Last updated: July 14, 2026 · Draft — under attorney review
person·af ("we," "us") is a video-chat platform that connects strangers across differences. This policy describes exactly what we collect, why, where it goes, and when it's destroyed. It is written to match how the system actually works — no more, no less.
Contact for anything in this policy, including data requests: privacy@person.af.
The short version
- Your face makes your account. We store an irreversible faceprint (a numeric template), never your photo. It exists to stop banned users from returning and to let you log in from any device. You consent to this explicitly at signup, and you can have it destroyed.
- Conversations are not recorded. Video and audio flow peer-to-peer between you and your match — they never touch our servers. Text chat, live captions, and stance answers are relayed in the moment and never stored.
- We collect the minimum a safety system needs: account/reputation records, reports, and — only when someone is reported — a single snapshot used as evidence, deleted within 7 days.
- We don't sell, lease, or trade any of your data. Ever.
What we collect, and why
1. Biometric data (faceprint)
At signup you complete a face liveness check. From it we derive and store a faceprint — a numeric template produced by Amazon Rekognition — associated with your account ID. We do not store the photo or video of the check.
- Purpose (the only ones): prevent banned users from creating new accounts, prevent one person from holding multiple accounts, and let you sign in across devices.
- Explicit consent is collected before any scan.
- Our full written biometric policy, including the retention/destruction schedule, is at /biometrics.
2. Account & safety records
- Account ID, reputation score, session count, reports made/received, ban status, and an event log (signup, reports, bans, reinstatements).
- Reports: reporter, reported account, reason, and the AI/human decision.
- Evidence snapshots: when you report someone, your device captures one still image of their video, used solely to adjudicate the report. Stored encrypted, auto-deleted within 7 days. No snapshot is ever taken for suspected-minor reports.
- IP addresses: we never store your raw IP. We store a salted, one-way hash of it, used for rate limiting and short (1-hour) ban enforcement.
3. Things processed in the moment and never stored
- Stance answers (the viewpoint questions): kept in your browser, sent only while you wait to be matched, used in memory to pair you, then gone. Never written to a database.
- Text chat: relayed directly to your partner; never stored.
- Live captions (optional, off by default): if you enable them, your browser's speech service transcribes your own speech; the text is relayed to your partner and discarded.
- Translations & prompt suggestions: chat/caption text may be sent to our AI provider (Anthropic) in-flight to translate it or to suggest a conversation prompt. It is processed for that response and not stored by us.
- Country: your match sees your country (from network geolocation, e.g., "United States"). Country-level only; not stored.
4. Video & audio
Calls are peer-to-peer WebRTC. Media flows directly between participants (or through a blind TURN relay when networks require it — the relay cannot read the encrypted media). We have no access to, and keep no copy of, call audio or video.
5. Site analytics
Cloudflare Web Analytics — cookieless, aggregate page metrics. No cross-site tracking, no ad tech.
Who processes data on our behalf
| Processor | What they process | Why |
|---|---|---|
| Cloudflare | Hosting, connections, hashed-IP rate data, analytics | Infrastructure |
| Amazon Web Services (Rekognition) | Face liveness checks and faceprints | Identity / anti-abuse |
| Anthropic (Claude) | Report evidence snapshots; chat/caption text you send for translation; prompt snippets | Moderation, translation, prompts |
| Telegram | Operator alerts (report IDs and case summaries — never media, never chat content) | Human moderation escalation |
| Your browser's speech service | Your own speech, only if you enable captions | Captions (your device, your consent) |
We never sell, lease, share for advertising, or otherwise monetize personal data.
Retention schedule
| Data | Kept for |
|---|---|
| Faceprint | Until account deletion request, or destroyed within 3 years of your last interaction — whichever comes first |
| Account & safety records | Life of the account. On deletion they are erased, and your identifiers are replaced with a tombstone in any report the other party filed |
| Suspected-minor reports | Preserved with identifiers, even after deletion — 18 U.S.C. § 2258A requires it |
| Report evidence snapshot | 7 days maximum (automatic deletion) |
| Salted IP hash (bans/limits) | Ban/limit window only (minutes–24h) |
| Stances, chat, captions, video, audio | Never stored |
Your rights
Email privacy@person.af to access or delete your data. Deletion erases your account records and destroys your faceprint from the face collection; we complete verified requests within 30 days. Reports that another user filed are their safety record, so those rows survive — but your identifiers in them are replaced with a tombstone, so your history is no longer queryable. The one exception is a suspected-minor report, which we must preserve intact under 18 U.S.C. § 2258A. If you're in the EU/UK (GDPR) or a US state with a privacy law, these are the mechanisms for the rights those laws grant you; we honor them for everyone regardless of location.
Age & child safety
person·af is for adults 18+ only. We are required by law (18 U.S.C. § 2258A) to report apparent child sexual abuse material to the National Center for Missing & Exploited Children (NCMEC), and we do. Suspected-minor reports trigger an immediate suspension and human review.
Security
Faceprints live in an isolated AWS face collection under least-privilege credentials; evidence lives in private object storage; all transport is encrypted (TLS/DTLS-SRTP); identity tokens are cryptographically signed; access to moderation data requires operator authentication.
Changes
We'll post changes here with a new "Last updated" date. Material changes to biometric handling will require fresh consent.