to generate the image you asked for, and then delete them.
  • We never use your photos to train AI models.
  • We never sell your photos or generated images.
  • Uploaded photos are deleted within 30 days, and sooner on request.
  • You can ask us to delete your data at any time at [email protected].

2. Face photos are special-category data — and we treat them that way

A photo of a person's face can constitute biometric / special-category personal data under laws such as the EU/UK GDPR (Art. 9), the Illinois Biometric Information Privacy Act (BIPA), and the CCPA/CPRA. We process such photos only with your explicit, opt-in consent, given when you upload them, and only for the single purpose of producing your requested image. By uploading, you confirm you have the right and consent to do so (see our Acceptable Use Policy). Before we generate, we also automatically screen the photos you upload for prohibited content — recognizable public figures, apparent minors, and explicit imagery — and block anything that violates our rules (see §6).

3. What we collect

  • Photos you upload (Inputs) and the images you generate (Outputs).
  • Account & usage data — your account identifier, credit balance, generation history, and basic device/log data needed to run and secure the service.
  • Payment data — handled by our Merchant(s) of Record (see §7); we do not store full card details.
  • Email, if you give it to us for support or a waitlist.

4. How long we keep it (retention & deletion)

Uploaded input photos are stored in a private, access-controlled bucket and are automatically deleted within 30 days of your generation (and we will delete them sooner on request). Generated outputs are retained so you can re-access them, and are deleted when you delete them or close your account. Account and transaction records are kept only as long as needed for the service and to meet legal/tax obligations.

5. We do not train AI on your photos

Your uploaded photos and generated images are not used to train, fine-tune, or improve any AI model — ours or anyone else's. They are used only to fulfil the specific generation you requested.

6. Who processes your data for us (subprocessors)

We use a small set of vetted providers strictly to operate the service, each bound by data-processing terms:

  • Cloud storage & delivery (e.g. Amazon Web Services) — to store inputs/outputs in a private bucket and deliver them to you over short-lived secure links.
  • Content-safety screening (Amazon Rekognition) — to screen the photos you upload for prohibited content (recognizable public figures, apparent minors, and explicit imagery) before generation. Images are analysed transiently for this safety check; the screening service is not permitted to retain them or use them for any other purpose.
  • AI model providers (e.g. Replicate and the underlying image models) — to perform the generation. We send only the inputs needed for your request, and under these providers’ terms your content is not used to train their models.
  • Payment Merchants of Record (e.g. Creem internationally and Razorpay in India) — to take payment.

7. Payments

Payments are processed by our authorised Merchant(s) of Record, who are the seller of record, handle taxes, and process your card details under their own privacy policies. We receive confirmation of payment and the credits to grant — not your full card number.

8. International transfers

We are based in India and our providers may process data in other countries. Where personal data is transferred internationally, we rely on appropriate safeguards such as Standard Contractual Clauses.

9. Your rights

Depending on where you live, you may have the right to access, correct, delete, port, or restrict your personal data, to withdraw consent, and to object to certain processing. To exercise any right — including deleting your uploaded photos — email [email protected]. You may also complain to your local data-protection authority.

EEA/UK (GDPR). If you are in the European Economic Area or the UK, our legal basis for processing the face photos you upload is your explicit consent (GDPR Art. 9(2)(a)), which you may withdraw at any time; you also have the rights listed above and may lodge a complaint with your supervisory authority.

California (CCPA/CPRA). If you are a California resident, you have the right to know, access, delete, and correct your personal information and to opt out of its sale or sharing. We do not sell or share your personal information, and we do not use it for cross-context behavioural advertising.

10. Children

Hapto is not for anyone under 18, and we do not knowingly collect data from minors. You must not upload photos of minors. If you believe a minor has used Hapto, contact us and we will delete the data.

11. Security

We protect data with encryption in transit and at rest, private storage, access controls, and short-lived, signed links for media delivery. No system is perfectly secure, but we work to keep your data safe.

12. Contact

Data controller: Asif Iqbal, Kolkata, West Bengal, India. Privacy questions or requests: [email protected].