PimEyes has approximately 3 billion faces in its database. Clearview AI has 30 billion. FaceCheck.ID runs a different algorithm entirely, matching exact copies of profile photos across platforms. If you have ever appeared in a photograph on the open web, your face has almost certainly been indexed by at least one facial recognition site without your consent. The real question is who is searching for you, and what they are finding.
I use these tools professionally. As an OSINT investigator, facial recognition is part of my digital footprint mapping methodology. I have run thousands of searches across all three platforms. What follows is what I have actually seen.
Who is paying to search your face on PimEyes
PimEyes claims in its terms and conditions that users may only search for their own face. This is fiction, and they know it.
Their subscription tiers tell the real story. The highest plans offer up to 75 searches per day. Some tiers go even further. Nobody is searching their own face 75 times a day. The commercial model is built for investigators, journalists, stalkers, jealous partners, and anyone else willing to pay a monthly fee. PimEyes knows this. Their pricing structure makes it obvious.
In the private investigation world, PimEyes is standard kit. I have used it myself during legitimate investigations and the results are genuinely impressive. The matching algorithm picks up faces in stadium crowds, protest footage, tiny background appearances in event photography. Resolution barely matters. A face occupying 40 pixels in a crowd shot will still return a match if the angle is close enough.
The people paying for PimEyes subscriptions are not consumers worried about their own privacy. They are investigators, skip tracers, debt collectors, journalists, and in the worst cases, stalkers and harassers. For someone with a public profile or significant wealth, this means your face is searchable by anyone with a credit card and ten minutes.
What PimEyes actually surfaces in practice
Most discussions about facial recognition focus on the privacy implications in the abstract. I can tell you what PimEyes actually finds, because I have seen the results across hundreds of client assessments.
PimEyes indexes from the open web. News articles, event photography, corporate headshots, charity gala photos, conference speaker pages, sports event coverage, photographer portfolios. If a photographer uploaded images from a fundraiser dinner to their portfolio site, and you were at that dinner, PimEyes has your face. You were never asked. You were never informed.
Through investigation work I have also seen results appear on suspicious and outright illicit websites. Swingers platforms, fetish sites, escort directories. If someone ever signed up to one of these sites and uploaded a photo, PimEyes will find it. I have had to deliver that finding to clients, and it is never a comfortable conversation. But it illustrates the real power of the tool. It does not discriminate between a LinkedIn headshot and a photo uploaded to an adult platform a decade ago.
For high-net-worth individuals, the exposure compounds in direct proportion to public visibility. You appear at more events. More photographers capture you. More publications feature you. Every additional public appearance adds another indexed face to the database, and every indexed face is searchable by anyone willing to pay.
How facial recognition sites index your face without consent
These platforms do not store your photographs. They store mathematical representations of your facial geometry, called facial vectors. A vector is a numerical fingerprint derived from the distances between your eyes, the shape of your jawline, the proportions of your nose, and dozens of other measurable features.
Web crawlers scrape publicly accessible images continuously. Each face detected in each image is converted to a vector and stored alongside the source URL. When someone uploads a search photo, the system converts that photo to a vector and matches it against the full database. The match is mathematical, not visual. This is why PimEyes can find you in a blurry crowd photo where a human would struggle to identify anyone.
The consent problem is structural. You never agreed to have your face scraped from a photographer’s website. You never agreed to have your facial geometry converted into a searchable vector. The platforms argue they only index publicly available data. The ICO and UK courts have challenged that position, but enforcement has been inconsistent at best.
What makes this worse: even if you successfully opt out, new photos of you appearing at new URLs will be re-indexed in the next crawl cycle. The opt-out suppresses existing vectors. New vectors from new source images require fresh opt-out submissions. It is a repeating maintenance task, not a one-time fix.
FaceCheck.ID: one specific strength worth knowing about
FaceCheck.ID gets dismissed for weak facial matching, and most of that criticism is fair. General facial similarity searches return poor results compared to PimEyes.
But it has one capability that PimEyes does not replicate. If the exact same photograph is used across multiple platforms (your LinkedIn headshot reused on a conference bio, a dating profile, a forum account), FaceCheck.ID is remarkably good at matching identical copies. Their algorithm matches on micro-features that are identical between copies of the same image, not on general facial similarity. That is a meaningful distinction.
I have found profile photos reused across platforms that PimEyes missed entirely, because FaceCheck.ID was looking for the specific image rather than the face. For anyone who has reused a profile photo across personal and professional contexts, this is worth checking. Removal is straightforward at facecheck.id/Face-Search/RemoveMyPhotos and I would rate the effort as easy to medium.
