FaceApp, the AI-powered selfie-editing app that’s been having another viral moment of late, has now responded to a privacy controversy that we covered earlier here.

We’ve pasted the company’s full statement at the bottom of this post.

The tl;dr here is that concerns had been raised that FaceApp, a Russian startup, uploads users’ photos to the cloud — without making it clear to them that processing is not going on locally on their device.

Another issue raised by FaceApp users was that the iOS app appears to be overriding settings if a user had denied access to their camera roll, after people reported they could still select and upload a photo — i.e. despite the app not having permission to access their photos.

As we reported earlier, the latter is actually allowed behavior in iOS — which gives users the power to choose to block an app from full camera roll access but select individual photos to upload if they so wish.

This isn’t a conspiracy, though Apple could probably come up with a better way of describing the permission, as we suggested earlier.

On the wider matter of cloud processing of what is, after all, facial data, FaceApp confirms that most of the processing needed to power its app’s beautifying/gender-bending/age-accerating/-defying effects are done in the cloud.

Though it claims it only uploads photos users have specifically selected for editing. Security tests have also not found evidence the app uploads a user’s entire camera roll.

FaceApp goes on to specify that it “might” store the photos users have chosen to upload in the cloud for a short period, claiming this is done for “performance and traffic” — such as to make sure that a user doesn’t repeatedly upload the same photo to carry out another edit.

“Most images are deleted from our servers within 48 hours from the upload date,” it adds.

It also claims no user data is “transferred to Russia”, even though its R&D team is based there. So the suggestion is that storage and cloud processing are being performed using infrastructure based outside Russia. (We’ve asked it to confirm where this is done. Update: Founder Yaroslav Goncharov told us it uses AWS and Google Cloud.)

“We don’t sell or share any user data with any third parties,” it adds.

FaceApp also says users can request their data is deleted. Though it doesn’t yet have a very smooth way to do this — instead it asks users to send delete requests via the mobile app using “Settings->Support->Report a bug” with the word “privacy” in the subject line, adding that it’s “working on a better UI for that”.

It also points out that the vast majority of FaceApp users don’t log in — making the point that it’s not able to link photos to identities in most cases.

Here’s its statement in full: