
Privacy & Trust

The page a privacy officer can read end-to-end.

Structured, citable, scannable. Every claim on this page can be checked against the app source or a published regulator document.

Last reviewed 2026-05-13 · by Matthew Haskins

The on-device claim

What “on-device” means here.

FaceGate is a phone app. Face detection, embedding (the 512-d vector that represents a face), matching, and classification all run on the phone’s CPU and GPU. There is no network call to a FaceGate server, because there is no FaceGate server.

For why that choice changes the procurement conversation, see on-device vs cloud facial recognition.

[Diagram: "Your phone" runs Photo → Detect → Match → Verdict; "The internet" is shown separately, labelled "Nothing leaves your phone".]

Your photo is checked right here on your phone. It’s never uploaded or sent to the internet.

  1. Photo: Selected from the device gallery or camera.
  2. Detect: ML Kit finds faces; FaceGate then crops and resizes each to 112 × 112 for embedding.
  3. Match: AuraFace v1 embeds each face and compares it against the consent list.
  4. Verdict: Safe, Unsafe, or Review - written to the local audit log.

All four steps run on the phone’s CPU and GPU. No network calls.

Data flow

Where everything lives and how to delete it.

| What we collect | Where it’s stored | Who has access | How to delete |
| --- | --- | --- | --- |
| Photos you import | Phone storage only (sandboxed) | The phone's operator | Remove from app gallery or wipe biometric data |
| Face crops & embeddings | On-device SQLite database | The phone's operator | Settings → Wipe biometric data |
| Consent list (names, status, photos) | On-device SQLite database | The phone's operator | Settings → Wipe biometric data, or export then delete |
| Audit log | On-device SQLite database | The phone's operator | Settings → Clear audit log |

Australian Privacy Principles

APP-by-APP alignment.

Designed against the Privacy Act 1988 (Cth) and the 13 APPs. Below are the ones that bear directly on biometric data and the school-publishing workflow.

  • APP 1: Open and transparent management of personal information.

    How FaceGate satisfies it

    We publish this page, the privacy policy, and a named privacy contact (below). The app discloses what it processes on first launch.

  • APP 3: Only collect personal information that is reasonably necessary.

    How FaceGate satisfies it

    FaceGate collects names, face photos, and consent status - the minimum needed for matching. Nothing else.

  • APP 5: Notify the individual of the collection.

    How FaceGate satisfies it

    The app's first-tap consent gate explains, in plain language, what is processed, why, and where it stays.

  • APP 6: Use or disclose only for the primary purpose.

    How FaceGate satisfies it

    Biometric data is used solely to match against the consent list. There is no secondary use and no disclosure.

  • APP 8: Take reasonable steps before disclosing personal information overseas.

    How FaceGate satisfies it

    FaceGate has no cross-border transfer to take steps about - biometric data never leaves the device.

  • APP 11: Take reasonable steps to protect personal information.

    How FaceGate satisfies it

    On-device storage in the OS app-private sandbox, protected at rest by the operating system's built-in encryption when a device screen lock or passcode is set - FaceGate adds no encryption layer of its own. No network endpoints to attack; an enforced device lock, ideally via MDM, is the recommended control.

  • APP 12: Provide access on request.

    How FaceGate satisfies it

    The consent list and audit log are visible in the app at any time. Export is available.

  • APP 13: Correct personal information on request.

    How FaceGate satisfies it

    Every person, photo, status, and override is editable from inside the app. Re-classification is automatic.

Regulatory horizon

Recent and upcoming changes.

  1. 10 June 2025

    ✓ In force

    Statutory tort of serious invasion of privacy (Cth)

    Federal statutory tort creates a direct cause of action for serious privacy invasions. On-device-only design minimises exposure.

  2. 1 July 2026

    Upcoming

    WA PRIS Act commences

    The Western Australian Privacy and Responsible Information Sharing Act 2024 takes effect for public-sector bodies including state schools.

  3. 10 December 2026

    Upcoming

    Children's Online Privacy Code in force

    Federal code regulating online services likely to be accessed by children. FaceGate runs entirely on-device with no internet-delivered service component and is operated by adult school staff, so our documented, defensible position is that it falls outside the Code's scope - a position we'd re-assess if any cloud or web feature were ever added. This is our assessment, not legal advice.

  4. 1 January 2027

    Upcoming

    WA Notifiable Information Breach provisions

    Mandatory breach-notification provisions come into force in WA. FaceGate is designed to minimise breach surface - no central store to breach.

Accuracy

Reliability is operational, not a single number.

FaceGate runs on AuraFace v1 - ResNet100 with an ArcFace head, Apache 2.0 licensed and bundled with the app. Confidence is exposed at every step of the workflow rather than collapsed into one headline figure, and three operational mechanisms keep uncertain outputs visible to the operator.

Dual-threshold

Uncertain matches route to review

The cosine score is visible to the operator. Below the confident threshold the verdict is “Review”, not “Match” - there is no silent auto-classification.
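
The dual-threshold routing described above, as an added example (not FaceGate's own code). The threshold values, the consent statuses, the 4-d sample vectors and the fail-closed per-photo aggregation are assumptions made for illustration; the page publishes none of them.

```python
import math

# Assumed thresholds; the page does not publish FaceGate's values.
CONFIDENT = 0.60  # at or above: confident match
FLOOR = 0.35      # below: treated as an unknown face

# Constructed consent list: (name, status, reference embedding). Real
# embeddings are 512-d; 4-d vectors keep the arithmetic readable.
CONSENT_LIST = [
    ("alice", "consented", [1.0, 0.0, 0.0, 0.0]),
    ("ben", "not_consented", [0.0, 1.0, 0.0, 0.0]),
]

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0

def classify_face(embedding, consent_list=CONSENT_LIST):
    """Return (verdict, matched_name_or_None, best_score) for one face."""
    name, status, score = None, None, -1.0
    for cand_name, cand_status, ref in consent_list:
        s = cosine(embedding, ref)
        if s > score:
            name, status, score = cand_name, cand_status, s
    if score >= CONFIDENT:
        return ("Safe" if status == "consented" else "Unsafe"), name, score
    # Uncertain (FLOOR..CONFIDENT) or unknown (< FLOOR): never auto-classify.
    return "Review", (name if score >= FLOOR else None), score

def classify_photo(face_embeddings, consent_list=CONSENT_LIST):
    """Fail closed: one doubtful face decides the verdict for the whole photo."""
    verdicts = [classify_face(e, consent_list)[0] for e in face_embeddings]
    if "Unsafe" in verdicts:
        return "Unsafe"
    if "Review" in verdicts or not verdicts:  # no face found: a human looks
        return "Review"
    return "Safe"
```
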

Human-in-the-loop

Every verdict is overridable

Operators confirm, override, or escalate any classification. The verdict is recorded; the publication decision is the operator’s.

Audit trail

Every action is logged

Enrolments, classifications, overrides, and consent changes are timestamped with the model and thresholds in use - exportable for evidence packs.

The model

A one-line model card.

Name: AuraFace v1
Architecture: ResNet100 + ArcFace head
Embedding dim: 512
Licence: Apache 2.0 (commercial)
Publisher: fal.ai
Size: ≈ 249 MB
Input: 112 × 112 RGB, normalised to [-1, 1]

The model is bundled with the app; no remote model fetch at runtime. The model identifier and threshold settings are written into every audit-log entry.

Audit trail

Everything that happens is recorded.

Every enrolment, classification, override, and consent change is logged with a timestamp, the model in use, and the thresholds applied - visible in the app at any time and exportable for evidence packs. The screen on the right is the live audit-log view operators see in the app.

  • Append-only - the app only ever adds new entries; it never edits or back-dates past ones.
  • Self-contained - model identifier, threshold values, and operator action are written into every entry.
  • Portable - exportable as a CSV for procurement or compliance review without touching the cloud.

[Screenshot: FaceGate's on-device audit log showing timestamped enrolment, classification, and override entries]
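
One way to enforce the append-only and self-contained properties listed above in SQLite, with a CSV export, as an added example (not FaceGate's own schema or code). Table, column and trigger names and the threshold values are hypothetical; DELETE is left unguarded because the page documents a Settings → Clear audit log action.

```python
import csv
import io
import sqlite3

# Hypothetical schema: every row carries the model and thresholds in force.
SCHEMA = """
CREATE TABLE audit_log (
  id INTEGER PRIMARY KEY AUTOINCREMENT,
  ts TEXT NOT NULL,       -- ISO 8601 UTC, so text order equals time order
  action TEXT NOT NULL,   -- enrol / classify / override / consent_change
  subject TEXT NOT NULL,
  model_id TEXT NOT NULL,
  confident_threshold REAL NOT NULL,
  review_floor REAL NOT NULL
);
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
CREATE TRIGGER audit_no_backdate BEFORE INSERT ON audit_log
WHEN NEW.ts < (SELECT COALESCE(MAX(ts), '') FROM audit_log)
BEGIN SELECT RAISE(ABORT, 'entries cannot be back-dated'); END;
"""

def open_log():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def append(db, ts, action, subject, model_id="AuraFace v1",
           confident=0.60, floor=0.35):  # threshold values are constructed
    db.execute(
        "INSERT INTO audit_log (ts, action, subject, model_id,"
        " confident_threshold, review_floor) VALUES (?, ?, ?, ?, ?, ?)",
        (ts, action, subject, model_id, confident, floor))
    db.commit()

def _cell(value):
    # Neutralise spreadsheet formulas in exported text (names are operator input).
    if isinstance(value, str) and value[:1] in ("=", "+", "-", "@"):
        return "'" + value
    return value

def export_csv(db):
    cur = db.execute("SELECT * FROM audit_log ORDER BY id")
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow([col[0] for col in cur.description])
    writer.writerows([_cell(v) for v in row] for row in cur)
    return out.getvalue()
```
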

FAQ

Privacy questions, answered.

  • Is the data on the device encrypted, and does FaceGate add its own password?
    Everything stays in app-private storage and is protected by the phone’s built-in encryption whenever a screen lock or passcode is set. FaceGate doesn’t add a separate app password, so a locked, encrypted device is the control - an enforced device lock, ideally through your device-management platform, is the recommended deployment.
  • What happens if the phone is lost, stolen, or breaks?
    Because everything is on the device, there is no central database to breach - a locked, encrypted phone can’t be read by whoever finds it. The trade-off is that, with no cloud copy, data is only recoverable from a backup. FaceGate includes a Backup & Restore feature (Settings → Storage): the backup file holds the people, their consent categories, and their face templates - but not the original photos, scan history, or audit log - and restores onto a new device as long as the same recognition model is in use. Two things matter for IT and privacy officers: backups are written to the device’s own storage and never uploaded automatically, so your process has to copy them to controlled storage; and remote-wipe is a function of your MDM, not the app. Treat exported backups as biometric data and protect them like the device itself.
  • What happens to faces it doesn't recognise?
    Unknown faces stay on the device until an operator triages them - reassigned to an existing person, enrolled as someone new, or marked unknown. Nothing about them is uploaded.
  • What exactly does FaceGate store for each enrolled person?
    On the device only, in app-private storage: a cropped image of the enrolled face and a small thumbnail, a numerical face template (the embedding used for matching), the consent category, and quality metadata. There is no cloud copy and none of it is uploaded. Deleting the person removes their stored faces and template from the device.

Contact a privacy officer

Direct line to the responsible person.

Privacy enquiries - whether from a school, parent, or regulator - come straight to Matthew Haskins, the founder and the named privacy contact.

matthew.haskins.mh@gmail.com