The company did not respond to multiple requests for comment, but it explained how the software works in a lengthy statement published on Wednesday by TechCrunch. When a user of the app selects a photograph to alter, that image — and only that image — is uploaded to FaceApp servers for processing, it said.
“We might store an uploaded photo in the cloud,” the statement read. “The main reason for that is performance and traffic: We want to make sure that the user doesn’t upload the photo repeatedly for every edit operation. Most images are deleted from our servers within 48 hours from the upload date.”
Even though its research-and-development team is based in Russia, the company said that user data was not transferred there. Photo processing is performed on servers operated by Amazon and Google, FaceApp’s founder, Yaroslav Goncharov, told TechCrunch.
In a letter on Wednesday, Senator Chuck Schumer, Democrat of New York, asked both the F.B.I. and the Federal Trade Commission to investigate the app, citing “serious concerns” about security, data retention and transparency.
“It would be deeply troubling if the sensitive personal information of U.S. citizens was provided to a hostile foreign power actively engaged in cyber hostilities against the United States,” he wrote.
But Ivan Rodriguez, a software engineer at Google who in his free time investigates suspicious iOS apps, including FaceApp, said he found little cause for concern. Like Mr. Robert, he found that the app collected little identifiable data beyond the photos users chose to alter.