FACESIFT — PRIVACY POLICY

§ 1. Definitions

• Controller — the operator of the FaceSift service, reachable at facesift@gmail.com.
• Policy — this Privacy Policy.
• User — any natural person who uses the Service.
• Personal Data — any information relating to an identified or identifiable natural person.
• Service / Website — the face reverse-image search service operated by the Controller.
• FaceCheck.ID — a third-party facial-search API provider used to perform image searches (facecheck.id).
• NOWPayments — a third-party cryptocurrency payment processing provider used to handle crypto payments on the Service (nowpayments.io).
• Lenso.ai — a third-party face reverse-image search service available as an alternative search engine on the /lenso page (lenso.ai).
• Google Analytics — a web analytics service provided by Google LLC that collects aggregate usage statistics via cookies and network requests.
• Browser Storage — the Web Storage API (localStorage) built into the User's browser, which stores data locally on the User's device only.

§ 2. General Provisions

This Policy applies to the processing of Personal Data in connection with the operation of the Service.

The Controller does not operate a server-side database and does not store any User data on its own servers. No uploaded photos, search results, IP addresses, or User identifiers are retained by the Controller beyond what is strictly necessary to fulfil a single search or payment request.

The Controller does not sell your Personal Data. Personal Data may only be shared with third parties in the situations described in this Policy.

The Service is not intended for use by individuals under the age of 16. The Controller does not knowingly collect Personal Data from minors. The Service must not be used to search for images of persons under the age of 18.

§ 3. Your Rights Regarding Personal Data

You have the right to:

1. access your Personal Data and receive a copy;
2. request rectification, deletion, or restriction of processing;
3. withdraw consent at any time — withdrawal does not affect the lawfulness of processing prior to withdrawal;
4. data portability;
5. object to processing where the legal basis is the Controller's legitimate interest.

To exercise any of these rights, contact facesift@gmail.com. The Controller will respond within 30 days.

§ 4. Image Upload and Facial Search

The core functionality of the Service requires the User to provide a photo containing a face. By submitting a photo the User grants explicit, personal, and voluntary consent to:

1. transmission of the photo to FaceCheck.ID for the purpose of performing a reverse facial-image search;
2. acknowledgement that the photo depicts only the User themselves, or a person for whom the User has lawful authority to perform such a search;
3. confirmation that the depicted person is 18 years of age or older;
4. acknowledgement that use of the Service (including sending a photo to FaceCheck.ID servers) is not prohibited in the User's jurisdiction.

If the User does not accept all the above conditions, the search cannot proceed.

The Controller acts solely as an intermediary: the photo is forwarded to the relevant third-party search engine, search results are received and displayed to the User, and no further processing of the photo is performed by the Controller. The Controller does not use uploaded photos for machine learning, advertising, or any other purpose.

On the main search page, photos are processed by FaceCheck.ID. For details on how FaceCheck.ID processes image data, please review their privacy policy at facecheck.id/privacy.

On the /lenso page, photos are processed by Lenso.ai. For details on how Lenso.ai processes image data, please review their privacy policy at lenso.ai/legal/privacy-policy.

§ 5. Browser Storage (Client-Side Cache)

To improve usability, the uploaded photo is temporarily cached as a Base64-encoded string in the User's browser localStorage for up to 24 hours. This data never leaves the User's device and is not accessible to the Controller or any third party.

Users can delete this data at any time by clearing their browser's site data or local storage for the Service domain.

§ 6. Payment Processing

The Service sells digital goods (access to unmasked search results). Unlocking full search results requires a one-time payment processed by NOWPayments (nowpayments.io), which accepts cryptocurrency (e.g. Bitcoin, Ethereum, and others). Blockchain transactions are publicly visible by nature; the Controller does not link on-chain addresses to your identity. NOWPayments may collect technical data necessary to process and verify the transaction. Please review NOWPayments' privacy policy at nowpayments.io/doc/privacy for details.

The Controller receives only a transaction status confirmation (success or failure) and the associated search session identifier — no financial data is retained beyond what is required for fraud prevention and legal compliance.

