Privacy Policy
Last updated: July 2026
This Privacy Policy describes how miniface (miniface.org) — operated by Pooya Moradi M., based in Rome, Italy — collects, uses, and protects your personal data. We are committed to transparency and to processing your data lawfully under the General Data Protection Regulation (GDPR) (EU) 2016/679 and applicable Italian and European data protection law.
1. Data Controller
The data controller responsible for your personal data is:
Pooya Moradi M.
Rome, Italy
arkitface@gmail.com
2. Personal Data We Collect
We collect only what is necessary to provide the service:
- Account information: when you register or sign in using Google OAuth, we receive your name, email address, Google account ID, and profile picture from Google.
- Voluntarily provided data: if you submit a contact form, sign up for updates, or register your interest, we collect your name and email address, stored in our database (Supabase, EU-hosted infrastructure).
- Motion capture recordings: if you choose to save a recording to your account, the numerical motion keyframe data is stored in Supabase under your user ID and is accessible only to you. We store motion data — not video or images of your face.
- Camera feed: your device camera is accessed via the browser MediaStream API for real-time facial motion capture. The video stream is processed entirely on your device using MediaPipe running in WebAssembly. It is never uploaded, transmitted, or stored on our servers.
- Usage and analytics data: we use Google Analytics 4 to collect aggregated, anonymised data about how visitors interact with miniface (pages visited, session duration, device type, referrer). IP anonymisation is enabled. See our Cookie Policy for details.
- Technical data: IP address, browser type, operating system, and access timestamps, collected automatically by our hosting and analytics infrastructure.
We do not collect: payment information, precise location, device contacts, biometric identifiers, or any sensitive special-category data under Article 9 GDPR.
3. Legal Basis for Processing
- Contract performance (Art. 6(1)(b) GDPR): to create and maintain your account and deliver the service you signed up for.
- Legitimate interest (Art. 6(1)(f) GDPR): for security monitoring, fraud prevention, analytics, and the proper functioning of the service. Our interest does not override your rights.
- Consent (Art. 6(1)(a) GDPR): for cookies, analytics, and marketing emails, where you have given explicit consent. You can withdraw consent at any time.
4. Camera Access & Facial Data
The mocap studio in miniface is a real-time facial motion capture tool. Here is exactly how your camera data is handled:
- Your browser will ask for camera permission before anything starts. You are in full control.
- The video stream is processed entirely on your deviceusing MediaPipe's face landmarker model running in WebAssembly. Nothing is sent to our servers.
- Facial landmark coordinates are used only to animate the 3D avatar in real time. They are not stored, analysed, or shared.
- Exported
.glbfiles contain only numerical motion keyframes — not video or images of your face. - You may revoke camera permission at any time through your browser settings.
5. How We Use Your Data
- Provide and improve miniface.
- Authenticate users via Google OAuth and manage user accounts.
- Send relevant product updates, news, or information — only to users who have registered and where permitted by applicable law or explicit consent. You may opt out at any time.
- Analyse usage patterns to improve user experience (via Google Analytics 4).
- Comply with legal obligations.
6. Communication & Email
If you have registered, we may contact you with relevant information about miniface, product updates, new features, or research-related communications. You may opt out at any time by clicking the unsubscribe link in any email or by contacting us at arkitface@gmail.com. We will never share your email with third parties for their own marketing purposes.
7. Data Sharing & Third Parties
We do not sell, rent, or trade your personal data. We share data only with the sub-processors necessary to run the service:
- Supabase — database and authentication infrastructure (EU-hosted). Stores account data and any saved recordings. Supabase is GDPR-compliant, SOC 2 Type 2 certified, and offers Data Processing Agreements. Supabase Privacy Policy.
- Google LLC— Google OAuth (authentication) and Google Analytics 4 (anonymised usage stats). Data is processed under Google's terms and applicable EU Standard Contractual Clauses. Google Privacy Policy.
- Vercel Inc. — website hosting and content delivery. Vercel may log access requests transiently for operational and security purposes. Vercel Privacy Policy.
8. International Transfers
Some third-party service providers (including Google and Vercel) may process data outside the European Economic Area (EEA). Where this occurs, transfers are safeguarded by EU Standard Contractual Clauses (SCCs) or adequacy decisions as required under GDPR Chapter V.
9. Data Retention
- Account data: retained as long as your account is active. If you delete your account, all associated data is deleted within 30 days.
- Analytics data: Google Analytics data is retained for 14 months (minimum configurable period in GA4).
- Email logs: transactional email delivery logs are retained for 90 days for debugging purposes.
10. Your Rights (GDPR)
Under GDPR, you have the following rights:
- Right of access — request a copy of the personal data we hold about you.
- Right to rectification — request correction of inaccurate or incomplete data.
- Right to erasure("right to be forgotten") — request deletion of your data and account.
- Right to restriction — request that we restrict processing of your data.
- Right to data portability — receive your data in a structured, machine-readable format.
- Right to object — object to processing based on legitimate interests or analytics.
- Right to withdraw consent — withdraw consent for marketing emails or analytics at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, email us at arkitface@gmail.com. We will respond within 30 days. You also have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali).
11. Security
- HTTPS encryption for all data in transit.
- Authentication handled by Supabase with industry-standard JWT tokens.
- Row-level security on our database so each user can only access their own data.
- No passwords stored — sign-in is handled entirely by Google OAuth.
If you discover a security vulnerability, please disclose it responsibly to arkitface@gmail.com.
12. Children's Privacy
miniface is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with their data, please contact us so we can delete it.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the effective date and notify signed-in users by email. Continued use of miniface after changes constitutes acceptance of the updated policy.
14. Contact
For any privacy-related questions or requests:
Pooya Moradi M.
Rome, Italy
arkitface@gmail.com