Privacy Policy

Last updated: 2026-02-10

Introduction

Welcome to Head Swap App (the "App", "Site" and "Services"). We provide AI-powered head swap and image-to-video editing features through our mobile application. We are committed to protecting and respecting your privacy in full compliance with Apple App Store requirements and applicable privacy laws.

1. Data Collection and Use - What We Collect and Why

1.1 Core Functionality Data

Photos and Images: We collect images you upload to provide head swap and image-to-video services. This data is:

Collected directly from your device when you select images
Used solely to process your head swap or video generation requests
Temporarily stored on our servers during processing (typically 1-5 minutes)
Automatically deleted from processing servers within 24 hours
Results stored for 3 days for your convenience, then automatically deleted

1.2 Account Information (Optional)

Basic Contact Information:

What we collect: Email address and username when you create an account
How we collect it: Directly from you during account registration or Apple Sign-In
Why we collect it: To provide account-based features, sync your creations, and send service updates
Optional nature: Account creation is completely optional - you can use core features without registration

1.3 Usage Analytics (Anonymous)

App Performance Data:

What we collect: Anonymous usage statistics, crash reports, feature usage patterns
How we collect it: Automatically through app analytics
Why we collect it: To improve app stability, performance, and user experience
Anonymous nature: This data cannot be linked back to individual users

2. Data Minimization and Permissions

2.1 Face Data Notice

This section answers frequently asked questions about face data in connection with our features such as image‑to‑video generation, face enhancement, and reenactment.

What face data does the app collect?

When you upload photos or videos for face‑related features, we process the pixels to detect faces and create short‑lived detection metadata (e.g., bounding boxes and landmarks). We may derive non‑reversible numerical representations ("face embeddings") to operate the requested feature. We do not collect government‑issued identifiers or store facial geometry templates designed to identify you across services.

Planned uses of the collected face data

Provide the requested feature (generation, enhancement, reenactment, safety checks).
Prevent abuse and ensure content safety.
Improve quality and reliability only if you opt‑in to contribute content for model improvement; this is optional and revocable.

Which third parties we share face data with

Face data may be processed by our cloud provider (Amazon Web Services, Inc.) that supply compute, storage, and moderation. We do not sell face data. Processing occurs on secure servers in the United States and/or the European Union. Access is restricted and logged.

Whether or not the third parties we share face data with also store face data

Face data will be stored by our cloud provider (Amazon Web Services, Inc.) for up to 24 hours to complete the requested AI processing. AWS stores this data temporarily on their secure servers to:

Enable processing completion: Face data must remain accessible during the AI model processing pipeline, which can take several minutes to hours depending on complexity
Ensure processing reliability: Temporary storage allows for retry mechanisms if processing fails due to technical issues
Support quality assurance: Brief retention enables our systems to verify processing completed successfully before deletion

The 24-hour retention period is necessary because:

AI processing may be queued during high-demand periods, requiring data to remain available until processing begins
Complex face swap operations may require multiple processing stages that cannot complete instantaneously
System maintenance windows or temporary service interruptions may delay processing completion

We automatically deletes all face data from AWS servers after this 24-hour period as part of our data processing agreement. AWS does not use, analyze, or retain copies of your face data for their own purposes.

Retention period

Uploads remain in your account until you delete them or close your account. Transient artifacts (including detection metadata and embeddings) are retained only as long as necessary to complete processing and for up to 30 days for troubleshooting and abuse prevention; backups may persist for up to 35 additional days. If you opt‑in to model improvement, we retain only minimal data until consent is withdrawn.

Where in the privacy policy is this explained?

Privacy Policy → Face Data and Biometric Information: collection, use, sharing, retention, and choices.
Privacy Policy → ASR & NR Privacy (Apple 5.1): consent, minimization, access, and choices.
Privacy Policy: general data handling, security, and rights.

Quoted text from our Privacy Policy

Face Data and Biometric Information — What we collect. When you upload photos or videos to use face-related features, we process those files to detect and align faces. During processing, we may generate short‑lived face detection metadata (for example, bounding boxes and landmarks) and non‑reversible numerical feature representations ("face embeddings") derived from the pixels.

How we use it. We use face data solely to provide and improve features you request, such as image‑to‑video generation, face enhancement, reenactment, style transfer, and safety checks. We do not use face data for advertising or for user profiling unrelated to the requested feature.

