Privacy Policy - Grimace Score

Version: 2026-05-24

This policy is written for the Grimace Score mobile apps for iOS and Android, the Grimace Score web fallback pages, and the Grimace Score API. It is designed for publication after the controller details below are completed and reviewed.

Controller And Contact

• Controller: FaceLab SAS
• Privacy contact: contact@facelab.me
• Public policy URL: https://staging.facelab.me/grimaces/privacy

If a Data Protection Officer, EU/UK representative, Quebec privacy officer, or Brazil encarregado is legally required for the final launch structure, their contact details should be published through the same privacy contact or added here before publication.

Age Restriction

Grimace Score is intended for users aged 13 and older. The app is not directed to children under 13.

If local law requires parental consent for a user above 13 but below the local digital consent age, the user must use the app only with parent or guardian permission. If Grimace Score is ever intentionally offered to children under 13, a separate child privacy flow, parental notice, and verifiable parental consent must be implemented before collection or sharing.

Short Version

• Photos and camera frames stay on the device. They are not uploaded to the backend.
• The backend receives only numeric face-movement values, locale, and a local capture ID.
• The app does not create user accounts.
• Result history, local photos, and optional nickname are stored on the device and can be deleted in the app.
• The backend does not keep a production database of user analyses.
• OpenAI receives only numeric face-movement values when AI comments are enabled.
• Ads and subscriptions are optional build modes. If enabled, AdMob, Apple, Google Play, and RevenueCat may process ad or purchase data, but Grimace Score does not send photos, nicknames, scores, or blendshape maps to those SDKs as custom metadata.
• Grimace Score does not sell personal information and does not use data brokers.

Data We Process

On The Device

• Camera frames used to detect a face and calculate face-movement values.
• A captured selfie photo used to generate the share card and local history.
• Result history, including score, comment, timestamp, and local image path.
• Optional nickname used only on the shared card.
• Local consent choices, such as age confirmation, face-movement consent, and privacy options where implemented.
• Subscription entitlement state when Grimace Plus is enabled.

Sent To The Backend

• Locale.
• A local capture ID.
• The normalized numeric scores for supported face movements.
• No photo, video, audio, EXIF data, or raw camera frame is sent to the backend.

Generated By The Backend

• Result type: normal, no face, or no grimace.
• Optional score.
• Short comment.
• Basic technical request logs such as method, route, status, duration, locale, and AI/fallback source.

Optional Monetization Data

If ads or subscriptions are enabled in a production build:

• AdMob may process technical ad request data, device identifiers, consent status, approximate location derived by ad infrastructure, and ad interaction data according to Google's policies and the user's choices.
• Apple App Store, Google Play, and RevenueCat may process purchase receipts, product identifiers, subscription status, and store account metadata needed to provide Grimace Plus.
• The application code must not send photos, result images, nicknames, face-movement maps, or scores to AdMob or RevenueCat as custom metadata.
• Grimace Plus commercial terms are published separately: https://staging.facelab.me/grimaces/subscription.

Purposes

We process data to:

• run camera-based face-movement detection on the device;
• generate a score and a comment;
• provide local result history and local deletion;
• let users voluntarily share a locally generated image card;
• provide Grimace Plus and restore purchases if subscriptions are enabled;
• show ads only when the selected build mode and consent rules allow it;
• protect, debug, and operate the API.

Legal Bases And Consent

The applicable legal basis depends on the user's region and the final release configuration.

Global App Consent

Before camera analysis, the app should ask the user to confirm:

• they meet the minimum age requirement;
• they understand camera frames and photos stay on the device;
• they understand numeric face-movement values are sent to the backend for scoring/comment generation;
• they consent to face-movement processing for this entertainment feature.

If the user does not consent, they should not be able to start camera analysis. The user can withdraw consent by stopping use, deleting local history, uninstalling the app, or contacting contact@facelab.me for questions. Because the app has no account and no durable server profile, most data is removed directly on the device.

EU, EEA, United Kingdom, And Switzerland

For GDPR, UK GDPR, Swiss FADP, and ePrivacy-style consent rules:

• camera access is based on OS permission and user action;
• face-movement analysis should be based on explicit consent or another legal basis confirmed by counsel, because face-derived data may be sensitive in context;
• service operation and security logs may rely on legitimate interests when logs are minimized;
• AI comment generation and scoring can be treated as performance of the requested service plus explicit consent for face-derived processing;
• non-essential advertising storage, personalized ads, and ad partner processing require a Google-certified CMP or the Google User Messaging Platform where applicable;
• the user must be able to reopen privacy options and withdraw ad consent when required;
• on iOS, App Tracking Transparency must be requested before any tracking as Apple defines it, and after regional consent where both are used.

Until the regional ad consent stack is complete, production builds should use no ads, limited ads, or non-personalized ads only where allowed.

