Biometric Data Handling
How FaceSign processes, stores, and deletes biometric data -- what IS and IS NOT retained.
FaceSign processes biometric data during verification sessions and retains only what is necessary for future recognition. This page documents what data is captured, what is retained, and how you and your users can exercise data rights.
Processor vs. controller
FaceSign operates as a data processor. Your organization is the data controller.
| Role | Entity | Responsibility |
|---|---|---|
| Controller | Your organization | Decides when to trigger verification, sets retention policy, responds to user rights requests |
| Processor | FaceSign | Processes biometric data on your behalf, follows your retention instructions, provides deletion and access APIs |
FaceSign does not independently decide to collect, use, or share biometric data. All processing occurs at your direction, for the purpose of the verification session you initiated.
What IS processed during a session
During a verification session, FaceSign processes the following biometric and behavioral signals in memory:
| Data type | Source | Purpose |
|---|---|---|
| Facial video | User's camera | Liveness detection, face recognition, deepfake analysis |
| Audio | User's microphone | Voice stress analysis, coercion detection, conversational AI |
| Micro-expressions | Video frame analysis | Emotional state assessment, duress indicators |
| Gaze patterns | Eye tracking via video | Coercion detection (aversion, reading from a script) |
| Response timing | Interaction timestamps | Behavioral analysis, coaching detection |
| Device and environment | Browser and network metadata | Predictive risk scoring, environmental analysis |
Video frames are processed in memory and discarded at session end. Raw media is never written to persistent storage unless you explicitly opt in for audit purposes. See Security Architecture for the full data flow.
What IS retained after a session
After the session ends, FaceSign retains only:
| Retained data | Format | Purpose |
|---|---|---|
| Biometric fingerprint | One-way tokenized hash | Matching in future RECOGNITION nodes (only if consented and opted in) |
| Session metadata | Structured data | Timestamps, risk scores, node outcomes, session status |
| AI transcript | Text | Conversation record for your audit trail |
| Per-node reports | Structured data | Outcome per verification step, type-specific fields |
| Tokenized features | Encrypted tokens | Audit and dispute resolution |
What IS NOT retained
- Raw video -- discarded at session end
- Raw audio -- discarded at session end
- Unprocessed biometric frames -- never written to storage
- Any media that could reconstruct the original recording -- not retained by default
- Raw photos -- only hashed biometric fingerprints are stored, never photos. Matching requires a live session plus liveness detection, which blocks replay and rainbow attacks.
Session media (video and screenshots) are retained only if you explicitly opt in for audit purposes. Recognition against hashed fingerprints only occurs if the user's consent allows it and your deployment has opted in. Defaults lean toward minimum retention.
What you control
You choose:
- Whether to retain session media for audit or attribution
- Whether to store biometric fingerprints for cross-session recognition
- Whether to pass any user identifiers from your system into the session context
- Whether to enable document scan retention
All choices are configurable per integration.
Retention periods
FaceSign applies two retention thresholds:
| Rule | Period | What happens |
|---|---|---|
| Inactivity purge | 12 months | If a biometric fingerprint is not matched against a new session for 12 consecutive months, it is permanently deleted |
| Maximum retention | 3 years | Regardless of activity, all biometric fingerprints are permanently deleted after 3 years from creation |
| Session metadata | Configurable | You control how long session metadata and transcripts are retained, up to the 3-year maximum |
After deletion, the data cannot be recovered. FaceSign does not maintain backup copies of purged biometric data.
Right to delete
Data subjects (end users) can request deletion of their biometric data. As the data controller, you handle these requests and relay them to FaceSign:
1. User submits a deletion request to your organization through your standard privacy process.
2. You verify the request and determine it is valid under the applicable regulation (GDPR, CCPA, or your local law).
3. You submit a deletion request to FaceSign via the API or by contacting privacy@facesign.ai.
4. FaceSign deletes the data within 30 days. This includes the biometric fingerprint, session metadata, and any tokenized features associated with that user.
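The two retention thresholds above (12-month inactivity purge, 3-year maximum) and the relayed deletion request are together a lifecycle rule that a controller can audit independently. The following is an added example, not FaceSign's code or schema: a retention sweep that decides, for each stored fingerprint record, whether it must be purged and under which rule. The `FingerprintRecord` fields, the rule precedence (deletion request, then 3-year cap, then inactivity) and the sample data are all assumptions constructed for this illustration; the token itself is deliberately not modelled.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Thresholds as documented on this page.
INACTIVITY_MONTHS = 12      # fingerprint unmatched for 12 consecutive months -> purge
MAX_RETENTION_MONTHS = 36   # 3 years from creation -> purge regardless of activity
DELETION_SLA_DAYS = 30      # a relayed deletion request is honoured within 30 days


@dataclass
class FingerprintRecord:
    """Hypothetical record of one stored biometric fingerprint (constructed schema).

    Only lifecycle timestamps are modelled; the one-way token is opaque and absent.
    """
    subject_id: str
    created_at: datetime
    last_matched_at: Optional[datetime] = None        # None: never matched since creation
    deletion_requested_at: Optional[datetime] = None  # set when the controller relays a request


def add_months(dt: datetime, months: int) -> datetime:
    """Calendar-correct month arithmetic; clamps to month end (e.g. Feb 29 -> Feb 28)."""
    month_index = dt.month - 1 + months
    year = dt.year + month_index // 12
    month = month_index % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def purge_reason(rec: FingerprintRecord, now: datetime) -> Optional[str]:
    """Return why a record must be purged at `now`, or None if it may still be kept.

    Precedence (an assumption of this example): explicit deletion request,
    then the absolute 3-year cap, then the 12-month inactivity rule.
    """
    if rec.deletion_requested_at is not None:
        return "deletion_request"
    if now >= add_months(rec.created_at, MAX_RETENTION_MONTHS):
        return "max_retention"
    last_activity = rec.last_matched_at or rec.created_at
    if now >= add_months(last_activity, INACTIVITY_MONTHS):
        return "inactivity"
    return None


def deletion_deadline(rec: FingerprintRecord) -> Optional[datetime]:
    """Date by which a relayed deletion request must be fulfilled (30-day window)."""
    if rec.deletion_requested_at is None:
        return None
    return rec.deletion_requested_at + timedelta(days=DELETION_SLA_DAYS)


def sweep(records, now):
    """Partition records into those kept and those purged, with the applied reason.

    Purging is irreversible and nothing is backed up, so callers should log the
    `purged` list (subject id and reason, never the token) before destroying data.
    """
    kept, purged = [], []
    for rec in records:
        reason = purge_reason(rec, now)
        if reason is None:
            kept.append(rec)
        else:
            purged.append((rec.subject_id, reason))
    return kept, purged


# Constructed sample data and a fixed "now" for a reproducible run.
UTC = timezone.utc
NOW = datetime(2025, 6, 1, tzinfo=UTC)
SAMPLE_RECORDS = [
    # Recently matched, but created more than 3 years ago -> max_retention
    FingerprintRecord("subj-A", datetime(2022, 5, 1, tzinfo=UTC),
                      last_matched_at=datetime(2025, 5, 20, tzinfo=UTC)),
    # Last matched just over 12 months ago -> inactivity
    FingerprintRecord("subj-B", datetime(2024, 1, 15, tzinfo=UTC),
                      last_matched_at=datetime(2024, 5, 30, tzinfo=UTC)),
    # Never matched, but created under 12 months ago -> kept
    FingerprintRecord("subj-C", datetime(2024, 9, 1, tzinfo=UTC)),
    # Active record whose subject exercised the right to delete -> deletion_request
    FingerprintRecord("subj-D", datetime(2025, 1, 10, tzinfo=UTC),
                      last_matched_at=datetime(2025, 5, 1, tzinfo=UTC),
                      deletion_requested_at=datetime(2025, 5, 15, tzinfo=UTC)),
]

if __name__ == "__main__":
    kept, purged = sweep(SAMPLE_RECORDS, NOW)
    print("kept:", [r.subject_id for r in kept])
    print("purged:", purged)
    print("subj-D deadline:", deletion_deadline(SAMPLE_RECORDS[3]).date())
```

The inactivity clock restarts from `created_at` when a fingerprint has never been matched, so a consented-but-unused fingerprint still expires after 12 months; month arithmetic is done on the calendar rather than with a 365-day approximation so that the cut-off dates match what a user would be told.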
Right to access
Data subjects can request a copy of the data FaceSign holds about them. FaceSign supports access requests by providing:
- Confirmation of whether biometric data exists for the subject
- Session history and metadata (dates, outcomes, risk scores)
- AI transcripts from verification sessions
- A description of the biometric fingerprint (not the fingerprint itself, which is a one-way hash and not human-readable)
The biometric fingerprint is a one-way tokenized representation. It cannot be reversed to reconstruct the original face or voice. Access requests receive a description of what is stored, not the raw token.
Consumer rights by regulation
| Right | GDPR | CCPA |
|---|---|---|
| Right to know what data is collected | Yes (Art. 15) | Yes (Sec. 1798.100) |
| Right to delete | Yes (Art. 17) | Yes (Sec. 1798.105) |
| Right to data portability | Yes (Art. 20) | Limited |
| Right to restrict processing | Yes (Art. 18) | N/A |
| Right to opt out of sale | N/A | Yes (Sec. 1798.120) -- FaceSign does not sell data |
| Biometric data classification | Special category (Art. 9) | Sensitive personal information |
FaceSign does not sell, share, or use biometric data for any purpose beyond the verification session you initiated. There is no secondary use.