What is Faceify Labs?

Faceify Labs is a browser-based AI surgical simulation platform with 85+ procedure simulators built for plastic surgeons, aesthetic clinics, and patients. It processes patient photos entirely on-device using a 468-point anatomical facial mesh — no images are uploaded to any server. It is an educational visual planning tool, not regulated as a medical device under the U.S. FDA, the Thai FDA, the Korean MFDS, ANVISA (Brazil), or the PMDA (Japan). See faceifylabs.com/clinical-safety for our full clinical posture.

How many procedures does Faceify Labs simulate?

Faceify Labs supports 85 procedures across 6 categories: 19 surgical (rhinoplasty, blepharoplasty, facelift, brow lift, otoplasty, V-line, etc.), 16 non-surgical (chemical peels, laser, microneedling, HIFU, RF), 14 injectable (Botox, fillers, lip flip, Profhilo, Sculptra, Radiesse, Kybella, masseter Botox), 7 dental (veneers, smile design, teeth whitening, gummy smile, dental implants, Invisalign, gum contouring), 20 body contouring (breast, lipo, BBL, tummy tuck, mommy makeover, brachioplasty, thigh lift), and 9 hair restoration (FUE/FUT/DHI hair transplant, beard, eyebrow, SMP, hairline lowering, PRP).

Is Faceify Labs free to try?

Yes. Visit faceifylabs.com/demo to try every procedure simulator free with no signup required. Surgeon plans start at $149/month with a 14-day money-back guarantee. Patients can buy a $19 Day Pass for 24-hour unlimited simulator access (₹1,599 in INR).

How does Faceify Labs compare to Crisalix, Vectra, or AEDIT?

Faceify Labs runs entirely in the browser with no hardware required. Crisalix uses a 3D mobile scanner. Vectra (Canfield) requires $25k+ in dedicated 3D camera hardware. AEDIT focuses on patient discovery, not parametric simulation. FaceTouchUp is rhinoplasty-only with manual brush tools. Faceify ships 90 parametric procedures with clinical safety constraints, 100% on-device processing, and a 468-point anatomical mesh — at $149/month.

Is patient data safe with Faceify Labs?

Yes. All facial photo processing is performed entirely on-device in the browser using WebGL2 and TensorFlow.js. No patient photos are ever uploaded to or stored on any Faceify Labs server. The platform is built with HIPAA-ready architecture and complies with GDPR, Thailand PDPA, South Korea PIPA, Singapore PDPA, and India DPDPA.

What devices and browsers does Faceify Labs support?

Any modern browser with WebGL2: Chrome, Safari, Firefox, or Edge — on desktop, tablet, or mobile. iOS Safari 15+ and Android Chrome are fully supported. iPad is the most common device for in-clinic surgeon demos. No app download or hardware required.

How accurate are the AI simulations?

Simulations use a 468-point anatomical facial mesh (MediaPipe Face Mesh) with sub-millimeter landmark tracking precision (0.04mm RMSD per Kartynnik 2019). Each procedure has clinical safety constraints — anatomical clamps prevent unrealistic deformations such as eye-orbit displacement past 1.2% of face height. Simulations are educational, directional previews, not surgical-outcome guarantees.

Can I share a simulation with my patient or surgeon?

Yes. Surgeons can email patients a one-click link that opens the simulation plan in a browser — patients see the surgeon's parameter selections without uploading anything new. Patients can email surgeons a share link the same way. Photos stay on each person's device throughout — only the parameter state is transmitted.

Security & compliance posture

How we handle your clinic's data

This page documents what we have deployed today, what we have committed to ship, and what we have explicitly decided not to pursue at the current company stage. Honesty over polish.

The patient photo never leaves the patient's browser.

Image processing — landmark detection, mesh fitting, deformation rendering — happens entirely on-device. We cannot see the photo. We cannot store the photo. The only exceptions are explicit-consent flows: the patient clicks “Share with my surgeon” (a hashed reference is transmitted, not the photo) or submits to the public gallery (with admin-reviewed consent).

Encryption

In transit:TLS 1.3 enforced on all routes via Vercel's edge. HSTS preload eligible. CSP nonce-based with no unsafe-inline on script-src.

At rest: Postgres volumes encrypted by Neon (AES-256). Vercel Blob storage encrypted at rest. Redis TLS-encrypted between client and Upstash.

Secrets: stored in Vercel encrypted env vars, rotated on personnel changes. AUTH_SECRET, POLAR_WEBHOOK_SECRET, and RAZORPAY_KEY_SECRET are never logged.

Subprocessors

Every vendor that touches data on our behalf, what they do, and the BAA / DPA status. We update this table within 7 days of any vendor change.

