Privacy Policy
Effective · 25 May 2026
  1. Introduction
  2. Information We Collect
  3. How We Use Information
  4. Legal Bases (UK/EU)
  5. How We Share Information
  6. International Transfers
  7. Data Retention
  8. Your Privacy Rights
  9. California Rights
  10. Cookies & Tracking
  11. Children's Privacy
  12. Data Security
  13. Changes to this Policy
  14. Contact Us

Effective 25 May 2026 · Version 1.0

This Privacy Policy explains how Deepfake Detector Inc. ("Deepfake Detector," "we," "us," or "our") collects, uses, shares, and protects personal information when you visit deepfakedetector.ai, use our browser extension, call our API, or otherwise interact with our services (collectively, the "Service"). We have written this policy to comply with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Quebec's Act respecting the protection of personal information in the private sector (Law 25), the EU General Data Protection Regulation (Regulation 2016/679) and UK GDPR for our EU and UK users, the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), and the privacy laws of Colorado, Connecticut, Utah, and Virginia. If you have questions, contact our Data Protection Officer at privacy@deepfakedetector.ai.

01 Introduction

Deepfake Detector is a synthetic-media detection service incorporated in Quebec, Canada, with its registered office at 410 rue Saint-Nicolas, Suite 236, Montreal, Quebec H2Y 2P5, Canada. We are the data controller for personal information processed through the Service unless we are clearly acting as a processor on behalf of a customer (for example, when a business customer uploads files belonging to its end users under an Enterprise agreement).

This policy applies to:

  • Visitors to deepfakedetector.ai and any of its subdomains;
  • Users of the Deepfake Detector browser extension distributed via the Chrome Web Store and other supported stores;
  • Developers and applications calling our public detection API;
  • Account holders on any pricing tier (Free, Starter, Business, or Enterprise);
  • Recipients of marketing or transactional emails from us.

This policy does not apply to third-party websites, products, or services that link to or integrate with the Service. Their data practices are governed by their own privacy policies.

02 Information We Collect

2.1 Information you provide directly

  • Account information. When you create an account, we collect your name, email address, organization name (optional), and a salted, hashed copy of your password. We never store passwords in plaintext.
  • Billing information. If you subscribe to a paid plan, our payment processor (Stripe, Inc.) collects your payment-card or bank-account details and tokenizes them. We receive only a payment token, the last four digits of the card, the card brand, the expiration date, the billing country, and the postal code. We do not store full card numbers.
  • Submitted media. The audio, video, and image files you upload for detection. We treat these files as confidential and process them as described in Section 3.
  • Communications. When you contact our support, sales, or legal teams, we retain the content of your communications (including email subject lines, message bodies, and any attachments) and our responses.
  • Optional profile information. Job title, industry, country of residence, and other fields you choose to provide via account settings or signup forms.

2.2 Information collected automatically

  • Device and connection information. IP address, browser type and version, operating system, device identifiers, language preference, referring URL, and the date and time of each request.
  • Usage telemetry. Pages viewed, features used, detection requests submitted, error events, performance metrics (page-load time, time to first byte, API response latency), and aggregate-level click and scroll data.
  • Detection metadata. For each detection request, we log a hash of the input file (not the file itself after the retention window expires), the verdict ("authentic," "likely synthetic," or "inconclusive"), the confidence score, the detection model version, and the request timestamp. This metadata is used for billing, abuse prevention, and accuracy monitoring.
  • Cookies and similar technologies. See Section 10 for details.

2.3 Information from third parties

  • Identity providers. If you sign in using a third-party identity provider (for example, Google or Microsoft), we receive the basic profile information that provider shares with us under your authorization.
  • Payment processors. Stripe shares transaction status, fraud signals, and dispute information with us.
  • Analytics and advertising platforms. Where applicable and where you have consented to non-essential cookies, we may receive de-identified audience signals from Google Analytics, Meta, or LinkedIn.
  • Threat intelligence. We receive abuse signals from third-party security providers to identify and block automated attacks, credential stuffing, and known-malicious infrastructure.

