myav
Sign up

Privacy Policy

Last updated: 2026-05-19

This policy describes what data we collect, why, and your rights. We try to collect as little as possible.

1. Data we collect

Account data. When you create an account, we store your email address and a password hash (Argon2). If you sign in via magic link, we store the email only. If you enable passkey or TOTP 2FA, we store the public key / TOTP secret.

Activity data. We log request IP, timestamp, path, and HTTP status for operational debugging and abuse detection. Access logs are retained for 30 days.

Cookies. See section 4.

Face-swap inputs and outputs. When you submit a face image for the face-swap service, we store it in encrypted storage for the duration of the job, plus 30 days for abuse investigation, then delete. The generated output is retained on your account until you delete it.

Payment data. USDT payments are settled on-chain. We store the sending wallet address, transaction hash, amount, and chain. We do not collect credit-card data.

2. Why we collect it

  • to operate the service (authentication, playback, credits)
  • to prevent and investigate abuse (CSAM, non-consensual deepfakes, payment fraud)
  • to comply with legal obligations (DMCA, lawful access requests)
  • to debug operational issues

3. Third parties

We share the minimum data necessary with the following processors:

  • Cloudflare โ€” edge proxy, DDoS protection, CDN
  • AWS โ€” application hosting, database (Seoul region), transactional email (SES), object storage (S3, Seoul region)
  • RunPod โ€” GPU inference for the face-swap service (master clip + face image sent to the GPU node for the duration of the job)
  • PostHog โ€” product analytics, EU-hosted
  • Sentry โ€” error tracking, EU-hosted
  • Etherscan / TronGrid / BscScan / Alchemy โ€” public-chain indexers for payment verification (sending address + tx hash only)

We do not sell personal data.

4. Cookies

  • age_verified โ€” set when you confirm the 18+ gate; 1 year
  • better-auth.session_token โ€” your sign-in session; cleared on sign-out
  • lang โ€” your locale preference, when set explicitly

We do not use third-party advertising or tracking cookies.

5. Your rights

Depending on your jurisdiction (GDPR โ€” EU/UK, CCPA โ€” California, and similar laws elsewhere), you may have the right to:

  • request a copy of the personal data we hold about you
  • request correction or deletion
  • object to processing or withdraw consent
  • lodge a complaint with your data-protection authority

To exercise these rights, email [email protected] or use the /legal/contact form. We will respond within 30 days.

6. Children

The service is for adults only (18+). We do not knowingly collect data from anyone under 18. If you believe a minor has created an account, please email [email protected] and we will delete it.

7. International transfers

Data is stored in the AWS Asia-Pacific (Seoul) region. If you access the service from outside that region your data is transferred to Seoul to be processed.

8. Changes

We may update this policy. Material changes will be announced via a banner at least 7 days before they take effect.

9. Contact

Privacy questions: [email protected] or /legal/contact.