1. Introduction

Faceover.ai ("we", "us", or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website and application Faceover.ai (the "Service", including app.faceover.ai). By using the Service, you agree to the terms of this Policy. If you do not agree, you should not use the Service. For the rules governing the use of the Service, please see our Terms of Use.

This Policy is intended to comply in particular with:

  • the EU General Data Protection Regulation (GDPR),
  • the California Consumer Privacy Act (CCPA), where applicable,
  • and relevant platform and app store requirements.

2. Data Controller

The controller of your personal data is:

NA2 – Seweryn Maciejewski
M. Dąbrowskiej 13/44, 39-400 Tarnobrzeg, Poland
VAT ID: PL8672240878
Email (privacy / data removal / contact): hello@faceover.ai

3. Data We Collect

We may collect and process different categories of data, depending on how you use Faceover.ai.

3.1 Account and Identification Data

  • Name or username
  • Email address
  • Password hash or other login identifiers
  • Subscription or plan information
  • Communication preferences

3.2 Content You Provide

  • Images and other media you upload to use Faceover.ai features (e.g., AI-based generation or transformation)
  • Text prompts, settings, and other inputs you provide when interacting with the Service (including system or custom prompts prepared by our system)
  • Feedback about the Service or generated results (e.g., reporting content as inaccurate or inappropriate)

We do not use your uploaded images and content to identify you biometrically or verify your real-world identity. Content is processed solely to provide the Service.

Important: You must not upload content that includes special categories of data (such as health data, sexual content, religious beliefs, or other sensitive data) or any unlawful content. Such uploads are prohibited by our Terms of Use.

3.3 Third-Party Individuals in Your Content

If you upload images that include other people, you are responsible for ensuring you have a lawful basis (e.g., consent) to use their image and process their data in the Service. We do not have direct contact with those individuals and rely on you to satisfy your information obligations.

3.4 Usage and Technical Data

  • Device information (device type, operating system, browser type and version)
  • IP address and approximate location (derived from IP, where applicable)
  • Log data relating to your use of the Service (pages visited, features used, clicks, session duration, referral URLs)
  • Error logs and performance metrics
  • Session recordings and interaction data (e.g., mouse movements, clicks, scrolling), where session replay tools are enabled

These data are collected primarily via our analytics and error-logging tools, including Google Analytics, PostHog, Sentry, Microsoft Clarity, fraud0, and taggrs.io.

3.5 Payment and Billing Data

We do not store full payment card numbers on our own servers. Payments and subscriptions for Faceover.ai are processed by Polar.sh, which acts as Merchant of Record (MoR) and seller. We receive only limited information necessary to operate paid functionality (e.g., transaction ID, plan type, billing country, status, payment dates, amounts).

3.6 Communication and Email Data

When we send you emails (e.g., account notifications, password reset links, transactional messages), we use Postmark, which may process your email address and technical email metadata (such as delivery and open status) to ensure reliable delivery and prevent abuse.

3.7 Cookies and Similar Technologies

We use cookies and similar technologies (such as local storage, tags, and pixels) to:

  • maintain your session and remember your preferences (strictly necessary)
  • enable secure login and basic functionality (strictly necessary/security)
  • collect analytics and performance data (only with your consent in the EEA)
  • support advertising, tracking, and enhanced e-commerce (only with your consent in the EEA)

Cookie consent and preferences are managed via CookieYes.

4. Purposes and Legal Bases for Processing (GDPR)

Under the GDPR, we must have a legal basis for each processing activity. We process your personal data for the purposes and on the legal bases set out below:

4.0 Legal bases at a glance (GDPR)

We rely on the following legal bases under the GDPR, depending on the processing context:

  • Performance of a contract (Art. 6(1)(b)) – providing and operating the Service, account management, AI inference at your request.
  • Consent (Art. 6(1)(a)) – non-essential cookies/trackers (analytics/marketing) and any future optional model-training opt-in.
  • Legitimate interests (Art. 6(1)(f)) – security, product analytics and improvement (where consent is not legally required), error logging, fraud prevention, and establishing, exercising, or defending legal claims.
  • Legal obligation (Art. 6(1)(c)) – compliance with tax/accounting rules and lawful requests by competent authorities.

4.1 Service Delivery and Operation

We process data to:

  • provide access to Faceover.ai and its features
  • process uploaded images and content and generate results using AI models
  • create and manage your account, authentication, and user sessions

4.2 Customer Support and Communication

We process data to respond to your inquiries, support requests, and feedback, and to send important information about the Service.

