Privacy Policy
This Privacy Policy explains how Deepfake Detector Inc. ("Deepfake Detector," "we," "us," or "our") collects, uses, shares, and protects personal information when you visit deepfakedetector.ai, use our browser extension, call our API, or otherwise interact with our services (collectively, the "Service"). We have written this policy to comply with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Quebec's Act respecting the protection of personal information in the private sector (Law 25), the EU General Data Protection Regulation (Regulation 2016/679) and UK GDPR for our EU and UK users, the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), and the privacy laws of Colorado, Connecticut, Utah, and Virginia. If you have questions, contact our Data Protection Officer at privacy@deepfakedetector.ai.
01 Introduction
Deepfake Detector is a synthetic-media detection service incorporated in Quebec, Canada, with its registered office at 410 rue Saint-Nicolas, Suite 236, Montreal, Quebec H2Y 2P5, Canada. We are the data controller for personal information processed through the Service unless we are clearly acting as a processor on behalf of a customer (for example, when a business customer uploads files belonging to its end users under an Enterprise agreement).
This policy applies to:
- Visitors to deepfakedetector.ai and any of its subdomains;
- Users of the Deepfake Detector browser extension distributed via the Chrome Web Store and other supported stores;
- Developers and applications calling our public detection API;
- Account holders on any pricing tier (Free, Starter, Business, or Enterprise);
- Recipients of marketing or transactional emails from us.
This policy does not apply to third-party websites, products, or services that link to or integrate with the Service. Their data practices are governed by their own privacy policies.
02 Information We Collect
2.1 Information you provide directly
- Account information. When you create an account, we collect your name, email address, organization name (optional), and a salted, hashed copy of your password. We never store passwords in plaintext.
- Billing information. If you subscribe to a paid plan, our payment processor (Stripe, Inc.) collects your payment-card or bank-account details and tokenizes them. We receive only a payment token, the last four digits of the card, the card brand, the expiration date, the billing country, and the postal code. We do not store full card numbers.
- Submitted media. The audio, video, and image files you upload for detection. We treat these files as confidential and process them as described in Section 3.
- Communications. When you contact our support, sales, or legal teams, we retain the content of your communications (including email subject lines, message bodies, and any attachments) and our responses.
- Optional profile information. Job title, industry, country of residence, and other fields you choose to provide via account settings or signup forms.
2.2 Information collected automatically
- Device and connection information. IP address, browser type and version, operating system, device identifiers, language preference, referring URL, and the date and time of each request.
- Usage telemetry. Pages viewed, features used, detection requests submitted, error events, performance metrics (page-load time, time to first byte, API response latency), and aggregate-level click and scroll data.
- Detection metadata. For each detection request, we log a hash of the input file (not the file itself after the retention window expires), the verdict ("authentic," "likely synthetic," or "inconclusive"), the confidence score, the detection model version, and the request timestamp. This metadata is used for billing, abuse prevention, and accuracy monitoring.
- Cookies and similar technologies. See Section 10 for details.
2.3 Information from third parties
- Identity providers. If you sign in using a third-party identity provider (for example, Google or Microsoft), we receive the basic profile information that provider shares with us under your authorization.
- Payment processors. Stripe shares transaction status, fraud signals, and dispute information with us.
- Analytics and advertising platforms. Where applicable and where you have consented to non-essential cookies, we may receive de-identified audience signals from Google Analytics, Meta, or LinkedIn.
- Threat intelligence. We receive abuse signals from third-party security providers to identify and block automated attacks, credential stuffing, and known-malicious infrastructure.
03 How We Use Information
We use the information we collect for the following purposes:
- To provide the Service. Authenticating you, processing detection requests, returning verdicts and confidence scores, displaying account dashboards, and enabling the browser extension and API.
- To bill and collect payment. Initiating subscription charges, recording usage against tier limits, applying coupons, processing refunds, and recovering failed payments.
- To improve detection accuracy. Aggregated, de-identified metrics about detection outcomes (verdict distributions, confidence histograms, false-positive feedback) inform model retraining. We do not train models on your submitted media unless you explicitly opt in via a separate consent dialog presented at upload time.
- To detect, prevent, and respond to abuse. Rate limiting, fraud detection, account-takeover prevention, denial-of-service protection, and investigation of policy violations.
