← Back to facegate.ai

Last updated: March 25, 2026

Biometric Data Retention and Destruction Policy

Policy version 1.0.0 — Effective March 25, 2026

1. What Biometric Data Is Collected

FaceGate collects face geometry vectors — mathematical representations derived from facial images captured during enrollment and authentication. These vectors describe the spatial relationships between facial landmarks (such as the distance between eyes, nose shape, and jawline geometry). They are unique to each individual and constitute biometric identifiers under applicable privacy laws.

2. What Is Not Stored

Photographs and raw images are never retained. When your camera captures a frame during enrollment or authentication, that image is processed immediately to extract a face geometry vector. The image is then discarded and is not written to disk, stored in any database, transmitted to any server log, or retained in any backup system. Only the derived vector is stored.

Face geometry vectors cannot be reverse-engineered into photographs or any visual representation of your face.

3. Purpose of Collection

Biometric data collected through FaceGate is used exclusively for identity authentication — verifying that the person attempting to log in is the same person who enrolled. FaceGate does not use biometric data for:

  • Surveillance or monitoring
  • Marketing, advertising, or profiling
  • Cross-tenant identification or tracking
  • Sale or transfer to third parties
  • Any purpose other than authentication for the service where you enrolled

4. Sub-Processors

FaceGate uses the following sub-processors to store and process biometric data:

Sub-ProcessorRoleData Processed
AWS RekognitionFace matching and liveness detectionFace vectors and liveness challenge frames (images not retained)
SupabaseDatabase storageFace geometry vectors, enrollment metadata

5. Retention Period

Biometric data is retained for the shorter of:

  • 3 years from the date of your last successful authentication, or
  • Until you request deletion, whichever comes first

At the end of the retention period, biometric data is automatically scheduled for destruction. No manual action is required on your part for routine expiration.

6. Destruction Method

When biometric data is deleted — whether by expiration, user request, or account termination — the following destruction procedure is followed:

  1. Face geometry vectors are deleted from the FaceGate database (Supabase)
  2. The corresponding face collection entry is deleted from AWS Rekognition
  3. Deletion is confirmed by querying both systems to verify no records remain
  4. A deletion confirmation event is written to the audit log, including timestamp and scope

Deletion is permanent and irreversible. Once destroyed, biometric data cannot be recovered. You will need to re-enroll if you wish to use FaceGate authentication again.

7. How to Request Deletion

You may request deletion of your biometric data at any time through any of the following methods:

Via API

Send a DELETE request to /v1/users/{userId} using your enrollment token or an authorized API key. Your biometric data will be destroyed within 24 hours.

Via the Tenant Who Deployed FaceGate

If you enrolled through an application that uses FaceGate (such as a business or platform), contact that application's support team to request deletion. Tenants are required to process deletion requests within 30 days.

Direct to FaceGate

Email privacy@facegate.ai with your user ID or the email address associated with your enrollment. Include the name of the application where you enrolled. We will coordinate deletion with the relevant tenant.

8. Contact Information

For questions about this policy, biometric data practices, or to exercise your privacy rights:

Privacy contact: privacy@facegate.ai

Response time: Within 5 business days for general inquiries; within 30 days for formal deletion requests

9. Policy Version History

VersionEffective DateSummary of Changes
1.0.0March 25, 2026Initial policy