United States

For U.S. privacy laws:

• Grimace Score does not sell personal information.
• Grimace Score does not share personal information for cross-context behavioral advertising unless a future build explicitly enables such advertising after the required notices, opt-outs, and platform settings are implemented.
• California users may have rights to know, access, delete, correct, opt out of sale/share, and limit the use of sensitive personal information where the CCPA/CPRA applies.
• The app should treat face-movement values conservatively as biometric-like or sensitive data for notice and consent, even though it does not identify users and does not perform face recognition.
• For Illinois, Texas, Washington, and similar biometric laws, the release should provide prior notice, documented electronic consent, and this retention policy before collecting or transmitting face-geometry or face-movement values for a commercial purpose.

Canada And Quebec

For Canada and Quebec:

• the policy should be available in English and French;
• consent must be meaningful, and sensitive or biometric-like processing should use express consent where required;
• the controller must explain purposes, third parties, retention, safeguards, and user rights;
• Quebec Law 25 expectations should be treated conservatively by identifying a privacy contact, providing clear information, and assessing transfers outside Quebec where applicable.

Brazil

For Brazil's LGPD:

• the policy should be available in Brazilian Portuguese for Brazilian users;
• face-derived movement values should be treated conservatively as sensitive or biometric-like data;
• consent or another lawful basis confirmed by counsel is required for processing;
• users should be able to request confirmation, access, correction, anonymization, deletion where applicable, portability where applicable, information about sharing, and revocation of consent.

Facial And Biometric-Like Data Notice

Grimace Score does not identify people, verify identity, authenticate users, compare faces, or create face templates for recognition.

The app calculates numeric movement values from a face visible to the camera. Some laws may still treat this as biometric, face-geometry, or sensitive data. For that reason, the conservative release posture is:

• obtain prior in-app consent before camera analysis;
• send only normalized numeric movement values to the backend;
• do not send images or video;
• do not store face-movement maps in a production database;
• do not sell, lease, trade, or disclose face-derived data for unrelated purposes;
• delete local photos and results when the user deletes history;
• keep production logs free from raw request bodies and raw blendshape maps;
• keep the development monitor disabled in production.

Retention

• Camera frames: ephemeral on device.
• Captured photos: stored on the device only until the user deletes the result or clears history.
• Result history and optional nickname: stored on the device until deleted by the user.
• Backend API request body: used to answer the request and not stored in production.
• Production logs: minimized technical logs only, retained according to the hosting log retention settings.
• Local development monitor: disabled in production; if enabled in development, retention is configured by MONITOR_RETENTION.
• OpenAI API: governed by OpenAI API data controls and the selected account settings; requests use store: false.
• AdMob, Apple, Google Play, and RevenueCat: retained according to their own legal obligations, account settings, and platform policies.

Sharing And Recipients

Data may be processed by:

• Grimace Score backend hosting provider;
• OpenAI, when AI comment generation is enabled;
• Google AdMob, only if ads are enabled;
• Apple App Store, Google Play, and RevenueCat, only if Grimace Plus is enabled;
• infrastructure providers needed for hosting, logs, and security.

We do not provide photos, videos, nicknames, local result images, or full face-movement maps to ad or subscription SDKs as custom metadata.

International Transfers

The backend, OpenAI, ad partners, payment platforms, and infrastructure providers may process data outside the user's country or region. Where required, the controller should use appropriate transfer mechanisms such as standard contractual clauses, data processing agreements, data residency settings, or other lawful safeguards before launch.

User Rights

Depending on location, users may have rights to:

• access personal information;
• receive information about processing;
• correct inaccurate data;
• delete data;
• restrict or object to processing;
• withdraw consent;
• receive a portable copy where applicable;
• opt out of sale, sharing, or targeted advertising where applicable;
• limit use of sensitive personal information where applicable;
• complain to a supervisory authority.

Most user-visible data is stored only on the device and can be deleted in the app by deleting individual results or clearing history. For requests that cannot be handled on device, contact contact@facelab.me.

Advertising Choices

If ads are enabled:

• EEA, UK, and Swiss users must be shown the applicable consent message before personalized ads or other consent-requiring ad processing.
• Users should have a privacy options entry point where required.
• iOS users must receive the Apple App Tracking Transparency prompt before tracking if tracking is used.
• Users under the applicable age of consent must not receive behavioral advertising.
• If consent is missing or withdrawn, the app should use no ads, limited ads, or non-personalized ads only where allowed.

Security

Grimace Score uses data minimization as the primary safeguard. Photos remain on device, backend payloads are small and strictly validated, unknown image/base64 fields are rejected, production logs should avoid request bodies, and API responses use no-store cache headers.

No mobile or web app can be guaranteed perfectly secure. Users should keep their device and operating system updated.

Store Privacy Disclosures

Before release, the App Store Privacy Nutrition Labels and Google Play Data Safety form must match this policy and the exact production build:

• camera/photo access processed locally;
• face-derived numeric values sent for app functionality;
• purchase data if subscriptions are enabled;
• advertising data if AdMob is enabled;
• no sale of personal information;
• no photo upload;
• no account system in v1.

Changes

We may update this policy when the app, regions, vendors, or consent systems change. The version date above shows the latest policy draft date. Material changes should be reflected in the app, the website, and store disclosures before or at release.