Legal · Privacy policy

Privacy Policy.

Your privacy is foundational to how Neovace is built. This policy explains what we collect, why, how long we keep it, and the rights you have over it — under the GDPR and applicable laws.

Last updated: 1 May 2026 Version: 1.0

Summary

This Privacy Policy explains how Neovace ("we", "us", "our") collects, uses, shares, and protects the personal data of visitors and customers of neovace.com (the "Service").

It applies to everyone who interacts with the Service, regardless of their country of residence. For users in the European Union, we comply with the General Data Protection Regulation (GDPR) as the standard framework, since it offers among the strongest protections worldwide.

Privacy by design

Three commitments worth knowing upfront: (1) we never sell your data; (2) we never use your photos to train any public model; (3) your photos and AI model are automatically deleted within 30 days.

01Data controller

The data controller responsible for the personal data processed through the Service is:

Neovace, sole proprietorship operated by Younes Bouhouri;
Address: 12 Frankenberry Drive, Georgetown, DE 19947, United States;
Contact: support@neovace.com.

For all questions about your personal data — access, deletion, rectification, portability, complaint — please write to the address above.

02Data we collect

We collect only the data strictly necessary to deliver our Service. Specifically:

Data you provide directly

Identification data: full name, email address (when you create an account);
Photos: the selfies you upload to generate your portrait gallery;
Billing data: billing address (the card data itself is processed by Stripe and never reaches our servers);
Communications: messages you send to support@neovace.com or via our contact form.

Data automatically collected

Technical data: IP address, browser type, operating system, screen resolution;
Usage data: pages visited, time spent, click events (only via essential analytics);
Cookies: see section 9 and our Cookie Policy.

03How we use your data

Your data is processed exclusively for the following purposes:

Delivering the Service: training your private AI model, generating and delivering your portrait gallery;
Account management: identifying you, securing your access, communicating about your orders;
Billing: invoicing, accounting compliance, prevention of fraud;
Customer support: responding to your inquiries and resolving issues;
Improving the Service: aggregated analytics, exclusively non-identifying;
Legal compliance: meeting our legal obligations (tax, regulatory, judicial requests).

04Legal bases for processing

Under Article 6 of the GDPR, each processing operation rests on at least one of the following legal bases:

Processing	Legal basis (GDPR Art. 6)
Service delivery, training of your AI model	Performance of a contract — Art. 6(1)(b)
Account creation and management	Performance of a contract — Art. 6(1)(b)
Billing and tax compliance	Legal obligation — Art. 6(1)(c)
Customer support	Legitimate interest — Art. 6(1)(f)
Service improvement and analytics	Legitimate interest — Art. 6(1)(f)
Marketing emails (newsletter)	Consent — Art. 6(1)(a)

05AI training & your photos

Because our Service relies on artificial intelligence applied to your selfies, we want to be especially clear about what we do — and what we never do.

What we do

We train a private AI model, dedicated solely to you, on the selfies you upload;
This private model is used exclusively to generate your portrait gallery;
Once your gallery is delivered, the model and your selfies enter a 30-day retention period, after which they are automatically and permanently deleted.

What we never do

We never use your photos to train any public, shared, or commercial AI model;
We never share, sell, or transfer your photos to a third party (other than the technical service providers strictly necessary for the operation of the Service);
We never use your photos for marketing, advertising, or any purpose other than delivering your order.

06Data retention periods

Data	Retention period
Uploaded selfies (Inputs)	Maximum 30 days after order delivery, then automatic deletion
Private AI model	Maximum 30 days after order delivery, then automatic deletion
Generated portraits (Outputs)	Available in your dashboard until you delete them or close your account
Account data (name, email)	Until you request closure of your account
Invoices and billing data	10 years (legal obligation: tax and accounting)
Support communications	3 years after the last interaction
Server logs	12 months maximum

We share your data only with the trusted technical service providers ("processors") strictly necessary for the operation of the Service. Each one is bound by a contract requiring GDPR-compliant data protection.

Processor	Purpose
Stripe Payments Europe Ltd. (Ireland)	Payment processing, fraud prevention
Cloudflare, Inc. (USA, with EU edge)	Hosting, CDN, DDoS protection
EU-based GPU compute provider	AI model training and inference (servers in the European Union)
Email-delivery provider	Sending transactional emails (order confirmations, magic links)

We do not sell or transfer your data to any third party for marketing purposes. We may also disclose your data when required by a competent legal authority (court order, judicial request).

08International data transfers

Although the bulk of personal data is processed within the European Union, certain processors are based outside the EU (notably in the United States).

For each transfer outside the European Union, we rely on the appropriate safeguards provided by the GDPR, in particular:

The Standard Contractual Clauses (SCCs) issued by the European Commission;
The EU-U.S. Data Privacy Framework certification, where the processor is enrolled.

You may request a copy of the safeguards in place for any specific transfer by writing to support@neovace.com.

09Cookies and tracking technologies

We use a limited number of cookies to operate the Service correctly and to measure its audience. Detailed information is provided in our dedicated Cookie Policy.

10Your rights under the GDPR

If you are located in the European Union (or a country with similar protections), you have the following rights regarding your personal data:

Right of access (Art. 15): obtain a copy of the data we hold about you;
Right to rectification (Art. 16): correct any inaccurate or outdated data;
Right to erasure ("right to be forgotten", Art. 17): request deletion of your data;
Right to restriction (Art. 18): request that processing be limited;
Right to portability (Art. 20): receive your data in a structured, machine-readable format;
Right to object (Art. 21): object to a processing based on legitimate interest;
Right to withdraw consent at any time, where applicable;
Right to lodge a complaint with your local supervisory authority (in France, the CNIL; equivalent body in other Member States).

To exercise any of these rights, send an email to support@neovace.com. We respond within thirty (30) days at the latest. To prevent fraud, we may ask you to confirm your identity before processing the request.

11No minors

The Service is reserved for users aged 18 and over. We do not knowingly collect personal data from anyone under 18 years of age.

If you become aware that a minor has provided us with personal data without parental authorization, please contact support@neovace.com so we can delete the data immediately.

12Security

We apply technical and organizational measures appropriate to the level of risk to protect your data:

Encryption in transit: all communications between your browser and our servers use HTTPS/TLS;
Encryption at rest: your photos and AI models are encrypted on the servers where they are stored;
Restricted access: data access is limited to the strictly necessary technical staff;
EU-only data residency: photos and AI models are stored exclusively in the European Union;
Automatic deletion: photos and models are programmatically deleted after 30 days;
Logging and audit: all access to sensitive data is logged for security purposes.

In the unlikely event of a personal-data breach, we will notify the affected users and the relevant supervisory authority within 72 hours, in accordance with Articles 33 and 34 of the GDPR.

13Changes to this policy

We may update this Privacy Policy from time to time, in particular to reflect changes in our processors, applicable law, or our internal practices. The current version is always accessible at neovace.com/privacy.

For significant changes, we will notify registered users by email at least 30 days before the changes take effect.

14Contact

For any question about this Privacy Policy, to exercise your rights, or to file a complaint, please contact us:

By email: support@neovace.com
By phone: +1 (302) 560-6453 (Mon–Fri, 9 AM – 6 PM EST)
By post: 12 Frankenberry Drive, Georgetown, DE 19947, United States

We respond to every inquiry within 30 days at the latest, and most often within 24 hours.