Privacy Policy
Last updated: July 7, 2026
Summary: We store your account details and usage logs to operate the service. For face processing, uploaded images and videos are processed transiently and are not stored — only the numerical face embeddings you register are kept, in a database isolated to your account, and you can delete them at any time.
1. Who We Are
ARSA Face Recognition API ("the Service") is operated by ARSA Technology, an Indonesian technology company. This policy describes how we collect, use, store, and protect personal data when you use the Service at faceapi.arsa.technology, including its website, dashboard, and REST API.
When you use our API to process images of your own end users, you act as the data controller for that data and we act as a processor on your instructions. Section 3 describes exactly what we do with face data so you can meet your own obligations under laws such as the GDPR and Indonesia's Personal Data Protection Law (UU PDP).
2. Data We Collect
Account data. When you register we collect your email address, your name (optional), and a password, which is stored only as a bcrypt hash — we never store plaintext passwords. If you sign in with Google or GitHub, we receive your email and profile name from the provider instead of a password.
Billing data. Paid subscriptions are processed by PayPal. We store your subscription status, plan, and invoice records. We never see or store your credit card or bank details — those stay with PayPal.
API usage data. For each API request we log the endpoint, HTTP method, response status, latency, a truncated API-key prefix, and the client IP address. We use these logs to enforce plan quotas, detect abuse, and give you a request history in your dashboard.
Authentication events. We record security-relevant events such as logins, failed login attempts, and password resets, including IP address and timestamp, to protect your account.
Cookies. We use strictly necessary cookies to keep you signed in (JWT access and refresh tokens). We do not use advertising cookies.
3. How We Handle Face & Biometric Data
This is the part of the Service where data sensitivity is highest, so we are specific:
- Images are processed transiently. Images submitted to recognition, verification, analytics, and liveness endpoints are processed in memory and are not written to permanent storage. They are discarded once the API response is produced.
- Videos for active liveness are deleted after processing. Videos submitted for active liveness checks are held in temporary storage only for the duration of the analysis and are deleted immediately afterward.
- Only embeddings are stored — and only when you register a face. When you call the face registration endpoint, we convert the face into a numerical embedding (a vector of numbers) and store that embedding together with the face ID you chose. The original photo is not stored. An embedding cannot be reversed into the original photograph.
- Your face database is isolated. Registered embeddings are stored in a database scoped to your account. No other customer can query, view, or match against your registered faces.
- No secondary use. We do not use your images or embeddings to train models, we do not sell them, and we do not share them with third parties.
You are responsible for obtaining any consent legally required from the individuals whose faces you submit. Our guides to biometric consent under the GDPR and Indonesia's UU PDP explain what that typically involves.
4. How We Use Your Data
- To provide the Service: authenticate you, process your API calls, and maintain your face database
- To enforce plan limits, rate limits, and fair use
- To send transactional email: verification, password resets, billing notices, and support replies
- To secure the platform: detect abuse, investigate incidents, and maintain audit trails
- To improve reliability using aggregate, non-biometric usage metrics
We do not send marketing email without your consent, and we never use biometric data for any purpose other than serving your own API requests.
5. Third-Party Services
- PayPal — subscription payment processing. Subject to PayPal's own privacy policy.
- Google / GitHub OAuth — optional sign-in. We receive only your email and profile name.
- Email delivery (SMTP) — transactional email such as verification and password-reset messages.
No face images or embeddings are ever shared with these providers.
6. Data Retention & Deletion
- Face embeddings — kept until you delete them. You can delete an individual face via the delete-face endpoint or wipe your entire face database via the reset endpoint, at any time and effective immediately.
- Account data — kept while your account is active. Contact us to delete your account; associated records, including your face database, are removed.
- Request and authentication logs — retained for operational and security purposes, then periodically purged.
- Invoices — retained as required by tax and accounting law.
7. Your Rights
Depending on your jurisdiction (including under the GDPR and UU PDP), you have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Delete your data (including your registered face embeddings — available self-service via the API)
- Object to or restrict processing
- Receive a copy of your data in a portable format
- Withdraw consent at any time, without affecting prior lawful processing
To exercise any of these rights, email us at hello@arsa.technology. We respond within 30 days.
8. Security Measures
We protect your data with HTTPS-only transport, bcrypt password hashing, per-account database isolation, API key authentication with instant revocation, rate limiting, security headers, and full request and admin audit logging. See our Security page for the complete overview.
9. Legal Bases & Applicable Law
We process account and usage data as necessary to perform our contract with you and to pursue our legitimate interest in securing the Service. We process biometric data solely on your instructions as our customer. ARSA Technology is an Indonesian company and processes data in accordance with Indonesia's Personal Data Protection Law (UU No. 27/2022). Where the GDPR applies to your use of the Service, we support your controller obligations as described in Section 3.
10. Changes to This Policy
We may update this policy as the Service evolves. Material changes will be announced by email or a dashboard notice before they take effect. The "Last updated" date at the top reflects the current version.
11. Contact Us
Privacy questions, rights requests, or concerns: hello@arsa.technology
ARSA Technology — arsa.technology