I cover the full PimEyes and FaceCheck opt-out process separately, including the re-listing problem and what to do when images reappear after suppression.
Clearview AI: 30 billion images and an ongoing legal standoff
Clearview AI operates in a different category. Their database holds approximately 30 billion facial images scraped from social media and the open web. They market primarily to law enforcement rather than individual subscribers.
The UK enforcement history tells you everything about the difficulty of regulating this space. The ICO fined Clearview AI 7,552,800 pounds in May 2022 and ordered deletion of UK residents’ data. The First-tier Tribunal overturned that decision in October 2023. The Upper Tribunal then reversed the First-tier Tribunal in October 2025, reinstating the ICO’s jurisdiction. The enforcement notice is effectively back in play for reconsideration, but years of legal proceedings have produced no confirmed deletion of UK data.
If your face is in the Clearview database (and if you have ever posted a photo on social media, it almost certainly is), there is currently no reliable mechanism to get it removed. The effort rating is hard to impossible during ongoing legal proceedings.
Then there are the Russian platforms. FindClone holds 1.1 billion VK avatars. Search4faces indexes 125 million TikTok avatars. Neither falls under GDPR jurisdiction. Removal from these is effectively impossible.
The compound threat that most privacy advice misses
Facial recognition does not exist in isolation. The real risk emerges when someone combines a facial recognition match with other commercially available data sources.
Here is how that chain works in practice. An investigator uploads a photo to PimEyes. It returns a match from a charity gala page that includes your full name. That name goes into 192.com, which returns your home address from the open electoral register. The address goes into a LexisNexis or GBG query, which confirms current residence and returns previous addresses going back years. A breach data search on your email address returns passwords and associated accounts from historical data leaks.
From a single photograph to a complete profile: name, home address, address history, email accounts, breached credentials, company directorships, property ownership. Every step uses legal, commercially available tools. Total cost to the investigator is under 200 pounds. Total time is under an hour.
This chain is why I always tell clients that facial recognition opt-out is necessary but insufficient on its own. If your face leads to your name, and your name leads to your home address through any of the dozens of data brokers operating in the UK, you have addressed one link in a much longer chain.
Why source control matters more than opt-out
The standard privacy advice for facial recognition is: opt out of PimEyes, submit a Google RTBF request, move on. That advice is incomplete for anyone with genuine exposure.
Opting out of PimEyes suppresses existing facial vectors. But PimEyes re-crawls the web continuously. If the source image still exists at its original URL, it will be re-indexed. I have seen this happen within weeks of a successful opt-out. The same 90-day re-scrape cycle that affects data broker removal across the board applies equally to facial recognition platforms.
The priority order should be:
- Remove or request removal of source images where possible (photographer portfolios, event galleries, old social media posts, corporate website team pages)
- Submit PimEyes and FaceCheck opt-out requests once source images are down
- Submit Google and Bing delisting requests for any cached results
- Monitor quarterly for re-indexing and submit fresh opt-outs as needed
Most people start at step two. They should start at step one. If the source image no longer exists on the web, the next crawl cycle has nothing new to index.
For ongoing image hygiene: be deliberate about where your face appears going forward. Event photographers, conference organisers, and charity galas routinely publish attendee photos without explicit consent. If you attend these events regularly, request in advance that your image not be published, or at minimum that it be excluded from public-facing online galleries. This sounds excessive to most people. For someone facing a genuine stalking, harassment, or corporate espionage threat, it is basic operational security.
My honest take on the regulatory gap
The regulatory framework is years behind the technology. The ICO has spent four years in court over a single enforcement action against Clearview AI, and the data has not been deleted. PimEyes operates from Poland with a terms-of-service fig leaf that does nothing to prevent misuse. FaceCheck.ID processes removal requests but has no obligation to prevent re-indexing from new source URLs. The law provides rights on paper under UK GDPR. Enforcing them against platforms that operate across jurisdictions requires sustained effort, technical knowledge, and in many cases, professional support.
Most people reading this do not need to panic. If your public profile is moderate and you have no specific threat actor, the PimEyes opt-out process combined with basic source image cleanup will reduce your exposure meaningfully.
For clients with genuine risk (public figures, individuals dealing with active harassment, executives whose personal security extends to their families), facial recognition is one layer of a much larger digital footprint mapping exercise. It cannot be addressed in isolation because the threat does not operate in isolation. Your face connects to your name. Your name connects to your address. Your address connects to everything else.
If you are concerned about facial recognition exposure specifically, or your broader digital footprint across UK data sources, get in touch. I map this professionally and I can tell you exactly where you stand.
