FaceApp took social media by storm this week as thousands of users uploaded photos of themselves to the app, which then altered the photos to make users look older, younger or have a different gender.

But privacy advocates quickly sounded the alarm, pointing out that FaceApp is owned by a Russian company and that the app’s privacy policy does anything to protect your privacy.

Sen. Chuck Schumer (D-N.Y.) sent a letter to the FBI and the Federal Trade Commission (FTC) yesterday asking them to investigate the app over privacy and national security concerns.

According to FaceApp’s privacy policy, the app does not “sell or rent” user data to “third parties outside of FaceApp,” but does share data with FaceApp’s service providers (like analytics companies) and “affiliates,” which FaceApp describes as “businesses that are legally part of the same group of companies that FaceApp is part of, or that become part of that group.”

In other words, FaceApp does share your data with other apps and tech companies, but you don’t know who. According to a report by The New York Times, the photos you upload to FaceApp are stored via cloud services provided by Amazon and Google. In this way, FaceApp is just like pretty much any other app you use through Apple’s App Store or the Google Play Store — they all share your data among themselves.

When you download the FaceApp, you grant it permissions to access your camera, read, modify and delete the contents of your phone’s memory card, view network connections, access App Store or Google Play billing services and install application programming interfaces (APIs), which are the linchpins in data-sharing agreements set up between tech companies and apps.

Many other apps ask for these same permissions, and privacy experts say this is an easy way for malware hiding in an app’s software to hack your phone and access and share your data and potentially sensitive information.

Tim LeMaster, director of systems engineering at mobile security company Lookout, told InsideSources in February that many apps are built from open-source code libraries, which are often rife with malicious or weak code.

“Most of these apps are trying to monetize themselves through your data — so they embed advertising ACKs (Acknowledgement Codes) and sell that information to other advertisers,” LeMaster said. “We often find apps that have the ACKs and they’re too promiscuous about how they collect information. There’s concern about how that data is protected.”

Privacy International published a blog post Wednesday warning users not to give FaceApp photos of themselves, because in order to make users look older or younger, the app creates a “detailed biometric map of their faces–which can be as unique to them as their fingerprint or DNA.”

According to the blog post, “because of the uniquely identifying nature of our faces and our inability to change them, cataloging and storing peoples’ faces in a database that can be mined indefinitely is problematic. A biometric map of someone’s face isn’t just used for unlocking smartphones, it is now a highly-prized commodity by governments and tech companies used to train algorithms and for facial recognition-enabled mass surveillance. In the future such biometric maps could be used for all sorts of purposes that people may not anticipate.”

Privacy Matters, a U.K.-based privacy advocacy organization, also warned people against using the app on Twitter Wednesday.

“If you are thinking of using the FaceApp consider Section 5 of the ToS & that you grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use your content (and which may be of your friends or colleagues),” the organization tweeted.

Schumer said FaceApp could be misleading consumers by saying it doesn’t sell and share their data, when the app does in fact share data with multiple third parties. He also questioned whether users can actually “opt out” and “take back” their data.

“It is unclear how long FaceApp retains a user’s data or how a user may ensure their data is deleted after usage,” he wrote. “These forms of ‘dark patterns’ which manifest in opaque disclosures and broader user authorizations can be misleading to consumers and may even constitute a deceptive trade practice. …FaceApp’s location in Russia raises questions regarding how and when the company provides access to the data of U.S. citizens to third parties, including potentially foreign governments.”

In a statement provided to TechCrunch, FaceApp said users can request to have their data deleted by reporting an issue to the app with the word “privacy” in the subject line.

Privacy Matters pointed out that this doesn’t necessarily mean your data will be deleted.

Follow Kate on Twitter