Privacy Policy

1. What we collect

HEIAN processes facial images to generate synthetic anonymous faces. Here is exactly what data we handle:

• —Your original face pixels: Processed entirely in your browser. Never sent to our servers. Never stored anywhere outside your device.
• —Abstract facial parameters: Landmark positions (468 geometric points), skin tone (RGB values), lighting direction, expression data. These are sent to our generation server to create your synthetic face. They cannot be used to reconstruct your real face.
• —Email address: If you create an account, we store your email for authentication and subscription management.
• —Payment data: Processed by Stripe. We never see or store your card number.
• —Usage metrics: Number of images/videos processed per day, for rate limiting only.

2. What we do NOT collect

• —Your original photos or videos (they never leave your device)
• —Your real face in any form (pixels, embeddings, or encodings)
• —Browsing history or tracking cookies
• —Location data
• —Device identifiers

3. How generation works

When you use HEIAN, your browser:

• —Detects your face locally using MediaPipe (Google open-source library)
• —Extracts abstract geometry (landmark coordinates), skin color, and lighting
• —Sends only these abstract parameters to our generation server
• —Receives a synthetic face image back
• —Composites the synthetic face onto your original image locally

The synthetic face is generated by an AI model and does not correspond to any real person.

4. Data retention

• —Facial parameters: Processed in memory only. Deleted immediately after generation. Never written to disk.
• —Generated faces: Returned to your browser and immediately discarded server-side.
• —Account data: Kept until you delete your account.
• —Usage logs: Kept for 90 days for rate limiting, then deleted.

5. Your rights (GDPR)

If you are in the EU/EEA, you have the right to:

• —Access your personal data
• —Rectify inaccurate data
• —Delete your account and all associated data
• —Export your data in a portable format
• —Object to processing

Contact: privacy@heian.app

6. EU AI Act compliance

HEIAN-generated content contains a discrete watermark indicating it was created with AI, in compliance with EU AI Act Article 50. Generated images include machine-readable metadata identifying them as synthetically produced.

7. Third parties

• —Stripe: Payment processing. Subject to Stripe Privacy Policy.
• —Cloudflare: CDN and DDoS protection. Subject to Cloudflare Privacy Policy.
• —MediaPipe: Runs entirely in your browser. No data sent to Google.

8. Contact

For any privacy-related questions: privacy@heian.app