Last updated 2026-04-21
Privacy Policy
FaceyIT FZ-LLC ("we") operates Face.it. This policy explains what personal data we collect, why, how long we keep it, and the rights you have over it.
1. Who we are
The controller of your personal data is FaceyIT FZ-LLC, registered in Ras Al Khaimah Economic Zone (RAKEZ), United Arab Emirates under [PLACEHOLDER — RAKEZ licence no.], with registered office at [PLACEHOLDER — RAKEZ registered address]. You can reach our privacy team at privacy@facey.it.
2. Data we collect
The personal data we process falls into four categories:
- Account data. Email address, hashed password, display name (optional), account status, timestamps for creation, last login, email verification, and age self-attestation. If you connect a Telegram account we store your Telegram user ID and session metadata — not your password.
- Face photo (Input). The photograph you upload to generate stickers. We treat your face photo as sensitive personal data and apply the additional safeguards described in section 4.
- Generated content (Output). The sticker images produced from your Input plus associated metadata (template used, timestamps, pack status).
- Technical data. IP address, user-agent, request logs, and error traces — used to operate the service and investigate abuse. Logs are retained for a rolling 30 days.
3. Why we process it
We process your personal data to:
- create and authenticate your account;
- generate sticker packs from your uploads;
- operate, monitor, and secure the service;
- process payments for paid features;
- send transactional email (sign-up verification, password reset, billing receipts);
- comply with legal obligations;
- enforce our Terms of Use.
4. How we handle your face photo
Your face photo is processed only to generate the pack you request. It is stored in encrypted object storage and is accessible only to the generation pipeline.
Retention. Your uploaded photo is deleted automatically 90 days after upload, and you can delete it from your account at any time before that. Generated packs are retained in your library until you delete the pack or delete your account — we do not run a timed sweep on generated packs.
We do not use your photo to train or fine-tune our own or any third-party machine-learning model. We do not sell your photo and we do not share it for advertising purposes.
5. Legal basis for processing
Our primary legal framework is the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021, "PDPL"), which governs the processing of your personal data by FaceyIT FZ-LLC. Under the PDPL, we process your data on the following bases:
- Your explicit consent (PDPL Art. 5(a)) — given at sign-up for the processing of your face photo (sensitive personal data under PDPL Art. 15) to generate sticker packs. You can withdraw consent at any time by deleting your account.
- Performance of a contract (PDPL Art. 5(b)) — to provide the Service you signed up for.
- Legitimate interests (PDPL Art. 5(g)) — for security, abuse prevention, and core service operation, balanced against your rights.
- Legal obligation (PDPL Art. 5(e)) — where processing is required by UAE law (for example, billing records for tax purposes).
Defensive note for EU/UK residents. Face.it is not offered to residents of the EEA, the United Kingdom, or Switzerland (see our Terms of Use §2). If, despite the geo-block, you reach the Service from one of those regions, we rely defensively on GDPR Art. 6(1)(a) / Art. 9(2)(a) (explicit consent for processing of biometric data, collected at sign-up) and Art. 6(1)(b) (contract performance) as the corresponding lawful bases.
6. AI provider disclosure
To generate sticker images, your uploaded photo is transmitted to an AI image-generation provider. We currently use Google Gemini (gemini-2.5-flash-image), which processes the image to produce the Output and returns it to us. Under our agreement with the provider, your image is processed only to fulfil our request and is not used to train the provider's models.
Google may process data outside of the European Economic Area. Transfers are governed by Standard Contractual Clauses and, in relevant cases, the EU–US Data Privacy Framework.
7. Other recipients
Besides our AI provider, we share data with carefully selected sub-processors to run the service:
- Object storage (Hostinger Object Storage, S3-compatible) — storage of Input and Output;
- Email delivery (Resend) — transactional email;
- Payment processing — billing for paid features;
- Infrastructure hosting (Hostinger) — server hosting and logging.
We do not sell personal data to third parties.
8. Retention
We retain personal data only as long as is necessary for the purposes we collected it for or as required by law:
- Uploaded photo: 90 days after upload, or immediately on your request.
- Generated pack (images and metadata): retained in your library until you delete the pack or delete your account — no timed sweep.
- Account data: for as long as your account is active, plus a short period after closure to allow for account recovery and dispute resolution.
- Consent / attestation records: 30 days of detailed audit rows, after which only the current consent state is retained on the account record.
- Technical logs (IP, user-agent, request and error traces): 30-day rolling window.
- Billing records: as required by applicable UAE tax and accounting law.
9. Your rights
Under the UAE PDPL you have the right to:
- access the personal data we hold about you;
- have inaccurate data rectified;
- request erasure of your personal data;
- restrict or object to processing;
- receive a copy of your data in a portable format;
- withdraw consent where processing is based on consent, without affecting the lawfulness of past processing;
- lodge a complaint with the UAE Data Office.
To exercise any of these rights, email privacy@facey.it. We will respond within the period required by applicable law — generally within 30 days, extendable for complex requests.
Defensive note for EU/UK residents. If, despite our geo-posture, you are an EEA/UK data subject who reaches the Service, the same catalogue of rights applies under GDPR Art. 15–22 and you may lodge a complaint with your local data-protection authority.
10. Account deletion
You can delete your account from your account settings. Deletion removes your account, uploaded photos, and generated packs from our primary storage within 30 days. Residual copies in encrypted backups are purged on the backup-rotation schedule.
11. Children
Face.it is an adult-only service. It is not directed at, and must not be used by, anyone under 18. We do not knowingly collect personal data from anyone below this age, and we prohibit the upload of photographs depicting any person under 18 (see our Terms of Use §4). If you believe a minor has created an account or that a photograph depicting a minor has been uploaded, email privacy@facey.it and we will investigate and, if confirmed, delete the account and the associated content promptly.
13. Security
We apply industry-standard technical and organisational measures to protect your data, including TLS in transit, encryption at rest for object storage, hashed passwords (bcrypt), role-based access controls, and logging of administrative actions. No system is perfectly secure — we cannot guarantee absolute security.
14. Changes to this policy
We may update this Privacy Policy. Material changes will be announced at least 14 days before they take effect via email or in-product notice. The "Last updated" date at the top of this page always shows the effective date.
15. Contact
Privacy questions or requests: privacy@facey.it.
