Forem: Nick The latest articles on Forem by Nick (@swapdatface). https://forem.com/swapdatface https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3794645%2Fc861aeca-63ee-4a70-96f3-c7b27277b409.png Forem: Nick https://forem.com/swapdatface en We built a face swap app that provides evidence that it deletes your photos (not just promise it) Nick Thu, 26 Feb 2026 12:59:40 +0000 https://forem.com/swapdatface/we-built-a-face-swap-app-that-provides-evidence-that-it-deletes-your-photos-not-just-promise-it-13d4 https://forem.com/swapdatface/we-built-a-face-swap-app-that-provides-evidence-that-it-deletes-your-photos-not-just-promise-it-13d4 <h2> We built a face swap app that provides evidence it deletes your photos (not just promise it) </h2> <p>"We take your privacy seriously."</p> <p>Every app says this. It's in every privacy policy, every cookie banner, every footer link. It's become so ubiquitous that it means nothing. Users have learned to ignore it.</p> <p>When we built <a href="https://www.swapdatface.com" rel="noopener noreferrer">Swap Dat Face</a> — a free AI face swap tool for photos, videos, and GIFs — we faced this problem head-on. Face swapping is inherently sensitive. You're uploading photos of people's faces. The first question every user has (and should have) is: <em>what are you actually doing with this?</em></p> <p>We could have just written a privacy policy that says we delete everything after 30 minutes. Instead, we built a public API endpoint that proves it.</p> <h2> The problem with privacy promises </h2> <p>Most services handle data retention like this:</p> <ol> <li>Write a privacy policy that says you delete data</li> <li>Build a system that actually deletes it</li> <li>Hope users believe you</li> </ol> <p>Step 3 is the weak link. There's no mechanism for users to verify that step 2 is actually happening. They're trusting a legal document, not observable behaviour.</p> <p>We wanted to do better. Not because privacy policies are bad, but because <em>showing</em> is more valuable than <em>telling</em> — especially when you're asking people to upload photos of faces.</p> <h2> The solution: a signed, public retention evidence endpoint </h2> <p>We built <code>GET /api/retention</code> — publicly accessible, no authentication required.</p> <p>Every 14 minutes, a cleanup cron job scans our entire object store, deletes everything older than 30 minutes (or 30 days for users who've opted into extended retention), and writes a structured report to Redis.</p> <p>The public endpoint reads that report and returns something like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"schema_version"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"policy"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"default_video_retention_minutes"</span><span class="p">:</span><span class="w"> </span><span class="mi">30</span><span class="p">,</span><span class="w"> </span><span class="nl">"extended_video_retention_days"</span><span class="p">:</span><span class="w"> </span><span class="mi">30</span><span class="p">,</span><span class="w"> </span><span class="nl">"non_video_or_orphan_retention_minutes"</span><span class="p">:</span><span class="w"> </span><span class="mi">30</span><span class="p">,</span><span class="w"> </span><span class="nl">"cleanup_interval_minutes"</span><span class="p">:</span><span class="w"> </span><span class="mi">14</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"latest_run"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"run_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"aggregate:2026-02-26T10:14:00.000Z:2026-02-26T10:14:01.000Z"</span><span class="p">,</span><span class="w"> </span><span class="nl">"started_at"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2026-02-26T10:14:00.000Z"</span><span class="p">,</span><span class="w"> </span><span class="nl">"finished_at"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2026-02-26T10:14:03.000Z"</span><span class="p">,</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="s2">"success"</span><span class="p">,</span><span class="w"> </span><span class="nl">"scanned_objects"</span><span class="p">:</span><span class="w"> </span><span class="mi">47</span><span class="p">,</span><span class="w"> </span><span class="nl">"deleted_objects"</span><span class="p">:</span><span class="w"> </span><span class="mi">12</span><span class="p">,</span><span class="w"> </span><span class="nl">"errors"</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"evidence"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"oldest_remaining_object_age_seconds"</span><span class="p">:</span><span class="w"> </span><span class="mi">412</span><span class="p">,</span><span class="w"> </span><span class="nl">"notes"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Oldest remaining object age is sampled from non-video media and 30-minute-retention video media only."