Privacy Policy

holymog is an AI face-rating application. You submit a face scan; we send the resulting image to a third-party machine- learning model (currently Google Gemini 2.5 Flash Lite) and return the score. We keep as little personal information as possible. We do not sell or share your personal information for cross-context behavioral advertising. We do not record battle video.

We collect the following categories of information:

Account information

When you sign in with Google OAuth or email magic link, we collect your email address, display name (derived from your Google profile or email handle), profile image (if provided by your OAuth provider), and an internal account identifier. These are stored in our Supabase-managed Postgres database and authenticated through Auth.js v5.

Profile content

Signed-in users can optionally add information that becomes part of their public profile at /@your-username: a bio (up to 240 characters), a location string, an uploaded avatar image (which replaces the OAuth provider’s photo if you set one), an uploaded banner image, and handles for your accounts on third-party platforms (Instagram, X, Snapchat, TikTok, Discord). All of these fields are optional and editable from /account. Avatars and banners are stored in our public holymog-uploads bucket so other viewers’ browsers can fetch them; you can clear either upload at any time, after which the file is deleted within minutes.

Social graph

You can follow other signed-in users from their public profile pages. The follow graph itself is public: both the follower and following lists for any given account are visible to any visitor of that profile. Following someone does not grant either party access to anything private — it only updates the public counts and lists, and surfaces the followed user as a quick link elsewhere in the Service.

Biometric information (face scans)

Face-scan images are biometric information under the Illinois Biometric Information Privacy Act (BIPA), “biometric identifiers” under Texas/Washington biometric statutes, “sensitive personal information” under California’s CCPA/CPRA, and “special category data” under GDPR Art. 9. We collect them only with your express consent (see Section 3) and process them for the limited purpose of generating an aesthetic score.

While scanning, your camera frames are processed in your browser via MediaPipe FaceLandmarker, cropped to your face, downsized to 768 px max, and sent to our backend, which forwards them to the Gemini AI service for scoring.

Saved scan archive (signed-in users)

If you are signed in, the resulting scan image is also archived to a private storage bucket (holymog-scans). Purposes: (a)so you can view your record-scoring photo from your account at any time, even if you don't share it publicly; (b) for integrity review of high-score submissions (see below); and (c) as the source of truth if you later opt to display a saved scan on the public leaderboard. The bucket is never publicly readable — images are served only via short-lived authenticated URLs after we verify you own the scan or are an authorised reviewer. You can delete your saved scans at any time by deleting your account, or by emailing hello@holymog.com to request individual deletion.

Anti-cheat review of high scores (≥ S-tier, 87+)

When a scan's overall score reaches 87 or above (S-tier and up), the saved image is flagged in our admin queue and we receive a notification email containing a short- lived signed link to the image. A human reviewer verifies legitimacy only — that the face plausibly belongs to the account-holder rather than being a celebrity image, AI composite, or other ineligible submission. The review does notapprove or deny placement on the leaderboard; it's purely a top-of-board integrity check. Reviewers cannot share or redistribute the image.

Public leaderboard photo (optional, opt-in)

Whether to display your face on the public scan leaderboard is always optional — at every tier, including S+. If you opt in, a copy of your scan image is published to a public storage bucket alongside your display name and score. You can flip the “hide my scan photo from the leaderboard” toggle in account → privacy at any time to suppress the public copy (the private archive copy is unaffected). Removing your leaderboard entry deletes the public copy.

Gameplay data

When you participate in Mog Battles we collect: battle ID, participant IDs, peak scores, win/loss outcomes, ELO rating changes, timestamps, and the “most-called weakness” category emitted by the model. This data is stored in our Postgres database and surfaced on the leaderboard, your account history, and the global ELO standings.

Cosmetic inventory

When you earn an in-app cosmetic by hitting a gameplay milestone — for example, a name-effect treatment unlocked by completing your first scan, scanning at S-tier or higher, or reaching 1500 ELO — we store the list of cosmetics you own, the slug of whichever cosmetic you have equipped in each slot, and the timestamp when each item was granted. Cosmetics are purely decorative: they change how your display name and avatar render to other users on profile pages, leaderboards, battle tiles, and follower lists, and they do not affect scores, matchmaking, ELO, or any other functional behavior. Cosmetic-inventory data is never sold, rented, or shared.

Battle video & audio (live, not stored)

Mog Battles use LiveKit Cloud’s selective forwarding unit (SFU) to relay live video and audio between participants in real time. We do not record the stream. Once a battle ends, the media stream is discarded by LiveKit. Other participants in the session may capture the stream via screen recording or third-party software; we have no technical means to prevent that.

Battle peak frames (saved for moderation review)

For every battle — public 1v1 and private parties alike — we save one image per signed-in participant per battle: the highest-scoring single frame our scorer pulled during that match. Frames are stored in a private storage bucket (holymog-battles) and are never publicly readable. We use them only to verify post-match reports (see Section 9a) and only ever access them via short-lived authenticated URLs.

