Privacy Policy
Effective Date: May 27, 2026
This Privacy Policy explains how Impressly.ai, operated by Mustify, processes personal data for individual and company AI headshot workflows.
Information We Process
We process account and contact details, company and member records, source photos uploaded for a headshot workflow, generated headshots, review/export activity, support messages, usage signals, and billing records.
For company workspaces, source photos and generated headshots are used to provide the employee headshot workflow, identity setup, AI generation, review, export, support, security, and legal or accounting records.
Company Workspaces
For B2B employee workflows, the company usually decides why the headshot workflow is used and is responsible for employee notices and its lawful basis. Impressly processes workspace data to provide the service according to the company workspace configuration and our agreements.
Employees may still contact us about privacy requests, and we may route workspace-specific requests through the company administrator when appropriate.
AI Providers and Subprocessors
Uploaded photos and generated outputs may be processed by AI generation providers, storage providers, payment processors, email providers, analytics tools, and support/security vendors needed to operate Impressly.
We do not sell personal data. We do not claim that photos are never shared with providers; provider processing is limited to delivering and securing the service.
Retention and Deletion
For company headshots, source photos are removed from active storage after identity setup, with a 30-day hard cap unless a legal hold or enterprise exception applies.
Generated preview variants are available for up to 30 days unless the employee or company deletes them earlier. The company-approved official headshot may be retained longer for workspace use until it is deleted or the member/company is offboarded.
Deleted assets become unavailable in the product before asynchronous storage cleanup finishes. Backups and provider-side copies may follow provider backup and retention cycles.
Security
We use private storage, authenticated access, TLS in transit, provider-managed encryption at rest, scoped signed URLs, short-lived provider access links, and application-level protection for sensitive provider source URLs.
No system is perfectly secure. Unless expressly stated in a signed agreement, we do not represent that Impressly is SOC 2 certified or GDPR certified.
Your Rights
Depending on your location, you may have rights to access, correct, delete, export, restrict, or object to processing of personal data.
For company workspace data, some requests may need to be handled with the company administrator because the company controls the employee workflow.
Contact
For privacy questions, email help@impressly.ai.