Privacy Policy

1. Who we are

FaceSculpt ("we," "us," "our," or "the app") is a mobile application developed and operated by FaceSculpt Technologies. This Privacy Policy explains how we collect, use, store, share, and protect your information when you use the FaceSculpt mobile application and related services (collectively, the "Service").

For the purposes of the EU General Data Protection Regulation ("GDPR"), the data controller is FaceSculpt Technologies. For the purposes of the California Consumer Privacy Act ("CCPA"), we are the "business" that collects your personal information.

If you have questions about this policy or our practices, contact us at privacy@facesculpt.app.

2. What we collect

We collect information in the following categories:

Information you provide directly

• Account information: name, email address, password (stored as a salted hash), age confirmation
• Profile responses: answers to our 12-question clinical assessment
• Facial photographs: images you capture for scan analysis (front view, left profile, right profile)
• Communication: messages you send to support, feedback, survey responses

Information collected automatically

• Device information: device model, operating system version, unique device identifiers, mobile network information
• Usage data: features used, screens viewed, time spent, interaction patterns (anonymized)
• Diagnostic data: crash reports, performance metrics, error logs
• Approximate location: derived from IP address only (we do not access GPS)

Information we do NOT collect

• Precise GPS location
• Contacts, calendar, or device files outside the app
• Health data from Apple Health or Google Fit
• Financial information (payments are processed by Apple App Store and Google Play; we never see your payment details)
• Government IDs or social security numbers

3. Biometric data

This section is critical. Read carefully.

FaceSculpt uses computer vision to analyze 468 facial landmark points across your facial photographs. Under various biometric privacy laws (including the Illinois Biometric Information Privacy Act / BIPA), the measurements derived from your face may constitute "biometric identifiers" or "biometric information."

What we capture

• Facial photographs you choose to upload (front, left profile, right profile)
• Mathematical measurements of facial geometry derived from those photographs (the "468-point landmark mesh")
• Computed scores across five categories: symmetry, jawline, skin clarity, eye area, proportions

How we handle it

• Explicit consent: Before any scan, we present a clear consent screen explaining what we capture and how we use it. You must affirmatively consent before any biometric processing occurs.
• Secure transmission: All facial photographs are transmitted using industry-standard TLS 1.3 encryption. We securely transmit facial photos to Face++ (Megvii) for biometric AI analysis. Photos are not permanently stored.
• Photo discard policy: We discard your facial photographs immediately after the analysis process is complete and results are generated. Only the derived numerical measurements and scores are retained.
• No biometric sale: We do not sell, lease, trade, or otherwise profit from your biometric identifiers or biometric information.
• No third-party biometric sharing: We do not disclose biometric data to third parties for their own commercial purposes.

Retention schedule for biometric data

• Original photographs: Discarded immediately after the analysis results are generated.
• Derived measurements and scores: Retained for the duration of your account to enable progress tracking. Permanently deleted within 30 days of account deletion.
• Aggregate, anonymized statistics: May be retained indefinitely but cannot be linked back to you.

BIPA-specific compliance (Illinois residents)

If you are an Illinois resident, the following applies in addition to the rest of this policy:

• We obtain your written, informed consent before collecting biometric identifiers or biometric information.
• We will permanently destroy your biometric data when the initial purpose for collecting it has been satisfied or within 3 years of your last interaction with us, whichever occurs first.
• We do not sell, lease, trade, or otherwise profit from your biometric identifiers or biometric information.
• We do not disclose your biometric data without your consent unless required by law or court order.

4. How we use your information

We use information you provide and information collected automatically for the following purposes:

• To provide the Service: generate facial analysis reports, calculate scores, create personalized protocols
• To maintain your account and authenticate you
• To process subscriptions and manage in-app purchases (in cooperation with Apple App Store and Google Play)
• To send transactional communications (account confirmations, security alerts, important service updates)
• To improve our service: train and refine our AI models on anonymized data, identify bugs, optimize features
• To provide customer support
• To prevent fraud, abuse, and unauthorized access
• To comply with legal obligations

We do NOT use your information for: targeted advertising, sale to third parties, behavioral profiling for marketing purposes, or training third-party AI models.

5. Legal basis for processing (GDPR)

If you are in the European Economic Area, United Kingdom, or Switzerland, we process your personal data under the following legal bases:

6. Data sharing

We share information only in the limited circumstances described below. We do not sell your personal data.

Service providers (data processors)

We share data with vendors who help us operate the Service, under strict contractual terms requiring them to protect your information and use it only for our specified purposes. Categories include:

• Cloud infrastructure: Amazon Web Services (AWS) for encrypted storage and compute
• AI Analysis: We securely transmit facial photos to Face++ (Megvii) for biometric AI analysis. Photos are not permanently stored.
• Analytics: Privacy-respecting, anonymized analytics for product improvement
• Crash reporting: Diagnostic services to identify and fix bugs
• Email delivery: Transactional email services for account communications
• Customer support: Help desk software for support ticket management

Other than our AI analysis partner, none of these service providers receive your raw facial photographs.

Legal requirements

We may disclose information when required to do so by law, in response to valid legal process (such as a subpoena or court order), or to protect the rights, property, or safety of FaceSculpt, our users, or others.

