Biometric Data Policy
Last updated: January 5, 2026
This Biometric Data Policy explains how Lukas Vaičiulis, operating as Mend ("Mend," "we," "us," or "our"), handles photos containing faces when you use the Mend: AI Photo Editor mobile application ("App"). This policy is designed to provide transparency about how your photos are processed by third-party AI services, in compliance with the Illinois Biometric Information Privacy Act (BIPA), GDPR Article 9 (special categories of data), CCPA/CPRA (sensitive personal information), and other applicable data protection laws.
Important Notice About Photos Containing Faces
When you upload photos containing human faces to Mend for AI transformation, your photos are sent to third-party AI services (Replicate and OpenAI) for processing. These AI services may analyze facial features as part of applying the visual effects you requested. This processing only occurs with your explicit, informed consent, which you provide before your first AI generation.
You may withdraw your consent at any time by contacting us or deleting your account (see Section 7).
Quick Summary
- What we process: Photos you upload, which may contain faces, are sent to third-party AI services for transformation
- What we do NOT do: We do NOT extract, store, or create biometric identifiers, templates, or facial geometry data ourselves
- Third-party processing: AI services (Replicate/OpenAI) may process facial features as part of applying visual effects
- Purpose: Solely to apply AI effects to your photos (e.g., style transfers, transformations)
- Consent: Required before first use; you must explicitly agree in-app
- Retention: Original photos deleted within 24 hours from our storage; generated images kept until you delete them
- No identification: Neither we nor our AI providers use your photos for facial recognition or identification
- No sale: We NEVER sell, lease, trade, or profit from your photos or any derived data
- Withdrawal: You can withdraw consent without deleting your account
1. Definitions
For purposes of this policy:
- "Biometric Data" or "Biometric Information" means facial geometry, facial features, or other characteristics derived from photographs that could potentially be used to identify an individual, as defined under applicable laws including BIPA, GDPR, and CCPA.
- "Biometric Identifier" means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.
- "Special Category Data" (GDPR) means biometric data processed for the purpose of uniquely identifying a natural person.
- "Sensitive Personal Information" (CCPA/CPRA) includes biometric information as defined under California law.
2. How We Handle Photos Containing Faces
2.1 What Mend Does
When you upload photos for AI transformation, Mend:
- Temporarily stores your photo: We store your uploaded photo in secure cloud storage for up to 24 hours to complete the AI processing job
- Sends your photo to AI services: Your photo is transmitted to third-party AI services (Replicate and OpenAI) for visual transformation
- Stores the result: The AI-generated output is stored until you delete it or your account
2.2 What Mend Does NOT Do
Mend explicitly does NOT:
- Extract, measure, or store facial geometry data
- Create biometric identifiers, templates, or embeddings
- Build or maintain face recognition databases
- Perform facial recognition or face matching
- Analyze photos for identification purposes
- Collect iris or retina scans, fingerprints, voiceprints, or hand geometry
2.3 What Third-Party AI Services May Do
The AI services we use (Replicate and OpenAI) may process facial features as part of applying visual effects to your photos. This processing is:
- Performed solely to generate the AI transformation you requested
- Not used for facial recognition or identification
- Subject to their respective privacy policies (see Section 8)
3. Purpose of Photo Processing
Limited Purpose
We process your photos (which may contain faces) solely for the following limited purposes:
- Applying AI-powered visual effects and transformations to your photos
- Generating stylized or modified versions of your images
- Content moderation to prevent prohibited content
Neither Mend nor our AI service providers use your photos for:
- Identification or verification of individuals
- Facial recognition or face matching
- Building databases or profiles
- Training AI models (see Section 5)
- Targeted advertising or marketing
- Any purpose other than delivering the AI photo editing service you requested
4. Consent and Authorization
4.1 Explicit Consent Required
Before sending any photos to AI services for processing, we obtain your explicit, informed consent through our in-app consent flow. This consent:
- Is presented before your first AI generation
- Is separate from general Terms of Service acceptance
- Clearly explains that your photos (including any facial features) will be sent to third-party AI services
- Explains the purpose of processing
- Identifies third parties who will process your photos
- Is recorded with a timestamp for our records
- Can be withdrawn at any time (see Section 7)
4.2 Consent Records
We maintain records of your consent including:
- The date and time consent was provided
- The version of the consent disclosure shown
- Your user identifier
- Any withdrawal of consent
Consent records are retained for the duration of your account plus 7 years for legal compliance purposes (consistent with our Privacy Policy).