Sharing and storage. Face data and derived features may be processed by our cloud infrastructure and trusted subprocessors that provide compute, storage, and content moderation. We do not sell face data. Processing and storage occur on secure servers located in the United States and/or the European Union.

Retention. Uploaded media are retained in your account until you delete them or your account is closed. Transient processing artifacts (including face detection metadata and embeddings) are kept only for the duration necessary to complete the task and for up to 30 days for troubleshooting, abuse prevention, and to honor deletion requests; backups may persist for up to 35 additional days.

For additional details and your rights, see the Face Data and ASR & NR Privacy (Apple 5.1) sections of the Privacy Policy.

2.2 Photo Library Access

We request photo library access only to allow you to select images for head swap processing. This permission is:

Purpose-limited: Used only for image selection, not browsing your entire photo library
Optional: You can decline and still use the app with camera capture
Transparent: Clear explanation provided when permission is requested

2.3 Camera Access

Camera access is requested only when you choose to take a new photo. This is completely optional and only used for capturing images for head swap processing.

2.4 No Unnecessary Data Collection

We do NOT collect:

Location data
Contacts or address book information
Microphone or audio data
Device identifiers for tracking
Social media credentials (stored locally only if using Apple Sign-In)

3. Third-Party AI Service Data Sharing, Consent, and Protection

3.1 What Data Is Shared with Third-Party AI Services

To provide our core AI-powered features (head swap, face enhancement, image-to-video generation, and face reenactment), we transmit the following personal data to third-party AI processing services:

Photos and images you upload for processing, which may contain your face or likeness
Processing parameters: technical settings you choose (e.g., style, motion type) that accompany your images during processing

Face detection metadata (bounding boxes, landmarks) and face embeddings are generated and used solely on our own servers during processing. They are not shared with any third party.

We do not send your email address, username, device identifiers, or any other account information to third-party AI services. Only the minimum data required to fulfill your specific request is transmitted.

3.2 Who Receives Your Data

Your uploaded images are sent to the following identified third parties solely for the purpose of providing the AI features you request. Face detection metadata and face embeddings are generated and remain on our own servers and are not shared.

Amazon Web Services, Inc. (AWS) — provides cloud compute and temporary storage infrastructure used to run AI processing pipelines. AWS temporarily stores your uploaded images on secure servers located in the United States and/or the European Union.
Our proprietary AI model servers — hosted on AWS infrastructure, these servers execute the head swap, face enhancement, image-to-video, and reenactment algorithms. They receive your uploaded images, process them, and return the generated results.

We do not sell, rent, or share your personal data with advertisers, data brokers, or any other third parties beyond those listed above.

3.3 Your Permission — Consent Before Data Is Shared

We obtain your explicit permission before any personal data is transmitted to third-party AI services:

In-app consent prompt: Before your first use of any AI-powered feature, the App displays a clear consent dialog explaining that your images and face data will be sent to our cloud-based AI services for processing. You must affirmatively agree (tap "I Agree" or equivalent) before any data is transmitted.
Per-action initiation: Each time you initiate a head swap, face enhancement, or image-to-video request, you actively choose to submit your image by tapping the processing button. No data is sent automatically or in the background without your action.
Right to decline: If you do not consent, your images remain on your device and are not transmitted. You may still browse the App, but AI-powered features will not function without your consent to data sharing.
Withdrawal of consent: You may withdraw your consent at any time by discontinuing use of the AI features. Previously processed data will be deleted according to our retention schedule (see Section 4).

3.4 How We Collect and Use Your Data — Summary

The following table summarizes the data we collect, how we collect it, all uses of that data, and the third parties involved:

Data Type	How Collected	Purpose / Use	Third Party Recipient
Photos & images	Uploaded by you from your device	Head swap, face enhancement, image-to-video generation	Amazon Web Services, Inc.
Face detection metadata (bounding boxes, landmarks)	Automatically derived from your uploaded images during processing	Face alignment and feature processing	Not shared — processed on our own servers only
Face embeddings (non-reversible numerical representations)	Automatically generated from your facial features during processing	AI model inference for requested features	Not shared — processed on our own servers only
Email & username (optional)	Provided by you during registration or Apple Sign-In	Account management, sync, service updates	Not shared with third parties
Anonymous usage analytics	Automatically collected (crash reports, feature usage)	App stability and performance improvement	Analytics provider (anonymized, no personal data)