03 How We Use Information

We use the information we collect for the following purposes:

  • To provide the Service. Authenticating you, processing detection requests, returning verdicts and confidence scores, displaying account dashboards, and enabling the browser extension and API.
  • To bill and collect payment. Initiating subscription charges, recording usage against tier limits, applying coupons, processing refunds, and recovering failed payments.
  • To improve detection accuracy. Aggregated, de-identified metrics about detection outcomes (verdict distributions, confidence histograms, false-positive feedback) inform model retraining. We do not train models on your submitted media unless you explicitly opt in via a separate consent dialog presented at upload time.
  • To detect, prevent, and respond to abuse. Rate limiting, fraud detection, account-takeover prevention, denial-of-service protection, and investigation of policy violations.
  • To communicate with you. Sending transactional emails (receipts, password resets, account-security alerts), responding to your inquiries, sending product updates, and—only with your consent or as permitted by applicable law—sending marketing emails. You can opt out of marketing emails at any time via the unsubscribe link.
  • To comply with legal obligations. Responding to lawful requests from courts, regulators, or law-enforcement authorities; responding to data-subject requests; maintaining records required by tax and accounting law.
  • To enforce our agreements. Investigating violations of our Terms of Service or Acceptable Use Policy, and protecting our rights, property, and safety.
  • To conduct business analytics and research. Understanding usage patterns, measuring marketing campaign effectiveness, performing A/B tests on the Service, and preparing internal reports.

04 Legal Bases for Processing (UK / EU Users)

If you are located in the United Kingdom, the European Economic Area, or Switzerland, the following legal bases under Article 6(1) of the UK/EU GDPR apply to our processing of your personal information:

| Processing Purpose | Legal Basis |
|---|---|
| Providing the Service to you under your subscription | Contract (Art. 6(1)(b)) |
| Processing payments and managing billing | Contract (Art. 6(1)(b)) |
| Sending transactional emails (receipts, security alerts) | Contract (Art. 6(1)(b)) |
| Improving accuracy through aggregated, de-identified metrics | Legitimate interests (Art. 6(1)(f)) |
| Training models on your media (where opted in) | Consent (Art. 6(1)(a)) |
| Marketing communications | Consent (Art. 6(1)(a)) or, where permitted, legitimate interests (Art. 6(1)(f)) |
| Detecting and preventing abuse and fraud | Legitimate interests (Art. 6(1)(f)) |
| Complying with tax, accounting, and other legal obligations | Legal obligation (Art. 6(1)(c)) |
| Enforcing our Terms of Service | Legitimate interests (Art. 6(1)(f)) |

Where we rely on legitimate interests, we have conducted a Legitimate Interests Assessment balancing our interests against your rights and freedoms. You may request a copy of the assessment by contacting privacy@deepfakedetector.ai.

05 How We Share Information

We share personal information only as described below. We do not sell personal information for monetary consideration, and we do not engage in "sharing" of personal information for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA.

5.1 Service providers (subprocessors)

We engage the following categories of service providers to operate the Service. Each provider is bound by a written data-processing agreement that imposes confidentiality, security, and processing-limitation obligations consistent with this policy and applicable law.

| Provider | Purpose | Region |
|---|---|---|
| Vercel, Inc. | Web hosting and edge delivery | United States · EU |
| Cloudflare, Inc. | DNS, CDN, DDoS protection | Global anycast |
| Amazon Web Services | Object storage, compute, model inference | EU (eu-west-1) · US |
| Stripe, Inc. | Payment processing | United States · Ireland |
| Resend | Transactional email delivery | United States |
| Google Workspace | Internal email, document storage | EU · United States |
| Google Analytics 4 (if enabled) | Aggregate website analytics | EU · United States |
| Sentry / Datadog | Error monitoring, performance telemetry | United States |

A current list of subprocessors is maintained at deepfakedetector.ai/privacy#s5. Enterprise customers may request thirty (30) days' advance notice of new subprocessors by emailing privacy@deepfakedetector.ai.

5.2 Legal and safety disclosures

We may disclose personal information when we have a good-faith belief that disclosure is necessary to (a) comply with applicable law or a valid legal process (including subpoenas, court orders, or government requests); (b) enforce our Terms of Service; (c) protect the rights, property, or safety of Deepfake Detector, our users, or the public; or (d) detect, prevent, or otherwise address fraud, security, or technical issues. Where legally permitted, we will notify you before disclosing your personal information in response to legal process.

5.3 Business transfers

If Deepfake Detector is involved in a merger, acquisition, financing, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, your personal information may be sold or transferred as part of that transaction. We will notify you of any such transaction and the resulting changes to this policy.