Business transfers

If FaceSculpt is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your personal data, and any acquirer will be bound by this Privacy Policy or provide you with an equivalent level of protection.

7. Data retention

8. Security

We implement industry-standard technical and organizational measures to protect your data:

• TLS 1.3 encryption for all data in transit
• Secure, isolated production environments with restricted access
• Multi-factor authentication required for employee access to systems containing user data
• Regular security audits and penetration testing
• Salted password hashing (bcrypt)
• Continuous monitoring for unauthorized access attempts
• Incident response plan with breach notification procedures

While we use commercially reasonable efforts to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

If we discover a data breach affecting your personal information, we will notify you and applicable regulators in accordance with applicable law (typically within 72 hours under GDPR).

9. Your rights

Regardless of where you live, you have the following rights:

• Access: request a copy of the personal data we hold about you
• Correction: request that we correct inaccurate or incomplete data
• Deletion: request that we delete your personal data and biometric information
• Portability: request a machine-readable copy of your data
• Withdrawal of consent: withdraw consent at any time (without affecting prior lawful processing)
• Complaint: file a complaint with your local data protection authority

To exercise any of these rights, use the in-app data deletion feature (Profile → Account Settings) or email privacy@facesculpt.app. We will respond within 30 days.

10. California rights (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

• Right to know: categories and specific pieces of personal information we collect, sources, purposes, and recipients
• Right to delete: request deletion of personal information we collected from you
• Right to correct: request correction of inaccurate personal information
• Right to opt out of sale or sharing: we do not sell or share your personal information for cross-context behavioral advertising
• Right to limit use of sensitive personal information: we only use sensitive personal information (such as biometric data) for the express purpose of providing the Service
• Right to non-discrimination: we will not discriminate against you for exercising your privacy rights

To submit a CCPA request, email privacy@facesculpt.app with subject "CCPA Request" or use our data deletion page.

"Shine the Light" (Civil Code §1798.83): California residents may request information about disclosures of personal information to third parties for direct marketing purposes. We do not share personal information with third parties for direct marketing.

11. Illinois rights (BIPA)

The Illinois Biometric Information Privacy Act provides specific rights for Illinois residents whose biometric data is collected. Per Section 3 above, we comply with BIPA's written consent, retention, destruction, and non-disclosure requirements. Texas and Washington residents have similar protections under state law.

12. European rights (GDPR)

If you are in the EEA, UK, or Switzerland, you also have these rights under GDPR:

• Object to processing based on legitimate interests
• Restrict processing in certain circumstances
• Lodge a complaint with your local supervisory authority
• Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects

You can find a list of EU data protection authorities at edpb.europa.eu/about-edpb/about-edpb/members_en.

13. Children's privacy

FaceSculpt is not intended for children under 13. We do not knowingly collect personal information from children under 13. Users between 13 and 18 must have parental or guardian consent.

For users in the EU, the minimum age may be higher (16 in some countries) per GDPR Article 8.

For users in the United States, we comply with the Children's Online Privacy Protection Act (COPPA). If we discover that we have collected information from a child under 13 without proper parental consent, we will delete that information immediately.

If you are a parent or guardian and believe your child has provided personal information without your consent, contact us at privacy@facesculpt.app.

14. International data transfers

FaceSculpt operates globally. Your information may be transferred to, stored in, and processed in countries other than your own, including the United States and India. These countries may have different data protection laws than your country.

For transfers from the EEA, UK, or Switzerland to countries not deemed to provide adequate protection, we rely on appropriate safeguards including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• UK International Data Transfer Agreement / Addendum
• Swiss-US Data Privacy Framework principles where applicable

You may request a copy of these safeguards by contacting us.

15. Cookies and tracking technologies

The FaceSculpt mobile app does not use cookies (cookies are a web browser concept). However, the app does use mobile equivalents:

• Local storage: for caching app data and preferences
• Device identifiers: to recognize your device for analytics and security
• Push notification tokens: if you enable notifications

Our website (facesculpt.app) uses minimal cookies for essential site functionality and privacy-respecting analytics. See our Cookie Policy for details.

16. Third-party services

The Service integrates with third-party services that have their own privacy policies:

• Apple App Store: for iOS distribution and in-app purchases — Apple Privacy Policy
• Google Play Store: for Android distribution and in-app purchases — Google Privacy Policy
• Sign in with Apple / Google: if you choose social authentication

We are not responsible for the privacy practices of these third parties. Review their policies separately.

17. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by:

• Email to your registered address (at least 30 days before changes take effect)
• In-app notification
• Updating the "Last updated" date at the top of this page

Continued use of the Service after changes take effect constitutes acceptance of the revised policy. If you do not agree to the changes, you must stop using the Service and may delete your account.

18. Contact us

For privacy-related questions, requests, or concerns:

• Privacy email: privacy@facesculpt.app
• General support: support@facesculpt.app
• Postal: FaceSculpt Technologies, Bhubaneswar, Odisha, India

For EU/UK residents, you may also contact our EU representative at eu-rep@facesculpt.app.

We aim to respond to all privacy inquiries within 30 days.