Battle reports (public 1v1 only)

After a public 1v1 match, your opponent may file a report against you for cheating (deepfake / AI face / celebrity photo), the presence of a minor on camera, nudity or sexual content, harassment, spam / impersonation, or other policy violations. The report includes the reason, optional written details, the battle ID, both participant user IDs, and a 7-day signed link to the reported player’s saved peak frame. Reports are reviewed by a holymog operator; see Section 9a for the resolution flow and what happens to your data if you’re banned.

Technical data

We collect standard web technical data: IP address, user agent, referrer, request timestamps, and approximate request source (used solely for rate-limiting and abuse prevention). Hosting and request logs are managed by Vercel.

Because face scans constitute biometric information / special category data, we obtain your express consent before collection and processing:

• You provide consent by initiating a face scan, joining a Mog Battle, or submitting a photo to the leaderboard, each of which is preceded by clear notice of what data will be collected and processed.
• Consent is revocable at any time by emailing hello@holymog.com from the address linked to your account, after which we will delete stored biometric identifiers within thirty (30) days, subject to legal retention obligations.
• Our written policy on biometric retention and destruction is published in Section 8 of this Privacy Policy and incorporated into the Terms of Service by reference.

For users in the European Union, United Kingdom, and Switzerland, we rely on the following lawful bases under GDPR Article 6 and (for biometric data) Article 9:

• Account creation and operation of the Service — performance of a contract (Art. 6(1)(b)).
• Processing of biometric data (face scans, leaderboard photos) — your explicit consent (Art. 9(2)(a)). Consent is revocable at any time.
• Sending transactional sign-in emails — performance of a contract and your consent (Art. 6(1)(a)/(b)).
• Rate-limiting and abuse prevention — our legitimate interests in operating a safe and reliable Service (Art. 6(1)(f)).
• Security incident response and legal compliance — legal obligations (Art. 6(1)(c)) and legitimate interests (Art. 6(1)(f)).

You have the right to object to processing based on legitimate interests (see Section 13).

We use the information described above to:

• Operate, maintain, and provide the Service.
• Process face scans and battles via third-party AI and video infrastructure.
• Authenticate accounts and protect against unauthorized access.
• Display the public leaderboard and account stats.
• Compute and update ELO ratings, win/loss records, and streaks.
• Rate-limit and prevent abuse, fraud, manipulation of scores, and spam.
• Send transactional emails (e.g. magic-link sign-in codes).
• Comply with legal obligations and enforce our Terms of Service.
• Improve the model, the prompt, and the user experience.

Every face scan and every battle frame is sent to Google Gemini 2.5 Flash Lite for scoring via Google Cloud Vertex AI. The request includes the cropped face image and a prompt instructing the model to return a numeric score and breakdown.

Under the Google Cloud Service Specific Terms for Vertex AI, customer data (including prompts and responses) is not used to train or improve Google’s foundation models and is subject to Google’s data-processing commitments described at cloud.google.com/terms/service-terms and Google’s privacy policy. We do not train any model on your data. We do not share scan data with any third party other than the AI-processing pipeline described here.

We rely on a small set of trusted infrastructure providers, each governed by their own terms and privacy policies, and each acting as a processor on our behalf:

• Vercel — application hosting, CDN, request logs.
• Supabase — managed Postgres database, storage bucket for leaderboard photos, Realtime channel for matchmaking and battle events.
• Google Cloud Vertex AI — AI scoring of face images via Gemini 2.5 Flash Lite.
• Google (OAuth) — sign-in with Google.
• Google Workspace SMTP — transactional email (magic-link sign-in codes), sent from auth@holymog.com.
• LiveKit Cloud — live video and audio relay for Mog Battles.
• Upstash — rate-limit data store.
• NextAuth (Auth.js v5) — authentication library.

We do not sell, rent, or otherwise share your personal information for advertising or marketing purposes with any third party.

We retain personal information only as long as necessary to provide the Service and meet legal obligations. The following table summarises our retention schedule:

We may retain limited information for longer where required by law, to resolve disputes, prevent abuse, or enforce our agreements.

We share personal information only as follows:

• Publicly displayed — your display name, scores, photo (if submitted), and ELO are visible to all users via the leaderboard, account pages, and battle UIs.
• With service providers — see Section 7; each handles data only as required to provide their service to us.
• For legal reasons — to comply with valid legal process (subpoenas, court orders, regulatory requests), enforce our Terms, protect the rights / property / safety of holymog or any third party, or detect and prevent fraud or abuse.
• In connection with a business transaction — if we are involved in a merger, acquisition, financing, or sale of assets, your information may be transferred subject to standard confidentiality protections and notice requirements under applicable law.

We never sell your personal information. We do not “sell” or “share” (as those terms are defined under California’s CCPA/CPRA) personal information for cross-context behavioral advertising. See Section 11 for California-specific rights including the right to opt out.

Reports + bans

When you file a report against an opponent after a public 1v1 battle, we email a holymog operator the report reason, your optional written details, both participant user IDs, the battle ID, and a 7-day signed link to the reported player’s saved peak frame from the “battle peak frames” bucket. The operator clicks Ban or Dismiss; either action is recorded in our audit log and tied to the resolved report row. The reported player is not notifiedwhen a report is filed or dismissed — only when an operator clicks “Ban”, in which case the banned user receives an email explaining the action, every active session is purged, and sign-in is blocked going forward. The reporter is never told the outcome. Banned users may appeal by emailing safety@holymog.com with the date of the battle and the reason for appeal.

