Security

How we protect your data, your payment, and your prompts.

A clear accounting of what we do, what we don't, and who to contact when it matters. Plain English, short paragraphs.

Data protection

All traffic to Portraits is served over TLS 1.2+ with HSTS enabled. Customer data at rest — including photos you submit, generated artwork, and order metadata — is encrypted using AES-256 in our managed database and object-storage providers.

Access to production systems is restricted to a small set of engineers and requires hardware-backed multi-factor authentication. All production access is logged and audited.

Privacy

We collect only what we need to make and ship your piece: the photo or brief you submit, your email, your shipping address, and order-related analytics. We do not sell your data to third parties.

Submitted photos are retained for 90 days after order fulfillment so we can handle reprints and support questions. After 90 days they are automatically purged unless you opt in to keep them on file.

AI generation

Your prompts and submitted photos are not used to train public models. We use commercial image models via authenticated APIs under enterprise agreements that prohibit training on customer inputs. Outputs produced for you belong to you.

A human reviewer at Portraits inspects every generation before it enters the print queue. If a submission falls outside our content policy (e.g. requests to depict real third parties without consent), we'll reach out directly rather than silently fail the order.

Payment security

All payments are processed by Shopify, which handles full PCI-DSS Level 1 compliance on our behalf. Portraits never sees or stores your card number — payment details are tokenized by Shopify before they reach any of our systems.

Compliance

Portraits is working toward SOC 2 Type II certification, with an initial Type I report expected this year. In the meantime, we maintain the underlying controls — change management, access review, vendor review, incident response — and are happy to share our internal policy docs with enterprise buyers under NDA.

Bug bounty & responsible disclosure

If you believe you've found a security issue, please email security@portraits.com. We respond within one business day and pay bounties for valid reports, scaled to severity. We ask that you give us a reasonable window to fix issues before public disclosure.

Out of scope: social-engineering attacks on our employees, physical attacks on our print facility, and denial-of-service testing against production.