- To communicate with you. Sending transactional emails (receipts, password resets, account-security alerts), responding to your inquiries, sending product updates, and—only with your consent or as permitted by applicable law—sending marketing emails. You can opt out of marketing emails at any time via the unsubscribe link.
- To comply with legal obligations. Responding to lawful requests from courts, regulators, or law-enforcement authorities; responding to data-subject requests; maintaining records required by tax and accounting law.
- To enforce our agreements. Investigating violations of our Terms of Service or Acceptable Use Policy, and protecting our rights, property, and safety.
- To conduct business analytics and research. Understanding usage patterns, measuring marketing campaign effectiveness, performing A/B tests on the Service, and preparing internal reports.
04 Legal Bases for Processing (UK / EU Users)
If you are located in the United Kingdom, the European Economic Area, or Switzerland, the following legal bases under Article 6(1) of the UK/EU GDPR apply to our processing of your personal information:
| Processing Purpose | Legal Basis |
|---|---|
| Providing the Service to you under your subscription | Contract (Art. 6(1)(b)) |
| Processing payments and managing billing | Contract (Art. 6(1)(b)) |
| Sending transactional emails (receipts, security alerts) | Contract (Art. 6(1)(b)) |
| Improving accuracy through aggregated, de-identified metrics | Legitimate interests (Art. 6(1)(f)) |
| Training models on your media (where opted in) | Consent (Art. 6(1)(a)) |
| Marketing communications | Consent (Art. 6(1)(a)) or, where permitted, legitimate interests (Art. 6(1)(f)) |
| Detecting and preventing abuse and fraud | Legitimate interests (Art. 6(1)(f)) |
| Complying with tax, accounting, and other legal obligations | Legal obligation (Art. 6(1)(c)) |
| Enforcing our Terms of Service | Legitimate interests (Art. 6(1)(f)) |
Where we rely on legitimate interests, we have conducted a Legitimate Interests Assessment balancing our interests against your rights and freedoms. You may request a copy of the assessment by contacting privacy@deepfakedetector.ai.
05 How We Share Information
We share personal information only as described below. We do not sell personal information for monetary consideration, and we do not engage in "sharing" of personal information for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA.
5.1 Service providers (subprocessors)
We engage the following categories of service providers to operate the Service. Each provider is bound by a written data-processing agreement that imposes confidentiality, security, and processing-limitation obligations consistent with this policy and applicable law.
| Provider | Purpose | Region |
|---|---|---|
| Vercel, Inc. | Web hosting and edge delivery | United States · EU |
| Cloudflare, Inc. | DNS, CDN, DDoS protection | Global anycast |
| Amazon Web Services | Object storage, compute, model inference | EU (eu-west-1) · US |
| Stripe, Inc. | Payment processing | United States · Ireland |
| Resend | Transactional email delivery | United States |
| Google Workspace | Internal email, document storage | EU · United States |
| Google Analytics 4 (if enabled) | Aggregate website analytics | EU · United States |
| Sentry / Datadog | Error monitoring, performance telemetry | United States |
A current list of subprocessors is maintained at deepfakedetector.ai/privacy#s5. Enterprise customers may request thirty (30) days' advance notice of new subprocessors by emailing privacy@deepfakedetector.ai.
5.2 Legal and safety disclosures
We may disclose personal information when we have a good-faith belief that disclosure is necessary to (a) comply with applicable law or a valid legal process (including subpoenas, court orders, or government requests); (b) enforce our Terms of Service; (c) protect the rights, property, or safety of Deepfake Detector, our users, or the public; or (d) detect, prevent, or otherwise address fraud, security, or technical issues. Where legally permitted, we will notify you before disclosing your personal information in response to legal process.
5.3 Business transfers
If Deepfake Detector is involved in a merger, acquisition, financing, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, your personal information may be sold or transferred as part of that transaction. We will notify you of any such transaction and the resulting changes to this policy.
5.4 With your consent or at your direction
We may share information with third parties when you direct us to do so—for example, by integrating the Service with a third-party application via API key.
