Privacy Policy - VESTO

Last updated: March 23, 2026 

1. Introduction

Welcome to Vesto ("we", "our", "us"). Vesto is an AI-powered mobile application that transforms your selfies into professional studio-quality headshots. This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and what rights you have.

By using Vesto, you agree to the practices described in this policy.

2. Data We Collect

2.1 Account & Profile Data

• First name — used to personalize your experience

• Gender — used solely to generate more accurate AI headshots (men/women)

2.2 Photos & Images

• Input selfies — you upload 5 to 10 selfies to train the AI model for your session. These are stored securely on our servers.

• Generated headshots — AI-generated images produced from your selfies. These are stored on our servers and accessible via your gallery.

2.3 Usage & Generation Data

• Style selections, generation history, output counts, and generation status (pending, processing, completed, failed)

• Total number of headshots generated

2.4 Purchase & Subscription Data

• Subscription plan and status, credit pack purchases, and transaction history. Payment processing is handled entirely by Apple App Store / Google Play via RevenueCat — we never see or store your payment card details.

2.5 Device & Preferences

• Theme preference (light/dark), language choice, and onboarding completion status, stored locally on your device only (never sent to our servers).

3. How We Use Your Data

Purpose   -    Legal Basis

Creating and managing your account   -  Contract

Generating AI headshots from your selfies   -   Contract

Processing AI retouch requests   -  Contract

Managing subscriptions and credits   -   Contract

Improving AI accuracy and app performance -   Legitimate interest

Sending transactional notifications (generation complete, errors)    - Contract

Complying with legal obligations   -    Legal obligation

We do not use your photos to train general AI models or share them for marketing purposes.

4. Data Retention

Data   -   Retention Period

Generated headshots (server)   -    Automatically deleted after 30 days from the date of generation

Input selfies   -   Retained while your account is active; deleted upon account deletion

Account & profile data   -    Retained while your account is active; deleted within 30 days of account deletion request

Purchase & transaction records   -    Retained for up to 5 years for legal and accounting compliance

Important: Generated headshots are permanently and automatically deleted from our servers 30 days after creation. We strongly recommend downloading your images before this deadline.

5. Third-Party Services

We work with the following third-party providers. Each operates under its own privacy policy.

Provider Role Privacy Policy

Supabase   -    Database, authentication, and file storage    -   supabase.com/privacy

RevenueCat   -   Subscription & in-app purchase management   -   revenuecat.com/privacy

Sentry -   Error monitoring and crash reporting (no photos transmitted) -   sentry.io/privacy

Apple App Store / Google Play   -   Payment processing and app distribution  - Their respective privacy policies

Your photos and personal data are never sold to any third party.

6. Data Security

We implement industry-standard security measures to protect your data:

• All data in transit is encrypted via TLS/HTTPS

• Images are stored in access-controlled, private cloud storage

• Authentication uses secure JWT tokens via Supabase Auth

• Access to the database is restricted to authorized services only

7. Your Rights (GDPR & Privacy Laws)

Depending on your country of residence, you may have the following rights:

• Access — request a copy of your personal data

• Rectification — correct inaccurate data

• Erasure ("Right to be forgotten") — request deletion of your account and all associated data

• Portability — receive your data in a machine-readable format

• Restriction — request that we limit how we process your data

• Objection — object to processing based on legitimate interest

• Withdraw consent — at any time, where processing is based on consent

To exercise any of these rights, contact us at: vesto.support@gmail.com

We will respond within 30 days.

8. Children's Privacy

Vesto is not directed at children under the age of 13 (or 16 in the EU). We do not knowingly collect personal data from minors. If you believe a minor has provided us with data, please contact us and we will delete it promptly.

9. International Data Transfers

Your data may be processed in countries outside your own (including the United States) by our third-party providers. Where required, we ensure appropriate safeguards are in place (such as Standard Contractual Clauses).

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via the app or by email. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the app after changes constitutes acceptance.

11. Contact

For any questions, requests, or concerns regarding this Privacy Policy:

Vesto

Email: vesto.support@gmail.com