Privacy Policy
Introduction
FaceDB ("we", "us") provides a B2B facial recognition database service. This Privacy Policy explains how we collect, use, store, and protect your personal and biometric data in compliance with Brazil's Lei Geral de Proteção de Dados (LGPD — Law No. 13.709/2018).
What we process
- Account data: email address, password hash, TOTP secret
- Biometric data: facial embedding vectors derived from subject photos you upload
- Subject metadata: names, notes, tags, and photo storage paths
- Usage data: query counts, plan limits, team membership records
- Consent records: timestamp and version of your biometric data consent
Legal basis and consent
Biometric data processing requires your explicit consent, captured at account registration. You may withdraw consent and request deletion of all data at any time through account settings.
Purpose of processing
We process facial embeddings solely to enable face matching within your private database. We do not use your data for training, marketing, or sharing with third parties beyond the subprocessors listed below.
Data we store
- Subject photos in private Supabase Storage buckets (encrypted at rest)
- 512-dimensional facial embedding vectors in PostgreSQL with pgvector
- Query photos are never stored — processed in memory only
Third-party processors
- Supabase (database, auth, storage) — US/EU
- DigitalOcean (embedding inference service) — US
- Stripe (billing, if applicable) — US
Retention and deletion
Data is retained for the duration of your account. Account deletion triggers complete cascade removal of all photos, embeddings, subjects, team data, and consent records within 30 days.
Your rights under LGPD
- Access your personal data
- Correct inaccurate data
- Request deletion (right to erasure)
- Withdraw consent at any time
- Data portability upon request
- Lodge a complaint with ANPD (Autoridade Nacional de Proteção de Dados)
Security measures
- Mandatory TOTP two-factor authentication on all accounts
- Row-level security (RLS) on all database tables
- Private storage buckets with signed URL access
- TLS encryption in transit
- Server-side rate limiting and plan cap enforcement
Changes to this policy
We may update this policy periodically. Material changes will be communicated via email or in-app notification. Continued use after changes constitutes acceptance.
Ready to create an account? Sign up