Help · Privacy + data

How we handle biometric data.

Explained the way we'd want it explained to us. For the formal policy, see the privacy policy.

What counts as biometric data

For parent enrollment in camps, two things count:

  • The face embedding (a 512-dimensional vector) generated from your child's photos
  • The reference photo crops we use to generate the embedding

Both are tied to your account and deletable on request. We only ever generate them from the reference photos you provide at enrollment, never from the camp's uploaded photos.

BIPA in plain English

Illinois' Biometric Information Privacy Act is the strictest US biometric law. It requires:

  • Written notice that biometric data is being collected + why
  • Informed written consent before collection
  • Retention schedule, with destruction after purpose is met
  • Limits on disclosure / sale
  • Protection equivalent to what you give other confidential info

We apply BIPA standards to every parent in every state. One policy. No state-by-state logic.

How consent works

Before any biometric data is created, the parent gives written consent once, at the account level:

  • We show the full consent disclosure on screen
  • The parent checks an affirmative attestation box and types their name to sign
  • We store the disclosure version, a timestamp, and the IP + device alongside the signature

That single written consent covers every child on the account, now and any added later. It's BIPA-strength informed written consent (BIPA §15(b)), stored separately from the biometric data it authorizes, and you can withdraw it anytime from your settings.

COPPA + children

COPPA (Children's Online Privacy Protection Act) is the US federal law for kids under 13. We collect only what's required for matching, the parent authorizes all of it, and the data is deletable on request.

We don't advertise to children, profile children, or use children's data for any purpose beyond delivering photos to their family.

Deletion: what we delete + what we keep

When a parent deletes their account:

  • Hard-deleted from storage: face embeddings, reference photo crops, any enrollment clips, account record
  • Retained per BIPA: the consent log entry. By law, the proof of authorization must outlive the data

We've been careful to make the retained record contain no biometric data itself. It's just a timestamped log of the written consent: which parent consented, when, the disclosure version they agreed to, and the IP + device. The signed attestation is what proves the consent.

Third parties

We don't share photos with face recognition APIs (AWS Rekognition, Clearview AI, Google, etc.). The face engine is InsightFace, an open-source model we host ourselves on our own CPU servers.

Our infrastructure providers (AWS for storage + email) handle data on our behalf, subject to their compliance posture. Photos + embeddings stay in our AWS account and aren't used to train any model.

Specific concern?

Email us at support@photoenroll.com.

Help · Privacy + data handling · PhotoEnroll