Privacy Policy

Last updated: 2026-05-02

1. About this policy

This privacy policy explains how Poseur (the “Service”) handles personal information. It applies to:

The marketing site at poseur.io and its subdomains.
The product application(s) at portraits.poseur.io (and any successor subdomains used to deliver the Service).
Any communication we have with you about the Service, including email, support requests, and beta invitations.

Poseur is operated by William Laffin (the “Operator”), an individual based in the United States, until such time as a successor legal entity is formed; see § 17 below. Contact: [email protected].

If you have any question about this policy, your data, or your rights — write to that address. We aim to acknowledge within 72 hours and act within 30 days.

2. What we collect

We collect personal information in several broad categories. The exact fields we collect within each category depend on what part of the Service you use; we collect the minimum needed for the purpose at hand.

Identifiers

Email address, name (where you provide it), and account login identifiers (such as the unique IDs returned by an authentication provider). For users in the private-beta intake stage, this is typically only the email address you write to us from.

Authentication and account data

When the Service offers user accounts, we hold session tokens, API keys you create, and metadata such as last-sign-in time. Authentication tokens are stored in encrypted form where the underlying technology supports it.

Technical data

IP address (at the moment of a request), country (derived from IP at the network edge), browser User-Agent, device characteristics needed to render the page correctly, and similar standard server-log data. We use this for security, fraud prevention, and basic operational diagnostics.

Communication data

The contents of any email or message you send us, and our reply.

Usage data

Records of which features of the Service you use, when, and at what scale. This may include audit logs of administrative actions you take in the Service.

Customer-controlled content

If you use the Service to scan a website or evaluate a flow, the content the Service observes during that work — URLs you submit, the contents of those pages, screenshots, and narrations the Service produces from those observations. We process this content only to perform the task you asked us to perform, return the results to you, and (when applicable) bill you for the work. We do not use this content to train models, build advertising profiles, or share it with third parties beyond the service providers described in § 6.

Billing data

If and when you become a paying customer, our payments processor handles your card or bank details directly. We do not store your card number or banking credentials. We receive from the processor: customer ID, subscription status, and invoice metadata.

Information we do not collect

We do not buy or rent personal information from data brokers or third-party marketing lists.
We do not require government-issued ID, biometric data, or precise geolocation for the Service.
We do not knowingly collect information about children under 16 (see § 12).

3. How we collect it

Directly from you — when you email us, sign up for an account, configure the Service, or submit content for the Service to act on.
Automatically from your device — server logs, cookies (see § 10), and edge-network metadata such as the country derived from your IP.
From third parties you use to sign in — authentication providers (such as Google) return a stable identifier and the email address associated with your account at that provider. We rely on the provider's own privacy practices for the data we don't directly observe.

We do not receive personal information about you from data brokers, marketing-list providers, or surveillance vendors.

4. Why we process it

We process personal information for these purposes:

To deliver the Service. Authenticate you, run the synthetic-user evaluations you ask us to run, return results, bill you if you're a paying customer.
To communicate with you about the Service. Beta invitations, transactional notifications, security incident notices, account-management notices, and replies to support requests.
For security and abuse prevention. Detect and respond to fraud, account compromise, abuse of the Service against third parties, and threats to the Service's integrity.
To comply with legal obligations. Tax records, regulatory inquiries, court orders.
To improve the Service. Diagnose problems, understand how features are used in aggregate, and inform product decisions. We do not use individual-level profiling for advertising; we do not have advertising.

Marketing emails outside what is necessary to deliver the Service (newsletters, product announcements at large) are sent only with your consent and only with a working unsubscribe means.

5. Lawful basis (GDPR / UK-GDPR / similar)

We rely on the following lawful bases under Article 6 of the GDPR (and the equivalent provisions of UK-GDPR and other regimes):

Consent (Art. 6(1)(a)) — for marketing communications, optional features, and any processing for which consent is the appropriate basis. You may withdraw consent at any time without affecting the lawfulness of past processing.
Contract (Art. 6(1)(b)) — to deliver the Service you have signed up for or purchased.
Legitimate interests (Art. 6(1)(f)) — for security, fraud prevention, network and information-systems integrity, basic operational analytics, and the day-to-day administration of the Service. Where we rely on legitimate interests, we balance our interest against your rights and interests; you may object as set out in § 9.
Legal obligation (Art. 6(1)(c)) — for tax records, regulator responses, and similar.

