1. Summary in plain English
We collect the minimum information we need to give you the service. We do not sell your personal information. We do not use what you upload to train general-purpose AI models. You can ask us to delete your data at any time. The full text below explains exactly how this works.
2. Who we are
This Privacy Policy describes how the operators of arabface.ai (hereafter “we,” “us,” or “arabface.ai”) collect, use, and share information about you when you visit arabface.ai, sign in, request early access, or use our tools (collectively, the “Service”).
For privacy questions, write to legal@arabface.ai with the subject line “Privacy.”
3. Scope
This Privacy Policy applies to:
- The arabface.ai marketing website (arabface.ai).
- The arabface.ai authentication system (sign-in, magic link, account).
- Tools we operate under the arabface.ai brand, including Aamen (aamen.arabface.ai).
- Any future product surfaces operated by us under the arabface.ai brand.
It does not apply to third-party websites linked from our pages, or to services operated by other entities even if mentioned by name on our site.
4. Information we collect
We collect three categories of information.
4.1 Information you provide
- Account information: your email address, and any name or display preferences you supply when you create an account or sign in via Google.
- Inputs to our tools: photos, text descriptions, and any other content you upload or submit while using a tool. For Aamen specifically, this includes the photo you upload, the claim you enter, and any associated notes.
- Communications: the contents of any message you send to us by email or contact form, including your name, email address, and the subject of your inquiry.
- Early-access submissions: your email address, locale preference, and an optional referral source.
4.2 Information we receive automatically
- Device and connection data: IP address, browser type, operating system, screen size, language, and approximate location derived from IP.
- Usage data: which pages you visit, the time and duration of visits, links you click, and basic interaction events (form submissions, sign-in attempts).
- Cookies and similar technologies: see §12.
4.3 Information we do NOT collect
We do not collect:
- Government-issued identifiers (national ID, passport).
- Payment-card numbers (no payments are processed at the time of this Policy’s effective date; this paragraph will be revised when payments are introduced).
- Health, biometric, or genetic data.
- Precise GPS location.
5. How we use information
We use the information we collect to:
- Provide the Service — including authentication, running tools, returning results, and communicating with you about your account or your inquiry.
- Improve the Service — including diagnosing failures, monitoring quality, and refining the behaviour of individual tools within isolated processing environments. We do not use your inputs to train general-purpose AI models or to improve models used outside the specific tool you submitted them to.
- Communicate with you about early access, account events, security notices, and material changes to this Policy.
- Enforce our Terms of Service and protect the Service against abuse, fraud, and misuse.
- Comply with applicable law.
6. Legal bases (EEA, UK, Switzerland)
Where the General Data Protection Regulation (GDPR) or equivalent law applies, we rely on the following legal bases:
- Performance of a contract — to provide the Service you have requested (e.g., running a tool you submit a photo to, sending you a magic-link sign-in email).
- Legitimate interests — to operate, secure, and improve the Service in ways that are reasonable and proportionate, balanced against your rights.
- Consent — for analytics cookies, optional newsletter-style communications (when introduced), and processing of any sensitive category data (which we currently do not collect).
- Legal obligation — when required by law to retain or disclose certain information.
You may withdraw consent at any time without affecting the lawfulness of processing carried out beforehand.
6-PDPL. Lawful basis — KSA users (PDPL)
Where Saudi Arabia’s Personal Data Protection Law (PDPL, Royal Decree M/19, 1443H) and its Implementing Regulations apply to you, we process your personal data on the following bases under Art. 5 PDPL and Art. 6 of the Implementing Regulations:
- Contractual necessity — to provide the Service you have requested, including authentication, running tools, and communicating with you about your account.
- Consent — for any processing not strictly necessary to provide the Service, including analytics and optional communications. We collect consent separately where required.
- Legitimate purposes — for security monitoring, fraud prevention, and improving the reliability of the Service, in ways proportionate to our legitimate interests and not overriding your rights.
- Legal obligation — where Saudi or other applicable law requires us to retain or disclose information.
You may withdraw consent at any time by contacting us at legal@arabface.ai with the subject “Privacy request.”
7. How we share information
We do not sell your personal information.
We share information only as follows:
7.1 With service providers we use to operate the Service
We use the following categories of vendors. Each is a data processor acting on our instructions, subject to a written agreement that requires confidentiality and the safeguards described in this Policy.
- Cloud hosting and CDN — for serving our website and routing traffic.
- Authentication and database — for account management and storing minimal account data.
- AI processing — for running the comparison and analysis steps of our tools, inside isolated cloud projects controlled by us. Your inputs are not used to train the underlying provider’s general-purpose models when the configuration we use disables that path; we have configured our usage to disable that path.
- Email delivery — for transactional emails (sign-in links, account notifications).
A current list of vendors is available on request to legal@arabface.ai with the subject “Subprocessors.”
7.2 For legal reasons
We may disclose information if we believe in good faith that disclosure is required by law, by court order, by legal process, or to protect the rights, property, or safety of users, the public, or us.
