Privacy Policy

MeByFace — Extended Architecture-Aligned Version

Last updated: February 15, 2026

1. Data Controller

Data Controller:

Mebyface, MB

Company code: 307577192

Address: Peledu g. 28, Vilniaus rajonas, Republic of Lithuania

Email: info@mebyface.com

The Company acts as the data controller under GDPR and other applicable legislation.

Our data handling practices comply with GDPR (Regulation EU 2016/679), Illinois BIPA (740 ILCS 14), and the California Consumer Privacy Act (CCPA).

2. Systems Architecture and Data Flows

When using www.mebyface.com, personal data is processed within the following infrastructure:

2.1 Supabase (PostgreSQL)

Used for:

  • account data
  • analysis metadata
  • audit logs
  • push subscriptions
  • task and reflection data

Data is stored in the EU region (if configured for the EU project).

2.2 Vercel Blob Storage

Used for temporary storage of facial photographs. Important:

  • Blob URLs may be technically accessible with a direct link.
  • URLs are not publicly indexed.
  • Photos are automatically deleted within 48 hours.

2.3 Microsoft Azure Face API

Used for:

  • facial landmark detection
  • proportion calculation

The photograph is transmitted for processing via a secure connection (HTTPS).

2.4 OpenAI (ChatGPT 5.2)

Used for:

  • generating text-based personality insights
  • interpreting analysis results

Only structured proportion data is transmitted (not the full photograph, where technically separated).

2.5 Stripe

Used for payment processing. MeByFace does not store card details — only payment session information is received.

2.6 n8n (EU Region)

Used for:

  • automated workflow processes
  • email and system notifications

3. Categories of Data Processed

3.1 Account Data

  • email address
  • user name
  • account ID
  • subscription status
  • creation date

Legal basis: GDPR Art. 6(1)(b)

3.2 Biometric Data

Processed:

  • uploaded facial photograph
  • facial geometry data
  • proportion data

Purpose: analysis generation and report preparation. Biometric data is:

  • not used for identification
  • not used for authentication
  • not sold
  • not used for advertising

Legal basis: GDPR Art. 9(2)(a) and Art. 22(2)(c)

3.3 Automated Profiling

Analysis is performed using automated systems (Azure and OpenAI) and reviewed by human experts before final delivery. You have the right to:

  • request human review
  • contest results
  • express your position

3.4 Audit Log Data

Stored:

  • IP address
  • user agent
  • action type
  • timestamp
  • associated account ID

Purpose: security, incident investigation, fraud prevention. Retention period: up to 12 months.

3.5 Push Notification Data

Stored:

  • endpoint URL
  • p256dh key
  • auth token
  • device information

Used solely to send notifications to the user.

3.6 Reflection and Task Data

Stored:

  • task completion statuses
  • journal entries
  • progress metadata

4. Retention Periods

Data Type             Retention Period
Facial photographs    ≤ 48 hours
Account data          Until account deletion
Account deletion      Completed within 30 days
Audit logs            ≤ 12 months
Financial data        Up to 7 years
Push subscriptions    Until unsubscribed

5. International Transfers

Data may be transferred outside the EU (e.g., to Azure or OpenAI infrastructure). The following safeguards apply:

  • Standard Contractual Clauses (SCC), where applicable
  • encryption during transfer
  • access restrictions

6. Incident Management

In the event of a security breach:

  • an internal investigation is conducted;
  • the supervisory authority is informed within 72 hours, where applicable;
  • users are informed if there is a high risk to their rights and freedoms.

7. US Biometric Data Compliance

Illinois: A “written release” is obtained prior to collection, and a clear destruction policy is established.

California: Biometric data is treated as Sensitive Personal Information. It is not sold and not shared for advertising purposes.

Texas and Washington: Data is collected only with consent and destroyed within a reasonable period.

8. Data Subject Rights

Users have the right to:

  • access their data
  • rectify inaccuracies
  • request erasure
  • restrict processing
  • withdraw consent
  • object to processing
  • not be subject to solely automated decision-making

Response time: 1 month (may be extended to 3 months for complex requests).

9. Limitation of Liability

The Company applies reasonable security measures but does not guarantee absolute security.

Maximum liability, to the extent permitted by law, shall not exceed the amount paid within the previous 12 months.

10. Policy Changes

Material changes will be published on the website. Continued use of the Service after publication constitutes acceptance of the updated policy.

Contact

Mebyface, MB

Peledu g. 28, Didieji Gulbinai

Vilniaus rajonas, Lietuva

info@mebyface.com