We do not process special-category data (Article 9) as part of the Service, and we ask that you do not submit such data to the Service (e.g., do not configure the synthetic-user evaluator to scrape pages whose content is health, religious, or biometric).

6. Sharing and sub-processors

We do not sell, rent, or share personal information with third parties for advertising, marketing list-building, or surveillance purposes. We share data only:

With service providers who help us deliver the Service. They fall into the following categories: cloud network and hosting infrastructure (DNS, edge filtering, static-site hosting, email forwarding); LLM inference; email and document storage; and — when the corresponding feature is live — payments processing, encrypted backup storage, and outbound transactional email. On written request to [email protected] we will identify the specific service providers we currently use. Replacing a service provider with another performing the same category of work is not a material change to this policy.
When legally compelled. Court orders, subpoenas, regulator inquiries. We respond to the minimum extent the law requires and notify affected users where the law allows.
In a business transfer. See § 17.

We do not share personal information with advertisers, data brokers, or marketing-list buyers under any circumstances.

For California residents specifically: we do not “sell” or “share” personal information as those terms are defined under the CCPA / CPRA. See § 13 for the formal disclosure.

7. International transfers

The Service is currently operated from the United States, and some sub-processors operate in other jurisdictions. When we transfer personal information of users in the EEA, the UK, or Switzerland out of those regions, we rely on:

Standard Contractual Clauses (SCCs) approved by the European Commission, where applicable, with each affected sub-processor.
UK Addendum to the SCCs for UK transfers.
Any successor or supplementary safeguards required by the responsible data-protection authority.

On written request to [email protected] we will identify the locations of the service providers we currently use.

8. Retention

We keep personal information only as long as necessary for the purpose for which it was collected. Specific retention periods may evolve as the Service grows; the table below describes our current targets and is updated when those targets change. Substantive changes to retention are reflected in the next update of this policy.

Category	Retention
Beta-intake email + correspondence	Until the founder invites you, you ask to be removed, or 90 days after the private-beta period closes — whichever is sooner.
Account identifiers and authentication data	For the life of your account. Deleted within 30 days of account closure.
Customer-controlled content (URLs, page captures, narrations)	Short-term. Active sessions and their results are kept for at most 90 days. Intermediate artifacts (per-step screenshots, raw page captures) are deleted within 24 hours of a session completing, unless retained longer for billing or audit purposes. Specific targets evolve with the product and are tightened over time, never loosened, without notice under § 18.
Audit logs (security and abuse)	30 days.
Server access logs	7 days.
Backups	7 days, encrypted. Deletion requests propagate to backups within this window.
Billing records (when applicable)	7 years, as required by tax law.

If you believe we are holding your information longer than necessary, write to [email protected] and we will investigate.

9. Your rights

You have the following rights with respect to your personal information. The list below covers the rights granted by GDPR / UK-GDPR; equivalent rights under California (CCPA/CPRA), Brazil (LGPD), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), and other state privacy laws are honoured through the same channel.

Right of access — you may request a copy of the personal information we hold about you.
Right to rectification — you may ask us to correct inaccurate information.
Right to erasure (“right to be forgotten”) — you may ask us to delete your personal information, subject to legal-retention exceptions.
Right to restriction of processing — you may ask us to limit how we use your information in certain circumstances.
Right to data portability — you may ask us to provide your information in a machine-readable format, or to transmit it to another controller where technically feasible.
Right to object — you may object to processing based on legitimate interests, including profiling. You may also object to direct marketing at any time, in which case we will stop.
Right to withdraw consent — where we rely on your consent, you may withdraw it at any time. This does not affect the lawfulness of past processing.
Right to opt out of “sale” or “sharing” (CCPA/CPRA, equivalent state laws) — we do not sell or share, but you have the right and we honour it preemptively.
Right to limit the use of sensitive personal information (CCPA/CPRA) — we do not process sensitive personal information for the secondary purposes the law requires us to limit.
Right to lodge a complaint with your local supervisory authority.

How to exercise any of these: email [email protected] from the address associated with your account or with enough detail for us to identify the records. We will acknowledge within 72 hours and act within 30 days, as required by GDPR (and equivalents); we may extend by up to 60 days in complex cases and will tell you why.

We do not charge a fee for handling reasonable requests. We may charge a reasonable fee or refuse to act if a request is manifestly unfounded or excessive.

10. Cookies and tracking

The marketing site at poseur.io does not set tracking cookies and does not use third-party analytics, advertising, or fingerprinting tools. Static pages may receive standard server-log data (IP, country, User-Agent) which is governed by § 2.