5.4 With your consent or at your direction

We may share information with third parties when you direct us to do so—for example, by integrating the Service with a third-party application via API key.

06 International Data Transfers

Deepfake Detector is headquartered in the United Kingdom, and several of our subprocessors are located in the United States and other jurisdictions. When we transfer personal information out of the United Kingdom or the European Economic Area, we rely on one or more of the following safeguards:

  • Adequacy decisions. Where the receiving country is recognized by the UK Government or the European Commission as providing an adequate level of data protection (for example, US providers certified under the EU–US and UK–US Data Privacy Frameworks).
  • Standard Contractual Clauses (SCCs). We use the European Commission's 2021 Standard Contractual Clauses and the UK International Data Transfer Addendum with subprocessors not covered by an adequacy decision.
  • Supplementary measures. Encryption in transit (TLS 1.3) and at rest (AES-256), strict access controls, and contractual restrictions on government-access disclosures.

You may request a copy of the transfer mechanism applicable to a particular subprocessor by emailing privacy@deepfakedetector.ai.

07 Data Retention

We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. Specific retention periods are:

| Category | Retention Period |
|---|---|
| Submitted media files | Deleted from primary storage within 60 seconds of analysis completion, unless you explicitly opt into retention |
| Detection metadata (verdict, confidence, file hash) | 13 months from request, then aggregated and de-identified |
| Account information | For the lifetime of the account plus 90 days after closure |
| Billing and tax records | 7 years (Canada Revenue Agency and US IRS requirements) |
| Email communications | 3 years from last interaction |
| Server logs | 30 days for raw logs; 13 months for aggregated analytics |
| Backups | 35 days, automatically purged on a rolling basis |

Where you have requested deletion under Section 8, we will erase or anonymize your personal information within the timeframe required by applicable law (generally within 30 days), except where retention is required by law (for example, billing records) or necessary to defend legal claims.

08 Your Privacy Rights

Depending on your location, you have one or more of the following rights with respect to your personal information:

  • Right of access. Request a copy of the personal information we hold about you.
  • Right to rectification. Request correction of inaccurate or incomplete information.
  • Right to erasure ("right to be forgotten"). Request that we delete your personal information, subject to limited exceptions.
  • Right to restriction. Request that we limit our processing of your information.
  • Right to data portability. Receive a copy of your information in a structured, commonly used, machine-readable format and transmit it to another controller.
  • Right to object. Object to processing based on legitimate interests or for direct marketing purposes.
  • Right to withdraw consent. Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
  • Right not to be subject to automated decision-making. We do not use personal information for automated decision-making that produces legal or similarly significant effects without your explicit consent and meaningful human review.
  • Right to lodge a complaint with a supervisory authority. If you are in Canada, contact the Office of the Privacy Commissioner of Canada (priv.gc.ca) or, in Quebec, the Commission d'accès à l'information du Québec (cai.gouv.qc.ca). If you are in the UK or EU/EEA, contact the UK Information Commissioner's Office (ico.org.uk) or your local data-protection authority.

To exercise any of these rights, email privacy@deepfakedetector.ai or submit a request through your account settings. We will respond within thirty (30) days, or within forty-five (45) days for complex requests, and may request reasonable verification of your identity before fulfilling the request. Exercising your rights is free of charge unless your request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request.

09 California & Other US State Rights

9.1 California (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

  • Right to know. Request disclosure of the categories and specific pieces of personal information we have collected about you in the prior twelve (12) months, the sources, the business or commercial purposes for which we collected the information, and the categories of third parties with whom we shared the information.
  • Right to delete. Request deletion of personal information we collected from you.
  • Right to correct. Request correction of inaccurate personal information.
  • Right to opt out of "sale" or "sharing." We do not sell or share your personal information as those terms are defined under the CCPA/CPRA. There is therefore nothing to opt out of, but you may submit a request to confirm this at any time.
  • Right to limit use of sensitive personal information. We do not use sensitive personal information for purposes other than those permitted under CPRA Section 1798.121(a).
  • Right to non-discrimination. We will not deny you services, charge you a different price, or provide a different level of service because you exercised any of these rights.

To exercise these rights, email privacy@deepfakedetector.ai with the subject line "California Privacy Request." You may also designate an authorized agent to act on your behalf; we will require written authorization from you and verification of the agent's identity.

