Privacy Policy – Kirkify

Last updated: 15 November 2025

This Privacy Policy explains how Kirkify (“we”, “us”, “our”) processes personal data when you use our website and service at kirkify.nl (the “Service”).

We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable Belgian data protection law.

1. Who we are (Data Controller)

The data controller responsible for the processing of your personal data is:

Charlie Kirkton
Based in Belgium
Email: oegaboega8@gmail.com

If you have any questions about this Privacy Policy or about your personal data, you can contact us at the email address above.

2. What this policy covers

This Privacy Policy applies to:

• Your use of the website kirkify.nl

• Your use of our AI face swap tool (“Kirkify”), including the upload of images to be processed

• Any related communication between you and us (for example, via email)

This Privacy Policy does not cover third-party websites, apps, or services that you may access via links from our Service.

3. What data we process

3.1. Images you upload (input images)

When you use Kirkify, you can upload an image for face swapping:

• Content: the image file you upload (which may include your face or the face of another person)

• Potential personal data:

  • Facial features and other information that may be considered personal or even biometric data

  • Background information visible in the image (e.g. location, other people)

We do not require you to create an account and we do not ask for your name, email address, or other identification when you use the tool.

3.2. Generated images (output images)

When processing is successful, our system generates a “kirkified” image:

• Content: an image where the face is swapped using our AI model

• Storage: we stream the result back to your browser; we do not intentionally store the generated image on our servers beyond the technical processing period.

3.3. Technical data and logs

When you visit the site, certain technical data may be processed automatically by our infrastructure and providers, for example:

• IP address

• Browser type and version

• Operating system

• Date and time of the request

• Referrer URL (if any)

• Basic device information

• Error messages and debug information (in logs)

We do not build profiles, connect this to your identity, or use this for marketing.

Our hosting and infrastructure providers (for example Contabo, Vast.ai, and Cloudflare) may log traffic for security, abuse prevention, and service reliability in line with their own policies.

3.4. Cookies and similar technologies

We do not intentionally set any cookies or tracking technologies for analytics, advertising, or user profiles in the current version of Kirkify.

Our providers (for example, Cloudflare) may use strictly necessary technical cookies to deliver the service and protect against abuse or attacks.

4. For what purposes we use your data (and legal bases)

Under the GDPR, we must have a legal basis for each processing activity. Below is an overview.

4.1. Providing the AI face swap service

Data:

• Image you upload

• Temporary copies required for processing

• Technical data necessary to deliver the result

Purpose:

• To receive your image, run the face swap with our model, and return the kirkified image to you.

Legal bases:

• Performance of a contract (Article 6(1)(b) GDPR): processing is necessary to provide the service you request (face swapping).

• Your explicit consent (Article 6(1)(a) GDPR): by uploading an image and using Kirkify, you clearly ask us to process that image for face swapping and temporary storage.

Because uploaded images may include facial features, which can be considered sensitive or biometric information in some situations, we rely on your explicit consent to process this data. You can withdraw this consent at any time by no longer using the service and contacting us to request deletion of any remaining data we still hold.

4.2. Operating and securing our infrastructure

Data:

• IP address and technical data

• Basic logs and error logs

Purpose:

• To keep the Service online and stable

• To protect the Service against abuse and attacks

• To debug errors and improve reliability

Legal basis:

• Legitimate interests (Article 6(1)(f) GDPR): we have a legitimate interest in operating a secure, stable, and reliable website and AI service.

We balance this interest against your rights by keeping technical data limited and not using it to profile you or track you across the web.

4.3. Communication and support

If you contact us by email:

Data:

• Your email address

• Any information you include in the message

Purpose:

• To respond to your questions

• To handle data subject rights requests

Legal bases:

• Performance of a contract (if your request relates to using the Service), and/or

• Legitimate interests (our interest in answering questions and running Kirkify), and/or

• Legal obligation (when we respond to GDPR requests).

4.4. Future analytics and advertising (not currently used)

At the time of this Privacy Policy, we do not use:

• Google Analytics, or

• Any similar analytics tool, or

• Any advertising network (e.g. Google Ads / AdSense, Meta ads, etc.).

If we decide to add such tools in the future, we will:

• Update this Privacy Policy, and

• Where required, ask for your consent through a cookie / consent banner before placing cookies or using non-essential tracking.

5. Data storage and retention

5.1. Input images

• Input images are stored temporarily on the GPU instance (Vast.ai) as part of the technical processing workflow.

• We do not keep a long-term archive of images.

• We regularly delete temporary image files, and in practice we aim to remove them within about one week, mainly to free up disk space and ensure system stability.

• We do not use these images for:

  • training AI models,

  • manual review for content, or

  • any purpose other than providing the face swap result and maintaining the service.

5.2. Generated images

• Generated (“kirkified”) images are not intentionally stored by us once the processing and delivery to your browser are complete.

• They may exist in memory or short-lived caches for the duration of the process, but we do not keep a separate copy for ourselves.

