The company did not respond to multiple requests for comment, but it explained how the software works in a lengthy statement published on Wednesday by TechCrunch. When a user of the app selects a photograph to alter, that image — and only that image — is uploaded to FaceApp servers for processing, it said.

“We might store an uploaded photo in the cloud,” the statement read. “The main reason for that is performance and traffic: We want to make sure that the user doesn’t upload the photo repeatedly for every edit operation. Most images are deleted from our servers within 48 hours from the upload date.”

FaceApp does not sell or share user data with third parties, the company said, though it reserves the right to share some information as outlined in its privacy policy. According to that agreement, the app uses “third-party analytics tools to help us measure traffic and usage trends.”

Even though its research-and-development team is based in Russia, the company said that user data was not transferred there. Photo processing is performed on servers operated by Amazon and Google, FaceApp’s founder, Yaroslav Goncharov, told TechCrunch.

In a letter on Wednesday, Senator Chuck Schumer, Democrat of New York, asked both the F.B.I. and the Federal Trade Commission to investigate the app, citing “serious concerns” about security, data retention and transparency.

“It would be deeply troubling if the sensitive personal information of U.S. citizens was provided to a hostile foreign power actively engaged in cyber hostilities against the United States,” he wrote.