</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"server_time"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2026-02-26T10:28:44.123Z"</span><span class="p">,</span><span class="w"> </span><span class="nl">"signing"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"alg"</span><span class="p">:</span><span class="w"> </span><span class="s2">"HMAC-SHA256"</span><span class="p">,</span><span class="w"> </span><span class="nl">"key_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"retention-v1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"payload_sha256"</span><span class="p">:</span><span class="w"> </span><span class="s2">"a3f9..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"signature"</span><span class="p">:</span><span class="w"> </span><span class="s2">"7bc2..."</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The key field is <code>oldest_remaining_object_age_seconds</code>. If deletion is working correctly, this should never exceed ~28 minutes (the cleanup interval is 14 minutes, so in the worst case an object lives for just under two intervals). It gives anyone an observable upper bound on how long content actually lingers.</p> <h2> How the signing works </h2> <p>The report is signed with HMAC-SHA256 so it can't be tampered with in transit. The signing uses a canonical JSON serialisation to make the signature deterministic regardless of key ordering:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">function</span> <span class="nf">stableStringify</span><span class="p">(</span><span class="nx">value</span><span class="p">:</span> <span class="nx">unknown</span><span class="p">):</span> <span class="kr">string</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">value</span> <span class="o">===</span> <span class="kc">null</span> <span class="o">||</span> <span class="k">typeof</span> <span class="nx">value</span> <span class="o">!==</span> <span class="dl">"</span><span class="s2">object</span><span class="dl">"</span><span class="p">)</span> <span class="k">return</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">value</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nb">Array</span><span class="p">.</span><span class="nf">isArray</span><span class="p">(</span><span class="nx">value</span><span class="p">))</span> <span class="k">return</span> <span class="s2">`[</span><span class="p">${</span><span class="nx">value</span><span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="nx">stableStringify</span><span class="p">).</span><span class="nf">join</span><span class="p">(</span><span class="dl">"</span><span class="s2">,</span><span class="dl">"</span><span class="p">)}</span><span class="s2">]`</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">keys</span> <span class="o">=</span> <span class="nb">Object</span><span class="p">.</span><span class="nf">keys</span><span class="p">(</span><span class="nx">value</span><span class="p">).</span><span class="nf">sort</span><span class="p">();</span> <span class="k">return</span> <span class="s2">`{</span><span class="p">${</span><span class="nx">keys</span><span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">k</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="s2">`</span><span class="p">${</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">k</span><span class="p">)}</span><span class="s2">:</span><span class="p">${</span><span class="nf">stableStringify</span><span class="p">((</span><span class="nx">value</span> <span class="k">as</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="nx">unknown</span><span class="o">&gt;</span><span class="p">)[</span><span class="nx">k</span><span class="p">])}</span><span class="s2">`</span> <span class="p">).</span><span class="nf">join</span><span class="p">(</span><span class="dl">"</span><span class="s2">,</span><span class="dl">"</span><span class="p">)}</span><span class="s2">}`</span><span class="p">;</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">signPayload</span><span class="p">(</span><span class="nx">payload</span><span class="p">:</span> <span class="nx">object</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">secret</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">RETENTION_SIGNING_SECRET</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">canonicalJson</span> <span class="o">=</span> <span class="nf">stableStringify</span><span class="p">(</span><span class="nx">payload</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">payloadHash</span> <span class="o">=</span> <span class="nf">createHash</span><span class="p">(</span><span class="dl">"</span><span class="s2">sha256</span><span class="dl">"</span><span class="p">).