BIOMETRIC DATA CONSENT AND POLICY

ID.me will never share your biometric data with a third party except to protect you or others from identity theft.

This Biometric Data Consent and Policy ("Biometric Consent") describes how ID.me ("ID.me", "we", "us" or "our") collects and uses certain Biometric Data ("Biometric Data") in connection with the services provided by ID.me ("Services"). By accepting this Consent, you consent to the collection, use and disclosure of your Biometric Data as described below. Please note that your consent may not be revoked in all circumstances, including where your Biometric Data is required to complete the transaction for which it was collected or to provide services requested by you and for security purposes. You further acknowledge and agree that you have been provided with, and agree to be bound by the terms of, the ID.me Terms of Service and the ID.me Privacy Policy to the extent applicable to such Biometric Data.
1. What is the significance of this Consent?

Certain laws require us to provide you notice and obtain your consent to use your Biometric Data. This means that you have agreed that we can collect, use and disclose your Biometric Data as described in this Consent.
2. Can I withdraw or revoke my Consent?

Subject to certain exceptions, you may have the option to withdraw or revoke your consent to use of your Biometric Data by notifying us at privacy@id.me. However, we may decline your revocation request if your Biometric Data is required to: (i) complete the transaction for which the information was collected, provide a good or service requested by you, or reasonably anticipated by you within the context of our ongoing business relationship with you, or otherwise perform a contract between ID.me and you; or (ii) to help to ensure security and integrity to the extent the use of your personal information is reasonably necessary and proportionate for those purposes. You may also decline to provide Biometric Data. If you revoke your consent or decline to provide Biometric Data that is required for you to use the Services, however, you may experience a loss of functionality as well as a reduced user experience or may not be able to use the Services for certain purposes.
3. What is Biometric Data?

Biometric Data is a form of information related to your biometric characteristics which may be used to identify you. Common examples include fingerprints, voiceprints, scans of a hand, facial geometry recognition and iris or retina recognition. There are various state laws that define Biometric Data including "biometric identifiers" and "biometric information" as defined under the Illinois Biometric Information Privacy Act, "biometric identifiers" under the Texas Capture or Use of Biometric Identifier Act, "biometric identifiers" under the Washington Biometric Information Law, and "biometric information" under the California Consumer Privacy Act. We will apply the definition and comply with the requirements of the applicable state law in which you are resident.

For purposes of this Consent, the term Biometric Data includes the information we describe in Section 4.
4. What Biometric Data Do We Collect?

When a user signs up or uses the Services we may collect the following Biometric Data:

    Facial Biometrics: Our Service may require you to upload an image of your government issued or other identification document(s) with your photographic image or "selfie" photograph of yourself using your mobile or other device. We use these images to create a facial geometry or faceprint which we use for purposes of identity verification and to prevent the fraudulent creation of multiple accounts in a fraudulent manner.
    Voiceprints: When creating an account on the Service, you may also be required to call ID.me and leave a voice recording that is used to create a voiceprint for you. We use this voiceprint for identity verification and to prevent the creation of multiple ID.me accounts in a fraudulent manner.

5. How Do We Use Your Biometric Data?

We use your Biometric Data as follows:

    To verify your identity when you are opening an account or using the Services;
    To authenticate use of your account and the Services for a transaction;
    To prevent fraudulent uses of the Service and the creation of multiple accounts for fraudulent purposes; and
    To comply with legal obligations or comply with a request from law enforcement or government entities where not prohibited by law.

6. Do We Share or Disclose Your Biometric Data?

We may share or disclose your Biometric Data in the following circumstances:

    To our clients for which you use the Service for verification purposes, such as to a bank or merchant for processing a payment at a point of sale or with a government agency for confirming your account for unemployment benefits purpose.
    To third party service providers that provide services or perform functions on our behalf necessary to provide the Service to you. These service providers are limited to using the Biometric Data to provide those services and functions, and to maintain such Biometric Data in a secure fashion consistent with this Consent.
    To other third parties where permitted by law, to enforce the Terms, to comply with legal obligations or applicable, to respond to legal process (such as a subpoena, warrant or civil discovery request), to cooperate with law enforcement agencies concerning conduct or activity that we reasonably and in good faith believes may violate federal, state, or local law, and to prevent harm, loss or injury to others.

7. Do We Sell Your Biometric Data?

No, we do not sell, lease, or trade your Biometric Data to any third parties or derive any profit from the sale, lease or trade of your Biometric Data.
8. How long does ID.me retain my Biometric Data?

ID.me stores and uses your Biometric Data as long as you have an active account with ID.me and are using the Services. After you close your account or stop using the Services, we may retain your Biometric Data for up to seven and a half years to comply with legal, contractual, fraud prevention and policy obligations, except where applicable law provides for a shorter period (for example, for Illinois residents, we destroy Biometric Data when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual's last interaction with ID.me, whichever occurs first). After your account is closed, you will need to re-enroll, which may include providing your Biometric Data to ID.me again, before you can use the Services.

In addition, you may request that ID.me delete your Biometric Data at any time and ID.me will process such request for deletion promptly, although we may decline your revocation request under certain circumstances, including if your Biometric Data is required to: (i) complete the transaction for which the information was collected, provide a good or service requested by you, or reasonably anticipated by you within the context of our ongoing business relationship with you, or otherwise perform a contract between ID.me and you; or (ii) to help to ensure security and integrity to the extent the use of your personal information is reasonably necessary and proportionate for those purposes. See Section 9 below about how to make such a request. Please note such deletion may affect the functionality and scope of Services that we can provide.
9. Can I request access, correction or deletion of my Biometric Data?

Yes, you can submit a request to access, correct or delete your Biometric Data by contacting us at privacy@id.me. We will respond to the request promptly within the time frame and in the form required by applicable law.
10. What Kind of Storage and Security Do You Use With My Biometric Data?

ID.me will store your Biometric Data safely and securely in accordance with applicable law. ID.me uses a reasonable care standard in accordance with industry standards to protect your Biometric Data against unauthorized access, accidental change or deletion and hacking attempts. For example, we encrypt Biometric Data both in transit and at rest when being used in connection with the Services. Further, when working with Biometric Data, ID.me employees are instructed: (i) to ensure the screens of their computers are always locked when left unattended for any period of time; (ii) that Biometric Data should never be shared informally; (iii) Biometric Data should not be sent by email; and (iv) Biometric Data must be encrypted before being transferred electronically.

Questions about how ID.me safely stores your Biometric Data should be directed to the IT Manager or Data Controller who can be reached through privacy@id.me.
11. Changes

We reserve the right to change or modify this Biometric Consent at any time. If we make material changes to this policy, we will notify you here, by email, or by means of notice on our home page. Such changes are binding on you if you continue to use the Service after such notice is provided, except if you are resident in a state that requires to affirmatively agree to the changes, in which case we will provide you the opportunity to do so before the changes take effect.