We set the following minimal client-side state:

• Authentication cookies set by Auth.js (e.g. authjs.session-token) to keep you signed in. These are first-party, HTTP-only, and Secure in production.
• Local-storage entries for UX: your most recent scan result (holymog-last-result), your active-battle reconnection token (holymog-active-battle), and your first-battle consent acknowledgement (holymog-battle-consent-accepted). These stay on your device and are never transmitted.
• Session-storage cache for the leaderboard’s first-page warm cache, to make navigation feel instant.

We do not use third-party analytics, advertising, or tracking cookies.

California residents have specific rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, “CCPA/CPRA”). The categories of personal information we collect, mapped to CCPA-defined categories, are:

• Identifiers — email, display name, internal account ID, IP address.
• Customer record information (Cal. Civ. Code § 1798.80(e)) — name, email, profile image.
• Internet/network activity — user agent, referrer, request timestamps.
• Sensory information — face-scan images and battle video frames (transient).
• Sensitive personal information — biometric information (face scans).
• Inferences — aesthetic scores and ELO ratings derived from the above.

Sources of information. Directly from you (face scans, account creation) and from third-party authentication providers (Google OAuth) at your direction.

Business purposes for collection. Operating the Service, providing AI scoring, displaying the leaderboard, preventing abuse, complying with law.

Disclosures. We disclose the categories above to the service providers listed in Section 7 for the business purposes described. We do not disclose personal information to third parties for their own marketing or advertising purposes.

Do Not Sell or Share My Personal Information. We do not “sell” or “share” (for cross-context behavioral advertising) personal information as those terms are defined under CCPA/CPRA. We also do not sell or share the personal information of users we know to be under 16 without affirmative consent.

Your California rights. Subject to verification, you have the right to:

• Right to know what personal information we collect, use, disclose, and sell or share about you.
• Right to delete personal information we have collected about you, subject to certain exceptions.
• Right to correct inaccurate personal information.
• Right to opt out of the sale or sharing of personal information. (Reminder: we do not sell or share.)
• Right to limit use of sensitive personal information — you may direct us to use sensitive personal information (including biometric information) only for permitted purposes.
• Right to non-discrimination for exercising any of these rights.
• Right to designate an authorized agent to make requests on your behalf.

To exercise any of these rights, email hello@holymog.com from the address linked to your account, or contact us via the methods in Section 18. We will verify your identity before responding and will respond within forty-five (45) days, with a possible extension as permitted by law.

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights under the EU/UK General Data Protection Regulation:

• Right of access to your personal data.
• Right to rectification of inaccurate data.
• Right to erasure (“right to be forgotten”).
• Right to restrict processing.
• Right to data portability.
• Right to object to processing based on legitimate interests.
• Right to withdraw consent at any time (where processing is based on consent), without affecting the lawfulness of processing based on consent before withdrawal.
• Right to lodge a complaint with your local supervisory authority.

Data controller. holymog is the data controller. Email hello@holymog.com for any privacy inquiry.

International transfers. Personal information is transferred to and processed in the United States and other jurisdictions where our service providers operate. Where required, we rely on appropriate transfer mechanisms (e.g. Standard Contractual Clauses approved by the European Commission, UK International Data Transfer Addenda) to ensure lawful transfer.

In addition to jurisdiction-specific rights described above, every user can:

• Download a complete JSON export of every record we hold about you from /account → your data → download my data.
• Remove your leaderboard entry, reset your stats, or permanently delete your account from /account → danger zone.
• Sign out from /account.
• Email hello@holymog.com from the address linked to your account to request access, correction, portability, or restriction of your data, or to follow up on a deletion request that can’t be self-served.

We will respond within 30 days, or sooner if required by applicable law.

The Service is not directed at children under 13, and we do not knowingly collect personal information from anyone under 13. If you are a parent or guardian and believe your child has provided personal information to us, please email hello@holymog.com and we will promptly delete the data and terminate the associated account.

The Service is operated from the United States. If you are accessing the Service from outside the United States, your information may be transferred to, stored in, and processed in the United States and other countries where our service providers operate. By using the Service, you consent to this transfer, subject to the safeguards described in Section 12.

We implement reasonable administrative, technical, and physical safeguards to protect personal information, including: TLS-encrypted transport, hashed credentials managed by Auth.js, environment-secret separation, server-side rate limiting, and access controls on our database and storage buckets. However, no method of transmission over the Internet or electronic storage is 100% secure, and we cannot guarantee absolute security.

In the event of a personal data breach, where required by applicable law we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (consistent with GDPR Art. 33). We will also notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms, or as otherwise required by applicable law.

We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date at the top of the page. Material changes will be communicated via the Service or by email to your account address at least seven (7) days before they take effect. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

For privacy questions or to exercise any of your rights, email hello@holymog.com. To report abuse or violations, email safety@holymog.com.