7.3 In a corporate transaction
If we are involved in a merger, acquisition, financing, or sale of all or part of our assets, information may be transferred to the successor as part of that transaction. We will notify you and provide a meaningful choice where required by law.
8. International data transfers
We are based in the United States. Your personal data may be processed in the following regions:
- United States — our primary processing location, including Vercel (CDN and serverless functions), Google Cloud Vertex AI (region us-central1), Replicate (image processing for the Restore tool), Sentry (error monitoring), and PostHog (product analytics, when consent is given).
- Japan (Tokyo, ap-northeast-1) — our database provider (Supabase, Inc., a US entity) hosts our database in this region.
Data processing agreements are in place (or being established) with each sub-processor above. Contractual safeguards include the relevant provider’s Data Processing Addendum and, where applicable, Standard Contractual Clauses.
For KSA users (PDPL Art. 29): Neither the United States nor Japan has been declared by SDAIA as providing an adequate level of protection equivalent to the PDPL as of the effective date of this Policy. We address these cross-border transfers through data processing agreements with each provider that include contractual safeguards, and through the contractual necessity exception for transfers required to deliver the Service you requested.
For EEA, UK, and Switzerland users: When we transfer personal data to a country not recognised as providing adequate protection, we rely on appropriate safeguards — primarily the European Commission’s Standard Contractual Clauses — supplemented by additional measures where required.
9. Data retention
We keep personal information only as long as necessary for the purposes set out in §5, and in line with applicable law. Specifically:
- Account data: kept while your account is active. After account deletion, we remove identifying account data within thirty (30) days, except where retention is required by law.
- Tool inputs — Aamen photo uploads and claim text: deleted on a schedule you control. The default is 30 days; you may change this to 7, 30, or 90 days from your account, or — if you are in the Contributor programme — keep them until you delete. See Photo retention for the full breakdown. If you request immediate deletion, we action it within a few business days.
- Contributor-program labels (when the contributor tier launches): if you opt into the contributor program and grant a data-use license, your confirmed labels may be retained indefinitely for model-improvement purposes under the separately collected consent at opt-in. Withdrawal of consent does not retroactively delete confirmed labels already incorporated into training datasets; this limitation is disclosed at opt-in.
- Communications: kept for up to three (3) years from the last contact, to allow follow-up and dispute resolution.
- Logs and security data: kept for up to twelve (12) months unless a longer period is required by law or active investigation.
You may request earlier deletion at any time (see §10).
10. Your rights
Depending on where you live, you have one or more of the following rights:
10.1 Universal rights we honour
You may at any time:
- Request access to the personal information we hold about you.
- Request correction of inaccurate personal information.
- Request deletion of your personal information.
- Withdraw consent where processing is based on consent.
- Receive a copy of your personal information in a portable format.
To exercise any of these rights, write to legal@arabface.ai with the subject “Privacy request.” We confirm receipt within seven (7) business days and complete the action within thirty (30) days, except where law allows a longer period.
10.2 Additional rights — EEA, UK, Switzerland (GDPR)
- Object to processing based on legitimate interests.
- Restrict processing in defined circumstances.
- Lodge a complaint with your local data protection authority.
10.3 Additional rights — California (CCPA / CPRA)
- Know what personal information we collect, use, disclose, and (if applicable) sell or share. We do not sell or share personal information for cross-context behavioural advertising.
- Request deletion of personal information.
- Correct inaccurate personal information.
- Limit the use of sensitive personal information. We do not collect sensitive personal information for purposes that would trigger a “limit” right.
- Be free from discrimination for exercising these rights.
To exercise California rights, use the contact path in §10.1 with subject “California privacy request.”
10.4 Rights — KSA users (PDPL)
If you are located in the Kingdom of Saudi Arabia, you have the following rights under the PDPL and its Implementing Regulations:
- Access (Art. 5 PDPL): request a copy of the personal data we hold about you.
- Correction (Art. 6 PDPL): request that we correct inaccurate or incomplete personal data.
- Erasure / Destruction (Art. 7 PDPL): request deletion of your personal data where it is no longer needed for the purposes for which it was collected, or where you withdraw consent and no other lawful basis applies.
- Withdrawal of consent (Art. 8 PDPL): withdraw consent at any time for processing based on consent, without affecting prior lawful processing.
- Objection (Art. 10 PDPL): object to processing based on legitimate purposes where your interests or fundamental rights override ours.
- Portability: receive a copy of your personal data in a structured, commonly used format where technically feasible.
To exercise any of these rights, contact us at legal@arabface.ai with the subject “Privacy request — KSA.” We confirm receipt within seven (7) business days and complete the action within thirty (30) calendar days, as required under Art. 35 of the Implementing Regulations. If you are unsatisfied with our response, you may lodge a complaint with the Saudi Data and AI Authority (SDAIA) via sdaia.gov.sa.
We also acknowledge the United Arab Emirates’ Federal Decree-Law No. 45 of 2021 on Personal Data Protection. Users in the UAE may exercise the universal rights in §10.1 and contact us as above.
