Trust & Architecture

Private processing. Short retention by default. Optional extended retention for paid jobs.

Trust & Transparency

We prioritise short-lived processing and verifiable deletion.

  • Free photo swaps are automatically deleted after 30 minutes.
  • Paid GIF & Video jobs default to 30 minute deletion.
  • Users may opt into extended retention (up to 30 days) per account.
  • Manual deletion is available at any time.

Retention preference is stored at account level and applied at processing time.

How Your Data Flows

1. Upload: You select a file in your browser and send it to our API.
2. Validation & Processing: API validates request. Private worker executes the face swap.
3. Result Generated: Swap complete. Output saved to same private storage bucket.
4. Delivery via signed URL: Result delivered via time-limited presigned URL.
5. Auto Delete (Default): 30 minute processing window. Files removed by cleanup job.
6. Extended Retention: Optional, max 30 days. User-controlled retention window.

System Overview

[Diagram: Browser (user: upload / view); Cloudflare (CDN, WAF, Turnstile, DDoS); API (upload: validate + store); Redis (jobs / credits); Object Storage (Backblaze B2, encrypted at rest); Processing (GPU worker, face swap); Cleanup (cron job, every ~14 min). Arrow legend: upload, download, delete.]

Green arrows show uploads from the API to storage. Blue dashed arrows show presigned downloads to the browser. Red arrows show deletion flows.

Account & Credit Layer

  • Free users: browser identifier only
  • Paid users: secure account session
  • Credits ledger stored in database
  • Retention preference stored per account
  • Media files never stored in database, only object storage

Data Lifecycle

[Timeline diagram: 1. Upload (T+0, image received); 2. Processing (~10-30s, face swap executes); 3. Result Ready (T+~1 min, download available); Retention Window (max 15 min, data exists); 4. Cleanup (every ~14 min, cron scans & deletes); Deleted (T+15 max, data gone).]
1. Upload
2. Processing
3. Result Ready
4. Retention (30m)
5. Extended Retention (Optional)
6. Deleted
Note: Extended retention (up to 30 days) applies only to paid GIF and Video jobs where enabled. Extended retention can be enabled in account settings.

Data Handling Details

Free Photo Swaps

  • No account required
  • 3 swaps per 24 hours
  • 30 minute deletion

Paid Credits

  • Account required
  • Credits ledger maintained
  • GIF & Video unlocked
  • Optional extended retention

Uploads

  • Uploaded via the Swap Dat Face API
  • Download URLs expire in 1 hour
  • Storage is private, not public
  • Encrypted at rest

Processing

  • Runs in isolated worker
  • Faces detected for selection UI
  • Swap executes privately
  • Result written to same storage

Delivery

  • Results via presigned download
  • Links expire after 1 hour
  • No public bucket access
  • HTTPS only

Abuse Prevention & Fairness

We use a layered approach to prevent abuse and ensure fair usage, depending on whether you are a free or paid user.

Free Users

  • Browser identifier for limits
  • Rate limits (3 swaps/24h)
  • Turnstile verification

Account Users

  • Secure session token
  • Credit balance tracking
  • Retention toggle control

What we store (and don't store)

No PII — we don't know who you are
No biometric data — no face embeddings stored
No link to identity — just a browser hash
24-hour auto-expiry — deleted after inactivity

Redis automatically forgets inactive users. If you stop using the site, your identifier is erased without any action required.

Not used for: Advertising, cross-site tracking, or building user profiles. We don't sell or share this data.

Deletion & Retention Log

  • 30 minutes promised
  • ~15 minutes typical
  • Ed25519: public-key signed proof

Retention Log Endpoint

https://swapdatface.com/api/retention

Public Verification Key

https://swapdatface.com/api/retention/signing-key

What it returns:

  • Policy values (max retention, cleanup interval)
  • Latest cleanup run timestamp
  • Evidence: oldest remaining object age
  • Cryptographic Ed25519 signature
  • Published public verification key

Source Code

github.com/swapdatface/retention-log

The retention log reflects both default 30 minute deletions and extended retention deletions.

The retention report is cryptographically signed with a published public key so anyone can verify the payload without a shared secret. It provides operational evidence of deletion without exposing individual filenames.
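
How a client could check such a signed report is sketched below as an added example; it is not the code from the retention-log repository. The JSON field names, the base64 signature encoding and the rule that the signature covers the exact payload bytes are assumptions, and a throwaway key pair stands in for the published verification key so the example runs offline.

```javascript
// Added example: verify a signed retention report, then sanity-check its claims.
// Field names and the "signature covers the exact payload bytes" rule are
// assumptions; the real schema is whatever the service's retention log defines.
const crypto = require('node:crypto');

// Returns { ok, reason }. `publicKey` is a KeyObject for the Ed25519 public key.
function checkRetentionReport(payloadText, signatureB64, publicKey, nowMs) {
  const sig = Buffer.from(signatureB64, 'base64');
  // Ed25519 signatures are always 64 bytes; reject anything else up front.
  if (sig.length !== 64) return { ok: false, reason: 'bad signature length' };
  // Verify the raw bytes as received. Parsing and re-serialising JSON first
  // could change key order or whitespace and no longer match what was signed.
  if (!crypto.verify(null, Buffer.from(payloadText, 'utf8'), publicKey, sig)) {
    return { ok: false, reason: 'signature invalid' };
  }
  const r = JSON.parse(payloadText); // parse only after the signature checks out
  // A valid signature on an old report says nothing about today: require a
  // cleanup run within two cleanup intervals of "now" (NaN also fails here).
  const sinceCleanup = (nowMs - Date.parse(r.last_cleanup_at)) / 1000;
  if (!(sinceCleanup >= 0 && sinceCleanup <= 2 * r.cleanup_interval_seconds)) {
    return { ok: false, reason: 'report stale' };
  }
  // The evidence field must be consistent with the policy the report states.
  if (!(r.oldest_object_age_seconds <= r.max_retention_seconds)) {
    return { ok: false, reason: 'object older than policy' };
  }
  return { ok: true, reason: 'verified' };
}

// Constructed sample data: 30 min retention, ~14 min cleanup interval.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const now = Date.parse('2025-01-01T12:00:00Z');
function signedSample(fields) {
  const text = JSON.stringify({
    max_retention_seconds: 1800, cleanup_interval_seconds: 840,
    last_cleanup_at: '2025-01-01T11:50:00Z', oldest_object_age_seconds: 700,
    ...fields,
  });
  const sig = crypto.sign(null, Buffer.from(text, 'utf8'), privateKey);
  return { text, sig: sig.toString('base64') };
}

const good = signedSample({});
const late = signedSample({ oldest_object_age_seconds: 4000 });
const tampered = good.text.replace('700', '600'); // edited after signing
console.log(checkRetentionReport(good.text, good.sig, publicKey, now));
console.log(checkRetentionReport(tampered, good.sig, publicKey, now));
console.log(checkRetentionReport(late.text, late.sig, publicKey, now));
```

Against the live service, the payload and key would come from the two URLs listed above, and the verification key should be pinned or cross-checked out of band rather than fetched fresh alongside every report.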

What We Don't Store

We do not keep uploaded images beyond your selected retention
We do not store results beyond your selected retention window
We do not store face embeddings permanently
We do not require user accounts for free photo swaps
We do not build datasets from your photos
We do not train AI models on your images

FAQ

Do you store images long term?

No, not by default. Swap Dat Face says uploads and results are deleted within 30 minutes unless a signed-in user explicitly enables extended retention. If extended retention is enabled, the storage window can be increased up to 30 days.

After the chosen window expires, files are scheduled for deletion rather than being kept indefinitely. The architecture page is intended to explain that lifecycle in more detail.

Do I need an account?

No account is required for free photo swaps, including the 3 free photo swaps available every 24 hours. That means the default photo product can be tried without providing an email address first.

An account is required if you want to purchase credits, use GIF or video swaps, or enable longer retention. Those features depend on user-level settings and balances.

Can I delete early?

Yes. If you are using account-based storage features, you can manually delete stored files before the retention window ends. You do not have to wait for automatic cleanup if you want a result removed sooner.

For guest flows, the default behavior is still automatic deletion on the short retention schedule. Manual deletion is most relevant when extended retention is enabled.

Do you train AI models on my images?

No. Swap Dat Face says it uses pre-trained models and does not use customer uploads as training data for those models. Images are processed to complete the requested swap and then deleted on the selected schedule.

That distinction matters because many users want to know whether their uploads become part of a larger dataset. The architecture and privacy materials both frame the answer as no.

Do you track me across the web?

No. The architecture page says the service uses a pseudonymous browser identifier for abuse prevention and credit management rather than for cross-site advertising profiles. It is described as an operational identifier, not an ad-tech tracker.

That means it is intended to help enforce usage limits and protect the service rather than follow users around unrelated websites. The page does not present it as a marketing data product.

Can you absolutely prove you never retain data?

No online service can honestly claim absolute cryptographic proof of every aspect of runtime behavior without very specialized infrastructure. Swap Dat Face explicitly says it cannot provide that kind of perfect proof.

Instead, the stated approach is to minimize retained data, delete it quickly, and publish verifiable operational evidence such as signed retention reports. The goal is transparency and evidence, not an impossible absolute guarantee.

Questions? Contact [email protected]