Privacy Policy

1. Data We Collect

We may collect the following categories of personal data:

• names and contact details (email address, phone number, postal address)
• account information (username, password, account preferences)
• uploaded likeness images and associated facial data
• payment details (processed by third-party payment providers; we do not store full payment card details)
• usage data (IP address, browser type, device information, pages visited, interactions with the Platform)
• communications data (support requests, correspondence with us)

2. Biometric Data

Uploaded facial images constitute biometric data as defined under the UK GDPR (Article 9), the EU GDPR, and, where applicable, US state biometric privacy laws including the Illinois Biometric Information Privacy Act (BIPA).

Consent. We process biometric data only with your explicit, informed consent. Before uploading any facial likeness data, Talent will be presented with a separate consent notice that clearly explains: (a) the specific biometric data being collected; (b) the purpose of collection (enabling likeness licensing on the Platform); (c) the duration for which the data will be stored; and (d) how the data will be used and shared. You must actively consent before any facial data is uploaded or processed.

Storage and security. Biometric data is stored using encryption at rest and in transit, with access restricted to authorised personnel and systems only. Biometric data is stored separately from other personal data where technically feasible.

Retention. Biometric data held on the Platform is retained for the duration of your active account. Upon account closure or withdrawal of consent, your source biometric data (the facial images you uploaded) will be permanently deleted from the Platform within 30 days. However, content already generated by Licensees under active licences may continue to be used for the remainder of the applicable licence term, as set out in Section 8. This distinction is important: once your source data is deleted, no new content can be generated from your likeness, but existing licences for already-created content will be honoured until their natural expiry.

Right to withdraw consent. You may withdraw your consent to the processing of your biometric data at any time by contacting privacy@likeness-app.com. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal. See Section 8 for the effects of withdrawal on active licences.

3. Legal Basis for Processing

We process personal data on the following legal bases under UK GDPR Article 6 and, where applicable, Article 9:

• Explicit consent (Article 6(1)(a) and Article 9(2)(a)) – for the processing of biometric data (facial likeness) uploaded by Talent. This is collected through a separate, specific consent mechanism at the point of upload.
• Performance of a contract (Article 6(1)(b)) – for processing necessary to operate the Platform, manage user accounts, process licensing transactions, and fulfil our obligations under the Terms of Service and License Agreement.
• Legitimate interests (Article 6(1)(f)) – for Platform security, fraud prevention, analytics to improve our services, and enforcement of our Terms of Service. We have conducted a legitimate interest assessment and concluded that these interests are not overridden by your data protection rights.
• Legal obligation (Article 6(1)(c)) – for processing necessary to comply with applicable legal requirements, including tax, accounting, and regulatory obligations.

4. Data Use

We use personal data to:

• operate and maintain the Platform
• process licensing transactions between Talent and Licensees
• manage user accounts and provide customer support
• verify Talent identity and likeness ownership
• enforce our Terms of Service and License Agreement
• detect and prevent fraud, abuse, and security incidents
• comply with legal obligations
• improve and develop our services (using anonymised or aggregated data where possible)

5. Cookies and Tracking Technologies

The Platform uses cookies and similar tracking technologies. A cookie is a small text file stored on your device when you visit the Platform. We use the following categories of cookies:

• Strictly necessary cookies: Required for the Platform to function (e.g., session management, security). These do not require consent under the Privacy and Electronic Communications Regulations 2003 (PECR).
• Analytics cookies: Help us understand how users interact with the Platform. Under the Data (Use and Access) Act 2025, certain analytics cookies may be used without consent provided they do not have an adverse impact on user privacy. We will clearly identify which analytics cookies fall within this exemption.
• Functional cookies: Remember your preferences and settings to improve your experience.

Where consent is required under PECR, we will obtain your consent through a cookie consent mechanism before placing non-essential cookies on your device. You may manage your cookie preferences at any time through the Platform’s cookie settings. For further details, please refer to our separate Cookie Policy available on the Platform.

6. Data Sharing

We may share personal data with the following categories of recipients:

• Payment processors – to facilitate licence transactions and Talent payouts
• Cloud infrastructure providers – for Platform hosting and data storage
• Technical service providers – for Platform operation, security, and analytics
• Licensees – limited likeness data as necessary to fulfil a purchased licence
• Legal authorities – where required by law, court order, or regulatory requirement
• Professional advisors – legal, accounting, and audit advisors under confidentiality obligations

We do not sell personal data. We require all third-party service providers to process personal data only on our instructions and in accordance with applicable data protection law.

