Privacy Policy
Last updated: April 20, 2026
This policy explains what personal information Faceb LLC (“we”) collects when you use Faceb.ai, why we collect it, how long we keep it, and what rights you have over it.
1. What we collect
- Account: email address, hashed password, language preference, and the timestamps of account creation and last login.
- Usage and billing: your conversations (prompts, model selection, assistant responses, attachments, credits consumed per message), API keys (SHA-256 hashed — we never store the plaintext), and payment records (Stripe returns a token plus the last 4 digits of the card and expiration; we never see full card numbers).
- Technical: IP address, user agent, request timestamps, and cookies required for login and CSRF protection. We do not use third-party ad or social trackers.
- Support correspondence: if you email us, we retain the thread.
2. Why we collect it
- To operate the Service (route your prompts to upstream LLMs, stream back the response, store your chat history so you can resume).
- To meter and bill usage.
- To communicate service updates, security notices, and (only with your consent) product announcements.
- To detect fraud, abuse, and violations of the Terms of Service.
3. Upstream AI providers
When you send a message, we forward your prompt and any attachments to the LLM provider you selected (OpenAI, Anthropic, Google, Meta/Llama hosters, Mistral, xAI, DeepSeek, and others). Those providers have their own privacy and data-retention policies:
- We send them only the message payload plus a routing token. We do not send your email, payment info, IP address, or account metadata.
- We have contractually requested that providers not train on the content routed through our API. We cannot, however, independently verify every provider's training pipeline.
- If you select a provider (e.g., a free-tier community model) whose terms reserve training rights, we will route your message anyway — you are responsible for knowing the selected model's terms. We surface the provider name in the picker.
4. Sharing
We share data only with:
- Upstream LLM providers (see §3).
- Stripe for payment processing (card tokenization happens in your browser, so we never see full card details).
- Our hosting, email, and analytics vendors listed below, bound by data-processing agreements.
- Law enforcement when we receive a lawful request we are legally required to honor, and not before.
We do not sell personal information. We do not share usage data with data brokers, ad networks, or third parties for advertising.
5. Processors we use
- Stripe (payments)
- VPS.org (server hosting)
- Clicky (anonymous page-view analytics — no cross-site tracking)
- OpenAI, Anthropic, Google, Meta partners, Mistral, xAI, DeepSeek, and any additional LLM providers you explicitly select in the model picker
6. How long we keep it
- Account record: until you delete your account, or 24 months after your last sign-in if dormant.
- Conversations and messages: until you delete them or delete your account.
- Payment records: 7 years, to comply with tax and accounting requirements.
- Server access logs: 90 days.
7. Your rights
Regardless of where you live, you have the following rights over your data:
- Access and export: download everything we have on you as a single JSON file from Account → Export my data.
- Correction: change your email, password, and preferences in Account.
- Deletion: permanently delete your account and all associated conversations and API keys from Account → Delete my account. Payment records are retained per §6 for accounting purposes.
- Withdraw consent: toggle marketing emails off in Account → Email preferences.
- Portability: the JSON export is yours to reuse anywhere.
- Complaint: EU/EEA and UK residents may lodge a complaint with their local data-protection authority.
8. Cookies
We use first-party cookies for login sessions and CSRF protection — these are strictly necessary and cannot be disabled without breaking the Service. We use Clicky for anonymous analytics that does not require a cookie banner under ePrivacy guidance, because it does not identify you individually and has no cross-site tracking. We do not use advertising cookies.
9. Security
Passwords are stored as salted hashes. API keys are stored as SHA-256 hashes, with only a 12-character prefix shown in the UI so you can identify keys. Card numbers never reach our servers — Stripe Elements tokenizes them in your browser. All traffic is encrypted with TLS 1.2 or later. Database backups are encrypted at rest.
10. Children
The Service is not directed at children under 13 (or 16 in the EU/EEA). If you are a parent or guardian and believe a child has registered, contact hello@faceb.ai and we will promptly delete the account.
11. International transfers
Our servers are located in the United States. If you access the Service from outside the US, your data is transferred to and processed in the US. Our upstream LLM providers process data in their respective jurisdictions (primarily US and EU).
12. Changes
Material changes to this policy will be announced by email to registered users and on this page at least 14 days before they take effect.
13. Contact
Questions or requests? hello@faceb.ai. Faceb LLC, United States.