Privacy Policy

Passready is a web service for generating spec-compliant passport, visa, and ID photos. It is operated by Appwide OÜ, a private limited company incorporated in Estonia. For the purposes of the General Data Protection Regulation (GDPR), Appwide OÜ is the data controller for personal data processed through passready.photo.

You can reach us at privacy@passready.photo for any privacy question or data-subject request.

Uploaded photos. When you use the photo-generation service you upload a photo of yourself. This is treated as biometric data under GDPR Article 9.

Order and billing data. Email address, payment reference, the country and document type of your order, timestamps.

Technical data. IP address, browser user-agent, pages visited. Used for security, fraud defence, and aggregate product analytics.

Consent records. Timestamped acceptance of these Terms, this Privacy Policy, and — for Illinois residents — the additional BIPA consent text.

• Render your photo to the spec you selected (GDPR Art 6(1)(b) — contract performance; Art 9(2)(a) — explicit consent for biometric processing).
• Deliver your order — email receipts, download links, and (for printed SKUs) shipping confirmations.
• Comply with legal obligations — tax records and chargeback evidence.
• Security — detecting and preventing misuse of the service.

• Uploaded photos and rendered outputs: deleted within 24 hours of delivery (hard lifecycle rule on storage).
• Order metadata(SHA-256 hashes, order ID, T&C timestamp, compliance-check JSON): two years, for chargeback defence and audit.
• Billing records: seven years, as required by Estonian accounting law.

Payment processing. Stripe processes card payments and calculates applicable taxes (Stripe Tax) on our behalf. Stripe is an independent controller for card and billing data collected during checkout, with its own privacy policy. We receive only the non-sensitive order references (customer email, amount, tax summary, payment status) needed to fulfil and support the order.

Infrastructure. Cloudflare (object storage and delivery) and Vercel (application hosting) process data as our sub-processors under Data Processing Agreements, with EU-region storage for EU users where available.

We do not sell or rent personal data, we do not run advertising or tracking cookies, and we do not disclose data to third parties for marketing purposes.

You have the right to:

• Access — request a copy of the personal data we hold on you.
• Rectify — correct inaccurate data.
• Erase — request deletion. Order records required for legal compliance may be retained.
• Restrict processing.
• Portability — request your data in a machine-readable format.
• Object to processing based on legitimate interests.
• Withdraw consent at any time by emailing privacy@passready.photo.

You may also lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) or with the supervisory authority in your country of residence.

The Biometric Information Privacy Act applies when residents of Illinois submit a photo that is processed for facial geometry. We process only the minimum geometry required to validate photo composition against the published spec; we do not use it for identification or authentication; we do not disclose it to third parties for profit. Uploaded photos and any derived geometry are deleted within 24 hours. Illinois residents provide explicit written consent to this processing via the checkbox at upload.

When data is transferred outside the European Economic Area we rely on Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework. EU-region storage is the default for EU users.

We do not train machine-learning models on user photos. This rule is codified in our internal engineering standards and is non-negotiable. Render pipelines use models we licence from third parties; your uploaded photo is an input to those pipelines, not training data for them.

Passready uses session cookies strictly necessary for the service to function (authentication of the checkout flow, CSRF protection). We do not run advertising, analytics, or tracking cookies.

We will notify material changes by email to active customers and by publishing the revised text on this page with a new “Last updated” date.

Privacy and data-subject requests: privacy@passready.photo

Operator: Appwide OÜ, registered in Estonia.