The product application(s) at portraits.poseur.io and successor subdomains may set strictly-necessary cookies for authentication, security (CSRF protection), and session management. We do not set advertising or cross-site-tracking cookies.

If we ever introduce optional analytics or other non-essential cookies, we will request your consent first and update this section accordingly.

11. Security

We take reasonable and appropriate measures to protect personal information from unauthorised access, alteration, disclosure, or destruction. Current measures include encrypted transit (TLS terminated at the network edge), encrypted backups, access controls limited to the Operator and any future authorised personnel, and ingress filtering at the network edge.

No system is perfectly secure. In the event of a security incident affecting your personal information, we will follow our internal incident-response procedures and notify affected users and regulators as required by applicable law.

12. Children

The Service is not directed at children. We do not knowingly collect personal information from anyone under 16 (or the equivalent minimum age in your jurisdiction). If you believe a child has provided us with personal information, write to [email protected] and we will delete it.

13. California (CCPA / CPRA) disclosures

This section provides the disclosures required by the California Consumer Privacy Act (“CCPA”) as amended by the California Privacy Rights Act (“CPRA”). Definitions in this section are those used by the CCPA/CPRA.

Categories of personal information we collect. Identifiers; internet or other electronic-network activity information (limited to data needed to deliver the Service); commercial information (when you become a paying customer); inferences drawn from the above to personalise your view of the Service. We do not collect “sensitive personal information” for the purposes the law requires us to limit.

Sources. Directly from you, automatically from your device, and from authentication providers you use to sign in.

Business or commercial purpose. To provide the Service, communicate with you, and ensure security as described above.

Categories of third parties to whom we disclose. The categories of service providers described in § 6, and authorities when legally compelled.

“Sale” / “sharing”. We do not sell or share personal information for cross-context behavioural advertising or any other purpose. This statement is the formal disclosure California law requires us to make.

“Shine the Light” (California Civil Code § 1798.83). California residents may request information about disclosure of personal information to third parties for direct-marketing purposes. We do not disclose personal information for direct marketing.

California rights: as listed in § 9 above. Authorised-agent requests are honoured upon written authorisation.

14. Other US state-law disclosures

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), and other states with comprehensive privacy laws have rights similar to those listed in § 9 above. We honour those rights through [email protected]. We do not engage in targeted advertising, sale, or profiling that produces legal or similarly significant effects.

15. Brazil (LGPD)

For data subjects in Brazil, the Operator is the data controller (controlador) under the General Data Protection Law (Lei Geral de Proteção de Dados, Lei 13.709/2018). The Operator's contact for LGPD matters is [email protected]. Brazilian rights mirror those listed in § 9. A formal Encarregado / Data Protection Officer will be designated when the size of operations requires; until then, the Operator personally fulfils that role.

16. EU representative (Article 27)

Article 27 of the GDPR requires controllers without an EU establishment to designate a representative in the Union, with a derogation for occasional, low-scale processing that does not include special-category data. We currently rely on that derogation given the scale of the private-beta intake. As the Service grows, we will appoint an EU representative and update this section with their name, contact, and EU address.

17. Business transfers

The Service is currently operated by an individual (William Laffin). When a successor legal entity is formed (an LLC, C-Corp, or equivalent), the personal information held in connection with the Service will be transferred to that entity, which will become the new controller. The successor will inherit the obligations in this policy. We will notify users of this transfer by email at least 30 days in advance.

In the event of a merger, acquisition, sale of assets, bankruptcy, or other corporate event affecting ownership of the Service, personal information may be transferred as part of that transaction. Any such transferee will be required to honour the commitments in this policy, or to give affected users a meaningful opportunity to delete their data before the transfer.

18. Changes to this policy

We update this policy when our practices change. The “Last updated” date at the top reflects the most recent revision. Changes fall into two categories:

Material changes — anything that affects what categories of data we collect, why we process, who we share with at the categorical level, the lawful bases we rely on, the rights you have, or the structure of this policy. We will notify users by email at least 30 days before material changes take effect, and require renewed consent where the change requires it.
Non-material changes — clarifications, typo fixes, formatting changes, and updates to retention targets when individual targets are tightened. We update the “Last updated” date but do not separately email users.

If you want notice of every change, including non-material ones, write to [email protected] and we will add you to a manual notification list.

19. Contact

For all privacy matters: [email protected].

For general contact: [email protected].

For abuse reports (e.g., if you believe Poseur's synthetic users have visited a site against its owner's wishes): [email protected].