7. International Data Transfers

Your personal data may be transferred to and processed in countries outside the United Kingdom and the European Economic Area (EEA), including where our cloud infrastructure providers, payment processors, or technical service providers are based.

Where we transfer personal data outside the UK or EEA, we ensure appropriate safeguards are in place, including:

• transfers to countries recognised as providing an adequate level of data protection by the UK Secretary of State or the European Commission;
• the use of Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by the UK International Data Transfer Addendum where required;
• other lawful transfer mechanisms as appropriate.

In assessing the adequacy of data protection in third countries, we apply the “not materially lower” standard introduced by the Data (Use and Access) Act 2025, which has replaced the previous “essentially equivalent” test. Our transfer impact assessments are reviewed against this updated standard.

Given the special category nature of biometric data, we apply additional safeguards to international transfers of facial likeness data, including encryption in transit and contractual restrictions on sub-processing.

You may request a copy of the safeguards we use for international transfers by contacting privacy@likeness-app.com.

8. Removal Requests and Licence Wind-Down

Talent may request deletion of their likeness data at any time by contacting privacy@likeness-app.com.

It is important to understand the distinction between source biometric data (the facial images you upload to the Platform) and already-generated content (AI-generated images or videos that a Licensee has already created using your likeness under an active licence). These are treated differently upon a deletion request:

Upon receiving a valid deletion request:

• Source data removal. Your source biometric data (uploaded facial images and associated facial data) will be permanently deleted from the Platform within 30 days of the request. Once deleted, your likeness will no longer be available for new licence purchases, and no new AI-generated content can be created from your likeness.
• Active licences continue to term. Where Licensees have already generated content under active licences before your deletion request, those licences will continue for the remainder of their stated licence term. This is because the already-generated content is a derivative commercial work governed by a contractual licence; the source biometric data is no longer being processed by Likeness Ltd or the Licensee. Licensees will be notified that the source data has been removed and that no further content may be generated. The legal basis for the continued use of already-generated content under active licences is performance of a contract (Article 6(1)(b)) and, where applicable, the establishment, exercise, or defence of legal claims (Article 17(3)(e)).
• Informed consent at onboarding. At the time of account creation, Talent will be clearly informed that licences granted before a deletion request will continue for their full stated term. This acknowledgment forms part of the explicit consent process under Article 9(2)(a). Talent will be provided with a clear explanation of what this means in practice before consenting.
• Full deletion of source data. All source biometric data held by Likeness Ltd will be permanently deleted within 30 days of the removal request. Likeness Ltd does not retain any copy of the source facial images after this period.
• Licence expiry.Once all active licences have expired, Licensees must cease all use of previously generated content incorporating the Talent’s likeness and delete or destroy such content within 14 days of licence expiry.

9. Data Retention

We retain personal data for the following periods:

• Source biometric/likeness data:for the duration of the Talent’s active account. Permanently deleted from the Platform within 30 days of account closure or consent withdrawal. Already-generated content under active licences may continue to be used until the licence term expires (see Section 8).
• Account data: retained for the duration of the active account, then deleted within 30 days of account closure.
• Transaction records: retained for 7 years from the date of the transaction, as required by UK tax and accounting regulations.
• Usage and analytics data: retained for up to 24 months in identifiable form, after which it is anonymised or deleted.
• Support correspondence: retained for 24 months after the issue is resolved, then deleted.

10. Data Breach Notification

In the event of a personal data breach, we will:

• notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach, where the breach is likely to result in a risk to individuals’ rights and freedoms;
• notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms, providing details of the breach, likely consequences, and measures taken or proposed;
• document all breaches in our internal breach register, including those not requiring notification, together with the facts, effects, and remedial actions taken.

Given the sensitive nature of biometric data, any breach involving facial likeness data will be presumed to meet the high-risk threshold requiring individual notification unless a documented risk assessment concludes otherwise.

