Privacy Policy & Biometric Data Consent

Important Notice: We take your privacy and the security of your biometric data seriously. Please read this policy carefully before providing any biometric information.

1. Introduction

Welcome to BioAuth. This Privacy Policy describes how we collect, use, process, and store your personal information, including biometric data, when you use our biometric authentication services. By using our services, you agree to the collection and use of information in accordance with this policy.

2. What Biometric Data Do We Collect?

We collect face biometrics (specifically, face descriptors or embeddings) for the sole purpose of verifying your identity during login and signup. We do not store raw images of your face; instead, we convert facial features into a unique numerical representation (a "descriptor" or "embedding") which is then securely stored.

  • Face Descriptors/Embeddings: A mathematical representation of your unique facial features. This is used for comparison during authentication.
  • No Raw Images: We do not store the original images used to generate these descriptors.

3. How We Use Your Biometric Data

Your biometric data (face descriptors) is used exclusively for:

  • Identity Verification: To authenticate your identity when you access your account.
  • Enrollment: To create your unique biometric profile during the signup process.
  • Security: To enhance the security of your account and prevent unauthorized access.

We will never use your biometric data for marketing, advertising, or share it with third parties for any purpose other than providing and improving our authentication service, unless required by law.

4. Storage and Security of Biometric Data

We are committed to protecting the security of your biometric data. We implement industry-standard security measures, including:

  • Encryption at Rest: Your face descriptors are encrypted when stored in our database.
  • Secure Transmission: All data transmitted between your device and our servers is encrypted using HTTPS (TLS).
  • Access Controls: Strict access controls are in place to limit who can access biometric data.
  • Vector Database: Biometric descriptors are stored in a specialized vector database (e.g., PostgreSQL with pgvector) for efficient and secure comparison, not as easily readable JSON.
  • Data Minimization: We only collect and store the necessary biometric information required for authentication.

5. Biometric Data Retention and Deletion

We retain your biometric data only for as long as your account is active and you continue to use our biometric authentication service. You have the right to request the deletion of your biometric data at any time. Upon account deletion or explicit request, your biometric descriptors will be permanently removed from our systems, subject to legal and regulatory requirements.

6. Your Consent

By proceeding with biometric authentication, you explicitly consent to the collection, processing, and storage of your face descriptors as described in this Privacy Policy. You understand that this data will be used to verify your identity and secure your account.

You have the right to withdraw your consent at any time by disabling biometric authentication in your account settings or by contacting our support team. Withdrawal of consent may result in the inability to use biometric features for authentication.

7. Minimal Legal Checklist for Biometric Storage

8. Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page. You are advised to review this Privacy Policy periodically for any changes.

9. Contact Us

If you have any questions about this Privacy Policy, please contact us at privacy@bioauth.com.