Privacy Policy
Privacy Policy
Welcome!
This Privacy Policy explains what information Xpose collects, how it’s used, and how we protect your data. If you have any questions, feel free to contact us at [support@fortyfour.co].
When you use Xpose, we may collect certain types of information to ensure the secure and optimal functioning of the app. This includes both technical and voluntary data, as outlined below:
Basic Device Data: Such as device model, operating system version, and app version. This helps us identify compatibility issues, optimize performance, and resolve bugs.
Usage Data: We may collect anonymous statistics about feature usage (e.g., which features are most commonly accessed) to improve user experience and prioritize future updates.
Subscription Status: We collect your in-app purchase or subscription status (via Apple’s API or RevenueCat) to unlock premium features and verify entitlements.
Diagnostic Logs: In rare cases, crash logs or performance reports may be automatically sent (with your permission) to identify technical issues and improve stability.
User Feedback & Support Queries: If you contact us for support or feedback, we may collect your email address and message content to assist you properly.
We do not collect any personal identifiers (such as name, email, phone number, or precise location) unless you explicitly provide them for support or legal requests.
All data is collected in accordance with applicable data protection regulations, including the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA). We only process data that is necessary for delivering our services, preventing fraud, or fulfilling legal obligations.
Additionally, we may request your consent for specific optional data collection, such as for improving features through anonymous analytics. In such cases, consent is always voluntary, and you can opt out at any time within the app settings.
2. Facial Data Usage
Xpose uses facial data strictly for the purpose of generating visual outputs such as AI-enhanced photos, filters, or face swaps. We do not use facial data for identification, facial recognition, or biometric profiling of any kind.
Here is exactly how face data is handled:
- Face data (user photo) is **temporarily uploaded to Firebase Storage for 5–6 seconds** solely for the purpose of forwarding it to our AI provider (Replicate) for image generation.
- Once the image is forwarded, **it is immediately deleted from our storage.**
- Our third-party AI provider, Replicate, **automatically deletes all prediction data (including the image) within 1 hour**, as outlined in their [official data retention policy](https://replicate.com/docs/privacy).
- We **do not retain any face data** beyond the brief processing period.
- We **do not share face data with any other third parties**.
- Replicate, our only AI partner, **does not store face data beyond 1 hour**, and it is used only for the temporary purpose of generating your requested image.
Face data is never used for analytics, marketing, or training AI models. All face processing is triggered manually by the user and only occurs when they initiate a feature. Our system is designed to delete and forget all image content immediately after use.
Xpose does not collect or store metadata related to user-generated content (such as timestamps, GPS coordinates, file properties, or embedded technical data) unless explicitly required for core functionality and only with the user's consent.
Our AI systems do not use user images or associated metadata for training machine learning models. All content is processed on-demand and is not stored, analyzed, or repurposed for profiling or optimization.
We prioritize user privacy by ensuring that user-generated content is handled securely, temporarily, and only for the intended purpose of generating visual outputs.
Xpose may generate and store system logs that include technical and operational information essential for ensuring secure, smooth, and optimized functionality of the application. These logs may include—but are not limited to—the following types of data:
Access Logs: Timestamped records of when the app was launched, closed, or entered a specific feature area. This helps us understand session patterns and detect unusual or suspicious activity.
Subscription Verification Logs: Periodic checks confirming a user's subscription status and entitlement rights. This is critical for enforcing feature access policies and preventing unauthorized usage.
Action Logs: Logs indicating specific user-triggered actions such as saving a photo, sharing an image, or initiating an AI generation task. These logs are non-identifiable and help track usage trends.
Performance Logs: Information about app responsiveness, loading times, and server latency. These logs help our development team identify bottlenecks and deploy stability improvements.
All logs are stored in secure environments and are not linked to any personally identifiable information. We use them strictly for diagnostic, analytical, fraud prevention, and operational purposes.
We implement layered safeguards to protect log data, including encryption-in-transit and at-rest, restricted access controls, and automated cleanup protocols. Log data is stored for a limited duration and is automatically deleted when it is no longer needed.
We do not use logs to track individual user behavior across other apps or services, and no log data is sold, shared, or repurposed for advertising or profiling.
We do not share your personal information with third parties without your explicit, informed consent. Xpose does not engage in the sale, trade, or unauthorized disclosure of any user data under any circumstances.
In limited and strictly controlled situations, we may share anonymized, aggregated data (such as the total number of generated images or general usage trends) to help us analyze performance, evaluate app features, or report general usage statistics. This data contains no personally identifiable information and cannot be traced back to any individual user.
Additionally, in the rare case of legal obligations (e.g., law enforcement request, fraud prevention investigation), we may be required to share limited user information in full compliance with applicable laws and only when legally obligated to do so.
Our commitment is to uphold your privacy and data security at all times. Any third party we may interact with (e.g., analytics or hosting providers) is required to comply with strict data protection standards and is contractually prohibited from using your data for any purpose other than supporting Xpose’s core services.
We take data protection and security very seriously. Xpose implements a comprehensive set of technical and organizational safeguards designed to protect your information from unauthorized access, loss, alteration, or misuse.
Our infrastructure relies on trusted partners such as Firebase (by Google) and Replicate, both of which employ industry-leading security measures, including:
End-to-end encryption: All data transfers are secured via SSL/TLS encryption to prevent interception or tampering during communication between your device and our servers.
Access control: Strict access permissions and role-based restrictions ensure that only authorized personnel can access sensitive data, and only when absolutely necessary.
Isolated environments: Data is processed in secure, isolated containers or environments to prevent cross-contamination or unintended exposure.
Automatic deletion protocols: Data, especially user-uploaded images and logs, are deleted automatically after processing, ensuring minimal retention windows.
Regular audits and monitoring: Our systems undergo continuous monitoring and periodic audits to detect, mitigate, and prevent potential security threats.
In addition, we employ security best practices such as rate limiting, IP filtering, two-factor authentication for admin systems, and server-side validation. All third-party services we use are contractually bound to maintain security and privacy standards equivalent to or stronger than ours.
While no system can guarantee absolute security, we are committed to continually improving our defenses to protect your trust and your data.
You have the right to request deletion of your personal data at any time, in accordance with global privacy regulations such as GDPR and CCPA. At your request, we will initiate the data deletion process and ensure that any data associated with your account is securely erased.
However, please note that in the following specific scenarios, we may be legally or contractually obligated to delay or decline a deletion request:
Fraud or illegal account activity under investigation.
Ongoing transactions or licensing matters that require retention of certain data for billing, verification, or operational integrity.
Outstanding debts, payment disputes, or refund claims involving your account.
Compliance with applicable laws or regulatory requests that mandate the retention of specific records.
To request deletion, please contact us at [support@fortyfour.co] using the email address associated with your account. We will verify your identity through a secure method and process your request within a reasonable time frame, typically within 7–14 business days.
Upon successful deletion, all user-related content and associated metadata will be irreversibly removed from our systems, and you will receive a confirmation email. We do not retain backups of deleted user data unless required for legal compliance.
We may update this Privacy Policy periodically to reflect changes in our services, legal requirements, or user feedback. When we make significant updates, we will notify users through appropriate channels, such as in-app messages, app store update notes, or email (if applicable).
All changes will be clearly marked with an updated "Last Updated" date at the bottom of this policy. We encourage users to review this policy regularly to stay informed about how we are protecting their data and privacy.
Contact Us
If you have any questions about this policy or our data practices, please email: [support@fortyfour.co]
Last Updated: May 2, 2025