Privacy Policy

MOGBOARD ("we", "us", "our") is an AI-powered facial ranking platform operated by Robert Moiseyev, an individual based in Sweden. We act as the data controller within the meaning of the EU General Data Protection Regulation (GDPR). We can be reached at bluepeak.enterpriseco@gmail.com.

This policy explains what personal data we collect, how we use it, the legal basis for processing, who we share it with, and what rights you have — including your right to delete all of your data at any time.

When you create an account and use MOGBOARD, we collect:

• Account data: your name and profile picture provided by Google when you sign in via Google OAuth.
• Face photos: images you upload to be scanned. These are stored on our servers and displayed publicly on your profile and the leaderboard.
• Biometric analysis scores: numerical scores (0–10) generated by AI analysis of facial features including jawline, symmetry, canthal tilt, cheekbones, skin quality, sexual dimorphism, and facial harmony. These scores are derived from your face photo and constitute special category (biometric) data under GDPR Article 9.
• Usage data: scan timestamps, scan count, and your self-reported gender (used to select the appropriate AI scoring model).
• Authentication cookies: session tokens stored in browser cookies to keep you signed in, managed by Supabase Auth.

We process your personal data on the following legal bases under GDPR:

• Consent (Art. 6(1)(a)): for all personal data you provide when creating an account and using the Service.
• Explicit consent for biometric data (Art. 9(2)(a)): for your face photo and all derived facial analysis scores. This consent is collected via the explicit consent checkbox on the scan page before any photo is processed. You may withdraw this consent at any time by deleting your account.

We do not rely on legitimate interests as a basis for processing your biometric or personal data. All processing is consent-based and you may withdraw consent at any time.

We use your data solely to operate the MOGBOARD platform:

• Display your score, rank, and photo on the public leaderboard and your profile page.
• Calculate and update your ranking each time you submit a scan.
• Show your score history and trend over time.
• Authenticate you and maintain your session.

We do not use your data for advertising, profiling for commercial purposes, or any purpose beyond operating the ranking service.

Your facial analysis score is generated by fully automated processing — an AI model analyses your photo and produces a numerical score with no human review involved. This score is then displayed publicly on your profile.

Under GDPR Article 22, you have the right to request human review of your score, to express your point of view, or to contest the result. To exercise this right, contact us at bluepeak.enterpriseco@gmail.com.

All scores are for entertainment purposes only and do not produce legal effects or significantly affect you in any legally recognised sense. AI models may reflect biases present in their training data; we make no claim that scores are objective or free of bias.

We use the following third-party services to operate MOGBOARD. Each acts as a data processor on our behalf under a Data Processing Agreement (DPA). Transfers of personal data to processors based in the United States are governed by Standard Contractual Clauses (SCCs) adopted under EU Commission Decision 2021/914.

• OpenAI: your face photo is transmitted to OpenAI's API to generate your facial analysis scores. OpenAI processes this data under their Privacy Policy and Data Processing Agreement. OpenAI may retain API inputs for up to 30 days for safety monitoring per their API usage policies.
• Supabase: we use Supabase to store your profile data, scan results, and photos. Data is stored on servers in the United States. Supabase's practices are described in their Privacy Policy.
• Google: we use Google OAuth for authentication. We only receive your name and profile photo from Google at sign-in. Google's data use is governed by their Privacy Policy.

Your display name, face photo, overall score, and trait scores are publicly visible to anyone who visits MOGBOARD, including users who are not signed in. By submitting a scan, you give explicit consent to this public display.

Your email address is never publicly displayed.

Face photos and derived facial geometry scores are special category biometric data under GDPR Article 9. We collect this data only with your explicit consent, obtained via the consent checkbox on the scan page before any photo is processed.

For users in US states with specific biometric privacy laws (including Illinois BIPA and Texas CUBI), the same consent mechanism applies and we comply with applicable retention and destruction requirements.

We do not sell, lease, or trade biometric data to third parties. The only third-party transmission is to OpenAI for the purpose of generating your scores, as described above.

Biometric data is retained until you delete your account. Upon account deletion, all photos and scores are permanently removed from our systems within a short processing window.

We are based in Sweden (EU) and our infrastructure providers (Supabase, OpenAI) operate primarily in the United States. Transfers of your personal data to these US-based processors are safeguarded by Standard Contractual Clauses (SCCs) in accordance with GDPR Article 46 and EU Commission Decision 2021/914.

If you have questions about the safeguards in place for international transfers, you may contact us or request a copy of the relevant SCCs at bluepeak.enterpriseco@gmail.com.

As a data subject under GDPR, you have the following rights. To exercise any of them, contact us at bluepeak.enterpriseco@gmail.com. We will respond within 30 days.

• Access (Art. 15): request a copy of the personal data we hold about you.
• Deletion / Right to erasure (Art. 17): delete your account at any time from the user menu. This permanently removes your profile, all scan photos, and all scan records. You may also request deletion by email.
• Rectification (Art. 16): contact us to correct inaccurate account data.
• Portability (Art. 20): request an export of your personal data in a machine-readable format by emailing us at bluepeak.enterpriseco@gmail.com.
• Withdraw consent (Art. 7(3)): you may withdraw consent for all processing, including biometric processing, by deleting your account. Withdrawal does not affect the lawfulness of processing before withdrawal.
• Object to automated decision-making (Art. 22): request human review of your AI-generated score or contest the result.
• Restriction of processing (Art. 18): request that we restrict processing of your data in certain circumstances.
• Lodge a complaint: you have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is the Swedish Data Protection Authority (Integritetsskyddsmyndigheten / IMY) at imy.se. If you are located in another EU member state, you may also contact your local Data Protection Authority.

MOGBOARD is intended for users who are 18 years of age or older. We do not knowingly collect personal data from anyone under 18. If we become aware that a user is under 18, we will delete their account and all associated data promptly.

If you believe a minor has created an account, please contact us at bluepeak.enterpriseco@gmail.com.

We retain your data for as long as your account exists. When you delete your account, all of your personal data — including your profile, face photos, and scan scores — is permanently deleted from our systems within a short processing window.

Note that OpenAI may retain API request data for up to 30 days per their own policies; we have no control over this retention window.

Because scan photos are served via public URLs, cached copies of public content may persist in third-party caches (such as search engine indexes or CDN edge nodes) for a period after deletion.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority (IMY) within 72 hours of becoming aware of the breach, as required by GDPR Article 33.

If the breach is likely to result in a high risk to you, we will also notify you directly at your registered email address without undue delay, as required by GDPR Article 34.

We use cookies and browser storage only for authentication session management via Supabase Auth. We do not use tracking cookies, advertising cookies, or analytics cookies.

We may update this Privacy Policy from time to time. When we do, we will update the effective date at the top of this page. For material changes affecting how we use your personal data, we will make reasonable efforts to notify registered users by email before the changes take effect.

For any privacy-related questions, data requests, or to report a concern, contact us at: bluepeak.enterpriseco@gmail.com.