Security at Face Privacy
We handle your face and identity — the most sensitive data there is. Here's exactly how we protect it.
Face Privacy exists to reduce your exposure to facial-recognition systems — so security isn't a feature for us, it's the product. This page describes the concrete measures we take to protect your account, your photos, and your identity data — what we actually do, not aspirational claims.
1. Security program & policies
Our security program is built on a few principles we apply consistently:
- Least data. We collect only what's needed to file removals on your behalf — your reference photos and identity details — and nothing more.
- Least access. Access to production systems and customer data is limited to the people who need it, and every privileged action is gated and revocable.
- Encrypted by default. Data is encrypted in transit everywhere, and sensitive objects are encrypted at rest.
- Defense in depth. Security is enforced at multiple layers — edge (WAF/TLS), application (auth + authorization), and storage (access-scoped keys) — so a single failure isn't a full compromise.
2. Encryption
- In transit: all connections — browser ↔ site, app ↔ API, API ↔ database, API ↔ storage — use TLS 1.2+. We do not accept unencrypted traffic.
- At rest (files): photos, redacted legal IDs, and documents in our object storage are encrypted at rest with AES-256.
- Passwords: account passwords are never stored in plaintext or reversibly — they're protected with a salted, industry-standard one-way hash and can't be recovered, only verified.
- Sessions: authentication uses signed, short-lived session tokens. One-time, purpose-scoped links (e.g. document-upload links) can't be replayed as full sessions.
- Biometric note: we do not build or store a facial-recognition "faceprint" of you. Your photo is used to submit removal requests; it is not converted into a searchable biometric template by us.
3. Architecture overview
Face Privacy runs on modern, edge-first infrastructure with a deliberately small, auditable surface area:
- Global edge delivery. Our website and API run on a globally-distributed edge network, fronted by DDoS protection and a web application firewall, so requests are filtered and served close to you.
- Access-restricted database. Account, subscription, and removal records live in a managed database reachable only over encrypted connections — it is not exposed to the public internet.
- Encrypted file storage. Your photos, redacted IDs, and documents are kept in encrypted object storage and are only retrievable through authenticated, access-scoped requests.
- Payments stay with the processor. Card data is handled entirely by our payment providers (Stripe on the web, Apple on iOS) — full card numbers never touch our systems.
4. Account security & two-factor authentication (2FA)
Your account is protected by several controls, and you can harden it further:
- Two-factor authentication (TOTP). 2FA is available on every account and works with any standard authenticator app — Google Authenticator, Authy, 1Password, and others. When enabled, signing in requires your password and a 6-digit time-based code. Turn it on under Dashboard → Account → Two-Factor Authentication (and in the iOS app's Account tab). You can disable it any time with a current code or your password.
- Strong password handling. Minimum length is enforced, passwords are salted + hashed (see above), and we return generic errors on login so an attacker can't tell whether an email exists.
- Federated sign-in. You can sign in with Apple or Google; those providers handle their own multi-factor protections, and we only receive a verified identity token.
- Sign-in visibility. Your dashboard shows your recent sign-ins (device, approximate location, time) so you can spot anything you don't recognize and tell us.
- Anti-abuse. Sensitive endpoints are rate-limited, and abusive request patterns are throttled at the edge.
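The password and two-factor handling described above (salted one-way hash, 6-digit time-based codes, and generic login errors) can be shown concretely. The following is an added example written for this page, not Face Privacy's own code: it uses PBKDF2-HMAC-SHA256 as a stand-in for the page's unnamed "industry-standard" hash, RFC 6238 TOTP over HMAC-SHA1, and a single generic failure message. The user store, email address, password, and TOTP secret (the RFC 6238 test-vector secret) are all constructed for the demo.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

# Added example (not Face Privacy's code): salted one-way password hashing,
# RFC 6238 TOTP verification, and a login check that returns the same generic
# error for every failure so the response cannot be used to enumerate accounts.

PBKDF2_ITERATIONS = 600_000          # OWASP-recommended floor for PBKDF2-HMAC-SHA256
TOTP_STEP = 30                       # seconds per code
TOTP_DIGITS = 6
GENERIC_ERROR = "Invalid email, password, or code."

# Constructed salt used to hash the password of a non-existent account, so the
# unknown-email path costs about the same time as the known-email path.
_DUMMY_SALT = os.urandom(16)


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest). A fresh random salt per account defeats precomputed tables."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash and compare in constant time; the password itself is never stored."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def totp_code(secret: bytes, at: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step) truncated to 6 digits."""
    counter = struct.pack(">Q", at // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** TOTP_DIGITS).zfill(TOTP_DIGITS)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current code plus/minus `window` steps to tolerate clock drift."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp_code(secret, at + drift * TOTP_STEP), code):
            return True
    return False


def login(users: dict, email: str, password: str, code: str, now: int) -> tuple:
    """Check password, then TOTP if enrolled. Every failure yields the identical message."""
    user = users.get(email)
    if user is None:
        # Burn the same hashing cost so timing does not reveal that the email is unknown.
        hashlib.pbkdf2_hmac("sha256", password.encode(), _DUMMY_SALT, PBKDF2_ITERATIONS)
        return False, GENERIC_ERROR
    if not verify_password(password, user["salt"], user["digest"]):
        return False, GENERIC_ERROR
    if user.get("totp_secret") and not verify_totp(user["totp_secret"], code, now):
        return False, GENERIC_ERROR
    return True, "ok"


def constructed_users() -> dict:
    """Constructed in-memory user store standing in for the real database."""
    salt, digest = hash_password("correct horse battery staple")
    return {"alice@example.com": {"salt": salt, "digest": digest,
                                  "totp_secret": b"12345678901234567890"}}


if __name__ == "__main__":
    users = constructed_users()
    print(login(users, "alice@example.com", "correct horse battery staple",
                totp_code(b"12345678901234567890", 59), 59))
```

A production deployment would additionally remember the last accepted TOTP counter per account so a code cannot be reused within its validity window, and would rate-limit the endpoint as the page describes.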
5. Access control practices
- Role-based admin access. Administrative access is granted per-account via an explicit, database-backed admin flag that can be revoked instantly — a long-lived session can't keep admin rights after access is removed.
- Scoped file access. Internal access to stored photos and IDs is tightly scoped — it can't be used to browse beyond the specific files in question.
- Owner-only data. Your photos and account data are served only to you (authenticated as the owner) or to authorized staff acting on your removal case.
- Production secrets (API keys, signing keys, database credentials) are stored as managed secrets, never in source code or client apps, and are rotated when warranted.
- Auditability. Significant account and admin actions are logged so activity can be reviewed.
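The "signed, short-lived session tokens" from section 2 and the revocable, database-backed admin flag above work together: the token proves who the caller is, and authorization is looked up fresh on each request rather than trusted from the token. The following is an added example written for this page, not Face Privacy's own code; the signing key, token layout (base64url payload plus HMAC-SHA256), user IDs, and the in-memory dictionary standing in for the admin-flag table are all constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Added example (not Face Privacy's code): a signed, short-lived session token
# carrying no role claim, with admin rights checked against a database-backed
# flag on every request so revocation takes effect immediately for live sessions.

SIGNING_KEY = b"constructed-demo-key-use-a-managed-secret-in-production"  # assumption
SESSION_TTL = 3600  # seconds a token stays valid


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session(user_id: str, now: int) -> str:
    """Token = base64url(payload) '.' base64url(HMAC-SHA256(payload)). No role is embedded."""
    payload = json.dumps({"sub": user_id, "iat": now, "exp": now + SESSION_TTL}).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def parse_session(token: str, now: int) -> Optional[dict]:
    """Return the claims if the signature verifies and the token is unexpired, else None."""
    try:
        body, sig = token.split(".", 1)
        payload = _unb64(body)
        expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(payload)
    except (ValueError, TypeError):  # bad base64, bad JSON, or missing separator
        return None
    if not isinstance(claims, dict) or now >= claims.get("exp", 0):
        return None
    return claims


# Constructed stand-in for the database table holding the per-account admin flag.
ADMIN_FLAGS = {"user-1": True, "user-2": False}


def is_admin(token: str, now: int, db: dict = ADMIN_FLAGS) -> bool:
    """Authorize per request: the session must be valid AND the flag must be set right now."""
    claims = parse_session(token, now)
    if claims is None:
        return False
    return bool(db.get(claims["sub"], False))


def revoke_admin(user_id: str, db: dict = ADMIN_FLAGS) -> None:
    """Clearing the flag strips admin rights from every existing session at once."""
    db[user_id] = False


if __name__ == "__main__":
    token = issue_session("user-1", 1_000_000)
    print(is_admin(token, 1_000_010))   # True
    revoke_admin("user-1")
    print(is_admin(token, 1_000_010))   # False, same token still unexpired
```

Because the token contains only the subject and timestamps, there is nothing in it an attacker could tamper with to gain admin rights, and there is no cached role to go stale when access is removed.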
6. Subprocessors
We rely on a small set of vetted providers to deliver the service. We share only the data each one needs for its function:
| Provider | Purpose | Data involved | Region | Certifications |
|---|---|---|---|---|
| Cloudflare | Edge hosting, API delivery, encrypted object storage, DNS/CDN/WAF & DDoS protection | Site & app traffic, photos & documents, API requests | Global edge | SOC 2 Type II · ISO 27001 |
| Amazon Web Services | Managed database hosting (account & removal records) | Account, subscription & removal data | United States (us-east-2) | SOC 2 Type II · ISO 27001 |
| Stripe | Subscription billing & payment processing (web) | Payment details, billing email | United States / Global | SOC 2 Type II · ISO 27001 · PCI DSS L1 |
| Apple (App Store / StoreKit) | In-app purchases & subscriptions (iOS) | Purchase receipts (no card data reaches us) | Global | ISO 27001 |
| RevenueCat | iOS subscription state management | Subscription status, anonymous app user ID | United States | SOC 2 Type II |
| Google Firebase | Google / Apple sign-in token verification | OAuth identity token (email, name) | United States / Global | SOC 2/3 · ISO 27001 |
| Mailgun | Transactional & support email delivery | Email address, message content | United States | SOC 2 Type II |
| Clicky | Privacy-respecting web analytics | Aggregate, non-identifying usage | United States | — |
We do not sell your personal data, and we do not share it with third parties except the subprocessors above (to operate the service) or as required by law. See our Privacy Policy for full detail.
7. Data retention & deletion
- We retain your account and removal data for as long as your account is active and as needed to provide the service.
- You can delete your account at any time — from the dashboard or the iOS app. Deletion cancels billing and removes your account record, photos, redacted IDs, and associated data from our systems.
- Original (un-redacted) identity documents, when provided for an "anonymize-for-me" request, are kept access-restricted and deleted on request or when no longer needed.
- Backups and provider logs roll off on their own retention schedules.
8. Incident response plan
If a security incident occurs, we follow a structured process:
- Detect & triage. Investigate alerts and reports, and assign severity.
- Contain. Limit the blast radius immediately — revoke credentials/sessions, block traffic, or take affected components offline as needed.
- Eradicate & recover. Remove the root cause, restore from known-good state, and verify integrity before returning to normal operation.
- Assess impact. Determine what data, if any, was affected and which users are involved.
- Notify. Where a breach is likely to affect your rights, we notify affected users without undue delay, and notify the relevant supervisory authority within the legally required window (for example, within 72 hours under the GDPR where applicable).
- Review. Conduct a post-incident review and implement fixes to prevent recurrence.
9. Responsible disclosure
If you believe you've found a security vulnerability, we want to hear from you. Please email [email protected] with details and steps to reproduce. We ask that you give us a reasonable chance to fix the issue before public disclosure, and that you avoid accessing or modifying other people's data while testing. We're grateful for good-faith reports and will work with you in good faith.
10. Questions
Security or privacy questions? Reach us at [email protected] or via our Contact page. Also see our Privacy Policy, GDPR, and Terms of Service.
Independently verified
Don't take our word for it. Our TLS configuration and HTTP security headers are graded by independent third-party scanners — click either badge to run the test live, right now.
Grades current as of June 19, 2026. Results may vary slightly as scanners and our configuration evolve.