4.3 Analytics, Error Logging, and Service Improvement

We use analytics and logging tools (e.g., Google Analytics, PostHog, Sentry, Microsoft Clarity, fraud0, taggrs.io) to understand usage, monitor performance, detect errors, and improve the Service.

4.4 Advertising, Tracking, and Enhanced E-Commerce

We may use pseudonymous and technical data with advertising and tracking partners including Google Ads, Meta Ads (Facebook/Instagram), TikTok Ads, Microsoft Ads, Snapchat Ads, Pinterest Ads, and taggrs.io to measure campaign effectiveness, perform retargeting and personalized advertising (where legally allowed and consented), and measure conversions.

We do not share uploaded images with advertising networks.

4.5 Payments and Billing (Polar.sh as Merchant of Record)

We use Polar.sh to process payments/subscriptions, handle invoicing/refunds, and maintain accounting records. Polar.sh acts as Merchant of Record and may act as an independent controller for certain payment data.

4.6 Email Delivery (Postmark)

We use Postmark for transactional and service-related emails.

4.7 AI Models and Training

We use your content only for real-time processing (inference) to provide the requested feature. We do not use your uploaded images/prompts to train models reused for other customers.

In the future, we may offer an optional opt-in to allow the use of your content to train your own or our models. If introduced, it will be clearly presented, disabled by default, and will require your explicit consent. You will be able to withdraw consent at any time without affecting processing carried out before withdrawal.

4.8 Legal Obligations and Protection of Rights

We may process data to comply with legal obligations (e.g., responding to lawful requests) and to protect our rights, property, or safety, and those of our users or others.

5. Third-Party Services and Data Sharing

We share personal data only to the extent necessary to provide, improve, and secure the Service, subject to appropriate safeguards.

Each third-party service processes data under its own privacy policy and terms. We do not control their independent practices; please see the linked privacy policies in this section for details.

5.1 Infrastructure and Hosting

We use cloud, hosting, storage, and content delivery network (CDN) providers to run our infrastructure, including Cloudflare (EU and US). These providers act as our processors under GDPR-compliant data processing agreements.

5.2 Analytics, Error Logging, and Session Replay

5.3 Advertising and Tracking Partners

These services may set and read cookies or similar identifiers to measure conversions, build audiences, and provide personalized or contextual advertising, depending on your consent and local law. Sensitive content such as your uploaded images is not shared with these advertising networks.

5.4 AI Providers and Model Inference

Depending on the features you use, we may send prompts and related inputs (including system/custom prompts prepared by our system) and, where necessary for the requested feature, images to third-party AI providers for processing:

We do not allow these providers to use your content to train models reused for other customers.

5.5 Payments – Polar.sh (Merchant of Record)

Payments and subscriptions are processed by Polar.sh, acting as Merchant of Record (MoR) and seller on your receipts. Polar.sh may act as an independent controller for certain payment data.

5.6 Email Provider – Postmark

We use Postmark to send transactional emails and service notifications.

5.7 Cookie Consent Management – CookieYes

We use CookieYes to display the cookie banner, manage your cookie consent, and store your preferences.

5.8 Legal and Other Disclosures

We may disclose your personal data to competent authorities, regulators, courts, professional advisors (such as lawyers and accountants), or in the context of a business transaction (e.g., merger or acquisition), where necessary and subject to appropriate safeguards.

We do not sell your personal data.

6. International Data Transfers

Your data may be processed in countries outside the European Economic Area (EEA), including the United States, where some of our service providers (e.g., Cloudflare, AI and analytics providers) are located or operate globally.

When we transfer personal data outside the EEA, we ensure appropriate safeguards, such as:

  • adequacy decisions by the European Commission; and/or
  • Standard Contractual Clauses (SCCs) approved by the European Commission; and
  • additional technical and organizational measures where appropriate.

7. Data Retention

We retain personal data for as long as your account remains active and as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements. We do not guarantee availability of your content. You are responsible for your own backups.

  • Account and profile data – kept while your account is active and for a reasonable period thereafter where needed.
  • Original uploads (images) – stored and processed as needed to provide the Service and related features. You may request deletion at any time.
  • Generated results (AI images) – available indefinitely while you have an active paid plan; for free accounts we may store them indefinitely but reserve the right to delete them at any time. We do not guarantee their availability.
  • Analytics, logs, and technical data – retained as necessary for security, performance, and improvement, then aggregated or anonymized where possible.
  • Payment and billing data – retained by Polar.sh as Merchant of Record in accordance with applicable financial, tax, and accounting regulations; we retain only limited related records necessary to operate paid functionality.

