Privacy Policy
Last updated: February 1, 2026
1. What We Collect
Biometric Data
When you upload a photo, Pheno processes facial geometry data including facial landmarks (68 points), facial proportions, symmetry measurements, and other geometric features. This data is classified as biometric information under BIPA (Illinois), CCPA (California), and PIPEDA (Canada).
This biometric data is processed in real-time and deleted immediately after analysis. We do not store facial images, facial templates, faceprints, or any biometric identifiers after processing is complete.
Analysis Results
Numerical scores, grades, and textual analysis results are retained for up to 90 days for free-tier users and indefinitely for paid users (until account deletion). These results contain no biometric identifiers and cannot be used to reconstruct your facial image.
Account Data
If you create an account: email address, hashed password, date of birth (for age verification), and jurisdiction (auto-detected from IP, overridable).
Payment Data
Payment processing is handled by Stripe and PayPal. We do not store credit card numbers. We retain transaction IDs and amounts for accounting purposes.
2. How We Use Your Data
- Generate facial analysis reports (sole purpose of biometric processing)
- Process payments
- Provide analysis history and progress tracking
- Comply with legal obligations
We do not sell, lease, trade, or profit from your biometric data.
3. Image Deletion Policy
Uploaded images are stored temporarily (maximum 30 minutes) in an encrypted temporary storage bucket. Images are deleted from our systems immediately after analysis completes. A deletion audit log records the timestamp and confirmation of each image deletion. Only a SHA-256 hash of the image is retained for duplicate detection purposes.
4. Data Retention
| Data Type | Retention Period |
|---|---|
| Uploaded images | Deleted immediately (max 30 min) |
| Facial geometry/biometric data | Deleted immediately after analysis |
| Numerical analysis results | 90 days (free) / until deletion (paid) |
| Consent records | 3 years (legal requirement) |
| Payment records | 7 years (accounting requirement) |
| Deletion audit logs | 3 years (compliance) |
5. Your Rights
Depending on your jurisdiction, you have the right to:
- Access: Request a copy of your data
- Deletion: Request deletion of all your data
- Portability: Export your analysis results
- Withdraw consent: Revoke consent at any time
- Opt-out of sale: We do not sell data, but you may exercise this right
To exercise these rights, contact: privacy@phenoface.com
6. Security
We implement industry-standard security measures including HTTPS encryption, secure server infrastructure, access controls, and regular security audits. Biometric data is never written to persistent storage.
7. Third Parties
- Stripe: Payment processing (PCI DSS compliant)
- PayPal: Payment processing
- Cloudflare: CDN, DDoS protection, temporary image storage
- Supabase: Database hosting (SOC 2 compliant)
We do not share biometric data with any third party.
8. Children
Pheno is not intended for use by anyone under 18 years of age. We do not knowingly collect data from minors. If we discover data from a minor has been collected, it will be immediately deleted.
9. Contact
Privacy inquiries: privacy@phenoface.com
Data Protection Officer: dpo@phenoface.com