GDPR information
Last updated: 2026-04-21
1. Introduction
VESTIGE SA (“we”, “us”) operates faceperfect.co and is committed to protecting personal data in line with the EU General Data Protection Regulation (“GDPR”) and applicable national laws. This page summarizes your GDPR rights in our context and how we apply them. It supplements our Privacy Policy, which remains the primary description of what we collect and why.
2. Legal basis for processing
Depending on the activity, we rely on one or more of the following grounds (GDPR Art. 6):
- Contract — processing needed to deliver the heritage report, account, and paid subscription you request (for example account creation, photo analysis, payment confirmation emails).
- Consent — where we ask for optional consent (for example certain marketing messages or non-essential cookies when we introduce a consent banner).
- Legitimate interests — for example securing the service, debugging, aggregated usage metrics that do not identify you, and limited fraud prevention, where those interests are not overridden by your rights.
- Legal obligation — where we must retain or disclose information to comply with tax, accounting, or regulatory requirements.
- Vital interests — only in rare situations where processing is necessary to protect someone’s life or physical safety.
3. Your rights under GDPR
3.1 Right to information
You have the right to clear information about processing. We provide this through our Privacy Policy, this page, and our Cookie Policy.
3.2 Right of access
You may request a copy of the personal data we hold about you. There is no self-service “export my data” bundle in the product yet; submit a request by email or post (Section 4) and we will provide your information in line with GDPR timelines.
3.3 Right to rectification
You may ask us to correct inaccurate or incomplete data. Some fields (such as onboarding answers stored with your account) may be updated when we add profile editing; until then, contact us and we will correct records where appropriate.
3.4 Right to erasure (“right to be forgotten”)
You may request deletion where, for example:
- the data is no longer needed for the purposes we collected it;
- you withdraw consent and there is no other lawful basis;
- you object to processing and we have no overriding grounds;
- the data was processed unlawfully.
Statutory retention (for example accounting records) may limit how quickly certain billing metadata can be erased.
3.5 Right to restrict processing
You may ask us to restrict processing in situations foreseen by GDPR (for example while we verify accuracy or the lawfulness of processing).
3.6 Right to data portability
Where processing is based on your consent or contract and is carried out by automated means, you may receive certain personal data in a structured, commonly used, machine-readable format and ask us to transmit it to another controller where technically feasible.
3.7 Right to object
You may object to processing based on legitimate interests, including profiling based on those interests. You may always object to direct marketing (we will stop if we ever send optional marketing without a separate lawful basis).
3.8 Automated decision-making (Art. 22)
You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal or similarly significant effects. faceperfect.co provides an illustrative AI heritage-style report for personal curiosity; it does not determine legal rights, credit, employment, insurance, or comparable outcomes. If that ever changed, we would update this policy and provide a meaningful human review process where required.
4. How to exercise your rights
You can reach us as follows:
- Email — hello@faceperfect.co (please include the email address on your account and a short description of your request).
- Postal mail — VESTIGE SA, Rue de la Grotte 6, c/o DYN SA, 1003 Lausanne, Switzerland.
- Stripe Customer Portal — when logged in, use My Account on the dashboard to open Stripe’s billing portal for subscription and payment-method management (this covers billing data held by Stripe, not all categories of personal data we hold).
We will respond to GDPR requests without undue delay and in any event within one month of receipt, unless the request is complex or we receive multiple requests from you, in which case we may extend by up to two further months and will tell you why.
5. Sensitive categories and photos
5.1 Photos and inferred characteristics
A face photo can reveal biometric or ethnic appearance in a broad sense. We process your photo only to generate the heritage-style experience you sign up for, based on contract performance and, where applicable, explicit consent through clear affirmative actions (upload + checkout). Outputs are estimates for entertainment, not medical or genetic diagnoses.
5.2 Living individuals
GDPR protects living individuals. Do not upload a photo of another living person without permission that satisfies applicable law. If you believe someone uploaded your image without authority, contact us and we will assess removal where appropriate.
6. International data transfers
We and our sub-processors (for example Google for Gemini, Neon for the database, Stripe for payments, Vercel for hosting) may process data in the EEA, Switzerland, the United Kingdom, and the United States. Where personal data is transferred from the EEA/UK/Switzerland to countries without an adequacy decision, we rely on mechanisms recognized by GDPR, such as the EU Commission’s standard contractual clauses and supplementary measures where appropriate. Sub-processors are listed in our Privacy Policy.
7. Data retention (summary)
Retention follows the purposes described in our Privacy Policy. In summary:
- Account and report content — kept while your account is active; reports for the duration of your subscription plus a short grace period (see Privacy Policy).
- Photos — kept while your account is active and removed on request where technically possible, subject to backups cycling out.
- Billing and tax — Stripe retains payment records according to its policies; we retain invoice and subscription metadata for as long as required for tax, accounting, and dispute handling (often several years).
- Analytics — we do not operate first-party analytics cookies today; if we add them, retention will be described in the Privacy and Cookie policies.
8. Data protection contact
VESTIGE SA has not appointed a statutory Data Protection Officer under Article 37 GDPR. For questions about your rights, processing, or complaints, contact our privacy team at hello@faceperfect.co or at the postal address in Section 4. If we designate a DPO in the future, we will update this page.
9. Personal data breach notification
If we become aware of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours where feasible, and communicate with affected users without undue delay when GDPR requires it, describing the nature of the breach, likely consequences, and measures we are taking.
10. Supervisory authority
You have the right to lodge a complaint with a data protection supervisory authority, particularly in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. A list of EU authorities is maintained by the European Data Protection Board: https://edpb.europa.eu.
11. Children’s data
We do not knowingly collect personal data from anyone under 16. If you believe a child has provided data, contact us and we will take appropriate steps to delete it, subject to legal exceptions.
12. Contact
GDPR and privacy requests: hello@faceperfect.co
Postal address
VESTIGE SA
Rue de la Grotte 6, c/o DYN SA
1003 Lausanne
Switzerland