Privacy Policy

Last updated: June 11, 2026

1. Controller

The controller responsible for data processing on this website within the meaning of the EU General Data Protection Regulation (GDPR) is:

Peter Uphaus, Holtkampweg 58, 45721 Haltern am See, Germany. Email: p.uphaus@gmx.de

2. Scope of this policy

This policy explains what personal data we collect when you visit themillionfaces.com (the "Service"), claim a pixel, upload a selfie, or otherwise interact with the global mosaic, and how that data is processed.

3. Data we collect

  • Account data: email address, display name, country (optional), and a hashed password when you create an account.
  • Selfie / image data: the photo you upload, attached to the pixel(s) you claim. Images are publicly displayed as part of the mosaic.
  • Claim data: the position(s) of your pixel(s), timestamp, and the participant identifier linked to your account.
  • Payment data: processed by our payment provider; we never store your full card details.
  • Technical data: IP address, browser, device, and approximate location, collected automatically in server logs for security and abuse prevention.

4. Purposes and legal bases

  • Providing the Service and displaying the mosaic — Art. 6(1)(b) GDPR (contract).
  • Account management, authentication, and abuse prevention — Art. 6(1)(b) and (f) GDPR.
  • Payment processing — Art. 6(1)(b) GDPR.
  • Legal obligations (accounting, tax) — Art. 6(1)(c) GDPR.

5. Public display of your selfie

By uploading a selfie and claiming a pixel, you consent to that image being publicly visible as part of the mosaic, indefinitely, including via web search, social previews, and archived snapshots. This is the core function of the project.

6. Recipients and processors

We use the following processors under data-processing agreements: our hosting and database provider (Lovable Cloud / Supabase, EU region), our payment provider, and email delivery providers. Data is not sold or used for advertising.

7. International transfers

Where data is transferred outside the EEA, we rely on EU Standard Contractual Clauses or equivalent safeguards.

8. Retention

Account and claim data is stored for as long as your account exists. Selfies attached to claimed pixels remain visible as part of the historical mosaic unless removed for legal reasons (see Section 10). Server logs are typically deleted within 30 days.

9. Cookies

We use only strictly necessary cookies (session, authentication, CSRF). No tracking, advertising, or analytics cookies are set without your consent.

10. Your rights

You have the right to:

  • access your personal data (Art. 15 GDPR);
  • rectify inaccurate data (Art. 16);
  • erase your data (Art. 17), subject to legal retention duties;
  • restrict or object to processing (Art. 18, 21);
  • data portability (Art. 20);
  • withdraw consent at any time;
  • lodge a complaint with a supervisory authority.

To exercise these rights, contact p.uphaus@gmx.de. Note: once a selfie has been integrated into the public mosaic, deletion may take up to 30 days and the corresponding pixel will be returned to a neutral state.

11. Children

The Service is not directed to children under 16. Do not upload images of minors without verifiable parental consent.

12. Changes

We may update this policy. Material changes will be announced on the Service.