Legal Document

Privacy Policy

FaceRead AI (faceread.live)

Effective: January 11, 2026
Version 1.0

Quick Summary

Your Photos: Deleted within 24 hours after analysis
Your Results: Stored for 180 days, then auto-deleted
Your Data: Never sold or shared for marketing
Your Rights: Access, delete, export anytime

1. Introduction

FaceRead AI ("Company," "we," "us," "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website faceread.live and related services.

Data Controller:

FaceRead AI, San Antonio, Texas, USA

Contact:
cimbolicproductions@gmail.com

2. Information We Collect

A. Information You Provide Directly

1. Facial Photographs (Biometric Data)

  • Photos you upload or capture
  • Facial features extracted for analysis
  • Purpose: AI personality analysis generation
  • Retention: Deleted within 24 hours

2. Account Information (If Applicable)

  • Email address
  • Device information
  • Geographic location (country-level, not precise)

3. Payment Information

  • Name (if required by payment processor)
  • Email address
  • Transaction ID and amount
  • Note: Credit card details are NOT stored by us; Stripe handles all payment data

B. Information Collected Automatically

Technical Data

  • IP address
  • Device type and operating system
  • Browser type and version
  • Pages visited and features used
  • Session duration and timestamps

3. How We Use Your Information

1. Service Provision (Primary Purpose)

  • Process your facial photo for analysis
  • Generate personality insights using AI
  • Deliver PDF reports and results
  • Facilitate payment processing

What We DO NOT Do

  • ❌ We do NOT sell your personal information
  • ❌ We do NOT share biometric data with third parties for marketing
  • ❌ We do NOT use your photos to train our own AI models
  • ❌ We do NOT use photos for targeted advertising
  • ❌ We do NOT disclose analysis to employers or background check services

4. Data Sharing & Third-Party Processors

OpenAI (GPT-4o) - Data Processor

Data Received: Facial photo + extracted features

Purpose: Generate personality narrative text

Retention: Up to 30 days (default policy), 0 days with ZDR option

Data Usage: Not used for AI training (Enterprise Terms) ✓

Security: Encrypted transmission & storage ✓

xAI (Grok-4) - Data Processor

Data Received: Facial photo

Purpose: Extract facial features and geometry

Retention: Up to 30 days (non-enterprise), Session-only (guest users)

Security: Encrypted transmission & storage ✓

Stripe - Payment Processor

Data Received: Payment information only (NOT photos or analysis)

Purpose: Process credit card payments securely

Compliance: PCI DSS Level 1 certified ✓

Note: You never directly share card info with us

Supabase - Database & Storage Provider

Data Received: User accounts, analysis results, session data

Purpose: Store user data and application state

Photo Storage: Temporary storage during analysis (deleted within 24 hours)

Security: Row-level security, encrypted at rest ✓

Compliance: SOC 2 Type II, GDPR compliant ✓

Railway - Application Hosting Provider

Data Received: All application data including uploaded photos, biometric features, analysis results, user accounts, and HTTP requests

Purpose: Host and serve the entire FaceRead web application

Data Location: US West (California, USA)

Infrastructure: Node.js 22.x runtime, up to 8 vCPU / 8GB memory

Security: Automatic HTTPS (faceread.live), encrypted transmission & storage ✓

Important: Railway hosts the application server that temporarily processes your photos before sending to AI services (OpenAI/xAI)

We DO NOT Share With:

❌ Marketing companies or data brokers
❌ Advertisers or advertising networks
❌ Employers or background check services
❌ Insurance companies
❌ Government agencies (except legal requirement)
❌ Any third party for direct marketing

5. Biometric Data Specific Disclosures

⚠️ What is Biometric Data?

Your facial geometry (facial features, proportions, patterns) extracted from your photograph qualifies as "biometric information" under:

  • Illinois BIPA (Biometric Information Privacy Act)
  • GDPR Article 9 (Special Category Personal Data)
  • CCPA/CPRA (Sensitive Personal Information)

Retention & Destruction Policy

Data | Retention | Destruction Method
Original Photo | Deleted within 24 hours | Secure deletion (cryptographic erasure)
Facial Features | Deleted immediately after analysis | Automatic purge from all systems
Analysis Results | Retained 180 days | Then automatically deleted

Illinois BIPA Compliance

For Illinois Residents:

  • Written Consent: You provide written consent by accepting these Terms
  • Purpose Limitation: Biometric data used ONLY for personality analysis
  • No Sale: We DO NOT sell, lease, or trade your biometric data
  • Public Policy: This retention/destruction schedule is publicly available
  • Penalties: $1,000 per negligent violation, $5,000 per intentional violation

GDPR Article 9 Compliance

For EU/EEA Residents:

  • Explicit Consent: Separate from general Terms consent
  • Lawful Basis: Explicit consent (Article 9(2)(a))
  • Purpose: Personality analysis for entertainment
  • Right to Withdraw: Anytime via cimbolicproductions@gmail.com

6. Data Retention Periods

Data Type | Retention Period | Purpose/Reason
Facial photos | 24 hours maximum | Analysis processing only
Facial features | Immediately | Temporary extraction for analysis
Analysis results | 180 days | User access to downloadable results
Transaction records | 7 years | Tax compliance and legal records
IP logs/access logs | 30 days | Security and abuse prevention

7. Your Privacy Rights

GDPR Rights (EU/EEA/UK Residents)

Right to Access

Request a copy of your personal data

Right to Rectification

Request correction of inaccurate data

Right to Erasure

"Right to be Forgotten" - Request deletion

Right to Data Portability

Receive data in machine-readable format

Right to Object

Object to processing based on legitimate interests

Right to Withdraw Consent

Withdraw biometric processing consent anytime

CCPA/CPRA Rights (California Residents)

Right to Know

Know what information is collected and how it's used

Right to Delete

Request deletion of personal information

Right to Opt-Out

Opt-out of sale or sharing (we don't sell data)

Right to Non-Discrimination

We cannot discriminate against you for exercising your rights

How to Exercise Your Rights

Email Request: Send to cimbolicproductions@gmail.com

Response Timeline: Within 30 days (GDPR) or 45 days (CCPA)

Verification: We may request identity confirmation

8. Data Security

Encryption in Transit

  • TLS 1.3 (minimum) for all connections
  • HTTPS everywhere (SSL certificates)
  • Secure APIs with authentication tokens

Encryption at Rest

  • AES-256 encryption for stored data
  • Separate encryption keys per data category
  • Secure key management and rotation

Access Controls

  • Role-based access control (RBAC)
  • Principle of least privilege
  • Multi-factor authentication for admin access

Monitoring & Testing

  • Regular penetration testing (quarterly)
  • Vulnerability scans (weekly)
  • 24/7 security monitoring

Data Breach Notification

In the unlikely event of a data breach, we will notify affected users and relevant authorities within the legally required timeframes (GDPR: 72 hours to supervisory authority, CCPA: without unreasonable delay).

9. Contact Us

For privacy inquiries, rights requests, or concerns:

Response Time: 5 business days
Mailing Address: FaceRead AI, San Antonio, Texas, USA

Last Updated: January 11, 2026 • Version 1.0 • Effective Date: January 11, 2026

Also see our Terms of Service