Privacy Policy

1. Data Controller

ION Solutions GmbH Ing. Edvin Kuric, BSc Vienna, Austria Email: info@passphoto-labs.at

2. Overview of Data Processing

We only process personal data to the extent necessary for the provision of our services. Processing is based on the GDPR (General Data Protection Regulation) and the Austrian Data Protection Act (DSG).

3. Processing of Biometric Photos

3.1 Purpose of Processing

We process the photos you upload exclusively for the purpose of creating or validating biometric passport photos.

3.2 Type of Processing

  • Face detection & segmentation: Detection of facial positions and contours for correct positioning
  • Background removal: Automatic removal and replacement with a compliant background
  • Biometric verification: Checking compliance with official requirements (head size, eye position, lighting)
  • Affine transformations: Alignment and cropping of the photo — no morphological alteration of the face

3.3 No Image Manipulation

We do not perform face regeneration or morphing. Only affine transformations (rotation, scaling, translation), masking and color corrections are applied.

3.4 Data Minimization

  • EXIF data is completely stripped from the uploaded photo
  • No geolocation: Location data is neither stored nor processed
  • No profiling: No facial models or biometric templates are stored

4. Storage Duration and Deletion

  • Uploaded original photos are deleted immediately after processing
  • Created passport photos are available for download for a maximum of 24 hours and then automatically deleted
  • Payment data is stored in accordance with legal retention periods (7 years)
  • You can request immediate deletion of all your data at any time

Processing is based on:

  • Art. 6(1)(b) GDPR: Performance of a contract (creation of the passport photo)
  • Art. 6(1)(a) GDPR: Consent (for analytics cookies)
  • Art. 6(1)(f) GDPR: Legitimate interest (fraud prevention, security)

6. Recipients of Data

Your data is not shared with third parties, with the following exceptions:

  • Payment service provider: For payment processing (Stripe)
  • Hosting provider: For the technical operation of the website (servers in the EU)

All service providers are contractually obligated to comply with GDPR (data processing agreements pursuant to Art. 28 GDPR).

7. Your Rights

You have the following rights under the GDPR:

  • Right of access (Art. 15 GDPR): You can request information about your stored data
  • Right to rectification (Art. 16 GDPR): You can request correction of inaccurate data
  • Right to erasure (Art. 17 GDPR): You can request deletion of your data
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object (Art. 21 GDPR)
  • Right to lodge a complaint with the Austrian Data Protection Authority (dsb.gv.at)

8. Contact Form

8.1 Purpose of Processing

When you use our contact form, we process your information (name, email address, subject, message) to handle your enquiry.

Processing is based on Art. 6(1)(b) GDPR (pre-contractual measures) or Art. 6(1)(f) GDPR (legitimate interest in responding to enquiries).

8.3 Storage Duration

Contact enquiries are stored for a maximum of 12 months and then deleted, unless a legal retention obligation exists.

8.4 Anti-Spam Measures

To protect against automated submissions, we use technical measures (honeypot fields, timestamp validation). IP addresses are hashed with SHA-256 before storage — the original IP is not stored.

9. Newsletter

9.1 Purpose of Processing

When you subscribe to our newsletter, we process your email address to send you regular information about passport photo tips, requirement updates, and offers from PassphotoLabs.

9.2 Double Opt-In

We use a double opt-in process: after entering your email address, you will receive a confirmation email with an activation link. Your subscription only becomes active after clicking this link. The confirmation link is valid for 48 hours.

Processing is based on your consent pursuant to Art. 6(1)(a) GDPR. You can withdraw your consent at any time.

9.4 Data Stored

  • Email address
  • Date and time of subscription and confirmation
  • Consent timestamp and source
  • Unsubscription date (if applicable)

No IP addresses, names, or other personal data are stored in connection with the newsletter.

9.5 Unsubscription

You can unsubscribe from the newsletter at any time:

  • Via the unsubscribe link at the bottom of every newsletter email (one-click unsubscribe)
  • By email to info@passphoto-labs.at

9.6 Storage Duration

Your email address is stored for as long as you are subscribed to the newsletter. After unsubscribing, your data will be completely deleted within 30 days.

9.7 No Third-Party Providers

Newsletter delivery is handled via our own infrastructure (self-hosted). No external newsletter services (such as Mailchimp, Sendinblue, etc.) are used. Servers are located in the EU.

10. Cookies

10.1 Essential Cookies

Technically necessary cookies for operating the website. These cannot be disabled.

10.2 Analytics Cookies

We use analytics tools to understand and improve the use of our website. These cookies are only set with your explicit consent.

10.3 Marketing Cookies

Marketing cookies are only set with your explicit consent and are used to display relevant content.

You can change your cookie settings at any time via the cookie banner at the bottom of the screen.

11. Data Security

  • Encryption: All data transfers are encrypted with 256-bit TLS/SSL
  • Server location: Our servers are located exclusively in the EU
  • Access control: Strict access restrictions and regular security audits

12. Changes to This Privacy Policy

We reserve the right to update this privacy policy to adapt it to changes in the legal situation or changes to our services. The current version can always be found on this page.

Effective: March 2026