Biometric Data Policy
NextFace — Privacy Policy & Biometric Data Policy (DRAFT)
⚠️ DRAFT — not legal advice. This is a working draft to accelerate counsel review, not a launch-ready policy. Face images are biometric identifiers; BIPA (Illinois) requires a published written retention/destruction schedule, written consent, and a no-sale commitment, and GDPR Art. 9 treats biometrics as special-category data requiring explicit consent. A qualified privacy lawyer must finalize and localize this (BIPA, GDPR/UK GDPR, CCPA/CPRA, Texas CUBI, Washington) before launch. Fill every [BRACKET].
Last updated: [DATE] · Operator: Ost Networks FZCO (Dubai, United Arab Emirates) · Contact: [PRIVACY@DOMAIN]
1. Who we are & scope
NextFace ("we") provides an AI face-signal app. This policy covers the data we collect when you use it. NextFace is for users 18 and older only.
2. What we collect
- Facial images (biometric data): selfies you capture in the app.
- Derived display measurements: the visible-signal readings we compute from your selfie to show your read (e.g., how rested or fresh you look). These are stored to display and compare your reads over time. We do not build or store a persistent "face template" or face-recognition model of you — continuity across days is kept by your browser session, not by matching your face.
- Self-reported intake: age band, and lifestyle inputs you choose to give (e.g., sleep, alcohol) to personalize your read.
- Usage & device data: events, attribution (how you arrived / who invited you), device/browser, for product analytics.
- Contact (email): an email you give to be notified about a challenge, or to keep your archive going after your first week (so your Day-7 rematch result and saved reads stay reachable). You can add it, decline where optional, or delete it anytime; it is never sold and never used for advertising.
- Push subscription (optional): if you turn on morning reminders, we store your browser's push endpoint and keys to send that reminder; you can turn it off anytime and it is deleted with your data.
3. Why we use it (purposes)
- Generate your personal face read and compare you to your own baseline over time.
- Power the challenge/comparison feature only when you choose to share with someone.
- Operate, measure, and improve the product (analytics).
- With your separate, optional consent: de-identified research to improve our models.
We do not use your biometric data for advertising, and we do not sell it.
4. Legal basis (GDPR/UK)
Biometric data is special-category data processed on the basis of your explicit consent (Art. 9(2)(a)). You may withdraw consent at any time (Section 9). Other data is processed under legitimate interests (product analytics) or consent.
5. Who we share it with (processors)
We share data only with vendors acting on our instructions under data-processing agreements:
- Anthropic — AI processing of the image to generate your read.
- Supabase — encrypted database & private storage.
- [Analytics: PostHog], [Email: Emailit] / [SMS: Twilio] — only the data needed for their function.
We do not sell or rent personal or biometric data. We do not post your results publicly; a comparison is shown only to people you explicitly send a challenge link to.
6. Biometric retention & destruction schedule (BIPA)
WP12 FIX 6 — internal contradiction removed (counsel to finalize). This section previously keyed retention to "only while your account is active." Test 1 has no accounts — the in-app consent (see CONSENT_COPY.md, Screen 2, "How long") tells the user we keep their photos "for this browser session's lifetime — until you delete your data." A retention clause anchored to a non-existent "account" contradicted the very text the user agreed to under the same consent checkbox. The wording below is aligned to the session/deletion framing so the two surfaces no longer conflict. Counsel adjudicates the final retention wording (a formal policy may reintroduce an account concept and a fixed maximum) — the requirement here is only that the internal contradiction must not ride into sign-off.
- We retain your facial images and their derived display measurements only for as long as we hold your data for you — i.e., for the lifetime of your browser session / your saved data — and in any case no longer than [e.g., 12 months] after your last activity, or until you request deletion — whichever is first.
- On a deletion request (or automatic expiry above), we permanently delete your images and their derived display measurements from production systems within [e.g., 30 days], and from backups within the backup-rotation window.
- We do not sell, lease, trade, or otherwise profit from biometric data.
7. Security
Encryption in transit and at rest; private storage with signed, time-limited access; access controls and least-privilege keys; no face data in logs or analytics payloads.
8. International transfers
Data may be processed in [REGIONS]. Where required, we use [SCCs / appropriate safeguards].
9. Your rights
Depending on where you live, you can: access, correct, delete, export, restrict/object, and withdraw biometric consent at any time. Use Settings → Delete my data, or contact [PRIVACY@DOMAIN]. Withdrawing consent stops further processing and triggers deletion of your biometric data.
10. Children
NextFace is 18+ only. We do not knowingly collect data from anyone under 18; if we learn we have, we delete it.
11. Changes
If we materially change how we handle biometric data, we will notify you and re-request consent before the new use.
12. Contact
[PRIVACY@DOMAIN] · Ost Networks FZCO (Dubai, United Arab Emirates) · Data Protection Contact: [NAME/EMAIL]