Vendor	Role	Data	Region	BAA / DPA
Vercel	Application hosting + CDN	Request logs (IP, UA)	Global edge	Enterprise plan available
Neon (Postgres)	Primary database	Account, profile, simulation metadata	AWS us-east + eu-central	Available
Upstash Redis	Rate limiting, session cache	Hashed session IDs	Global edge	Available
Vercel Blob	Gallery photos, KYC docs	User-uploaded images	AWS us-east	Available
Vercel Edge Config	Per-partner CSP allowlist	None	Global edge	N/A (no PII)
Resend	Transactional email	Email address, message body	AWS us-east	Available
Polar	Payment processing (USD/THB)	Billing details (Polar = MoR)	Polar-managed	Out of PHI scope (MoR)
Razorpay	Payment processing (INR)	Billing details (PCI-managed)	India	PCI; we never see card numbers
Sentry	Error reporting	Scrubbed; no PHI/PII reaches Sentry	AWS us-east	Available
PostHog	Product analytics	Pseudonymous user ID; PHI scrub	EU primary	Available (Enterprise plan)
Cal.com	Consultation booking	Patient name, email, booking time	AWS us-east	Available
Cerebras	Chatbot LLM inference	Chat input only (no patient photos)	Cerebras-managed	Under review

Authentication & access control

Custom JWT (jose, HS256) issued on email + OTP verification. Cookie name fl-session, httpOnly, secure in production, sameSite=lax, 30-day TTL with refresh on activity.

CSRF: double-submit cookie (fl-csrf) + x-csrf-token header. Required on all mutating routes except the auth boundary itself.

Role-based access: patient, surgeon, admin. Surgeon access additionally requires KYC approval (gov ID + medical council number + clinic certificate) before deal posting or commission collection.

What we keep vs delete on account closure

Procurement and audit teams ask this often, so it's worth a row-level breakdown rather than buried prose. Anything marked “legal hold” is required by tax / dispute-resolution / fraud-investigation law and is anonymised (FK link severed) rather than retained as personal data.

Data	Action on deletion	Reason
Account profile (name, email, phone)	Hard delete	No legal basis to retain
Simulator session metadata + saved presets	Hard delete	Photo never reached us; metadata not needed post-account
Subscription + billing-rail metadata	Hard delete	Polar/Razorpay holds the canonical record on their side
Gallery submissions you uploaded	Hard delete (incl. blob storage)	Consent withdrawn; blobs removed from CDN
Q&A questions you submitted	Anonymise display name → “Anonymous patient”	Public answers help future patients; identifying fields removed
Annotations you created (surgeons)	Hard delete	Only the surgeon who created them can read them; on deletion they have no further use
Audit logs (admin actions, login attempts)	Legal hold — anonymise, retain	Required for fraud + dispute investigation; FK to user is set null
Payment records (orders, refunds, commission)	Legal hold — 7 years	Tax law (India + EU + Polar MoR jurisdictions)
Adverse-event reports you filed	Legal hold — anonymise, retain	Clinical-safety record; identifying fields removed

Data deletion (GDPR Art. 17)

Self-serve in-app:sign in → Settings → Danger Zone → “Delete account.” The existing flow hard-cascades through account, subscription, simulation metadata, gallery submissions, blob storage, and clears your session immediately.

Email request:if you can't access your account, email privacy@faceifylabs.com with the email address on the account. SLA: deleted within 5 business days, sooner where possible.

What we keep (legal hold): audit logs and payment records (anonymised, FK link severed). These are required by tax + dispute-resolution law for up to 7 years.

Audit & observability

Sentry captures application errors with PII scrubbed. PostHog captures product analytics with PHI scrubbed (server-side filter). Authenticated admin actions (gallery moderation, role changes, refund issuance) are logged to the AdminAuditLog table with actor + timestamp + before/after.

A dedicated PHI-tier audit log table (photos, annotations, consultation messages) is on the Q2 roadmap (CTO §4) for first US/EU clinic conversation readiness.

What we have explicitly chosen not to pursue yet

SOC2 Type II.$30–80k and 6+ months. We will start the audit when our first $50k ACV contract is contingent on it. Not before.
HITRUST. Irrelevant until we sell to U.S. hospital systems. Currently selling to private clinics.
FDA medical-device classification. Out of scope by design. The simulator is a visualisation tool, not a diagnostic device. See /clinical-safety.
PCI compliance. Polar (USD/THB) and Razorpay (INR) handle all card data as Merchants of Record / PCI providers. We never see a card number.

Breach response

On detection of an incident affecting patient data:

Containment within 4 hours of confirmation.
Affected-user notification within 72 hours of confirmation.
Regulator notification per applicable jurisdiction (GDPR Art. 33: 72h to supervisory authority; HIPAA: 60 days; CDSCO: per local law).
Public post-mortem at faceifylabs.com/incidents within 14 days.

Contact

Security questions, BAA / DPA requests, and procurement questionnaires: security@faceifylabs.com

Vulnerability disclosure (responsible disclosure): security@faceifylabs.com with subject prefix [VDP]. We aim to acknowledge within one business day and to remediate or respond within 30.