Privacy Policy

Last updated May 2026.

This Privacy Policy explains how FaceFix ("we", "us") collects, uses, stores, and protects your data. Plain language, no dark patterns. You can write to hello@facefix.app with any question or request.

1. What we collect, and why

1.1 Scan photos

When you run a scan, the photos you took are transmitted once to our AI provider (OpenAI) for analysis. We do not store your scan photos on our servers. The photo data passes through the analysis pipeline, the resulting score and analysis are returned, and the photo bytes are discarded server-side at the end of the request.

A copy of your photos AND the AI-detected facial landmarks are saved locally in your browser (localStorage) so the result page can render the per-trait overlay on your own face. This data never leaves your device. Clearing browser storage removes it.

1.2 Account data

When you create an account we store the following in our authentication + database provider (Supabase, EU region):

  • Email address
  • Optional display name
  • Hashed password (only if you signed up with email + password)
  • OAuth provider linkage (only if you signed in via Google/Apple)
  • Account timestamps (created, updated)

1.3 Subscription & billing data

When you upgrade to a paid plan, Stripe handles the payment. We do not receive or store your card number, CVC, or any payment credentials — these stay entirely inside Stripe's PCI-DSS Level 1 environment. What we DO store after a successful payment, synced from Stripe via webhook:

  • Stripe customer ID (e.g. cus_...)
  • Stripe subscription ID (e.g. sub_...)
  • Current plan: free, pro, or lifetime
  • Subscription status (active, canceled, past_due, etc.)
  • Whether a cancellation is scheduled and on what date

1.4 Operational data

To protect the service from abuse and excessive cost, we log the following at the edge for the duration of a rate-limit window (max 24 hours):

  • Your IP address (or a forwarded equivalent)
  • Endpoint hit + timestamp
  • Your account plan (free/pro/lifetime/anonymous)

After the rate-limit window, this data is automatically deleted by our rate-limit provider (Upstash, EU region). It is never linked to your scan results.

2. Third-party processors

We use the following processors to deliver the service. All have signed Data Processing Agreements appropriate for EU data:

Processor        Purpose                                Data
OpenAI           Face analysis (gpt-4o vision)          Scan photos (transient, discarded after request)
Supabase         Authentication + user database         Email, name, plan, Stripe IDs
Stripe           Payment processing + billing portal    Card data (in Stripe vault), billing info
Vercel           Web hosting + edge runtime             IP + request metadata (standard server logs)
Upstash          Rate limiting (abuse prevention)       IP + endpoint hits (≤ 24h retention)
Google / Apple   Optional OAuth sign-in                 Whatever your provider chooses to share at sign-in

MediaPipe (the face-landmark detector) runs entirely in your browser. Your photo never leaves the device for that step.

3. Where we store data

Supabase data is hosted in the EU region. Stripe stores billing data according to its own multi-region infrastructure (US/EU). OpenAI processes requests in regions Stripe selects; we don't store any of it. Vercel runs request handlers in the fra1 (Frankfurt) region by default for this project.

4. How long we keep it

  • Scan results & photos in your browser: as long as you keep them. Clearing browser storage removes them instantly.
  • Account row: until you delete the account. Inactive accounts (no sign-in for 24 months) are subject to automatic deletion after an email warning.
  • Stripe billing records: retained by Stripe for the legally required period (typically 7 years for invoicing law).
  • Rate-limit logs: max 24 hours.

5. Your rights (GDPR)

If you are in the EU/EEA you have the right to:

  • Access (Art. 15) — request a copy of all data we hold about you
  • Rectification (Art. 16) — correct inaccurate data
  • Erasure (Art. 17) — delete your account and all associated data (your Stripe customer record will be retained per invoicing law but flagged as deleted)
  • Restriction (Art. 18) — pause our processing of your data
  • Portability (Art. 20) — receive your data in a machine-readable format
  • Object (Art. 21) — object to processing on legitimate-interest grounds
  • Lodge a complaint with your local supervisory authority (in the Netherlands: Autoriteit Persoonsgegevens)

Email hello@facefix.app from your registered address to exercise any of these. We respond within 30 days.

6. Cookies

We use a minimal number of cookies, all strictly necessary:

  • Supabase session cookies (sb-*) — keep you signed in. Expire on sign-out.
  • Stripe checkout cookies — set by Stripe's hosted checkout page during a payment session.

We do not use analytics, advertising, or tracking cookies. No third party uses our cookies for cross-site tracking.

7. Security

  • All traffic is encrypted in transit (HTTPS, HSTS preload).
  • Database connections use Row Level Security so users can only read their own row.
  • Payment data is tokenized via Stripe — we never see, store, or process your card number.
  • Our content security policy denies framing, third-party scripts, and inline payments.

8. Minimum age

You must be at least 16 years old to use FaceFix. We do not knowingly collect data from anyone younger. If you believe a minor under 16 has signed up, please email us and we will delete their account.

9. Changes to this policy

We will publish material changes on this page and (for account holders) send a notification. The "Last updated" date at the top of the page always reflects the current version.

10. Contact

Privacy questions, GDPR requests, complaints, or concerns: write to hello@facefix.app. We respond within 30 days. For urgent matters reply to a system email so we can verify your identity.