5.3. Logs and technical data

• We do not intentionally store extensive application logs tied to individual users.

• Our infrastructure providers (Contabo, Vast.ai, Cloudflare) may keep server and network logs (including IP address) for security and operational reasons according to their own retention policies.

• We do not use those logs to identify you personally, except where it is strictly necessary to investigate abuse, attacks, or legal issues.

5.4. General rule

We keep personal data only for as long as necessary for the purposes described in this Privacy Policy or to comply with legal obligations. After that, we delete or irreversibly anonymise the data.

6. Where your data is processed and international transfers

6.1. Infrastructure

Your data may be processed on the following infrastructure:

• A VPS hosted by Contabo in France (EU/EEA) – for API/control plane operations

• A GPU instance rented via Vast.ai, currently located in South Korea, for running the face swap model

• Reverse proxy and protection via Cloudflare, which may route traffic through various locations while applying security protections

6.2. Transfers outside the EU/EEA

When your image is sent to the Vast.ai GPU instance, your personal data is transferred from the EU/EEA to South Korea.

The European Commission has adopted an adequacy decision for South Korea, meaning that South Korea is considered to provide an adequate level of data protection comparable to the EU. This makes such data transfers permitted under Article 45 GDPR without additional transfer tools. (GDPR)

We only engage providers that offer appropriate guarantees for data protection and, where necessary, we rely on contractual and technical safeguards to protect your data.

7. Children’s privacy

Kirkify is a meme / fun tool and is not specifically directed at children.

• Our Service is intended for users who are at least 13 years old.

• If you are under 13, you must not use Kirkify or upload images to the Service.

• If you are between 13 and 16 and your use of the Service is based on consent as a legal basis, your parent or legal guardian may need to provide or authorise that consent under Belgian and EU rules. (Lexgo.be)

If we learn that we have processed personal data of a child under 13 without appropriate consent, we will take reasonable steps to delete that data.

Parents and legal guardians are responsible for supervising the online activities of children in their care.

8. How we protect your data

We take reasonable technical and organisational measures to protect your personal data, including:

• Using HTTPS to encrypt data in transit between your browser and our servers

• Restricting who can access servers and control panels (only the developer/owner)

• Limiting the retention of uploaded images to the shortest period reasonably necessary

• Relying on infrastructure providers (Contabo, Vast.ai, Cloudflare) that implement industry-standard security measures

However, no online service can guarantee 100% security. You use Kirkify at your own risk and should avoid uploading highly sensitive images.

9. No profiling or automated decisions with legal effects

We do not use your data for automated decision-making that produces legal or similarly significant effects on you under Article 22 GDPR.

Our AI model simply generates an edited image based on your input; we do not use it to judge or evaluate you as a person.

10. Sharing your data with third parties

We do not sell your personal data.

We only share data with third parties where necessary to provide and secure the Service:

• Infrastructure providers / processors

  • Contabo (VPS hosting)

  • Vast.ai (GPU hosting)

  • Cloudflare (reverse proxy, security, CDN)

These service providers act as processors and only process data on our behalf, under our instructions, and subject to contractual and legal obligations to protect your data.

We may also disclose data if required by law, court order, or request from a competent authority, or to protect our rights or the rights of others.

11. Your rights under GDPR

Because we are based in Belgium and process data of users in the EU/EEA, you have the following rights under the GDPR (subject to certain conditions and exceptions):

• Right of access – to know whether we process your personal data and to obtain a copy.

• Right to rectification – to correct inaccurate or incomplete personal data.

• Right to erasure (“right to be forgotten”) – to request deletion of your personal data, for example if it is no longer necessary for the purposes we collected it.

• Right to restriction of processing – to ask us to limit the processing of your data in certain cases.

• Right to data portability – to receive your personal data in a structured, commonly used, machine-readable format and have it transmitted to another controller where technically feasible.

• Right to object – to object to processing based on our legitimate interests, on grounds relating to your particular situation.

• Right to withdraw consent – when we base processing on your consent (for example, processing of your images), you may withdraw that consent at any time. This does not affect the lawfulness of processing before withdrawal.

To exercise any of these rights, you can contact us at:

Email: oegaboega8@gmail.com

We may need to ask you for additional information to verify your identity before fulfilling your request.

12. Right to lodge a complaint with a supervisory authority

If you believe that we violate data protection laws when processing your personal data, you also have the right to lodge a complaint with the competent supervisory authority.

In Belgium, this is the:

Gegevensbeschermingsautoriteit (GBA) / Autorité de protection des données (APD)
Website (citizen portal): [Data Protection Authority – Belgium] (dataprotectionauthority.be)

You can also contact the data protection authority of your usual place of residence or workplace within the EU/EEA.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time, for example if:

• we change our infrastructure,

• we add analytics or advertising, or

• legal requirements change.

When we make changes, we will update the “Last updated” date at the top. In case of significant changes, we may provide additional notice on the website.

Continued use of the Service after an update means that you accept the revised Privacy Policy.