📜 ModelMask Privacy Policy

Last updated: 2025-04-27

Welcome to ModelMask (“we”, “our”, “us”).
We help creators locate and remove unauthorized copies of their images online.
This policy explains what data we collect, why, and how you can control it.


1. Scope

  • Applies to app.modelmask.com, modelmask.com, and any mobile/PWA clients.
  • Governing law: California, USA.
  • We comply with the GDPR (EU) and CCPA (California) where applicable.

2. What We Collect & Why

| Category | Examples | Purpose | Legal Basis* | |----------|----------|---------|--------------| | Account Data | Email, password hash, 2-FA secret | Create & secure your account | Contract | | KYC Data (optional) | Government-ID selfie | Verify ownership of copyrighted images | Consent | | Reference Images | Originals you upload | Generate perceptual hashes & embeddings | Contract | | Embeddings / Hashes | pHash, CLIP vector | Match leaks without storing raw nudity | Legitimate Interest | | Match Evidence | URLs, thumbnails, similarity score | Draft DMCA notices | Contract | | Billing Data | Card token, invoices (via Stripe) | Process payments | Contract | | Log Data | IP, user-agent, API events | Security, debugging | Legitimate Interest |

*“Legal basis” terms per GDPR Art. 6.

3. Cookies & Analytics

We use:

  1. A session cookie for authentication.
  2. Plausible Analytics (self-hosted, cookie-less, anonymized).
    No profiling or third-party advertising cookies.

4. How We Store & Secure Data

  • Supabase Postgres (AES-256 at rest, TLS in transit).
  • Reference images stored encrypted in Supabase Storage; embeddings stored in pgvector.
  • Access is role-based; all actions logged in an immutable audit table.

5. Retention Schedule

See Data-Retention Statement. Key points:

  • Reference images → deleted 90 days after account deletion.
  • Candidate thumbnails → deleted 30 days after takedown removed.
  • Audit log → kept 6 years for legal defence.

6. Your Rights

Wherever applicable, you may:

  • Access or export your data.
  • Rectify inaccurate data.
  • Delete your account & data (except immutable audit log).
  • Object to processing (e.g., analytics).
    Email privacy@modelmask.com to exercise these rights.

7. Sub-Processors

| Provider | Purpose | Location | |----------|---------|----------| | Supabase | Database, Auth, Storage | USA / EU (user-selectable) | | Vercel | Hosting & CDN | USA / EU | | Stripe | Payments | USA | | SendGrid | Transactional email | USA | | Plausible | Analytics | EU (DE) |

8. International Transfers

Data may be processed in the United States.
We rely on Standard Contractual Clauses (SCCs) for EU→US transfers.

9. Updates

We may update this policy. Material changes are emailed 30 days in advance.

10. Contact

ModelMask, LLC
2319 Ocean Front Walk, Venice, CA 90291
đź“§ privacy@modelmask.com

📬 Contact for Privacy Questions or Concerns

If you have any questions, concerns, or requests regarding your personal data, you may contact us at:

Privacy Contact: ModelMask, Inc. Email: privacy@modelmask.com

We will respond to verified consumer requests in accordance with applicable data protection laws, including the GDPR, CCPA, and CPRA.

🛡️ No Sale of Personal Data

We do not sell, rent, lease, or otherwise disclose your personal data to third parties for monetary or other valuable consideration. ModelMask is fully committed to protecting your privacy and ensuring your data remains under your control.

If our data sharing practices change in the future, we will update this policy and provide advance notice as required by law.