Privacy Policy

Last updated: July 14, 2026 · Draft — under attorney review

person·af ("we," "us") is a video-chat platform that connects strangers across differences. This policy describes exactly what we collect, why, where it goes, and when it's destroyed. It is written to match how the system actually works — no more, no less.

Contact for anything in this policy, including data requests: privacy@person.af.


The short version


What we collect, and why

1. Biometric data (faceprint)

At signup you complete a face liveness check. From it we derive and store a faceprint — a numeric template produced by Amazon Rekognition — associated with your account ID. We do not store the photo or video of the check.

2. Account & safety records

3. Things processed in the moment and never stored

4. Video & audio

Calls are peer-to-peer WebRTC. Media flows directly between participants (or through a blind TURN relay when networks require it — the relay cannot read the encrypted media). We have no access to, and keep no copy of, call audio or video.

5. Site analytics

Cloudflare Web Analytics — cookieless, aggregate page metrics. No cross-site tracking, no ad tech.


Who processes data on our behalf

Processor What they process Why
Cloudflare Hosting, connections, hashed-IP rate data, analytics Infrastructure
Amazon Web Services (Rekognition) Face liveness checks and faceprints Identity / anti-abuse
Anthropic (Claude) Report evidence snapshots; chat/caption text you send for translation; prompt snippets Moderation, translation, prompts
Telegram Operator alerts (report IDs and case summaries — never media, never chat content) Human moderation escalation
Your browser's speech service Your own speech, only if you enable captions Captions (your device, your consent)

We never sell, lease, share for advertising, or otherwise monetize personal data.


Retention schedule

Data Kept for
Faceprint Until account deletion request, or destroyed within 3 years of your last interaction — whichever comes first
Account & safety records Life of the account. On deletion they are erased, and your identifiers are replaced with a tombstone in any report the other party filed
Suspected-minor reports Preserved with identifiers, even after deletion — 18 U.S.C. § 2258A requires it
Report evidence snapshot 7 days maximum (automatic deletion)
Salted IP hash (bans/limits) Ban/limit window only (minutes–24h)
Stances, chat, captions, video, audio Never stored

Your rights

Email privacy@person.af to access or delete your data. Deletion erases your account records and destroys your faceprint from the face collection; we complete verified requests within 30 days. Reports that another user filed are their safety record, so those rows survive — but your identifiers in them are replaced with a tombstone, so your history is no longer queryable. The one exception is a suspected-minor report, which we must preserve intact under 18 U.S.C. § 2258A. If you're in the EU/UK (GDPR) or a US state with a privacy law, these are the mechanisms for the rights those laws grant you; we honor them for everyone regardless of location.

Age & child safety

person·af is for adults 18+ only. We are required by law (18 U.S.C. § 2258A) to report apparent child sexual abuse material to the National Center for Missing & Exploited Children (NCMEC), and we do. Suspected-minor reports trigger an immediate suspension and human review.

Security

Faceprints live in an isolated AWS face collection under least-privilege credentials; evidence lives in private object storage; all transport is encrypted (TLS/DTLS-SRTP); identity tokens are cryptographically signed; access to moderation data requires operator authentication.

Changes

We'll post changes here with a new "Last updated" date. Material changes to biometric handling will require fresh consent.