How it works

Discovery to takedown, end to end.

Medusa runs five stages in sequence. Nothing skips ahead; every stage is gated on the one before it. Here is exactly what happens, step by step.

01

Onboard

Prove it is you.

Identity verification gated on liveness.

You upload three to five reference photos of yourself. These are your "known-you" signatures.

Medusa opens your camera and asks for a short, live-captured video clip with gentle head movement. The clip proves you are present, not a still photo or deepfake replay.

We match the live capture to your references. Only when the match passes our similarity threshold is your account flagged as a verified subject — and only a verified subject can authorize takedowns in your name.

02

Consent

On your terms.

BIPA-compliant biometric consent, timestamped and revocable.

Before any biometric identifier leaves your browser, Medusa asks you to acknowledge what we collect, how long we keep it, and how you revoke it.

Your acknowledgement is stamped on your account with a timestamp an auditor can verify.

Delete your account any time — biometric data is purged within 30 days. Metadata rows remain for audit; the biometric payload is gone.

03

Crawl

Scan the surface.

Targeted, rate-limited, evidence-preserving.

Our crawlers walk an operator-curated list of URLs where unauthorized photos cluster. Not the open web — specific targets, by design.

Per-domain rate limits, robots.txt policy, residential-proxy exits with sticky sessions: visible, polite, reproducible.

Every image discovered is content-addressed by SHA-256 so we never download the same image twice. Every place an image appeared is logged separately: the same photo, found on three pages, produces three source records.
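A minimal sketch of the storage side of that model, added here as an illustration and not Medusa's own code: image bytes are kept once under their SHA-256 digest, each appearance becomes its own source record, and re-hashing on read shows whether stored evidence was altered. The table names, column names, URLs and sample bytes are all assumptions constructed for the example.

```python
import hashlib
import sqlite3

# Hypothetical schema: table and column names are assumptions for illustration.
SCHEMA = """
CREATE TABLE blobs (sha256 TEXT PRIMARY KEY, data BLOB NOT NULL);
CREATE TABLE sources (
    sha256    TEXT NOT NULL REFERENCES blobs(sha256),
    page_url  TEXT NOT NULL,
    image_url TEXT NOT NULL,
    seen_at   TEXT NOT NULL,
    UNIQUE (sha256, page_url, image_url)
);
"""

def open_store():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def ingest(db, page_url, image_url, data, seen_at):
    """Store the bytes once per digest; log every distinct place they appeared."""
    digest = hashlib.sha256(data).hexdigest()
    db.execute("INSERT OR IGNORE INTO blobs VALUES (?, ?)", (digest, data))
    db.execute("INSERT OR IGNORE INTO sources VALUES (?, ?, ?, ?)",
               (digest, page_url, image_url, seen_at))
    return digest

def verify(db, digest):
    """Re-hash the stored bytes; a mismatch means the evidence was altered."""
    row = db.execute("SELECT data FROM blobs WHERE sha256 = ?", (digest,)).fetchone()
    return row is not None and hashlib.sha256(row[0]).hexdigest() == digest

def counts(db):
    blobs = db.execute("SELECT COUNT(*) FROM blobs").fetchone()[0]
    sources = db.execute("SELECT COUNT(*) FROM sources").fetchone()[0]
    return blobs, sources

def demo():
    db = open_store()
    photo = b"\x89PNG constructed sample bytes"  # constructed, not a real image
    for n in (1, 2, 3):                           # same photo on three pages
        digest = ingest(db, f"https://example.test/page{n}",
                        f"https://cdn.example.test/img{n}.png",
                        photo, "2024-01-01T00:00:00Z")
    return db, digest

if __name__ == "__main__":
    db, digest = demo()
    print(counts(db), verify(db, digest))
```
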

04

Match

See what we saw.

Face embeddings on an in-cluster GPU, filtered to you alone.

Each discovered image passes through a face detector; every face produces a 512-dimension embedding.

Embeddings are compared against your reference embeddings by cosine similarity; a score above an operator-tuned threshold counts as a match.

Every match lands in your dashboard for review before any action is taken. You can authorize, mark as unauthorized, or dispute — nothing is assumed.

05

File

Takedowns, not surveillance.

Re-verified consent + provider-specific routing + evidence PDF per filing.

Marking a match as unauthorized triggers a fresh liveness check — we re-prove identity before anything legally serious leaves our cluster.

You sign a DMCA perjury statement (identity-authenticated, timestamped, versioned). The statement version lives with the filing record so a future revision does not retroactively cover old filings.

Medusa generates a per-takedown evidence PDF — your reference photo, the matched image, similarity score, identity verification reference, your signed authorization — and routes the takedown to the right provider: DMCA email for most hosts, API integrations where available, form-driven submission for specific sites.

Every state transition — submitted → verify-24h → verify-7d → verify-30d → resolved / failed-persistent — writes to an audit log. You see the whole lifecycle in the dashboard.

Guardrails

What we won't do.

Curated target list

No open-web crawling. Every URL lives in an admin list, enabled per-target. Known-host chrome (logos, UI frames) is pHash-filtered before matching.

Identity-gated filing

No takedown leaves the cluster without a fresh liveness check and your signed DMCA statement. An 'impersonated' admin session can't file on your behalf.

Versioned perjury statement

The DMCA statement copy is versioned. The version you signed is preserved on every filing — a revision only applies to new filings going forward.

Audit log end-to-end

Every state change — upload, verify, match, decision, takedown submit, verify probe, close — is append-only. We can reconstruct exactly what happened for any account, any filing.