Privacy Policy

01 Introduction

Welcome to Mogcheck, operated by Mogcheck LLC. This Privacy Policy explains how we handle account, guest-session, scan, payment, analytics, and camera-input information for the Mogcheck Lab scanner and related features.

References to "Mogcheck," "we," "us," or "our" in this Privacy Policy refer to Mogcheck LLC and its authorized agents.

02 Biometric data processing

Mogcheck uses MediaPipe WebAssembly for facial landmark tracking and facial analysis. Our approach is designed so the scan and facial analysis run locally on your device rather than serving as a permanent identity record:

• Client-side processing: Facial scanning, landmark detection, and biometric analysis run locally in your browser.
• No server storage of faceprints: We do not store, sell, lease, trade, or otherwise profit from facial meshes, faceprints, or face templates.
• Ephemeral processing: Once a scan session ends, the local biometric mapping is immediately discarded from your device's active memory.
• Lab reports: Lab scans are processed locally in your browser. Lab scan results, snapshots, overlay points, raw video, continuous camera feeds, dense landmark arrays, faceprints, and face templates are not uploaded or stored by Mogcheck.
• What we do store: Only the numeric metrics you choose to save to your account (if you have one) and a boolean indicating that a scan was completed. These records contain no biometric template content.

If you are a resident of Illinois, Texas, or Washington, please also see Section 6 ("Biometric Information Privacy Act") below for state-specific disclosures.

03 General data collection

To operate Mogcheck and let you save Lab reports across sessions, we store minimal account-level information including:

• Authentication descriptors provided during login (managed by Supabase).
• Guest session identifiers for anonymous use before an account is claimed.
• Your username and selected display preferences.
• Numeric Lab metrics you save to your account (not images or meshes).
• Payment metadata returned by Stripe for paid features (we never see card numbers).
• Analytics events from Google Analytics 4, Vercel Analytics, and Vercel Speed Insights — these services may receive online identifiers, IP address, user agent, page path, referrer, device/browser information, and event metadata such as button clicks. We do not permit these services to use your face images, biometric-adjacent data, Lab report data, or moderation evidence for advertising or model training. Where required, we honor Global Privacy Control (GPC) and privacy-choice signals before loading non-essential analytics.

This non-biometric data is securely stored in our databases to provide you with the persistent features of the Mogcheck platform.

04 Guest sessions and account claims

Mogcheck lets you run a scan as a guest so you can try the Lab without first creating a permanent account. A guest profile may have a temporary display name, saved Lab metrics, device/session identifiers, and anti-abuse logs associated with it.

Guest access is intended to be temporary. If you claim your profile with Google or another supported sign-in method, we link the guest data that is reasonably available in your current browser session to the claimed account. If you clear browser storage, use a different device, or wait too long, guest data may become unavailable and may not be recoverable.

Guest sessions are still subject to this Privacy Policy, the Terms of Service, and our safety systems. We may limit, suspend, or delete guest sessions to prevent abuse, enforce age and safety requirements, or keep the Service reliable.

05 Data retention

We keep each category of data only as long as needed for the purpose it was collected. Lab scan imagery and landmark arrays are not written to our servers.

You may request earlier deletion at any time via the Account settings or by emailing privacy@mogcheck.com.

06 Biometric Information Privacy Act (BIPA / CUBI / HB 1493)

If you reside in Illinois (BIPA, 740 ILCS 14), Texas (CUBI, Bus. & Com. Code §503.001), or Washington (HB 1493, RCW 19.375), the following applies to you:

• What we process: ephemeral facial landmark coordinates generated in-browser by MediaPipe for the purposes of deriving local Lab report metrics.
• What we do not do: We do not create, collect, capture, purchase, receive through trade, sell, lease, trade, or otherwise profit from a biometric identifier or biometric information as those terms are defined under BIPA. We do not retain faceprints or face templates.
• Retention schedule: Lab landmark values are destroyed at the end of the scan session and are not stored as faceprints or templates.
• Consent: By starting a scan, you acknowledge you have read this policy and the Terms of Service and provide informed written consent (via electronic signature) to the local processing described here.

07 Your rights (GDPR / UK GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the right to:

• Access the personal data we hold about you.
• Request correction or deletion of inaccurate or unnecessary data.
• Object to or restrict processing, including withdrawing consent at any time.
• Receive your data in a portable, machine-readable format.
• Lodge a complaint with your local supervisory authority.

Our legal bases for processing are (a) your consent (camera access, marketing emails), (b) performance of a contract (saved Lab reports, subscriptions), and (c) legitimate interests (fraud prevention, rate limiting). Contact privacy@mogcheck.com to exercise any of these rights.

08 Your rights (CCPA / CPRA — California)

California residents have the right to know what personal information we collect, to request deletion, to correct inaccurate information, to limit the use of sensitive personal information, and to opt out of the "sale" or "sharing" of personal information as those terms are defined under the CCPA/CPRA. We do not use or disclose sensitive personal information (including biometric data) for purposes other than those permitted by §7027(m) of the CCPA regulations. You will not receive discriminatory treatment for exercising any CCPA right.

Your California privacy choices

California residents may exercise their privacy rights through the Your California Privacy Choices link in our footer, by visiting /privacy/choices, or by emailing privacy@mogcheck.com. We recognize Global Privacy Control (GPC) signals as valid requests to opt out of the sale or sharing of personal information.

