Privacy Policy
Effective June 6, 2026 · Last updated June 6, 2026
This Privacy Policy explains how [FACET LABS — LEGAL ENTITY ON FORMATION] (“Facet,” “we”) collects, uses, and shares personal data when you use Facet, our forensic media-attribution service. It is written with the EU/UK General Data Protection Regulation (GDPR) and similar laws in mind.
1. Our role: controller and processor
For personal data about your account and use of the Service (for example, your contact details and usage logs), Facet is the controller. For personal data contained in the Customer Content you submit — including recipient identifiers and any media depicting people — Facet generally acts as a processor on your behalf, and you are the controller responsible for having a lawful basis for that processing. [DATA PROCESSING ADDENDUM (DPA) REFERENCE] governs that processing.
2. Data we collect
You provide
- Account & contact data — name, email, organization, and credentials.
- Customer Content — media you register and distribute, and recipient identifiers you associate with issued copies (which may be personal data, such as a name or email).
- Suspect media you submit for detection.
Collected automatically
- Usage & log data — requests, timestamps, IP address, device/browser information, and diagnostics.
- Cookies / similar — [COOKIE & ANALYTICS DETAILS] (strictly-necessary cookies for sign-in; analytics only where permitted).
3. How we use personal data
- to provide, operate, secure, and support the Service;
- to embed identifiers, generate copies, perform detection, and produce evidence reports at your direction;
- to prevent abuse and enforce our terms;
- to comply with legal obligations; and
- to communicate with you about the Service.
We do not sell personal data.
4. Legal bases (GDPR Article 6)
Where GDPR applies, we rely on:
- Contract — to provide the Service you request;
- Legitimate interests — to secure, improve, and prevent abuse of the Service, balanced against your rights;
- Legal obligation — to comply with law; and
- Consent — where required (you may withdraw it at any time).
Where Facet acts as processor for your Customer Content, you are responsible for establishing the legal basis for that processing.
5. A note on the embedded identifier
Facet’s embedded identifier is a technical signal embedded into media for provenance and attribution. It is not a biometric identifier, and Facet does not perform facial recognition or biometric profiling of individuals. Attribution links a recovered copy to the issuance record you created, not to any biometric characteristic of a person.
6. Your rights
Subject to applicable law, you may have the right to access, correct, delete, restrict, or object to processing of your personal data, to data portability, and to withdraw consent. You may also lodge a complaint with your data-protection supervisory authority ([LEAD SUPERVISORY AUTHORITY]). To exercise your rights, contact [PRIVACY CONTACT EMAIL]. Where Facet processes data on behalf of a customer, we will refer your request to that customer.
7. Sharing & subprocessors
We share personal data only with service providers that help us run the Service, under contracts that require appropriate protection, and where required by law or to protect rights and safety. Current categories of subprocessors include [HOSTING / CLOUD PROVIDER], [EMAIL PROVIDER], and [ANALYTICS / ERROR-MONITORING]. A current list is available at [SUBPROCESSOR LIST URL]. We may also disclose personal data to an affected copyright owner or rights holder in connection with an infringement claim, and to comply with legal process or to establish, exercise, or defend legal claims.
8. International transfers
We may process personal data in [COUNTRIES / REGIONS]. Where we transfer personal data out of the EEA, UK, or Switzerland, we use appropriate safeguards such as the European Commission’s Standard Contractual Clauses and the UK Addendum, plus supplementary measures where needed.
9. Retention
We keep personal data only as long as needed for the purposes above and to meet legal requirements. Indicative periods: [ACCOUNT DATA RETENTION], [CUSTOMER CONTENT RETENTION], [LOG RETENTION]. You can request deletion as described above, subject to legal retention obligations.
10. Security
We use technical and organizational measures appropriate to the risk, including [ENCRYPTION IN TRANSIT / AT REST], access controls, and confidential handling of keys. No method is perfectly secure; we cannot guarantee absolute security.
11. Children
The Service is not directed to, and we do not knowingly collect personal data from, children under [16 / 18].
12. U.S. state privacy rights (e.g., California)
Depending on your state, you may have rights to know, access, delete, correct, and opt out of certain processing, and not to be discriminated against for exercising them. We do not sell or “share” personal data as defined by California law. To exercise these rights, contact [PRIVACY CONTACT EMAIL]. [OTHER STATE-LAW DISCLOSURES].
13. Changes
We may update this Policy and will post the new version with an updated effective date; material changes will be notified where required.
14. Contact
Privacy questions or requests: [PRIVACY CONTACT EMAIL]. [DATA PROTECTION OFFICER / EU–UK REPRESENTATIVE, IF APPLICABLE]. [LEGAL ENTITY & REGISTERED ADDRESS ON FORMATION].