Yesterday, the AI photo editor app FaceApp went viral on social media as celebrities, athletes, and musicians all shared photos of their faces run through its "old person" age challenge filter. As more celebrities downloaded and used the app, its use spread until millions were downloading and using it. Now, however, tech sources are raising security concerns about the app.

Like many flash-in-the-pan apps, FaceApp already went viral two or so years ago with a more rudimentary version of its photo editing software. Returning this year, it has reignited security concerns because its core R&D group is located in Russia.

According to the New York Post, the app's Terms & Conditions state that “they have the right to modify, reproduce and publish any of the images you process through its AI.” This raises concerns about users’ photos being used for commercial purposes, especially as the threat of Russian interference in elections is looming overhead.

According to TechCrunch, at least on iOS, the app cannot see your entire photo library unless you give it permission, even though you are still able to edit photos without granting it. This is due to certain API permissions that enable an app to let a user pick a single photo to work on.

9to5Mac first published a story about security concerns based on a tweet from tech author Joshua Nozzi. However, the allegation that FaceApp “immediately uploads your photos without asking, whether you chose one or not” was debunked by security researcher Elliot Alderson in a separate Twitter thread.

FaceApp issued a statement addressing most of the concerns regarding its security and practices:

We are receiving a lot of inquiries regarding our privacy policy and therefore, would like to provide a few points that explain the basics:

1. FaceApp performs most of the photo processing in the cloud. We only upload a photo selected by a user for editing. We never transfer any other images from the phone to the cloud.

2. We might store an uploaded photo in the cloud. The main reason for that is performance and traffic: we want to make sure that the user doesn’t upload the photo repeatedly for every edit operation. Most images are deleted from our servers within 48 hours from the upload date.

3. We accept requests from users for removing all their data from our servers. Our support team is currently overloaded, but these requests have our priority. For the fastest processing, we recommend sending the requests from the FaceApp mobile app using “Settings->Support->Report a bug” with the word “privacy” in the subject line. We are working on a better UI for that.

4. All FaceApp features are available without logging in, and you can log in only from the settings screen. As a result, 99% of users don’t log in; therefore, we don’t have access to any data that could identify a person.

5. We don’t sell or share any user data with any third parties.

6. Even though the core R&D team is located in Russia, the user data is not transferred to Russia.

Additionally, we’d like to comment on one of the most common concerns: all pictures from the gallery are uploaded to our servers after a user grants access to the photos (for example, https://twitter.com/joshuanozzi/status/1150961777548701696). We don’t do that. We upload only a photo selected for editing. You can quickly check this with any of the network sniffing tools available on the internet.

As always, it’s up to the consumer to do their due diligence before granting unknown apps access to possibly sensitive material. Good advice is to never download apps like this on work computers or phones, and to always read the permissions carefully before installing.