Apple plans to share facial mapping data captured by the iPhone X’s series of front-facing cameras and sensors, according to a report by Reuters. The revelation, contained in a developer agreement detailing the use of Apple’s new facial recognition software, would appear to undermine statements Apple made during the iPhone X reveal back in September. The company’s executives at the time made an effort to placate privacy concerns with talk of strict on-device storage and end-to-end encryption.

However, there’s quite a bit of unpacking to do here regarding what developers actually have access to and under what terms. According to the developer agreement, third-party app makers only have access to the visual facial mapping data, and not the mathematical representation of it that is used to unlock the iPhone X using Face ID. Apple claims the latter is encrypted on the device itself, so not even its own employees have access to it. Yet developers do still have access to a map of a user’s face captured by the TrueDepth camera, along with data on as many as 50 facial expressions that could tell a developer how exactly you raise your eyebrows or move your mouth, to name a few telling instances. This is how Snapchat’s iPhone X-specific filters, demoed onstage during the phone’s reveal, appear more sophisticated than standard ones.

Apple is relying on a threat of enforcement to keep developers in line

There are of course restrictions here. Apple says the data can never be used for advertising or marketing, and it cannot be bundled and sold to analytics companies or data brokers. Apple also bans developers from creating profiles of otherwise anonymous users by using identifying facial capture information. Apple cites its rigorous app review process, and its hardline stance on privacy issues that would result in App Store bans if violated, as safeguards against the misuse of Face ID data. Apple did not respond to a request for comment to confirm these aspects of Face ID or what the user permission process looks like. It’s unclear if permission can be granted on an app-by-app basis, similar to location services.

Despite the apparent protections, organizations like the American Civil Liberties Union are concerned that an era of widespread facial recognition technology, no matter the intentions or safeguards of its creator, could yield unexpected results. “Apple does have a pretty good historical track record of holding developers accountable who violate their agreements, but they have to catch them first — and sometimes that’s the hard part,” Jay Stanley, an ACLU senior policy analyst, told Reuters. “It means household names probably won’t exploit this, but there’s still a lot of room for bottom feeders.”

Correction: An earlier version of this article conflated depth mapping and other facial mapping data from the iPhone X with Face ID, which is strictly Apple’s biometric authentication feature. The headline has been updated to reflect this fact.