Privacy Policy

This policy is published by Afterlight, Inc., a Delaware corporation operating in San Francisco, California (“Afterlight,” “we”). Afterlight is the data controller for the personal information described below. You can reach our privacy team at privacy@tryafterlight.com.

We collect only what the product needs to function:

• Account information. Name, email, role (creator or brand), and the social handles you choose to link.
• Reference photos. The image(s) creators upload so brands can generate campaigns with their likeness.
• Campaign records. Briefs, generated drafts, approval timestamps, channel, geography, and active dates. This is the consent ledger.
• Customer billing information. Processed by our payments partner (Stripe) for customer subscriptions and usage charges. We store the last four digits and a token, never the full card or bank number.
• Communications. Messages between brands, creators, and our team that pass through Afterlight.
• Product telemetry. Pages visited, features used, errors encountered. Used to debug and improve.

A reference photo is not the same as a biometric template. Afterlight processes the photo to generate campaign assets for the specific brand approved by the creator. We do not extract, derive, or store a portable biometric template that could identify the creator across other datasets, and we do not feed reference photos into general-purpose model training.

In jurisdictions with specific biometric-information statutes (including Illinois BIPA, Texas CUBI, Washington H.B. 1493, and applicable provisions of the CCPA/CPRA as amended), you are entitled to the rights set out in those laws. We honor them globally.

Afterlight does not sell personal information as that term is defined by the California Consumer Privacy Act, nor do we share it with third parties for cross-context behavioral advertising. We do not license your likeness to third parties outside the specific campaign you approved. If this ever changes, we will give you direct, plain-English notice and an explicit opt-in before any such use begins.

We use the data we collect to:

• Generate campaign drafts at the licensee’s request, using only reference photos belonging to the creator who accepted that brief.
• Run the approval gate and store the consent record for audit.
• Bill customers for platform usage.
• Detect fraud, impersonation, and platform abuse.
• Communicate with you about your account and campaigns.
• Improve the product through aggregate, de-identified analytics.

We use a small set of vetted vendors to operate the platform. Each is bound by a data processing agreement that prohibits independent use of your data:

• Amazon Web Services — hosting and storage (United States).
• Cloudflare — edge delivery and DDoS protection.
• Stripe — payment processing for customer subscriptions and usage charges.
• Postmark — transactional email.
• Generation providers — the AI providers that render approved campaign assets. They process reference images and prompts under contracts that prohibit them from retaining inputs beyond the request lifecycle or training their models on them.

We publish the current list at privacy@tryafterlight.com on request and notify customers when a sub-processor is added or removed.

Reference photos and campaign drafts are stored for as long as your account is active or a campaign you approved is still running. When you close your account or revoke a license, we delete the affected reference assets and generated drafts from active systems within thirty (30) days and from backups within ninety (90) days.

Consent records (who approved what, when, and for which channel) are retained for seven (7) years for audit and regulatory purposes, in de-identified form once the underlying assets are deleted.

Wherever you live, you have the right to:

• Access the personal information we hold about you.
• Correct anything that is inaccurate.
• Delete your reference photos and account on request.
• Revoke any campaign license you previously approved.
• Port your data to another service in a structured, machine-readable format.
• Object to processing or restrict it where applicable law allows.
• File a complaint with your local data-protection authority.

To exercise any right, write to privacy@tryafterlight.com. We respond within thirty (30) days.

Reference photos and consent records are encrypted in transit (TLS 1.2+) and at rest (AES-256). Access to production systems requires hardware-key MFA and is logged. We run regular vulnerability scans and a responsible-disclosure program. Report suspected vulnerabilities to security@tryafterlight.com.

Afterlight is operated from the United States. If you access the platform from outside the US, your information is transferred to and processed in the US under Standard Contractual Clauses (for EEA, UK, and Swiss residents) or equivalent safeguards.

Afterlight is not for anyone under 18. We do not knowingly collect information from children. If you believe a minor has created an account, contact us and we will remove it.

We will update this policy as the product evolves. Material changes will be announced by email at least fourteen (14) days before they take effect. The “Last updated” date at the top of this page always reflects the current version.

Afterlight, Inc.
San Francisco, California
privacy@tryafterlight.com