Privacy Policy
Last updated: April 23, 2026 · Version v1
1. What we collect
- Account data: your email address, account creation time, and the version of our terms you accepted.
- Photos you upload: front selfie, optional side selfie, reference hairstyle image. Uploaded at a resolution of up to ~1024 px on the long side after client-side resizing.
- Analysis content: the structured output our AI produces from your photos and any notes you provide, plus metadata like timestamps and status.
- Payment metadata: Stripe payment intent IDs and basic status. We never see or store your card number — Stripe handles that directly.
- Coupon redemptions: which code you used, if any, and when.
2. How we use it
- To generate your analysis: your photos and notes are sent to OpenAI's multimodal API for the single call that produces your result. Per OpenAI's API terms, API content is not used to train their models.
- To deliver the service: we store your photos and results so you can revisit them in your library.
- To process payments: we forward a charge request to Stripe and record the outcome.
- To improve reliability: minimal server logs (request IDs, route, latency, outcome) — no image bytes, no analysis content.
We do not sell your data. We do not use your photos or results to train AI models.
3. Who we share it with
We use these service providers to operate Can I Pull It Off?:
- Supabase — authentication, database, and private image storage.
- OpenAI — the one-off multimodal API call that produces your analysis.
- Stripe — payment processing and card handling.
- Vercel — web hosting for the app.
We don't share your data with other third parties except where required by law.
4. Retention
- Uploaded photos for incomplete analyses: deleted within 24 hours if the analysis doesn't complete.
- Completed analyses and their photos: retained so you can revisit them, until you delete your account.
- Server logs: kept for up to 30 days, then rotated out.
- Payment records: retained for at least 7 years as required by financial-records regulations.
5. Your choices and rights
- Access: view your profile and analyses in the app at any time.
- Export: email us and we'll send you your data in a readable format.
- Deletion: email us to delete your account. Deletion removes your profile, your photos, and your analysis content. We retain minimal payment records where financial regulations require it.
- Correction: email us with the change you need.
If you're in a jurisdiction with specific data rights (e.g., GDPR, CCPA), those rights apply and you can exercise them by contacting us.
6. Security
- TLS in transit for all connections between your browser, our servers, and our providers.
- At-rest encryption via provider defaults (Supabase, Stripe, Vercel).
- Private storage buckets with short-lived signed URLs — your photos are never served via a public URL.
- Access to production data is limited and audited. No secret keys are ever exposed to browser code.
7. Cookies
We use session cookies for authentication only. We do not use third-party tracking or advertising cookies.
8. Children
Can I Pull It Off? is intended for users 18 and older. We do not knowingly collect data from anyone under 18. If you believe a minor has uploaded photos, email us and we'll remove them.
9. Changes
We may update this policy. Material changes will prompt re-acceptance the next time you sign in.
10. Contact
Privacy questions or requests: hello@canipullitoff.com.
See also the Terms of Service.