Privacy Policy & Biometric Data Consent
Important Notice: We take your privacy and the security of your biometric data seriously. Please read this policy carefully before providing any biometric information.
1. Introduction
Welcome to BioAuth. This Privacy Policy describes how we collect, use, process, and store your personal information, including biometric data, when you use our biometric authentication services. By using our services, you agree to the collection and use of information in accordance with this policy.
2. What Biometric Data Do We Collect?
We collect face biometrics (specifically, face descriptors or embeddings) for the sole purpose of verifying your identity during login and signup. We do not store raw images of your face; instead, we convert facial features into a unique numerical representation (a "descriptor" or "embedding") which is then securely stored.
- Face Descriptors/Embeddings: A mathematical representation of your unique facial features. This is used for comparison during authentication.
- No Raw Images: We do not store the original images used to generate these descriptors.
3. How We Use Your Biometric Data
Your biometric data (face descriptors) is used exclusively for:
- Identity Verification: To authenticate your identity when you access your account.
- Enrollment: To create your unique biometric profile during the signup process.
- Security: To enhance the security of your account and prevent unauthorized access.
We will never use your biometric data for marketing, advertising, or share it with third parties for any purpose other than providing and improving our authentication service, unless required by law.
4. Storage and Security of Biometric Data
We are committed to protecting the security of your biometric data. We implement industry-standard security measures, including:
- Encryption at Rest: Your face descriptors are encrypted when stored in our database.
- Secure Transmission: All data transmitted between your device and our servers is encrypted using HTTPS (TLS).
- Access Controls: Strict access controls are in place to limit who can access biometric data.
- Vector Database: Biometric descriptors are stored in a specialized vector database (e.g., PostgreSQL with pgvector) for efficient and secure comparison, not as easily readable JSON.
- Data Minimization: We only collect and store the necessary biometric information required for authentication.
5. Biometric Data Retention and Deletion
We retain your biometric data only for as long as your account is active and you continue to use our biometric authentication service. You have the right to request the deletion of your biometric data at any time. Upon account deletion or explicit request, your biometric descriptors will be permanently removed from our systems, subject to legal and regulatory requirements.
6. Your Consent
By proceeding with biometric authentication, you explicitly consent to the collection, processing, and storage of your face descriptors as described in this Privacy Policy. You understand that this data will be used to verify your identity and secure your account.
You have the right to withdraw your consent at any time by disabling biometric authentication in your account settings or by contacting our support team. Withdrawal of consent may result in the inability to use biometric features for authentication.
7. Minimal Legal Checklist for Biometric Storage
- Explicit Consent: Obtain clear, unambiguous consent before collecting any biometric data.
- Comprehensive Privacy Policy: Clearly articulate what data is collected, why, how it's stored, and user rights.
- Data Security: Implement robust encryption, access controls, and secure transmission protocols.
- Data Minimization: Collect only necessary data (e.g., descriptors, not raw images).
- Retention Policy: Define clear periods for data retention and deletion upon user request or account closure.
- Jurisdictional Compliance: Adhere to relevant laws (e.g., GDPR, CCPA, India DPDP, BIPA) based on where users are located.
- Risk Assessment: Conduct regular assessments for potential privacy and security risks.
- Right to Delete: Provide users with a clear and easy way to request deletion of their biometric data.
- No Selling/Sharing: Explicitly state that biometric data is not sold or shared with third parties for commercial use.
- Contact Information: Provide clear contact details for privacy-related inquiries.
8. Changes to This Privacy Policy
We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page. You are advised to review this Privacy Policy periodically for any changes.
9. Contact Us
If you have any questions about this Privacy Policy, please contact us at privacy@bioauth.com.