Privacy Policy

Form is an iOS application ("Form", "the App") that produces a structural rating from a user-submitted portrait. This policy explains what information the App collects, how it is used, how it is protected, and your rights as a user.

1. Data we collect

1.1 Face data and images you submit

When you run an analysis, you submit a single front-facing portrait photograph ("the Image"). The Image contains face data within the meaning of Apple's App Store Review Guideline 5.1.1. We treat the Image, any detected face region, and any on-device geometric measurements derived from it (together, "Face Data") as sensitive personal information. Form does not create, store, or transmit a biometric template, a face-recognition embedding, a face-identification signature, or any Face ID data; the App's face-detection pipeline uses Apple's Vision framework for geometric measurement only and never performs identity matching.

What Face Data is collected. The Image itself; a face-bounded crop of the Image; on-device landmark points and ratios (facial thirds, bilateral symmetry indices, jawline angle, canthal tilt, and similar geometric measurements) computed by Apple's on-device Vision framework; and the AI-generated structural rating and textual notes produced from the Image.

How Face Data is used. Face Data is used only to generate the structural analysis the user explicitly requested and to present that analysis back to the user. Face Data is not used for identification, advertising, profiling, training of third-party models, or any purpose unrelated to producing the requested analysis.

Where Face Data is processed. Face detection and geometric measurement run on-device via Apple's Vision framework. When AI scoring is enabled in the App, the analyzed Image is transmitted over TLS to our Firebase Cloud Functions endpoint, which forwards it to our AI processing vendor (OpenRouter) solely to return the structural rating. The Image is not retained by our endpoint or by the AI vendor after the rating is returned.

Third parties. The only third party that receives the Image is the AI processing vendor described above, and only for the seconds needed to return the rating. Face Data is not sold, rented, or shared with advertisers, analytics vendors, data brokers, insurers, or any other third party.

Retention. Face Data is retained on your device inside the App's private container and, so that your scan history survives an app reinstall or a device switch, mirrored under your account in two Firebase services: structural metadata (scores, rank, textual notes, recommendations — no pixels) in Firestore, and the analyzed JPEG image in Firebase Storage under users/{your account id}/scan-images/. Both Firebase Storage and Firestore are encrypted in transit and at rest, and scoped by security rules so only your signed-in account can read or write the objects under your folder. You can delete any individual scan from the session archive at any time; doing so immediately removes the local copy, the Firestore metadata record, and the Firebase Storage image. Deleting your account (see Section 5) erases every Firestore record and every Storage image associated with your account. On the AI vendor side, the transmitted Image is processed transiently and is not retained after the rating is returned.

Sharing. Face Data is never shared with any party other than the AI processing vendor described above (and only for the duration of generating a single rating). Your scan images and metadata stored in Firebase are visible only to the signed-in account that created them and to the Form operator for debugging and abuse response; they are never sold, rented, or disclosed to advertisers, analytics vendors, or data brokers.

1.2 Analysis results

The numerical scores, rank, and textual analysis produced for each session are stored locally on your device and, for the account that produced them, in our Firestore database as metadata only (no pixels). They are visible only to the signed-in account.

1.3 Account data

If you sign in with Apple, Google, or email, we receive a stable account identifier and, where you choose to share it, a display name or email address. We do not store passwords. Authentication is performed by Apple, Google, or Firebase Authentication.

1.4 Subscription data

Subscription purchases are processed by Apple. Form receives a signed receipt confirming your subscription status. We do not see or store your payment card details.

1.5 Diagnostic data

The App may log anonymized crash reports and performance metrics through Apple's standard frameworks. These do not include the Image or its analysis.

2. How we use data

• To produce your analysis. The Image is processed to generate the score, rank, and structural notes.
• To preserve your session history. Results are kept on your device so you can review past scans.
• To verify entitlement. Subscription receipts are used to confirm access to premium features.
• To improve reliability. Aggregate, anonymized diagnostics help us identify bugs and performance issues.

3. Third parties

Form uses a limited set of third-party services to function. Each operates under its own privacy policy.

• AI processing provider. Receives the Image and a prompt to generate the analysis. The Image is not retained after processing.
• Apple (App Store, Sign in with Apple). Processes your subscription and, if chosen, authenticates your identity.
• Google Sign-In. Authenticates your identity if you choose this method. No images are shared with Google.

4. Storage and retention

Your scans are stored in three places: (a) on your device inside the App's private container, (b) as structural metadata in our Firestore database under your signed-in account (numeric scores, rank, textual notes, recommendations — no pixels), and (c) as JPEG images in Firebase Storage under your signed-in account at users/{your account id}/scan-images/. Both Firebase services are encrypted in transit and at rest, and security-rule-scoped so only the signed-in account that created a scan can read or write it. Reinstalling the App on the same Apple ID / sign-in account rehydrates your archive from Firestore and Firebase Storage so your scans and their images are restored automatically. You can delete any scan from the session archive inside the App at any time, which removes the on-device copy, the Firestore record, and the Storage image. Uninstalling the App removes local data from that device but leaves the server copies intact until you sign in again to delete them or use "Delete account" (see Section 5). Server-side diagnostic data is retained in anonymized form for up to 90 days.

5. Your rights — including account deletion

You have the right to delete your local history, delete individual scans, and delete your entire account at any time from within the App. To delete your account, open the App, tap Legal from the landing screen, scroll to the Account section, and tap Delete account. This single in-app action:

• deletes every scan, score, and rating stored in our Firestore database under your account;
• deletes every scan image stored in Firebase Storage under your account;
• deletes every scan image and cached file stored locally on the device;
• deletes your Firebase Authentication record so the account identifier is no longer associated with your email or third-party provider;
• signs you out of the App.

Account deletion is immediate and irreversible. Active Apple subscriptions are managed separately through your Apple ID — cancel them under Settings → [your name] → Subscriptions; Apple's receipt history is retained by Apple, not by Form. If you have signed in with a third-party identity provider, you can additionally revoke Form's access from your Apple ID or Google account settings. For any inquiry regarding your data, contact us at support@form.app.

6. Children

Form is not intended for users under the age of 16. We do not knowingly collect data from children. If you believe a child has submitted data to Form, contact us and we will remove it.

7. Security

Images are transmitted over TLS to our AI processing vendor and are not retained after processing. Local session history is stored inside the App's private container using the operating system's standard protections. No system is perfectly secure; we cannot guarantee absolute security.

8. International users

If you access Form from outside the United States, your Image and data may be transmitted to servers located in countries with different data protection laws. By using the App you consent to this transfer.

9. Changes to this policy

We may update this Privacy Policy. Material changes will be reflected in the "Last updated" date above and, where appropriate, announced in-app. Continued use of Form after a change constitutes acceptance of the revised policy.

10. Contact

Questions regarding this policy or your data can be directed to support@form.app.

This policy is provided for informational purposes and does not constitute legal advice. Consult qualified counsel for jurisdiction-specific compliance before launch.