§ 7. Cookies and Tracking

The Service uses Google Analytics (provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) to collect aggregate, anonymised statistics about how visitors interact with the Service — for example, which pages are viewed and how long sessions last. This helps the Controller understand usage patterns and improve the Service.

Google Analytics sets cookies (typically named _ga and _ga_*) in your browser. These cookies contain a randomly generated identifier and are used to distinguish unique visitors. The data collected is transmitted to and stored on Google's servers, which may be located outside the European Economic Area. Google processes this data in accordance with its Privacy Policy.

The Controller does not use Google Analytics to collect personally identifiable information such as names, email addresses, or precise location. IP addresses are anonymised before transmission where technically supported.

You can opt out of Google Analytics tracking at any time by:

• installing the Google Analytics Opt-out Browser Add-on;
• blocking cookies via your browser settings or a privacy extension; or
• using a browser in private/incognito mode (cookies are discarded when the session ends).

In addition, the Service stores a NEXT_LOCALE cookie to remember your language preference (English or Ukrainian). This cookie contains only the locale code (en or uk), expires after one year, and is not shared with any third party.

Technically necessary session data may also be stored in the browser to support the payment flow. The Controller does not set any advertising or cross-site tracking cookies.

§ 8. Data Security

All data transmitted between the User's browser and the Controller's servers is protected by TLS/SSL encryption (HTTPS). Server-side API routes are used exclusively to proxy requests to FaceCheck.ID, ensuring that API credentials are never exposed to the client.

Because the Controller does not maintain a persistent database, exposure risk from server-side data breaches is minimal. The primary data at risk remains the photo cached locally in the User's own browser.

§ 9. Recipients of Personal Data

Personal Data may be shared only with the following third parties, and only to the extent necessary:

1. FaceCheck.ID — receives the uploaded photo solely for performing the requested facial-image search (main search page);
2. Lenso.ai — receives the uploaded photo solely for performing a facial-image search when the User uses the /lenso page;
3. NOWPayments — receives transaction data solely for processing cryptocurrency payments for digital goods;
4. Google LLC (Google Analytics) — receives aggregate usage data via cookies for the purpose of web analytics; does not receive uploaded photos or payment data;
5. Hosting provider — stores and serves the application; does not have access to User-submitted photos.

These providers may be located outside the European Economic Area (EEA). Where data is transferred outside the EEA, the Controller ensures such transfers are subject to appropriate safeguards under applicable law.

§ 10. Retention Periods

• Uploaded photo (server): forwarded to FaceCheck.ID and not retained by the Controller.
• Uploaded photo (browser): cached locally for up to 24 hours, then automatically cleared.
• Search results (server): accessible via FaceCheck.ID for up to 24 hours after the search completes. After this period the session is expired and results are no longer retrievable through the Service.
• Downloaded JSON file:if the User downloads Search Results after completing the Unlock Payment, the resulting file is saved locally on the User's device only. The Controller does not retain a copy.
• Payment data: retained only as long as required by applicable financial regulations.
• IP addresses: not logged by the Controller.

§ 11. Additional Information for US Residents

Residents of California, Colorado, Connecticut, Virginia, Montana, Oregon, and Utah may have additional rights under their respective state privacy laws (CCPA/CPRA, CPA, CTDPA, CDPA, MTCDPA, OCPA, UCPA), including the right to:

1. know and access the categories and specific pieces of Personal Data collected;
2. request deletion of Personal Data;
3. correct inaccurate Personal Data;
4. opt out of the sale or sharing of Personal Data for targeted advertising. The Controller does not sell Personal Data.

To exercise any of these rights, contact facesift@gmail.com. The Controller will respond within 30 days. If your request is denied, you may appeal by contacting the same address. Further appeals may be directed to the relevant state Attorney General.

Illinois residents: The Service is not available to Illinois residents due to restrictions under the Illinois Biometric Information Privacy Act (BIPA).

§ 12. Updates

This Policy may be updated at any time. The current version will always be available on this page. Continued use of the Service after an update constitutes acceptance of the revised Policy.

§ 13. Contact

For any questions or requests relating to this Policy or your Personal Data, contact us at: facesift@gmail.com