5. AI Training and Model Development
No Training on Your Biometric Data
Mend does NOT use your photos, facial data, or biometric information to train AI models.
Regarding our AI service providers:
- Replicate: Provides the API infrastructure to host and run OpenAI's GPT-Image model for image generation. See their Privacy Policy for data retention details.
- OpenAI: Provides the GPT-Image model for AI image generation (accessed via Replicate's API) and content moderation APIs for safety filtering. Does not use API data to train models by default (since March 2023). Data may be retained up to 30 days for abuse monitoring.
For the most current information, see the Replicate Privacy Policy and OpenAI Privacy Policy.
6. Data Retention and Destruction
6.1 Retention Schedule
We follow strict retention limits for your photos:
| Data Type | Maximum Retention | Destruction Method |
|---|---|---|
| Original uploaded photos (which may contain faces) | 24 hours after job completion | Automatic deletion from Mend storage; third-party processor retention per their policies (see Section 8) |
| Generated images (AI outputs) | Until you delete them or delete your account | Deletion upon user request or account deletion |
| Thumbnails of generated images | Until you delete them or delete your account | Deletion upon user request or account deletion |
| Consent records | Account duration + 7 years | Secure destruction after retention period |
6.2 Destruction Standards
When photos are deleted from Mend systems:
- Files are permanently removed from Mend's primary storage
- Cached copies are invalidated
Third-Party Retention: Please note that our AI service providers have their own retention periods before deletion:
- OpenAI: May retain data up to 30 days for abuse and misuse monitoring
- Replicate: See their Privacy Policy for retention details
We cannot guarantee deletion from third-party systems faster than their stated retention periods. For the most current information, see the provider Privacy Policies linked in Section 5.
6.3 Initial Purpose Fulfillment
Even if the retention periods above have not elapsed, we will permanently delete photos when the initial purpose for processing has been satisfied. Specifically:
- Original photos are deleted as soon as the AI generation job completes (within minutes), but no later than 24 hours
- Generated images are retained only to allow you to view and download your creations
7. Your Rights and How to Exercise Them
7.1 Right to Withdraw Consent
You may withdraw your consent for photo processing at any time. Withdrawal options:
Option 1: Withdraw Photo Processing Consent (Keep Your Account)
Email us at support@usemend.app with subject line: "Withdraw Photo Processing Consent"
Include your account email address in the request. Upon processing:
- You will no longer be able to use AI photo generation features
- Your account and existing generated images will remain accessible
- You can view and download your previous creations
- To use AI features again, you would need to provide new consent
Option 2: Delete Your Account (Delete All Data)
Use Settings > Delete Account in the App
This will:
- Permanently delete your account
- Permanently delete all your generated images
- Permanently delete all associated photos and data
- Permanently delete your consent records (after required retention period)
Withdrawal of consent does not affect the lawfulness of processing performed before the withdrawal.
7.2 Right to Access
You have the right to request a copy of the data we have about you. To request access, email support@usemend.app with subject line: "Data Access Request"
7.3 Right to Deletion
You have the right to request deletion of your data. Options:
- Delete individual generated images in-app
- Delete your entire account in Settings > Delete Account
- Email us at support@usemend.app
7.4 Response Time
We will respond to all data requests within 30 days, though complex requests may take up to 45 days. Response times may vary during peak periods or holidays. If additional time is needed, we will inform you of the reason and expected timeline.
8. Third-Party Processing
8.1 Service Providers
The following third parties process your photos when you use Mend's AI features:
| Provider | Purpose | Data Retention | Location |
|---|---|---|---|
| Replicate | AI processing infrastructure (hosts and runs AI models) | Per their data retention policy | United States |
| OpenAI | AI image generation (GPT-Image model via Replicate), content moderation, prompt processing, safety filtering | Up to 30 days (abuse monitoring) | United States |
| Supabase | Secure file storage | Per our retention schedule | EU / United States |
8.2 Provider Commitments
These third-party providers operate under their own terms of service and privacy policies, which include commitments to:
- Limit use of data to providing their services
- Implement appropriate security measures
- Delete data according to their stated retention periods
For specific details, please review each provider's privacy policy linked in Section 5 of our Privacy Policy.