Residual copies may persist in backups and caches for a limited period. We perform best-effort purges of CDN caches and backups within operational constraints.

8. Your Rights under GDPR (EU/EEA Users)

If you are in the EU/EEA, you have the following rights with respect to your personal data:

  • Right of access – to know whether we process your data and obtain a copy
  • Right to rectification – to correct inaccurate or incomplete data
  • Right to erasure ("right to be forgotten") – to request deletion of your data in certain circumstances
  • Right to restriction of processing – to request that we limit processing in specific situations
  • Right to data portability – to receive your data in a structured, commonly used, machine-readable format
  • Right to object – to object to processing based on our legitimate interests, including profiling, and to processing for direct marketing
  • Right to withdraw consent – where processing is based on consent, you may withdraw it at any time

You can delete specific images from the UI. To delete your account or to request export/deletion of data, please contact hello@faceover.ai. We usually respond within 30 days. We may extend this by a further 30 days for complex requests and will verify your identity where needed.

You also have the right to lodge a complaint with your local data protection authority.

9. Your Rights under CCPA (California Users)

If you are a California resident, you may have rights under the CCPA, including the right to know, access, and request deletion of personal information, and to opt out of the "sale" or "sharing" of personal information. We do not sell personal data. We may share certain pseudonymous identifiers for cross-context behavioral advertising with your consent.

To exercise your CCPA rights, contact hello@faceover.ai. You can control cookies/advertising preferences at any time via the cookie settings link in this Policy (which serves as a "Do Not Sell or Share My Personal Information" control) or use: Do Not Sell or Share My Personal Information.

California residents may exercise rights via an authorized agent subject to identity verification. We do not use or disclose "sensitive personal information" for purposes that require a right to limit under the CCPA.

10. Children’s Privacy

The Service is not intended for children under the age of 13 (or under 16 in the EU/EEA where higher age thresholds apply). Where legally permitted, use by minors may require verifiable parental consent. We do not knowingly collect personal data from children in these age groups.

If we become aware that we have inadvertently collected personal data from a child in violation of applicable law, we will delete such information as soon as reasonably possible.

11. Content Moderation and Abuse Prevention

We may use automated systems and, in exceptional cases, limited manual review to detect and prevent abuse, including unlawful content (e.g., CSAM, hate speech, violent content) and violations of our Terms. In such cases, we may retain relevant data longer than usual where necessary to report to authorities or defend against claims. Accounts violating our policies may be suspended or terminated.

12. Security Measures

We implement appropriate technical and organizational measures to protect your data, including:

  • encryption of data in transit (e.g., TLS/HTTPS)
  • secure infrastructure and access controls, least-privilege access
  • regular monitoring, logging, and reviews
  • limiting internal access to personal data to authorized personnel only

However, no system is completely secure. While we strive to protect your personal data, we cannot guarantee absolute security.

13. Cookies and Similar Technologies

We use cookies and similar technologies for:

  • essential functionality (login, security, core features)
  • preferences and personalization
  • analytics and performance (with consent where required)
  • advertising, tracking, and enhanced e-commerce (with consent where required)

Cookie consent and preferences are managed by CookieYes. When you first visit Faceover.ai, you may see a cookie banner that allows you to accept all cookies, reject non-essential cookies, or configure specific categories. You can revisit cookie settings at any time: Cookie Settings · Do Not Sell or Share My Personal Information

13.1 Cookie Audit / List of Cookies

The following element is used by CookieYes to dynamically display the list of cookies and similar technologies used on the Service:

The actual cookies, providers, and lifetimes displayed in this table may change over time as we update our tools and integrations.

You can also control cookies at the browser level by blocking or deleting them; however, this may affect certain functionalities of the Service.

14. Changes to This Policy

We may update this Privacy Policy from time to time, for example to reflect changes in our Service, applicable laws, or third-party providers. If we make material changes, we will inform you by appropriate means, such as a notice in the app/website, an email, or an update to the "Last updated" date below. Your continued use of the Service after such changes take effect signifies your acceptance of the updated Policy.

15. Contact

If you have any questions about this Privacy Policy or wish to exercise your rights, you can contact us at:

NA2 – Seweryn Maciejewski
M. Dąbrowskiej 13/44, 39-400 Tarnobrzeg, Poland
VAT ID: PL8672240878
Email: hello@faceover.ai