3.5 Third-Party Protection Standards

All third parties we share your data with are contractually required to provide the same or equal level of protection for your personal data as described in this Privacy Policy. Specifically, each third party must:

Provide data protection equivalent to or exceeding the standards in this Privacy Policy
Use your data only for the specified processing purposes and not for any other purpose
Implement industry-standard security measures including encryption in transit and at rest
Delete your data according to the retention schedules described in Section 4
Not sell, sublicense, or further share your personal data with any additional parties
Comply with applicable data protection laws (including GDPR where applicable)

3.6 Service Providers Summary

We work with the following third parties:

Amazon Web Services, Inc. (AWS): Cloud compute and temporary storage for AI processing — data encrypted, access restricted and logged, automatically deleted within 24 hours
Analytics Provider: Anonymous app performance metrics only — no personal data shared

4. Data Retention and Deletion

4.1 Automatic Deletion

Processing Data: Images deleted from processing servers within 24 hours
Results: Your created head swaps and videos automatically deleted after 3 days
Account Data: Deleted immediately when you delete your account

4.2 User-Controlled Deletion

You can delete your data at any time:

Individual Results: Delete specific head swaps or videos from the Results tab
Account Deletion: Use the "Delete Account" button in Profile to permanently delete all data
Request Deletion: Contact us to request deletion of specific data

5. Your Rights and Consent Management

5.1 Consent Withdrawal

You can withdraw consent for data collection at any time:

Photo Access: Revoke photo library permission in iOS Settings > Head Swap App > Photos
Camera Access: Revoke camera permission in iOS Settings > Head Swap App > Camera
Account Data: Delete your account in the app's Profile section

5.2 Data Access and Control

You have the right to:

Access all data we have about you
Correct inaccurate information
Export your data (data portability)
Object to processing
Request deletion of all your data

6. No Account Required for Core Features

Our app is designed with privacy in mind:

No Forced Registration: You can use head swap features without creating an account
Optional Account Benefits: Account creation only provides convenience features like saving your creations
No Personal Information Required: Core functionality works without collecting personal information

7. Children's Privacy (Under 18)

Our app is not intended for children under 18 years of age:

We do not knowingly collect personal information from children
If we discover we have collected information from a child, we will delete it immediately
Parents can contact us to request deletion of any child's data

8. Data Security

We implement industry-standard security measures:

Encryption in transit and at rest
Secure cloud infrastructure
Regular security audits
Limited access to personal data

9. International Data Transfers

If data is transferred internationally, we ensure:

Appropriate safeguards are in place
Compliance with applicable data protection laws
Same level of protection as required by this policy

10. European Privacy Rights (GDPR)

If you are in the EEA/UK, you have additional rights including:

Right to object to processing
Right to restrict processing
Right to lodge a complaint with your supervisory authority
Right to data portability

11. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices or applicable laws. We will:

Post updates on this page with the revision date
Notify you of material changes through the app or email
Seek your consent for changes that affect your rights

12. Zero-Tolerance Policy for Child Sexual Abuse Material (CSAM)

We have a zero-tolerance policy regarding the upload, generation, or distribution of Child Sexual Abuse Material (CSAM). To protect children and comply with global safety standards:

Strict Prohibition: You are strictly prohibited from uploading any images or videos containing children for the purpose of sexual exploitation or any other illegal content.
Automated Scanning: We use automated technologies to scan and detect CSAM in all uploaded content.
Law Enforcement Reporting: We will immediately report any detected CSAM and associated user data to the National Center for Missing & Exploited Children (NCMEC) and other relevant law enforcement authorities worldwide.
No Refunds for Violations: Any generation attempt that fails or is blocked due to a violation of this CSAM policy will NOT be eligible for a refund of credits or any other payment.

13. Contact Us

For questions about this Privacy Policy or to exercise your rights, contact us:

Email: privacy@headswap.app
Support Page: Contact Support
In-App: Use the "Delete Account" feature in Profile settings

Response Time: We will respond to your privacy requests within 30 days or as required by applicable law.