8.3 BIPA Disclosure Statement
Disclosure Regarding Photos Containing Faces (BIPA Compliance)
In accordance with the Illinois Biometric Information Privacy Act (740 ILCS 14), we provide the following disclosure about how photos containing faces are handled:
Mend's Role: Mend does not collect, capture, or store biometric identifiers or biometric information as defined under BIPA. Mend functions as an intermediary that transmits your photos to third-party AI services for visual transformation.
Third-Party Processing: When you use Mend's AI features, your photos (which may contain faces) are sent to:
- API Infrastructure (Replicate): Hosts and provides API access to OpenAI's GPT-Image model for image generation
- AI Provider (OpenAI): Provides the GPT-Image model for image generation (via Replicate) and moderation APIs for content safety filtering
- Cloud Infrastructure (Supabase): Temporary storage of your uploaded photos and generated results
Nature of Processing: These AI services may process facial features as part of applying the visual effects you requested. This processing is for creative transformation only—not for facial recognition, identification, or building biometric databases.
Consent: By using Mend's AI features after providing in-app consent, you acknowledge that your photos (including any facial features) will be sent to these third-party service providers for processing. You may withdraw this consent at any time (see Section 7).
9. No Sale or Profit from Your Photos
No Sale, Trade, or Profit
We do NOT and will NOT:
- Sell your photos or any data derived from them to any third party
- Lease your photos or facial data
- Trade your photos or facial data for value
- Otherwise profit from your photos (except by providing the service you requested)
- Share your photos for third-party marketing or advertising
- Use your photos for cross-context behavioral advertising
This commitment applies regardless of whether the data is identifiable or de-identified.
10. Data Security
We implement reasonable security measures to protect your photos from unauthorized access, disclosure, or misuse:
10.1 Technical Safeguards
- Encryption in Transit: All data transmitted using TLS 1.2 or higher
- Encryption at Rest: Stored files are encrypted
- Access Controls: Strict authentication and authorization; only you can access your images via signed URLs
- Private Storage: All user files stored in private buckets, not publicly accessible
- Row-Level Security: Database policies ensure users can only access their own data
10.2 Organizational Safeguards
- Limited access on need-to-know basis
- Regular security reviews of data processing practices
- Vendor security assessments
11. Legal Compliance
11.1 Illinois BIPA Compliance
While Mend does not directly collect biometric identifiers as defined under BIPA (we do not extract or store facial geometry, templates, or embeddings), we provide this policy for transparency about how photos containing faces are processed by third-party services.
This policy addresses BIPA principles including:
- Written policy explaining how photos containing faces are handled (this document)
- Informed consent before sending photos to third-party AI services
- Prohibition on sale or profit from photos or derived data
- Reasonable security measures
- Deletion of original photos within 24 hours
11.2 GDPR Article 9 Compliance
For users in the EEA, UK, and Switzerland: GDPR Article 9 defines biometric data as "special category data" only when processed for the purpose of uniquely identifying a natural person. Because Mend does NOT process photos to identify individuals—we only transmit them to AI services for visual transformation—our processing does not constitute special category data under Article 9.
Nevertheless, out of an abundance of caution, we treat all photos containing faces with heightened protection and obtain your explicit consent before processing (consistent with Article 9(2)(a) principles).
11.3 CCPA/CPRA Compliance
For California residents, while we do not collect biometric information as defined under CCPA (we do not extract biometric identifiers), we treat photos containing faces with care. We:
- Only process photos for the disclosed purposes
- Do not sell or share photos or derived data
- Honor your right to delete your data
12. Changes to This Policy
We may update this Biometric Data Policy from time to time. When we make material changes:
- We will update the "Last updated" date
- We will notify you through the App or by email
- We may request renewed consent if required by law
Your continued use of the App after changes become effective constitutes acceptance of the updated policy.
13. Contact Information
For questions, concerns, or requests regarding biometric data, please contact:
- Data Controller: Lukas Vaičiulis (Individual Developer)
- App Name: Mend
- Email: support@usemend.app
- Website: https://usemend.app
- Location: Vilnius, Lithuania, European Union
For data requests related to photos or facial data, please include "Photo Data Request" in your email subject line. We aim to respond within 30 days, though response times may vary during peak periods.
Related Policies:
By using Mend's AI photo features after providing consent, you acknowledge that you have read and understood how your photos (including any facial features) will be processed by third-party AI services as described in this policy.