Privacy Policy
How we collect, use, and protect your data.
Face Privacy (“we”, “us”, “our”) is committed to protecting your privacy. This policy explains how we collect, use, store, and protect your personal and biometric data when you use our services.
1. Information We Collect
We collect information you provide directly: account details (email, name), identity information (legal name, photo) for removal requests, and payment information processed by our payment provider. We may also collect usage data (e.g. how you use our site) and technical data (e.g. IP address, browser type).
2. How We Use Your Information
We use your information to provide our removal service, to create and manage your account, to process payments, to communicate with you, and to improve our services. We use your photo and identity details only to submit removal requests to third-party databases where you have requested removal.
3. Biometric and Facial Data
Your facial image and related biometric data are sensitive. We store them securely and use them solely for the purpose of submitting opt-out or removal requests to facial recognition databases. We do not sell your biometric data. We retain data only as long as needed to provide the service and as required by law.
4. Sharing of Information
We may share your information with service providers (e.g. hosting, payment processing) under strict agreements. When we submit removal requests, we share only the information necessary with the relevant databases or their agents, in line with their removal processes. We do not sell your personal information to third parties.
5. Security
We use industry-standard measures to protect your data, including encryption and access controls. No method of transmission or storage is 100% secure; we cannot guarantee absolute security.
6. Your Rights
Depending on your location, you may have rights to access, correct, delete, or port your data, or to object to or restrict processing. You may also have the right to withdraw consent. Contact us to exercise these rights. EU/UK users have additional rights under GDPR.
7. Cookies and Tracking
We may use cookies and similar technologies for essential site function, analytics, and preferences. See our Cookie Policy (when available) for more detail.
8. Changes
We may update this Privacy Policy from time to time. We will post the updated policy on this page and update the “Last updated” date. Continued use of our services after changes constitutes acceptance of the updated policy.
9. Contact
For privacy-related questions or to exercise your rights, contact us through our website or at the contact details provided there.
10. Face Privacy for iOS — App-Specific Information
This section applies in addition to the rest of this Privacy Policy when you use the Face Privacy iOS application (the “App”) downloaded from the Apple App Store. In any conflict between this section and a general section above, this section controls for iOS-specific behavior.
10.1 Data the App Collects
The App collects the same categories of information described in Section 1, plus the following items that exist because of the iOS platform:
- Account data: your email address and a hashed password, or an Apple-issued user identifier if you sign in with Apple. We never receive your Apple ID password.
- Identity and biometric data: the face and side photographs you upload, and any government-issued identity document you upload when a database asks for proof of identity, as described in Section 3.
- Subscription state: whether you hold a valid subscription, the subscription tier, and an opaque Apple transaction identifier returned by StoreKit. Apple processes the payment; we do not receive your credit card number, the last four digits of your card, your billing address, or your Apple ID password.
- Push notification token: if you grant push permission, iOS issues us a device token used solely to deliver in-app status notifications (for example, “an engine has asked for an ID”). We do not use the token for advertising.
- Diagnostic and usage data: crash reports and basic interaction analytics, kept in a form that does not identify you to us. We do not use the App’s IDFA and do not present an App Tracking Transparency prompt because we do not track you across other companies’ apps or websites.
10.2 Camera and Photo Library Access
The App requests permission to use your device’s camera and, optionally, your photo library only when you initiate an action that needs them — capturing your face or side photo, or attaching an identity document to a removal request. Captured images are uploaded over TLS to our servers and used for the same purposes described in Section 3. No image is uploaded in the background, none is uploaded without your explicit confirmation, and none is shared with third parties outside the scope of fulfilling a removal request you have asked us to make.
10.3 Push Notifications
Push notifications are off by default. If you grant permission, we deliver service notifications related to your account — an engine has requested action from you, a removal has been confirmed, a payment has failed, and similar operational events. You can revoke notification permission at any time in iOS Settings → Notifications → Face Privacy.
10.4 In-App Purchases and Subscription Data
All in-app purchases on iOS are processed by Apple through the App Store and StoreKit. Apple is responsible for the payment transaction and the storage of payment instruments associated with your Apple ID. We receive only a non-financial transaction receipt that confirms your subscription status. Your right to a refund of an in-app purchase is governed by Apple’s App Store policies; refund requests for App Store purchases must be made to Apple, not to us, at reportaproblem.apple.com.
