Privacy

effective 2026-05-24 · draft

Draft. This page is a placeholder for the final privacy text, which will be published before public launch. The structure below indicates the topics the final document will cover. For questions about BioFRQ's policies in the meantime, contact hello@biofrq.com.

section 01

Scope of this policy

This policy covers three surfaces operated by BioFRQ:

  • the marketing site at biofrq.com,
  • the dashboard at dash.biofrq.com,
  • the public API at api.biofrq.com.

It applies to two groups of people: customers (account holders who use the API and dashboard) and data subjects (the people whose face data is sent through the API by a customer).

Material changes are communicated by email to account holders and via a dashboard banner at least 30 days before they take effect. Non-material clarifications are published with a revised effective date at the top of this page.

section 02

Information we collect

We collect only what we need to provide the service, bill for it, and keep it secure.

  • Account profile. Name, work email, company name, country, billing address.
  • Authentication state. Argon2id-hashed passwords, opaque session tokens, optional TOTP 2FA secret. We never store raw passwords.
  • API usage metadata. Timestamp, request ID, customer ID, action name, status code, latency, and billable unit count per call. We do not log the request body or response body.
  • Operational telemetry. Aggregated error rates, throughput, infrastructure health metrics. Anonymised — no customer identifiers leave the production network.
  • Billing records. Payment method tokens (held by our payment processor; we receive only the token), invoice history, tax IDs where required.
  • Support communications. Emails, dashboard chat messages, and any documents you choose to share with us.

section 03

Information we do NOT collect

The following are explicit non-collections:

  • Raw input images. Images submitted to the API are held in memory only for the duration of the call and are never written to durable storage.
  • Cropped face evidence. The optional evidence store is off by default in production deployments and is never enabled without explicit per-customer configuration. When enabled in development, the bucket is dev-tenant-only.
  • Tracking cookies. The marketing site sets no cookies. The dashboard sets one essential session cookie. We use no advertising trackers, no fingerprinting scripts, no third-party tag managers.
  • Cross-site browsing. We do not buy, sell, or consume third-party browsing data about you.

section 04

Biometric data and inferences

The API processes face images and returns biometric data: bounding boxes, liveness scores, age/gender/mood estimates, and — for enrolled subjects — mathematical face representations stored as vectors in a per-customer pgvector index.

These face vectors are not images. They are high-dimensional numeric encodings of facial geometry; the original image cannot be reconstructed from them. They are treated as special-category personal data under GDPR Article 9 (biometric data used for unique identification) and equivalent regimes (BIPA, CCPA, India DPDP).

The lawful basis is yours, not ours. BioFRQ acts as a processor: we operate the infrastructure that runs the model, but the decision to capture, retain, and process a subject's face is taken by you (the customer). You are the controller. You hold the lawful basis (consent, contract, legitimate interest with balancing test, statutory authorisation), the obligation to inform subjects, and the obligation to honour their rights.

A subject's face vector and all metadata associated with that subject ID are deleted within seconds of a successful deleteSubject API call.

section 05

Why we process it

Each category of processing has a named lawful basis under GDPR Article 6 (and equivalent regimes):

  • Account data — contract performance. We process this to provide the service you signed up for.
  • API usage metadata — contract performance. Required to bill accurately and to power the dashboard you log into. Some retention is required for fraud and abuse prevention (legitimate interest).
  • Biometric inferences — contract performance with our customer. We process a face only because the customer called the API. The customer holds the lawful basis with the subject.
  • Operational telemetry — legitimate interest. Anonymised metrics let us run a reliable service.
  • Marketing communications — consent. Opt-in only, with an unsubscribe link in every message.

section 06

Retention periods

  • Account data: lifetime of the account + 30-day grace period after closure.
  • API usage metadata: 90 days hot (queryable from the dashboard), then 12 months cold (for billing reconciliation and statutory audit).
  • Billing records: 7 years (tax and accounting obligations).
  • Face embeddings (enrolled subjects): retained for the lifetime of the enrolment; deleted immediately on a successful deleteSubject call; deleted in full within 30 days of account closure.
  • Operational telemetry: 30 days.
  • Support communications: 3 years from last contact.

section 07

Subprocessors

We rely on the following third parties to deliver the service. Material changes are announced 30 days in advance via the dashboard and email.

  • Hetzner (Germany, EU) — production hosting, dedicated servers, encrypted backup region.
  • Cloudflare (US, with EU edge) — DNS, DDoS protection, WAF, edge TLS termination, privacy-safe web analytics.
  • Stripe (US / EU) — payment processing. PCI DSS Level 1; we never see raw card numbers.
  • Postmark (US) — transactional email (account, billing, alerts).
  • Sentry (EU region) — application error tracking with PII scrubbing enabled.

Each subprocessor is bound by a data processing addendum compatible with the Standard Contractual Clauses where data crosses EU borders.

section 08

Your rights

Under GDPR (and equivalent regimes) you have the following rights. We honour them whether or not the underlying law applies in your jurisdiction.

  • Access — request a copy of the personal data we hold on you.
  • Rectification — correct inaccurate data. Most fields are editable directly in the dashboard.
  • Erasure — close your account; we delete account data within 30 days and biometric vectors immediately. Specific subjects can be erased mid-account via deleteSubject.
  • Portability — structured export of your data on request, in JSON.
  • Restriction and objection — opt out of marketing in the dashboard; raise other objections to privacy@biofrq.com.
  • Lodge a complaint — with your local supervisory authority (e.g. ICO in the UK, CNIL in France, BfDI in Germany).

We respond to rights requests within 30 days. Identity verification may be required for sensitive requests.

section 09

Contact

Privacy enquiries: privacy@biofrq.com

Data Protection Officer: dpo@biofrq.com

For security vulnerabilities, see biofrq.com/security.