Privacy Policy
Last updated: 2026-04-14
Biometric Data Retention Policy
This publicly available policy governs the collection, use, and destruction of biometric identifiers and biometric information collected by nocensor.ai, as required by the Illinois Biometric Information Privacy Act (BIPA), Texas CUBI, Washington WFPF, and Colorado CPA Biometric Amendment (effective July 2025).
- Face images are collected solely for processing the requested face swap output.
- Face images are permanently deleted within 48 hours of job completion, unless the job is flagged during automated safety screening. In that event, the image and associated job data may be retained for up to 1 year as required by 18 U.S.C. § 2258A (REPORT Act) and the TAKE IT DOWN Act. Content retained for this purpose is accessible only to authorized personnel and law enforcement, and deleted at the end of the legally required retention period.
- Face images are processed on GPU servers in the United States solely for generation. Our GPU provider does not retain images beyond the processing request.
- Face images are never sold, leased, traded, or used for any secondary purpose.
- Face images are never used for identification, tracking, or surveillance.
- Users provide explicit written consent before any biometric data is collected.
For questions about biometric data handling, contact privacy@nocensor.ai.
1. Data We Collect
| Category | Data | Purpose |
|---|---|---|
| Account | Email address | Authentication |
| Usage | Job metadata (timestamps, credit cost) | Service operation |
| Billing | Transaction IDs, amounts | Payment processing |
| Face Swap | Uploaded face images (biometric data) | AI processing only |
2. Legal Basis for Processing (GDPR)
For users in the European Economic Area, we process personal data under the following legal bases pursuant to GDPR Article 6 (and Article 9 for biometric data):
| Processing Activity | Legal Basis |
|---|---|
| Account creation and authentication | Contractual necessity (Art. 6(1)(b)) |
| AI content generation | Contractual necessity (Art. 6(1)(b)) |
| Payment processing | Contractual necessity (Art. 6(1)(b)) |
| Safety monitoring and abuse prevention | Legitimate interests (Art. 6(1)(f)) |
| REPORT Act / legal compliance retention | Legal obligation (Art. 6(1)(c)) |
| Biometric data (face swap) | Explicit consent (Art. 9(2)(a)) |
| Analytics (Vercel) | Legitimate interests (Art. 6(1)(f)) |
| Marketing emails | Consent (Art. 6(1)(a)) |
| ExoClick conversion tracking | Consent (Art. 6(1)(a)) — GPC opt-out honored |
3. Biometric Data (Face Swap)
Face images uploaded for the face swap feature constitute biometric data under BIPA (IL), CUBI (TX), and WFPF (WA). By using the face swap feature, you provide explicit written consent for the collection and processing of this biometric data. Face images are:
- Processed solely for the purpose of generating the requested output
- Transmitted to our GPU processing infrastructure in the United States for processing — our GPU provider does not retain images
- Deleted within 48 hours of generation completion, unless flagged for safety review (up to 1 year per REPORT Act / TAKE IT DOWN Act)
- Never shared with third parties beyond GPU processing or legally required disclosure
- Never used for identification or surveillance purposes
4. Cryptocurrency Payments
When paying with Bitcoin or cryptocurrency via BTCPay Server, no personal identifying information is collected. NOWPayments may perform AML monitoring which could trigger KYC requirements under their own terms. CCBill (credit card) processes payments under their own privacy policy.
5. Data Retention
- Account data: retained until account deletion
- Generated outputs: retained until user deletes them
- Input images (face swap, img2img): deleted within 48 hours of processing — except jobs flagged for safety review, which are retained up to 1 year per federal law
- Payment records: retained for legal/accounting requirements
6. Data Sharing
Data is only shared with:
- Supabase (database and storage, EU/US) for service operation
- Our GPU processing infrastructure (United States) — face images and input images are transmitted for processing. Our GPU provider processes data under a data processing agreement and does not retain images. Transfer mechanism: Standard Contractual Clauses (GDPR Article 46).
- Payment processors (BTCPay, NOWPayments, CCBill) for transaction processing
- Discord (signup notifications) — a masked email identifier and signup metadata are sent to a private Discord channel for operational monitoring. No account credentials are transmitted.
- Law enforcement when required by valid legal process, or as required by the REPORT Act / TAKE IT DOWN Act for flagged content
- ExoClick (ad network) for conversion tracking — see below
ExoClick Conversion Tracking. If you arrive via an ExoClick advertisement, we store an opaque click token in a cookie (__exo). When you make a purchase, we send that token along with your purchase amount to ExoClick's server (s.magsrv.com) so we can measure ad effectiveness. No name, email, or personally identifiable information is transmitted — only the opaque click token and transaction amount. This constitutes sharing data with a third-party ad network for advertising purposes under CCPA/CPRA but is not a "sale" of personal data. You can opt out by enabling Global Privacy Control (GPC) in your browser, which will prevent the tracking cookie from being set.
7. Your Rights
You may request deletion of your account and associated data by contacting privacy@nocensor.ai. Under GDPR and CCPA, you have the right to access, correct, delete, and port your personal data.
If you are located in the European Economic Area, you also have the right to lodge a complaint with your local data protection supervisory authority (Article 77 GDPR). A list of EU supervisory authorities is available at edpb.europa.eu/about-edpb/board/members_en.
8. Automated Decision-Making
Our service uses automated systems to analyze prompt content and user behavior for safety purposes. These systems may automatically block prompt submissions or suspend accounts when prohibited content patterns are detected. Such decisions constitute automated processing that may significantly affect your access to the service.
Under GDPR Article 22, EEA residents have the right to request human review of any automated decision that significantly affects them. To contest an automated account suspension or prompt block, contact legal@nocensor.ai with your account email and a description of the decision you wish to contest. We will respond within 7 business days.
9. Data Residency
User data is stored on Supabase infrastructure. GPU processing occurs on GPU servers in the United States.
10. Analytics & Tracking
We use the following tools to understand service usage:
- Vercel Analytics — aggregated pageviews and custom events. Does not use cookies for tracking and does not collect personally identifiable information.
- Vercel Speed Insights — anonymized Core Web Vitals performance sampling. No personal data collected.
Both tools are production-only and are not active during development.
Cookies set by this site:
| Cookie | Duration | Purpose | Opt-out |
|---|---|---|---|
| __exo | 30 days | ExoClick ad attribution (click token + purchase amount sent to ExoClick on conversion) | Enable GPC in your browser |
| __utm | 30 days | UTM campaign attribution (source, medium, campaign stored server-side) | Remove UTM params from URL |
| __ref | 30 days | Referral code attribution | Navigate without ?ref= param |
| __aff | 30 days | Affiliate attribution | Navigate without ?via= param |
| __ab_hero | Session | A/B test variant assignment (internal only, no third-party sharing) | Not applicable |
11. Data Breach Notification
In the event of a personal data breach, nocensor.ai will notify affected users and relevant supervisory authorities as required by applicable law. Under GDPR, we will notify the relevant supervisory authority within 72 hours of becoming aware of a breach that poses a risk to your rights and freedoms, and will notify affected users without undue delay when the breach is likely to result in a high risk to your rights and freedoms. Under applicable US state laws (CCPA, SHIELD Act, and others), we will notify affected residents within the timeframes required by law. Notifications will be sent to the email address associated with your account.
To report a suspected security vulnerability, contact legal@nocensor.ai.
12. Contact
For privacy inquiries, contact privacy@nocensor.ai.