Privacy Policy
Last updated: 2026-03-15
This Privacy Policy explains how the Deepfake Police ("we," "us," or "our") processes your personal data when you visit our website, use our service or otherwise communicate with us (collectively, "Services"). It describes what data we collect, how and why we use it, how long we keep it, and the rights and choices available to you. For purposes of this Privacy Policy, "you" and "your" means the individual whose personal data we process under this Privacy Policy, including visitors, customers, and individuals whose information appears in content submitted to our Services.
Please read this Privacy Policy carefully. By using the Services, you acknowledge that your information will be collected, used, and disclosed as described in this Privacy Policy.
1. Controller
The controller responsible for your personal data is:
Niclas Pillath
Address: Am Scherfenbrand 47, 51375 Leverkusen, Germany
Email: privacy@deepfakepolice.app
2. Data We Process
We process three categories of personal data:
2.1 Technical access data
When you visit our website or use our service, your browser automatically transmits certain technical data. We collect and process:
- IP address
- date and time of access
- browser type and version
- operating system
- language preferences
- referrer URL
- pages and files accessed
We use this data to operate the website, generate usage statistics, identify technical issues, and improve the service.
2.2 Account and interaction data
When you create an account or interact with the service, we process:
- account registration details
- login history and session metadata
- user behaviour within the service
- content you submit through feedback forms or support messages, to the extent that it contains personal data
- emails you send to us, including your email address, name, and any personal data contained in the message
We use this data to maintain your account, authenticate your sessions, respond to your enquiries and support requests, fulfil our legal obligations, and improve the service based on how it is used.
2.3 Submitted media data
When you submit a URL pointing to digital media or upload a media file for analysis, we process the submitted content to perform forensic deepfake detection. This means we determine whether the media has been artificially generated or manipulated.
This content regularly contains personal data of individuals depicted or otherwise identifiable in the media, including:
- facial imagery and visual appearance
- voice recordings
- other biographic or biometric-adjacent information that can identify a person
Personal data of individuals depicted or heard in submitted media is provided to us by the user who submits the content for analysis. This content may originate from publicly accessible sources such as social media platforms, news websites, or video-sharing services. We process this data solely to perform the requested analysis and deliver the results to the submitting user.
3. Purposes and Legal Basis
| Data category | Purpose | Legal basis |
|---|---|---|
| Technical access data | Operating, securing, and improving the website and service; generating usage statistics | Legitimate interest (Art. 6(1)(f) GDPR) — we have a legitimate interest in collecting technical data to detect and prevent abuse, diagnose errors, and understand how the service is used so we can improve it |
| Account and interaction data | Providing and managing your account; authenticating sessions; delivering the service; responding to support requests | Performance of a contract (Art. 6(1)(b) GDPR) — processing is necessary to provide the service you signed up for |
| Submitted media data | Performing forensic deepfake detection analysis and delivering results | Performance of a contract (Art. 6(1)(b) GDPR) — processing is necessary to fulfil the analysis you requested |
Where we rely on legitimate interest, we have assessed that our interest in operating a secure and functional service does not override your rights and freedoms, particularly given that we limit collection to technical data that is necessary for these purposes.
4. Cookies
We use only strictly necessary (functional) cookies. These cookies are required for the website and service to function properly.
We do not use advertising cookies, tracking cookies, or third-party cookies.
5. Sharing of Data
Your personal data is processed by our internal team. We use netcup to host our servers within the European Economic Area (EEA); they act as a data processor under a data processing agreement and do not access your data for their own purposes.
We do not otherwise sell, rent, or share your personal data with third parties.
6. International Data Transfers
We do not transfer your personal data outside the European Economic Area (EEA). All data is stored and processed on servers located within the country where our company is registered, which is within the EEA.
7. Data Retention
We retain personal data only for as long as necessary for the purposes described in this Privacy Policy:
- Technical access data (server logs, IP addresses, and related technical information) is deleted after 90 days.
- Account and interaction data is retained for as long as your account remains active. After you delete your account, we will delete this data within 30 days, unless a longer retention period is required by law.