How to submit a verifiable request

To submit a request to know, delete, correct, port, or limit, email privacy@mogcheck.com from the email address on your Mogcheck account, or use the in-product Account > Delete Account flow for deletion. We verify requests by matching the requesting email to the authenticated account on file. We respond within 45 days as permitted by California Civil Code §1798.130(a)(2). You may designate an authorized agent to submit a request on your behalf; we may require the agent to provide proof of authorization.

Categories of personal information we collect

In the preceding 12 months we have collected the categories described in Section 3 above (identifiers, account credentials managed by Supabase, internet/network activity, geolocation inferred from IP, commercial information related to subscriptions, and limited sensitive personal information consisting of short-lived in-browser facial landmark coordinates). We disclose these categories to the service providers listed in Section 11 (International Transfers and Subprocessors) under written contracts that limit their use to providing services to Mogcheck. We do not sell personal information for monetary consideration and do not share personal information for cross-context behavioral advertising.

09 Trust & Safety and law-enforcement cooperation

Mogcheck does not host user-to-user content, public profiles with uploaded imagery, or live video between users. Our trust-and-safety scope is narrow: we enforce rate limits, prevent abuse of the scanner, and respond to lawful government requests.

Law-enforcement requests

We respond to lawful government requests for user information consistent with applicable law. We require valid legal process appropriate to the type of information sought (for example, a subpoena for basic subscriber information, a court order for non-content records, and a warrant for content). Where permitted by law, we will notify affected users before disclosure. Emergency disclosure requests are handled on a case-by-case basis under 18 U.S.C. §2702(b)(8) standards. Send formal legal process to the legal contact in Section 15.

10 Security and breach notification

Mogcheck maintains administrative, technical, and physical safeguards designed to protect personal information appropriate to its sensitivity, including encryption in transit, scoped database access controls, and rate limiting and signature verification on payment webhooks. No system is perfectly secure, and we do not guarantee that unauthorized access will never occur.

If we determine that an unauthorized acquisition of unencrypted personal information has occurred, we will provide notice to affected individuals and to the California Attorney General as required by California Civil Code §1798.82, in the form and within the timing required by law. To report a suspected security incident or vulnerability, contact security@mogcheck.com.

11 International transfers and subprocessors

Mogcheck operates globally. Non-biometric data (account info, saved metrics, payment metadata, and analytics events) may be processed on servers located outside your country, including the United States. Where EU/UK data is transferred, we rely on Standard Contractual Clauses with the subprocessors below.

• Supabase — authentication, database, storage, and Edge Functions.
• Stripe — payment processing and subscription billing.
• Vercel — application hosting, Vercel Analytics, and Vercel Speed Insights.
• Google — Google Analytics 4 (web measurement) and Google sign-in (authentication). These are separate Google services from any Google advertising product.
• Redis (Upstash) — rate-limit counters and active-user signals.
• Email delivery — transactional email is sent via the provider integrated with our authentication stack. We will update this list if we add or replace an email provider.

Each subprocessor is engaged under a written agreement that restricts their use of personal information to providing services to Mogcheck.

12 Children and likely-minor-audience posture

Mogcheck is intended for users 13 and older, and certain features require users to be 18+. We do not knowingly collect personal information from anyone under 13, and we do not knowingly process or sell the personal information of consumers under 16 years of age. If we learn that we have collected data from someone under 13, we will delete it promptly.

If a parent, guardian, or the affected user tells us that an under-13 person used Mogcheck, we will verify the request using the information reasonably available to us, disable the account or guest profile where applicable, and delete or anonymize associated personal information. We may retain limited records only where required for a legal hold, security incident, fraud/abuse prevention, payment/tax obligation, or other non-waivable legal requirement.

We have considered the California Age-Appropriate Design Code (AADC) and structured the Service to discourage minor access: age self-attestation, the absence of profile-based behavioral advertising, and our general prohibition on selling or sharing personal information.

Parents or guardians who believe their child has submitted information to Mogcheck should contact privacy@mogcheck.com with the account email, username, guest/session details, approximate dates of use, and any other information that helps us locate the data. We will not require a child to create a new account to submit a deletion request.

13 Prohibited uses — Intellectual property

Mogcheck LLC expressly prohibits the use of the Service — including its platform, API endpoints, scoring algorithms, facial-analysis pipeline outputs, MediaPipe integration, and any associated content or output — for purposes that infringe upon the intellectual property rights of any third party. Without limiting the foregoing, the following are strictly prohibited:

• Unauthorized reproduction: Scraping, copying, mirroring, or reproducing Mogcheck's proprietary content, scoring algorithms, or facial-analysis pipeline outputs without express written permission from Mogcheck LLC.
• Commercial exploitation: Using any output, data, or content generated by the Service to train competing AI or machine-learning models, to build derivative products, or for any commercial purpose not explicitly authorized in writing by Mogcheck LLC.
• Brand impersonation: Using the Mogcheck name, logos, trade dress, or any confusingly similar mark in a manner that is likely to cause confusion as to the source, sponsorship, affiliation, or endorsement of any product or service.
• Third-party IP violations: Using the Service to upload, transmit, display, or distribute any content that infringes upon the copyright, trademark, trade secret, patent, or other intellectual property rights of any third party.

Enterprise, business, or automated access to the Service for any of the above purposes is prohibited without a separate written agreement with Mogcheck LLC. Violations may result in immediate account termination, IP-level blocking, and/or legal action.

14 Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be announced via the app or by email. The "Last Updated" date at the top of this page reflects the most recent revision.

15 Contact

Questions, concerns, or requests regarding this Privacy Policy or our data handling practices can be sent to privacy@mogcheck.com. We respond to verifiable requests within 30 days (or 45 days for CCPA requests, as permitted by statute).