Privacy Policy
Last updated: April 19, 2026 · GDPR and CCPA compliant
Summary: We respect your privacy. We don't sell your data. Biometric data (facial recognition) is encrypted and you can request its deletion at any time.
1. Who we are
Pronto is a SaaS platform operated under the theimpactguidance.com domain. For privacy inquiries: privacy@theimpactguidance.com
2. Data we collect
If you're a photographer (registered account):
- Name, email, password (hashed)
- Profile photo, bio, social media (optional)
- Uploaded photos and metadata
- Payment information (managed by Stripe, not stored by us)
If you're a client (tourist using facial recognition):
- A selfie photo used only for match searching
- Facial prints extracted from album photos (biometric)
- Email only if you make a purchase (to send download links)
3. Biometric data (facial recognition)
How it works: When a client uploads a selfie, we send it to AWS Rekognition, which extracts a mathematical "face print" (not the photo) and compares it with prints already generated from the album's photos. The selfie is deleted immediately after the match.
- Legal basis (GDPR Art. 9): explicit user consent when uploading the selfie
- Retention: album photo prints are stored while the album exists
- Deletion: you can request deletion by contacting the photographer or privacy@theimpactguidance.com
- Processor: AWS Rekognition Collections (servers in us-east-1)
4. How we use your data
- Provide the service (upload, processing, photo delivery)
- Process payments via Stripe
- Send transactional emails (confirmations, download links)
- Prevent fraud and abusive use
5. Who we share data with
- AWS: S3 storage and Rekognition facial recognition
- Stripe: payment processing
- Imgix: image optimization and delivery (CDN)
- Anthropic Claude: image quality analysis (enhancement AI) — photos are sent temporarily and not stored by Anthropic
We do not sell your data to third parties.
6. Your rights (GDPR/CCPA)
- Access: request a copy of your data
- Rectification: correct inaccurate data
- Deletion: ask us to delete your account and associated data
- Portability: export your data in JSON format
- Opposition: object to facial recognition processing
To exercise any of these rights: privacy@theimpactguidance.com. We respond within 30 days.
7. Data retention
- Active accounts: while you use the service
- Deleted accounts: 30 days (for legal compliance and error reversal)
- Server logs: 90 days
- Photos and biometric prints: while the album exists
8. Security
We use HTTPS throughout the service, store passwords as bcrypt hashes, process payments through Stripe (PCI DSS compliant), and use encrypted storage on AWS S3.
9. Cookies
We use only essential cookies (PHP session, language preference). We don't use advertising tracking or Google Analytics.
10. Minors
The service is not directed at minors under 18. If you're a photographer, it's your responsibility to obtain parental consent for photographing minors.
11. Changes to this policy
We will notify you of material changes by email 30 days in advance.