06 International Data Transfers
Deepfake Detector is headquartered in the United Kingdom, and several of our subprocessors are located in the United States and other jurisdictions. When we transfer personal information out of the United Kingdom or the European Economic Area, we rely on one or more of the following safeguards:
- Adequacy decisions. Where the receiving country is recognized by the UK Government or the European Commission as providing an adequate level of data protection (for example, US providers certified under the EU–US and UK–US Data Privacy Frameworks).
- Standard Contractual Clauses (SCCs). We use the European Commission's 2021 Standard Contractual Clauses and the UK International Data Transfer Addendum with subprocessors not covered by an adequacy decision.
- Supplementary measures. Encryption in transit (TLS 1.3) and at rest (AES-256), strict access controls, and contractual restrictions on government-access disclosures.
You may request a copy of the transfer mechanism applicable to a particular subprocessor by emailing privacy@deepfakedetector.ai.
07 Data Retention
We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. Specific retention periods are:
| Category | Retention Period |
|---|---|
| Submitted media files | Deleted from primary storage within 60 seconds of analysis completion, unless you explicitly opt into retention |
| Detection metadata (verdict, confidence, file hash) | 13 months from request, then aggregated and de-identified |
| Account information | For the lifetime of the account plus 90 days after closure |
| Billing and tax records | 7 years (Canada Revenue Agency and US IRS requirements) |
| Email communications | 3 years from last interaction |
| Server logs | 30 days for raw logs; 13 months for aggregated analytics |
| Backups | 35 days, automatically purged on a rolling basis |
Where you have requested deletion under Section 8, we will erase or anonymize your personal information within the timeframe required by applicable law (generally within 30 days), except where retention is required by law (for example, billing records) or necessary to defend legal claims.
08 Your Privacy Rights
Depending on your location, you have one or more of the following rights with respect to your personal information:
- Right of access. Request a copy of the personal information we hold about you.
- Right to rectification. Request correction of inaccurate or incomplete information.
- Right to erasure ("right to be forgotten"). Request that we delete your personal information, subject to limited exceptions.
- Right to restriction. Request that we limit our processing of your information.
- Right to data portability. Receive a copy of your information in a structured, commonly used, machine-readable format and transmit it to another controller.
- Right to object. Object to processing based on legitimate interests or for direct marketing purposes.
- Right to withdraw consent. Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
- Right not to be subject to automated decision-making. We do not use personal information for automated decision-making that produces legal or similarly significant effects without your explicit consent and meaningful human review.
- Right to lodge a complaint with a supervisory authority. If you are in Canada, contact the Office of the Privacy Commissioner of Canada (priv.gc.ca) or, in Quebec, the Commission d'accès à l'information du Québec (cai.gouv.qc.ca). If you are in the UK or EU/EEA, contact the UK Information Commissioner's Office (ico.org.uk) or your local data-protection authority.
To exercise any of these rights, email privacy@deepfakedetector.ai or submit a request through your account settings. We will respond within thirty (30) days, or within forty-five (45) days for complex requests, and may request reasonable verification of your identity before fulfilling the request. Exercising your rights is free of charge unless your request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request.
09 California & Other US State Rights
9.1 California (CCPA / CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:
- Right to know. Request disclosure of the categories and specific pieces of personal information we have collected about you in the prior twelve (12) months, the sources, the business or commercial purposes for which we collected the information, and the categories of third parties with whom we shared the information.
- Right to delete. Request deletion of personal information we collected from you.
- Right to correct. Request correction of inaccurate personal information.
- Right to opt out of "sale" or "sharing." We do not sell or share your personal information as those terms are defined under the CCPA/CPRA. There is therefore nothing to opt out of, but you may submit a request to confirm this at any time.
- Right to limit use of sensitive personal information. We do not use sensitive personal information for purposes other than those permitted under CPRA Section 1798.121(a).
- Right to non-discrimination. We will not deny you services, charge you a different price, or provide a different level of service because you exercised any of these rights.
To exercise these rights, email privacy@deepfakedetector.ai with the subject line "California Privacy Request." You may also designate an authorized agent to act on your behalf; we will require written authorization from you and verification of the agent's identity.
