My website (not canvas app) uses facebook as it's membership system. It stores the user's facebook uid (with their permission). This info is never shared with anyone and the privacy policy specifically details how their facebook info is used.
Here's "the grey area" for me.
Linking to a user's profile picture looks like this: http://graph.facebook.com/[uid]/picture?type=small.
I use this code to show the user's profile pictur, at several places throughout the site (where the content was submitted by that user). Anyone viewing the site can see their profile picture.
As far as I can tell from reading the docs, as long as I'm not sharing uid's with third parties my website is appropriately using their uid's.
This scenario sounds common to me, but I want to make sure it's ok for me to use uid's like this.
Best Answer
To be honest, if you aren't sure if you are in violation or not the best thing to do would be to contact Facebook directly.
If you have confirmation directly from Facebook then you are in a pretty good position should anyone wish to complain or contend your privacy procedures.