- Submitted media data is retained until the submitting user deletes it from their account. Users can delete individual submissions at any time through the service. When a user deletes their account, all associated media data is also deleted. This includes any personal data of depicted or heard individuals contained within the media.
8. Automated Decision-Making
We do not use the results of our analysis to make automated decisions about any person. Our service provides an informational assessment for review by the submitting user. Any final decision is made by a human, not by automated processing.
9. Information for Individuals Depicted or Heard in Submitted Media
Our service analyses digital media that users submit for forensic deepfake detection. This media regularly contains personal data — such as facial imagery, visual appearance, and voice recordings — of individuals who have not themselves interacted with our service.
We are unable to notify each individual whose personal data appears in submitted media, as we generally do not know who these individuals are and have no means of contacting them. Providing individual notice would require disproportionate effort given the volume and nature of the media analysed. We therefore rely on the exemption under Art. 14(5)(b) GDPR.
To protect the rights and freedoms of depicted and heard individuals, we apply the following measures:
- Anonymisation of persisted data. Before storing submitted media or any derivatives (such as thumbnails or preview images), we anonymise the content by removing identifiable elements, for example by applying black boxes over faces in visual material. As a result, personal data of depicted individuals is not retained in a form that allows identification once the analysis is complete.
- Restrictions on audio content. Audio content submitted for analysis cannot be replayed by the submitting user or shared publicly through the service.
The information required under Art. 14(1) and (2) GDPR is made accessible to any individual whose data may have been processed through this publicly available Privacy Policy.
Individuals who believe their personal data has been processed through our service may exercise the rights described in Section 11 below by contacting us at privacy@deepfakepolice.app.
10. Obligation to Provide Data
Providing technical access data (such as your IP address) is a technical necessity. Your browser transmits it automatically when you visit any website, and we cannot provide the service without it. You can use the deepfake detection service without creating an account. If you choose to register, providing account data (name and email) is a contractual requirement; without it, you will not be able to create an account or access account-only features such as task history and task deletion. Submitting media for analysis is voluntary; if you do not submit media, you simply will not receive analysis results.
11. Your Rights
Depending on where you live, you may have some or all of the rights listed below in relation to your personal data. Under the GDPR, you have the following rights:
- Right of access (Art. 15) — you can request confirmation of whether we process your personal data and obtain a copy of it.
- Right to rectification (Art. 16) — you can request correction of inaccurate personal data.
- Right to erasure (Art. 17) — you can request deletion of your personal data where there is no compelling reason for continued processing.
- Right to restriction of processing (Art. 18) — you can request that we restrict processing of your data in certain circumstances.
- Right to data portability (Art. 20) — you can request to receive your personal data in a structured, commonly used, and machine-readable format, or to have it transmitted to another controller.
- Right to object (Art. 21) — you can object to processing that is based on our legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.
- Right to lodge a complaint (Art. 77) — you can lodge a complaint with a data protection supervisory authority, in particular in the EU/EEA member state of your habitual residence, place of work, or place of the alleged infringement.
How to exercise your rights
You may exercise any of these rights by contacting us using the contact details provided below. We may need to request additional information to verify your identity before responding to your request.
We will respond to your request without undue delay and in any event within one month of receipt. If your request is complex or we receive a large number of requests, we may extend this period by up to two further months; if so, we will inform you of the extension and the reasons for it within the first month.
If we are unable to act on your request, we will inform you of the reasons within one month and advise you of your right to lodge a complaint with a supervisory authority or seek a judicial remedy.
Exercising your rights is free of charge. Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, we may charge a reasonable administrative fee or refuse to act, in accordance with Art. 12(5) GDPR.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make changes, we will update the "Last updated" date at the top of this page and notify you through an in-service notification. We encourage you to review this Privacy Policy periodically.
13. Contact
If you have any questions about this Privacy Policy or our data processing practices, or if you would like to exercise any of your rights, please contact us at privacy@deepfakepolice.app.