Compliance
GDPR, BIPA, and CCPA compliance for biometric data
Regulatory Framework
FaceSmash processes biometric data (face descriptors), which is subject to special regulation in many jurisdictions. This page outlines how FaceSmash complies with major privacy regulations.
BIPA (Illinois Biometric Information Privacy Act)
BIPA is the strictest U.S. biometric privacy law. FaceSmash complies by:
| Requirement | How FaceSmash Complies |
|---|---|
| Written consent before collection | Users explicitly consent during registration |
| Purpose disclosure | Clear explanation of how biometric data is used |
| Retention schedule | Data retained only while account is active |
| Destruction upon purpose fulfillment | Immediate deletion when user deletes account |
| No sale or profit from biometric data | Biometric data is never sold or shared |
| Reasonable security measures | TLS encryption, access controls, audit logging |
GDPR (EU General Data Protection Regulation)
Face descriptors qualify as "biometric data" under GDPR Article 9 (special category data).
Legal Basis
FaceSmash processes biometric data under explicit consent (Article 9(2)(a)):
- Users provide explicit consent during registration
- Consent is specific, informed, and freely given
- Users can withdraw consent at any time by deleting their account
Data Subject Rights
| Right | Implementation |
|---|---|
| Right of access | Users can view all stored data via dashboard |
| Right to erasure | One-click account deletion removes all biometric data |
| Right to portability | Data export in machine-readable JSON format |
| Right to restriction | Users can disable face login without deleting data |
| Right to object | Users can delete their account at any time |
Data Protection Principles
| Principle | Implementation |
|---|---|
| Lawfulness | Explicit consent obtained |
| Purpose limitation | Data used only for authentication |
| Data minimization | Only 128-d descriptors stored, not images |
| Accuracy | Multi-template learning improves over time |
| Storage limitation | Data deleted when account is deleted |
| Integrity | TLS encryption, access controls |
CCPA (California Consumer Privacy Act)
Consumer Rights
| Right | Implementation |
|---|---|
| Right to know | Privacy policy discloses all data collection |
| Right to delete | Account deletion removes all data |
| Right to opt-out | No sale of biometric data |
| Right to non-discrimination | No service difference based on privacy choices |
Data Processing Agreement
For enterprise customers, FaceSmash provides a Data Processing Agreement (DPA) that covers:
- Sub-processor disclosure
- Data breach notification (within 72 hours)
- Data transfer mechanisms
- Technical and organizational security measures
- Audit rights
Contact legal@everjust.co for DPA requests.
Security Certifications
| Certification | Status |
|---|---|
| SOC 2 Type II | Planned |
| ISO 27001 | Planned |
| GDPR compliance audit | In progress |
| BIPA compliance review | Complete |
Contact
For privacy-related inquiries:
- Email: privacy@everjust.co
- Legal: legal@everjust.co
- Security issues: security@everjust.co