Acceptable use

Face recognition technology has real-world consequences for the people it sees. A false match in a fraud-screening flow can cost someone their account. A confident verdict in a watchlist context can cost someone their liberty. The same API call can be the difference between a friction-free login and a wrongful denial.

This policy is part of your contract with BioFRQ. It sets the floor: the uses we permit, the uses we prohibit, and the obligations you accept by sending traffic to api.biofrq.com. You are free — and encouraged — to apply stricter internal standards on top.

You must maintain a documented lawful basis for every subject you process through the API, in every jurisdiction where that subject resides. Acceptable bases under GDPR (and equivalents) include:

• Consent — freely given, specific, informed, and unambiguous.
• Contract performance — where biometric verification is necessary to deliver a service the subject has actively engaged.
• Legitimate interest— only after a documented balancing test that demonstrates the subject's rights do not override your interest.
• Legal obligation — where statute requires identity verification (regulated KYC, anti-money-laundering, child-safety obligations).
• Vital interests or public task — narrow categories typically reserved for public bodies or emergency response.

BioFRQ does not establish or verify your lawful basis. You are the data controller; the basis is yours to document and defend.

Where consent is your lawful basis, it must be:

• Freely given — never coerced, never bundled with terms the subject must accept to use an unrelated service, no pre-checked boxes.
• Specific— to face recognition for a named purpose, not a blanket "biometric processing" authorisation.
• Informed — the subject knows who you are, what you collect, why, how long you keep it, who else might receive it, and their rights.
• Unambiguous — a clear affirmative action, not inferred from inaction.
• Withdrawable— at any time, as easily as it was given. Withdrawal triggers your obligation to delete the subject's data; you should call our deleteSubject endpoint in response.

Notice must be presented before the first biometric capture, in language the subject understands, and must remain accessible. "Consent buried in clickwrap" is not consent.

The following are prohibited regardless of any lawful basis you believe you have. Engaging in them is a material breach of your agreement with BioFRQ.

• Mass-surveillance scraping.Building or augmenting a face identification gallery from public imagery (CCTV feeds, social-media accounts, search results) without the subjects' consent or a clear statutory authorisation.
• Covert identification. Identifying individuals in public or semi-public spaces in real time, without their knowledge, where you are not a state actor operating under specific legal authority.
• Decisions with legal effect, without review. Using API outputs as the sole basis for decisions that produce legal or similarly significant effects on individuals (loan denial, employment termination, custody, immigration) without a documented human-review process.
• Predictive policing or social scoring. Targeting individuals or populations on the basis of biometric data for predicted future behaviour.
• Inference of protected attributes. Using the API to infer race, religion, sexual orientation, health status, or political opinion of an individual, where doing so is unlawful or unethical in the relevant jurisdiction.
• Re-identification. Attempting to re-identify individuals from datasets that were pseudonymised or anonymised by another party.
• Deception and impersonation. Generating, evaluating, or training systems to produce synthetic biometric data intended to deceive humans or other systems.
• Targeting vulnerable populations for harm. Processing refugees, asylum seekers, religious or ethnic minorities, LGBTQ+ individuals, or other vulnerable groups for uses likely to expose them to harm.
• Violation of applicable law. Including but not limited to the EU AI Act, GDPR, Illinois BIPA, Texas CUBI, Washington H.B. 1493, India DPDP Act, China PIPL.

If you operate a face-identification gallery (a watchlist), you are subject to additional governance obligations because the consequences of a wrongful inclusion are severe.

• Documented inclusion criteria. Who can add an entry, on what evidence, with what authorisation.
• Review cadence. Inclusions reviewed at least quarterly; we recommend monthly. Stale entries removed.
• Subject notification. Unless law explicitly authorises secret inclusion (a narrow exception), the subject is informed they are on the list and given a meaningful way to challenge their inclusion.
• Decision logging. Every identification result that triggers a real-world action is logged with the score, the threshold, the reviewer, and the action taken — for audit and appeal.
• No third-party sharing. Watchlist contents may not be sold, traded, or shared with third parties without an independent lawful basis for the sharing.
• No behavioural aggregation. Watchlist outputs may not be aggregated into general behavioural profiles of individuals.

Processing the face data of minors requires heightened protection. For purposes of this policy, "minor" means a person under 18, or under the age of digital consent in the subject's jurisdiction, whichever is higher.

• Processing a minor's face requires verifiable consent from a parent or legal guardian, captured before the first API call.
• For children under 13 (or the equivalent threshold in your jurisdiction), additional regimes apply: COPPA in the US, GDPR Article 8 in the EU, and analogous protections elsewhere.
• BioFRQ may not be used for routine surveillance of minors in schools (entry control, attendance, behavioural monitoring) without an explicit statutory authorisation that overrides this prohibition.
• BioFRQ may not be used to identify minors in public spaces.

To report suspected misuse of BioFRQ by a customer — whether you are a subject, a journalist, a regulator, or a concerned third party — contact abuse@biofrq.com.

Please include, where possible:

• the URL or identifier of the customer's product;
• the specific concern (which prohibited use, why);
• any evidence you can share (screenshots, links, documents);
• your relationship to the situation and your contact details.

Reports are reviewed within 5 business days. Reporter identity is protected — we will not disclose your identity to the reported customer without your written consent, except where ordered by a competent court.

Our enforcement is graduated. Typical sequence:

• First-time, good-faith breach. Written notice and 14 days to remedy.
• Repeated or significant breach. Immediate suspension pending review, with the customer given 14 days to submit a written response.
• Material breach (any of the prohibited uses). Immediate termination and, where applicable, reporting to the relevant data-protection authority or law-enforcement body.

Customers may appeal a termination by writing to legal@biofrq.com within 30 days. Appeals are reviewed by an officer who was not involved in the original decision.

We may publish anonymised case studies of enforcement actions in our annual transparency report. Customer-identifying details are removed; the underlying conduct and our response are described so that the rest of the customer base understands where the line is.