9.2 Other US states
Residents of Colorado (Colorado Privacy Act), Connecticut (Connecticut Data Privacy Act), Utah (Utah Consumer Privacy Act), and Virginia (Virginia Consumer Data Protection Act) have rights substantially similar to those described in Sections 8 and 9.1, including the rights to access, correct, delete, and opt out of targeted advertising, sale of personal data, and certain profiling. To exercise these rights, contact privacy@deepfakedetector.ai.
9.3 "Do Not Track" and Global Privacy Control
Some browsers transmit "Do Not Track" or Global Privacy Control (GPC) signals. We honor GPC signals as opt-out requests from CCPA "sale/sharing" and from non-essential cookie tracking. Because there is no industry consensus on how to interpret "Do Not Track," we do not respond differently to that signal.
10 Cookies & Tracking Technologies
We use the following categories of cookies and similar technologies:
| Category | Purpose | Lifespan |
|---|---|---|
| Strictly necessary | Authentication, CSRF protection, load balancing, session continuity | Session and up to 30 days |
| Functional | Remembering preferences such as language and dark-mode setting | Up to 12 months |
| Analytics | Measuring website usage and performance | Up to 13 months |
| Marketing (where enabled) | Measuring marketing campaign effectiveness; remarketing audiences | Up to 12 months |
Strictly necessary cookies do not require consent and cannot be disabled while you use the Service. All other categories are presented in a cookie banner on first visit, and you may change your preferences at any time via the "Cookie Settings" link in the footer. You can also configure your browser to block or delete cookies; doing so may impair some functionality.
We do not use cross-device tracking pixels except where you have explicitly consented to marketing cookies.
11 Children's Privacy
The Service is not directed to children, and we do not knowingly collect personal information from children under 16 years of age (under 13 in the United States, in accordance with the Children's Online Privacy Protection Act). If we become aware that we have collected personal information from a child under the applicable age without verifiable parental consent, we will take reasonable steps to delete that information promptly. If you believe we may have collected personal information from a child, please contact privacy@deepfakedetector.ai.
12 Data Security
We implement administrative, technical, and physical safeguards designed to protect personal information against accidental loss and unauthorized access, use, alteration, or disclosure. Our security program is informed by ISO 27001 controls and is independently assessed under the SOC 2 Type II framework on an annual basis. Specific measures include:
- TLS 1.3 encryption for all data in transit;
- AES-256 encryption for all data at rest in primary storage and backups;
- Role-based access control with mandatory multi-factor authentication for all employees;
- Principle-of-least-privilege production access; production access is logged and audited;
- Secure software development lifecycle, including peer code review and static analysis;
- Continuous vulnerability scanning and quarterly penetration testing;
- Network segmentation and intrusion detection on the production environment;
- Incident-response procedures with defined escalation paths and post-incident review.
No system is completely secure. If we become aware of a personal-data breach that creates a high risk to your rights and freedoms, we will notify you and the relevant supervisory authority within the timeframes required by applicable law (72 hours under UK/EU GDPR; "without unreasonable delay" under most US state laws).
13 Changes to this Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, in technology, in law, or in regulatory guidance. The "Effective" date at the top of this page indicates when the most recent version became effective. For material changes, we will provide notice through one or more of the following channels at least thirty (30) days before the change takes effect:
- An email to the address associated with your account;
- A prominent notice on the Service prior to the change taking effect;
- A revised version of this policy published at deepfakedetector.ai/privacy.
Your continued use of the Service after the effective date of an updated policy constitutes acceptance of the changes. If you do not agree to the revised policy, you should stop using the Service and may close your account in accordance with our Terms of Service.
14 Contact Us
For privacy questions, data-subject requests, or to report a privacy concern, please contact our Data Protection Officer:
By email: privacy@deepfakedetector.ai
By post: Data Protection Officer, Deepfake Detector Inc., 410 rue Saint-Nicolas, Suite 236, Montreal, Quebec H2Y 2P5, Canada
EU representative: Under Article 27 GDPR, we have appointed a representative in the European Union for data-subject inquiries from EEA residents. Contact details are available on request.
Supervisory authority: If you believe we have processed your personal information unlawfully, you have the right to lodge a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca), the Quebec Commission d'accès à l'information (cai.gouv.qc.ca), the UK Information Commissioner's Office (ico.org.uk), or your local EU/EEA data-protection authority.