11. Security
We use technical and organisational measures intended to protect personal information against unauthorised access, alteration, disclosure, or destruction. These measures include encryption in transit (TLS), encryption at rest where supported by our service providers, isolated processing environments for AI workloads, role-based access controls for our staff, and audit logging of access to production systems.
No system can be guaranteed to be perfectly secure. We do not claim absolute security or absolute privacy.
If we become aware of a security incident affecting your personal information, we will notify affected users and, where required by law, the relevant data protection authority — including SDAIA within 72 hours where the incident affects KSA residents and poses a material risk (PDPL Art. 20 / Art. 19 Implementing Regulations).
12. Cookies and similar technologies
We use a small number of cookies and similar technologies:
- Strictly necessary cookies — to maintain your sign-in session and to remember your locale preference.
- Functional cookies — to remember basic UI preferences.
- Analytics — only if introduced and only with your consent in jurisdictions where consent is required. The current Policy does not assume non-essential analytics; this paragraph will be updated when analytics are introduced.
You can manage cookies through your browser settings. Blocking strictly necessary cookies will prevent sign-in and may break parts of the Service.
13. Children’s privacy
The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us personal information, write to legal@arabface.ai and we will take prompt steps to delete it.
In some jurisdictions, the age of digital consent is higher (16 in some EEA states). Where such law applies, the threshold in this section is read up to that age.
14. Third-party links
Our pages may link to websites or services operated by third parties. This Privacy Policy does not apply to those third parties. Their privacy practices are governed by their own policies.
15. AI and tool-specific disclosures (Aamen)
When you use Aamen:
- The photo and the claim you enter are processed in an isolated AI workload to compare what the photo shows against the claim and against available reference context.
- The result is a probabilistic confidence signal — high, medium, or low. It is not a verdict, not an analysis of chemical composition, not a purity test, not a toxicity assessment, not a verification of origin or supply chain, and not a substitute for a domain expert.
- The reference context is built from non-personal materials we have collected and curated; your individual inputs are not used to update general-purpose models, and are not shared with our AI provider for the purpose of training their general models, in line with the configuration described in §7.1.
- Confidence signals depend on the density of our reference materials and the clarity of the input you provide. Limits are set out on the tool’s page.
Contributor program disclosure: When the Aamen contributor tier launches, participants who opt in will separately consent to a data-use license granting JUMNAT LLC a perpetual, non-exclusive license to use their confirmed labels and associated photo submissions to improve Aamen’s models. That consent is collected at opt-in via a separate acknowledgement, not this Policy. Participants may withdraw future contribution rights from their account settings; historical confirmed labels are not retroactively deleted. License version and grant date are stored per event in our database for audit purposes.
For other tools released under the arabface.ai brand, tool-specific disclosures will be added either to this Policy or to a per-tool addendum referenced from this Policy.
15a. Automated decision-making (Aamen)
Aamen uses automated processing to classify each scan result into one of four states: consistent, uncertain, inconsistent, or result unavailable. This classification is based on visual pattern analysis by an AI model; it is not a human expert review.
Under the Kingdom of Saudi Arabia’s Personal Data Protection Law (PDPL), Article 22, you have the right to:
- Opt out of seeing the automated classification. You can turn off the authenticity score display from your account settings. Underlying confidence signals remain available.
- Contest any result you believe is wrong. A “Disagree with this result?” link appears on every result page. Submissions are reviewed by a human analyst, and the result will be updated if warranted.
- Human review SLA. We commit to responding to every valid contestation within 5 business days. Complex cases may take longer; we will notify you if so.
The automated classification affects the information displayed to you about a batch you scanned. It does not affect your access to the service, your account, or your pricing tier. A result classification does not constitute a binding verdict on the product, seller, or supply chain.
To submit a contestation, use the link on the relevant result page. To exercise your opt-out right, visit your account settings at arabface.ai. For any other query related to automated decision-making, write to legal@arabface.ai.
16. Changes to this Policy
We may update this Policy. Material changes will be announced by email to account holders, by a notice on the Service, or both. The “Effective date” at the top of this Policy is updated each time. Continued use of the Service after the effective date of a change constitutes acceptance of the updated Policy.
17. Languages
This Policy is published in English and Arabic. In case of any conflict between the two versions, the English text is the legal source of truth. The Arabic version is provided for user clarity.
18. Contact
For any privacy question, request, or complaint:
- Email: legal@arabface.ai
- Subject (suggested): “Privacy request” for §10 actions; “Privacy request — KSA” for PDPL-specific requests; “Subprocessors” for vendor list; “Privacy” for general questions.
We do not currently designate a formal Data Protection Officer. If your inquiry requires escalation it will be directed to the founding team. This assessment will be revisited when user numbers exceed 50,000 KSA residents or when the contributor tier launches at scale.
You also have the right to lodge a complaint with the data protection authority in your country of residence:
- KSA residents: Saudi Data and AI Authority (SDAIA) — sdaia.gov.sa
- UAE residents: UAE Data Office — tdra.gov.ae
- EEA residents: your national supervisory authority (list at edpb.europa.eu).