FaceApp is having a viral moment, thanks to its old age filter that allows people to run their photos through the free app to see what they may look like 40 years in the future.
While the aging app fronted by a Russian company is delighting millions of people, including celebrities, with a glimpse of what they may look like in old age, its terms of service are also raising security concerns about what data the app collects, who owns it, and how photos are processed. The latest version of FaceApp’s privacy policy was posted online was created on January 20, 2017, and does little to address these concerns in clear terms.
“Putting aside for a moment the fact that no one has time to read every policy they come across, it’s incredibly difficult to discern what the real risks are from this convoluted mess,” says Lindsey Barrett, a teaching fellow and staff attorney at Georgetown Law’s Communications and Technology Clinic.
While FaceApp’s privacy policy sheds some light on practices app that makes users look old, it leaves more questions than answers. Among the chief concerns being raised are whether it’s clear to users that FaceApp is uploading their photos to the cloud, instead of processing them privately on a person’s device, and how long the company holds onto user photos.
In a statement to Fortune, FaceApp CEO Yaroslav Goncharov confirmed the company processes photos on the cloud, but says “most” are deleted within 48 hours. He says the company uses AWS and Google Cloud.
The app’s team is based in Russia, however the company says none of the data it processes its transferred to the country.
For being such a popular app, Barrett says the “privacy policy is both pretty bad, and not much worse than the garden-variety policy you might come across from any app or service that didn’t put time or effort into trying to make its policy even somewhat comprehensible.”
From a privacy standpoint, she says the company’s clarifications about how it processes photos in the cloud, and when it deletes them, are “helpful, but they don’t make the terms of the privacy policy any less broad.”
Privacy-conscious users do have some recourse. Goncharov says his support team is “overloaded,” but is making it a priority to accept requests from users who want their data scrubbed from its servers. This can be done by going to settings, support, and choosing “report a bug.” Users should type the word “privacy” in the subject line to send their request.
FaceApp isn’t a stranger to the spotlight. The company previously went viral with its gender-bending filter, and in another case, was forced to apologize after it created filters to make people look like they were a different ethnicity.
While the free old face app is clearly once again tickling the funny bone for millions of people around the world, Barrett says it speaks to the larger problem of privacy policies that are littered with legal jargon, conditional words, and the statement that companies reserve the right to change their policies at any time.
“We don’t talk about people making trade-offs when it comes to other areas of consumer protection—where we know people aren’t adequately equipped to make informed decisions—and we should stop doing it when it comes to privacy,” she says.
More must-read stories from Fortune:
—The fall and rise of VR: The struggle to make virtual reality get real
—A new A.I. is running the table against poker pros. Is business strategy next?
—Video game addiction: These are the warning signs to look out for
—Apple has new MacBooks. Here’s what you need to know
—Listen to our new audio briefing, Fortune 500 Daily
Catch up with Data Sheet, Fortune‘s daily digest on the business of tech.
