📜 ModelMask Privacy Policy
Last updated: 2025-04-27
Welcome to ModelMask (“we”, “our”, “us”).
We help creators locate and remove unauthorized copies of their images online.
This policy explains what data we collect, why, and how you can control it.
1. Scope
- Applies to app.modelmask.com, modelmask.com, and any mobile/PWA clients.
- Governing law: California, USA.
- We comply with the GDPR (EU) and CCPA (California) where applicable.
2. What We Collect & Why
| Category | Examples | Purpose | Legal Basis* | |----------|----------|---------|--------------| | Account Data | Email, password hash, 2-FA secret | Create & secure your account | Contract | | KYC Data (optional) | Government-ID selfie | Verify ownership of copyrighted images | Consent | | Reference Images | Originals you upload | Generate perceptual hashes & embeddings | Contract | | Embeddings / Hashes | pHash, CLIP vector | Match leaks without storing raw nudity | Legitimate Interest | | Match Evidence | URLs, thumbnails, similarity score | Draft DMCA notices | Contract | | Billing Data | Card token, invoices (via Stripe) | Process payments | Contract | | Log Data | IP, user-agent, API events | Security, debugging | Legitimate Interest |
*“Legal basis” terms per GDPR Art. 6.
3. Cookies & Analytics
We use:
- A session cookie for authentication.
- Plausible Analytics (self-hosted, cookie-less, anonymized).
No profiling or third-party advertising cookies.
4. How We Store & Secure Data
- Supabase Postgres (AES-256 at rest, TLS in transit).
- Reference images stored encrypted in Supabase Storage; embeddings stored in pgvector.
- Access is role-based; all actions logged in an immutable audit table.
5. Retention Schedule
See Data-Retention Statement. Key points:
- Reference images → deleted 90 days after account deletion.
- Candidate thumbnails → deleted 30 days after takedown removed.
- Audit log → kept 6 years for legal defence.
6. Your Rights
Wherever applicable, you may:
- Access or export your data.
- Rectify inaccurate data.
- Delete your account & data (except immutable audit log).
- Object to processing (e.g., analytics).
Email privacy@modelmask.com to exercise these rights.
7. Sub-Processors
| Provider | Purpose | Location | |----------|---------|----------| | Supabase | Database, Auth, Storage | USA / EU (user-selectable) | | Vercel | Hosting & CDN | USA / EU | | Stripe | Payments | USA | | SendGrid | Transactional email | USA | | Plausible | Analytics | EU (DE) |
8. International Transfers
Data may be processed in the United States.
We rely on Standard Contractual Clauses (SCCs) for EU→US transfers.
9. Updates
We may update this policy. Material changes are emailed 30 days in advance.
10. Contact
ModelMask, LLC
2319 Ocean Front Walk, Venice, CA 90291
đź“§ privacy@modelmask.com
📬 Contact for Privacy Questions or Concerns
If you have any questions, concerns, or requests regarding your personal data, you may contact us at:
Privacy Contact: ModelMask, Inc. Email: privacy@modelmask.com
We will respond to verified consumer requests in accordance with applicable data protection laws, including the GDPR, CCPA, and CPRA.
🛡️ No Sale of Personal Data
We do not sell, rent, lease, or otherwise disclose your personal data to third parties for monetary or other valuable consideration. ModelMask is fully committed to protecting your privacy and ensuring your data remains under your control.
If our data sharing practices change in the future, we will update this policy and provide advance notice as required by law.