11. Security

We implement appropriate technical and organisational measures to protect personal data, including:

• encryption of personal data at rest and in transit
• access controls and authentication for systems containing personal data
• regular security assessments and penetration testing
• staff training on data protection and security obligations
• incident response procedures for detecting and responding to security events

12. Automated Decision-Making

The Platform may use automated processing in connection with the following activities:

• Facial verification: automated comparison of uploaded images to verify likeness ownership and detect duplicate or fraudulent uploads.
• Fraud detection: automated analysis of account activity and transactions to identify potentially fraudulent behaviour.
• Content moderation: automated screening of platform content to detect potential policy violations.

Where automated processing produces decisions with legal or similarly significant effects on individuals, we ensure that appropriate safeguards are in place, including the right to obtain human intervention, to express your point of view, and to contest the decision. These safeguards are provided in compliance with the UK GDPR and the Data (Use and Access) Act 2025.

To request human review of an automated decision, please contact privacy@likeness-app.com.

13. User Rights

Under applicable data protection laws, including the UK GDPR and EU GDPR, you have the following rights in relation to your personal data:

• Right of access (Article 15)– the right to request a copy of the personal data we hold about you.
• Right to rectification (Article 16) – the right to request correction of inaccurate or incomplete personal data.
• Right to erasure (Article 17) – the right to request deletion of your personal data, subject to applicable legal obligations and the licence wind-down provisions in Section 8.
• Right to restrict processing (Article 18) – the right to request that we limit how we use your personal data in certain circumstances.
• Right to data portability (Article 20) – the right to receive your personal data in a structured, commonly used, machine-readable format.
• Right to object (Article 21)– the right to object to processing based on legitimate interests or for direct marketing purposes.
• Right to withdraw consent (Article 7(3)) – the right to withdraw your consent to processing at any time, without affecting the lawfulness of processing before withdrawal.
• Right to lodge a complaint– the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk, or with another relevant supervisory authority.

To exercise any of these rights, please contact privacy@likeness-app.com. We will respond to your request within 30 days.

14. Data Privacy Complaints Procedure

In accordance with the Data (Use and Access) Act 2025, Likeness Ltd maintains a formal data privacy complaints procedure. If you wish to raise a complaint about how we process your personal data:

• Submitting a complaint: You may submit a data privacy complaint by email to privacy@likeness-app.com or by post to the Data Protection Officer at the address provided in Section 17. Please provide as much detail as possible about your concern.
• Acknowledgement: We will acknowledge receipt of your complaint within 30 days.
• Investigation: We will investigate your complaint without undue delay and provide you with a substantive response, including any actions we have taken or propose to take.
• Escalation:If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) or to seek a judicial remedy.

15. Data Protection Impact Assessment

Given the nature and scale of our processing of biometric data, Likeness Ltd has conducted a Data Protection Impact Assessment (DPIA) in accordance with UK GDPR Article 35. The DPIA is reviewed and updated regularly to reflect changes in our processing activities, technology, and the regulatory environment. A summary of the DPIA is available upon request by contacting dpo@likeness-app.com.

16. Records of Processing Activities

Likeness Ltd maintains comprehensive Records of Processing Activities (ROPA) as required by UK GDPR Article 30, documenting the categories of data processed, purposes, recipients, retention periods, and security measures in place. These records are reviewed regularly and are available to the ICO upon request.

17. Data Protection Officer

Given the nature and scale of our processing of biometric data, Likeness Ltd has appointed a Data Protection Officer (DPO). The DPO can be contacted at:

Email: dpo@likeness-app.com
Post: Data Protection Officer, Likeness Ltd, Flat 3, 50 Dunlace Road, London, England, E5 0NE

The DPO is responsible for overseeing our data protection strategy and ensuring compliance with applicable data protection laws.

18. Supervisory Authority

Our lead supervisory authority is the Information Commissioner’s Office (ICO): Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom. Website: ico.org.uk

19. Contact

For general privacy enquiries, please contact:

Email: privacy@likeness-app.com
Post: Likeness Ltd, Flat 3, 50 Dunlace Road, London, England, E5 0NE

20. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email to your registered email address at least 30 days before they take effect. Where changes affect the processing of biometric data, we may seek your renewed consent.

Where changes are required to comply with new or amended data protection legislation or regulatory guidance (including requirements of the DUAA), we may implement such changes on shorter notice or with immediate effect where legally mandated.