We use RevenueCat, Inc. as a sub-processor to validate the App Store transaction receipt and to deliver real-time subscription lifecycle events (renewal, cancellation, billing issue) to our backend. RevenueCat receives the opaque App Store transaction identifier, the product identifier you purchased, the country code of the App Store account, and an internal user identifier that we generate for you — never your name, email, photographs, or any biometric data. RevenueCat acts as a data processor under our instructions and is contractually bound to retain the data only as long as needed to provide the subscription service. Their full privacy policy is linked above.
10.5 Sign in with Apple and Google
If you choose Sign in with Apple, Apple supplies us a unique account identifier and, depending on the option you choose at sign-up, either your real email address or an Apple-relayed forwarding address that masks it. We treat the relayed address with the same care as a direct email address and use it only for transactional service messages and, with your separate consent, marketing email.
If you choose Sign in with Google, the App routes the OAuth handshake through Google’s Firebase Authentication service, which we use as a sub-processor for identity verification only. Firebase returns to us your Google account email address and a stable Firebase user identifier. We never receive your Google password, your contacts, your calendar, your Drive content, or any other Google profile data beyond your email. Firebase Authentication is configured without analytics SDKs in the App, so Google does not receive in-App behavior data from us.
10.6 Data Stored On Your Device
The App stores a session token in the iOS keychain so you remain signed in between launches, and a small cache of removal status data to render the dashboard offline. No biometric template, government ID, or payment data is stored on your device beyond the lifetime of an upload screen.
10.7 Account and Data Deletion
Apple App Store Review Guideline 5.1.1(v) requires that accounts created in an app can be deleted from within that app. You can delete your Face Privacy account — including all uploaded photographs, identity documents, and removal history — from the iOS app under Settings → Account → Delete Account, or from the web dashboard at any time. Deletion is permanent and removes the underlying records from our production database within thirty (30) days. Backup copies are overwritten on our normal rotation cycle and are not restorable on request after that window.
10.8 Children
The App is not directed to children and is rated 17+ on the App Store because facial-recognition opt-out paperwork is an adult-only workflow. We do not knowingly collect personal information from anyone under 18. If you believe a minor has submitted information through the App, contact us and we will delete the account.
10.9 Third-Party Services and Sub-Processors
The App uses Apple frameworks (StoreKit for purchases, UserNotifications for push, AuthenticationServices for Sign in with Apple) and our own backend at faceprivacy.ai. In addition, the App relies on the following named sub-processors, each of which receives only the specific data described and is contractually bound to use it solely to provide their part of the service:
- RevenueCat, Inc. — receives the App Store transaction identifier, product identifier, country code, and an internal user identifier so we can verify your subscription status across reinstalls and devices. Does not receive your photographs, identity documents, or removal history. See Section 10.4.
- Google LLC (Firebase Authentication) — processes the Sign in with Google OAuth handshake only when you choose that sign-in method. Receives your Google account email and returns a stable user identifier. Does not receive any other Google profile data, does not receive in-App behavior data, and is not embedded as an analytics SDK. See Section 10.5.
- Cloudflare, Inc. — operates the network edge, the application worker, and the R2 object store where your photographs and identity documents are kept encrypted at rest. Cloudflare is a passive infrastructure provider and does not access the content of the data we store with them outside of network delivery.
- Amazon Web Services (AWS Lightsail MySQL) — hosts the relational database that records your account, subscription state, and removal history. AWS does not access the content of the database outside of operating the host.
- Mailgun Technologies, Inc. — delivers the transactional and reminder emails the App sends on your behalf. Receives your email address and the body of the message being sent.
The App does not embed any third-party advertising SDK, third-party tracking SDK, third-party crash reporter that shares data with the SDK vendor, or analytics SDK that calls home. We do not use the App’s IDFA and we do not present an App Tracking Transparency prompt because we do not track you across other companies’ apps or websites. The forwarding addresses used by the App when filing removal requests go directly to the relevant facial-recognition database operators — these are listed in Section 4 of this Privacy Policy and on our public Database List.
10.10 Apple’s Role
Apple distributes the App but is not a party to your relationship with us. Questions about how we process your data should be directed to us using the contact information in Section 9, not to Apple. Questions about how Apple processes data it collects about you through the App Store, your Apple ID, and Apple Pay should be directed to Apple under Apple’s Privacy Policy.