9.2 Other US states

Residents of Colorado (Colorado Privacy Act), Connecticut (Connecticut Data Privacy Act), Utah (Utah Consumer Privacy Act), and Virginia (Virginia Consumer Data Protection Act) have rights substantially similar to those described in Sections 8 and 9.1, including the rights to access, correct, delete, and opt out of targeted advertising, sale of personal data, and certain profiling. To exercise these rights, contact privacy@deepfakedetector.ai.

9.3 "Do Not Track" and Global Privacy Control

Some browsers transmit "Do Not Track" or Global Privacy Control (GPC) signals. We honor GPC signals as opt-out requests from CCPA "sale/sharing" and from non-essential cookie tracking. Because there is no industry consensus on how to interpret "Do Not Track," we do not respond differently to that signal.

10 Cookies & Tracking Technologies

We use the following categories of cookies and similar technologies:

| Category | Purpose | Lifespan |
|---|---|---|
| Strictly necessary | Authentication, CSRF protection, load balancing, session continuity | Session and up to 30 days |
| Functional | Remembering preferences such as language and dark-mode setting | Up to 12 months |
| Analytics | Measuring website usage and performance | Up to 13 months |
| Marketing (where enabled) | Measuring marketing campaign effectiveness; remarketing audiences | Up to 12 months |

Strictly necessary cookies do not require consent and cannot be disabled while you use the Service. All other categories are presented in a cookie banner on first visit, and you may change your preferences at any time via the "Cookie Settings" link in the footer. You can also configure your browser to block or delete cookies; doing so may impair some functionality.

We do not use cross-device tracking pixels except where you have explicitly consented to marketing cookies.

11 Children's Privacy

The Service is not directed to children, and we do not knowingly collect personal information from children under 16 years of age (under 13 in the United States, in accordance with the Children's Online Privacy Protection Act). If we become aware that we have collected personal information from a child under the applicable age without verifiable parental consent, we will take reasonable steps to delete that information promptly. If you believe we may have collected personal information from a child, please contact privacy@deepfakedetector.ai.

12 Data Security

We implement administrative, technical, and physical safeguards designed to protect personal information against accidental loss and unauthorized access, use, alteration, or disclosure. Our security program is informed by ISO 27001 controls and is independently assessed under the SOC 2 Type II framework on an annual basis. Specific measures include:

  • TLS 1.3 encryption for all data in transit;
  • AES-256 encryption for all data at rest in primary storage and backups;
  • Role-based access control with mandatory multi-factor authentication for all employees;
  • Principle-of-least-privilege production access; production access is logged and audited;
  • Secure software development lifecycle, including peer code review and static analysis;
  • Continuous vulnerability scanning and quarterly penetration testing;
  • Network segmentation and intrusion detection on the production environment;
  • Incident-response procedures with defined escalation paths and post-incident review.

No system is completely secure. If we become aware of a personal-data breach that creates a high risk to your rights and freedoms, we will notify you and the relevant supervisory authority within the timeframes required by applicable law (72 hours under UK/EU GDPR; "without unreasonable delay" under most US state laws).

13 Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, in technology, in law, or in regulatory guidance. The "Effective" date at the top of this page indicates when the most recent version became effective. For material changes, we will provide notice through one or more of the following channels at least thirty (30) days before the change takes effect:

  • An email to the address associated with your account;
  • A prominent notice on the Service prior to the change taking effect;
  • A revised version of this policy published at deepfakedetector.ai/privacy.

Your continued use of the Service after the effective date of an updated policy constitutes acceptance of the changes. If you do not agree to the revised policy, you should stop using the Service and may close your account in accordance with our Terms of Service.

14 Contact Us

For privacy questions, data-subject requests, or to report a privacy concern, please contact our Data Protection Officer:

By email: privacy@deepfakedetector.ai
By post: Data Protection Officer, Deepfake Detector Inc., 410 rue Saint-Nicolas, Suite 236, Montreal, Quebec H2Y 2P5, Canada

EU representative: Under Article 27 GDPR, we have appointed a representative in the European Union for data-subject inquiries from EEA residents. Contact details are available on request.

Supervisory authority: If you believe we have processed your personal information unlawfully, you have the right to lodge a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca), the Quebec Commission d'accès à l'information (cai.gouv.qc.ca), the UK Information Commissioner's Office (ico.org.uk), or your local EU/EEA data-protection authority.

This policy was last reviewed by counsel on the effective date shown above. We recommend reviewing this page periodically to stay informed of our current privacy practices.