Privacy Policy
Last updated: October 26, 2025
BlurFaces helps you hide faces and other sensitive details in photos and videos. We design for privacy from the start: wherever possible, detection and blurring run on your device in your browser. Originals are not uploaded to our servers except when you explicitly start a cloud video job (see below).
Where processing happens
- Photos (and short previews): Detection and blurring run locally in your browser. Originals never leave your device.
- Videos (optional compute service): For longer or hardware‑intensive video jobs that your device can’t comfortably handle, you may choose to process via our compute service. In that case, your video is uploaded only to a dedicated job workspace to create the blurred output.
Video via compute.blurfaces.org
- Explicit action: Upload occurs only when you start a video job that uses compute. The UI clearly indicates cloud processing.
- Ephemeral by default (≤24 h): Each job is stored in a per‑job spool directory and is automatically deleted within 24 hours of creation.
- No reuse or training: Originals, blurred outputs, and any transient detection metadata exist only to fulfill your job and are not used for model training or advertising.
- Detection metadata: During video processing we may generate temporary face/region tracks (e.g., a tracks.json) inside the job directory to apply masks accurately. These files are deleted with the job.
What we store server‑side
- ShareLinks (you opt in): If you create a ShareLink, we store only the blurred result (or a pointer to it) plus an expiry. Links auto‑expire after 24 hours and are scheduled for deletion.
- Payments: Stripe Checkout processes payments under its own policies. We do not store your payment details or customer PII on our servers.
- Telemetry (optional): Aggregate counts only (e.g., feature usage). No per‑user profiles; you can use BlurFaces without analytics.
What we do not store
- We do not keep original photos or videos beyond what’s necessary to process a chosen video job (≤24 h on compute) or to render an in‑browser session.
- We do not store face embeddings or biometric identifiers, and we do not build user profiles.
- We do not sell personal data.
ShareLinks (24 hours)
When you opt in to a ShareLink, we store a short token and a pointer to the blurred asset. Links auto‑expire after 24 hours, and we schedule deletion. We do not store original images or videos for ShareLinks.
Payments
We use Stripe Checkout to process payments. Stripe acts as our payment processor and may handle limited personal and payment information under its own policies. We do not store customer personal information on our servers.
Telemetry
Any analytics are optional and aggregate‑only (e.g., feature usage counts). We do not create per‑user profiles. You can use BlurFaces without analytics.
Cookies & Storage
- No tracking cookies.
- We may store a short‑lived entitlement token in your browser after purchase to unlock features.
- For cloud video jobs, the app stores a job token (JWT) and ID locally to authorize upload/processing; these expire automatically.
Data Retention
- ShareLinks: blurred assets and metadata auto‑expire after 24 hours.
- Video compute jobs: originals, blurred outputs, and transient detection tracks are stored only in the job workspace and are deleted within 24 hours.
- Server logs: minimal and aggregate only; we avoid storing content or biometric data in logs.
Your Rights
If you have questions or requests about your data, contact us at support@blurfaces.org.
Changes
We may update this policy as the product evolves. We will update the date above and, when material, highlight changes in‑app.