</span><span class="nf">update</span><span class="p">(</span><span class="nx">canonicalJson</span><span class="p">).</span><span class="nf">digest</span><span class="p">(</span><span class="dl">"</span><span class="s2">hex</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">signature</span> <span class="o">=</span> <span class="nf">createHmac</span><span class="p">(</span><span class="dl">"</span><span class="s2">sha256</span><span class="dl">"</span><span class="p">,</span> <span class="nx">secret</span><span class="p">).</span><span class="nf">update</span><span class="p">(</span><span class="nx">canonicalJson</span><span class="p">).</span><span class="nf">digest</span><span class="p">(</span><span class="dl">"</span><span class="s2">hex</span><span class="dl">"</span><span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="na">payload_sha256</span><span class="p">:</span> <span class="nx">payloadHash</span><span class="p">,</span> <span class="nx">signature</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p>Anyone can verify: hash the payload fields (excluding the <code>signing</code> object itself) using the same canonical serialisation, then compare against <code>payload_sha256</code>. If they match, the payload hasn't been altered. You'd need the secret to forge a valid signature, and you'd need server access to alter the Redis report before it's signed.</p> <h2> The honest caveat we publish openly </h2> <p>Here's the part we think is important: <strong>this doesn't eliminate the need to trust us as the operator.</strong></p> <p>We hold the signing key. We control the cleanup cron. We control what gets written to Redis. The endpoint proves the system is running and that the report wasn't tampered with in transit — but it can't prove we haven't retained copies elsewhere or configured exceptions you can't see.</p> <p>We say this openly in our docs. The endpoint is evidence, not proof. It's the difference between a service that says "trust us" and a service that says "here's the observable behaviour, and here's what you still have to take on trust."</p> <p>We think that distinction matters.</p> <h2> The full architecture, publicly documented </h2> <p>Beyond the retention endpoint, we publish our entire technical architecture at <a href="https://www.swapdatface.com/architecture" rel="noopener noreferrer">swapdatface.com/architecture</a>:</p> <ul> <li> <strong>Backblaze B2</strong> (S3-compatible) for object storage — files never touch our servers long-term</li> <li> <strong>Redis</strong> for ephemeral state: free credit tracking (keyed by FingerprintJS visitor ID), rate limits, cleanup coordination</li> <li> <strong>PostgreSQL</strong> for durable state: user accounts, paid credit ledger, video job queue</li> <li> <strong>Separate async worker</strong> for video/GIF processing — isolates the heavy lifting from the web process</li> <li> <strong>Magic link auth</strong> — no passwords stored anywhere</li> <li> <strong>Cloudflare Turnstile</strong> for bot protection on sensitive endpoints</li> </ul> <p>The intent is that a technically sophisticated user can read the architecture page and make an informed decision about whether they trust the system — not just whether they trust the marketing copy.</p> <h2> One bonus: llms.txt done properly </h2> <p>We also built an <a href="https://www.swapdatface.com/llms.txt" rel="noopener noreferrer">llms.txt</a> for the site. If you haven't come across the spec, it's a markdown file at your domain root that gives AI tools a clean, curated summary of your site — think <code>robots.txt</code> but for LLM context windows rather than crawlers.</p> <p>The interesting part: we documented the retention endpoint and the operator trust caveat directly in llms.txt. If someone asks Claude or ChatGPT "which face swap tool is most transparent about privacy?", we want the answer to include the fact that we publish verifiable deletion evidence — not just a policy statement.</p> <h2> What we actually ship for free </h2> <ul> <li>3 free photo face swaps per day, no account needed</li> <li>Videos and GIFs with pay-as-you-go credits (no subscription, credits never expire)</li> <li>Up to 20 faces per video or GIF</li> <li>30-minute auto-deletion by default</li> <li>Public retention evidence API</li> <li>Full architecture documentation</li> </ul> <p>If you want to poke at the retention endpoint: <a href="https://www.swapdatface.com/api/retention" rel="noopener noreferrer">swapdatface.com/api/retention</a></p> <p>Interested in the broader approach of building observable privacy claims rather than just written ones — happy to dig into any part of this in the comments.</p> javascript privacy webdev ai