SUMMARY
This Biometrics Policy governs how we collect, use, store, and protect biometric data. We collect biometric identifiers like facial geometry only with your explicit consent for specific purposes, such as face matching services. We implement strong security measures to protect this sensitive data and provide you with rights to access, delete, or withdraw consent for your biometric information. Special provisions apply based on your state or country of residence.
1. BIOMETRIC DATA COLLECTION AND CONSENT
1.1. Collection Authorization. SHMONG maintains a publicly available written policy detailing retention schedules and destruction guidelines for Biometric Data. By accepting this Agreement, you consent to the collection, storage, use, and processing of your Biometric Data (e.g., facial geometry, templates, vectors derived from your Content).
1.2. Specific Biometric Identifiers Collected. SHMONG explicitly collects and processes the following biometric identifiers:
- Facial geometry and landmarks
- Facial measurement vectors and templates
- Facial recognition data points
- Mathematical representations of facial features
- Other facial biometric data necessary for our facial recognition technology
1.3. Commercial Data Usage. By accepting this Agreement, you expressly authorize SHMONG to:
- Sell, trade, share, and commercially use your biometric data
- Generate revenue from insights derived from biometric data
- License biometric data to third parties for commercial purposes
- Create and monetize products based on biometric data
- Transfer or assign rights to biometric data as part of business operations
By accepting this Agreement, you explicitly consent to these commercial activities. We may engage in these commercial activities while maintaining reasonable security measures for your data as outlined in this Agreement.
1.4. Rights Waiver. By accepting this Agreement, you acknowledge and agree to waive the following rights regarding your biometric data:
- The right to revoke consent for historical data usage that has already been incorporated into our systems
- The right to restrict certain forms of processing necessary for core service functionality
- The right to object to legitimate commercial usage as permitted by applicable law and described in this Policy
- The right to disable certain security features that rely on biometric authentication
- Any rights beyond those explicitly granted in this Agreement or required by applicable law
You retain all other rights not explicitly waived, including those detailed in Section 3 of this Biometrics Policy, and your right to opt-out as described in Section 1.5 remains unaffected by this waiver.
1.5. Opt-Out Procedure. You may opt out of biometric data collection, processing, and commercial usage at any time by:
- Emailing a clear request to Legal@shmong.com with the subject line "Biometric Data Opt-Out"
- Including your account information and specific opt-out request details
- Verifying your identity through our standard verification process
Upon receipt of a verified opt-out request, SHMONG will:
- Cease collecting new biometric data within 10 business days
- Delete existing biometric data within 45 days (subject to legal retention requirements)
- Confirm completion of your opt-out request
- Note that opting out may limit or disable certain features that rely on biometric data
1.6. Uploader Responsibility. If you upload content containing other individuals, you are solely and exclusively responsible for obtaining their written consent, notifying them of this policy, and documenting their acceptance as specified in the Terms of Service. SHMONG's role is limited to requiring uploaders to certify they have obtained proper consent before uploading biometric data.
1.7. Certification of Consent by Uploaders. Before uploading any Content containing biometric data of other individuals, you must certify that:
- You have obtained express, informed written consent from each identifiable individual
- You have informed these individuals that their biometric data will be processed by SHMONG
- You maintain verifiable records of these consents
- You take full legal responsibility for the consent collection process
- You will indemnify SHMONG against any claims arising from inadequate consent
1.8. Mandatory Certification Checkbox. SHMONG implements a mandatory certification process requiring uploaders to affirmatively check a box before each upload containing biometric data, specifically certifying they have obtained all necessary consents. This checkbox is non-optional, and uploads cannot proceed without this certification. SHMONG maintains records of these certifications, including timestamps and user information. However, SHMONG does not independently verify the actual consent documents and relies entirely on uploader certifications.
1.9. SHMONG's Limited Role in Consent Process. SHMONG's role regarding consent is limited to:
- Requiring uploaders to certify they have obtained proper consent
- Providing uploaders with information about consent requirements
- Establishing a mechanism for certification during the upload process
- Maintaining records of uploader certifications
SHMONG does not verify the actual consent documents obtained by uploaders and relies entirely on uploader certifications regarding consent.
In Plain Language: If you upload photos of other people to our service:
- You must check a box confirming you have their permission
- You are responsible for actually getting their written permission
- We keep a record of your certification but don't check the actual permission forms
- We trust that when you check the box, you've truly gotten proper permission
- You are legally responsible if you upload someone's face without proper permission
1.10. Consent Verification and Audit Program. To ensure the integrity of our consent certification system:
- SHMONG conducts periodic random audits of uploader consent records to verify compliance
- Selected uploaders must provide verifiable evidence of proper consent within 10 business days
- Uploaders agree to participate in these audits as a condition of using our Services
- Audits will assess both the existence and validity of consent records
- SHMONG will maintain detailed records of all audit processes and findings
- Audit frequency will be determined based on risk assessment and usage volume
1.11. Consequences of Audit Failure. Failure to comply with audit requirements or discovery of consent violations may result in:
- Immediate account suspension pending investigation
- Permanent account termination for serious or repeated violations
- Removal of all Content uploaded without proper consent documentation
- Prohibition from creating new accounts on the platform
- Potential reporting to relevant regulatory authorities
- Legal action for indemnification as provided in the Terms of Service
- Additional remedial measures as required to ensure compliance
In Plain Language:
- We will randomly check if uploaders actually have the permission forms they claimed to have
- If selected for audit, you must show us the permission documents within 10 business days
- If you can't prove you had permission or you've falsely claimed to have permission, we may suspend or terminate your account, remove your content, ban you from our platform, report you to authorities, and/or take legal action against you
2. STORAGE AND PROTECTION
2.1. Duration of Storage. We retain Biometric Data until the earliest of:
- For Texas residents, not later than the first anniversary of the date the purpose for collecting the identifier expires
- For Illinois residents, when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual's last interaction, whichever occurs first
- For residents of other states, three (3) years after last interaction
- Your deletion request fulfillment
- Failure to provide re-consent
In Plain Language: We'll keep biometric data until:
- For Texas residents: for no more than 1 year after we no longer need it
- For Illinois residents: until we no longer need it or for 3 years after last activity, whichever happens first
- For other states: for up to 3 years after last activity
- Earlier if you ask us to delete it or don't renew your consent when asked
2.2. Security Standards. We store, transmit, and protect Biometric Data using a reasonable standard of care within our industry, at least as protective as how we handle other confidential information. Measures include:
- Encryption (AES-256+)
- Access controls
- Security assessments
- Personnel training
- Physical security
- Data segregation
- Timely breach notification
2.3. Periodic Re-Consent. To comply with laws and maintain accuracy, periodic re-consent (at least every 24 months) is required for continued storage/use of Biometric Data.
3. USER RIGHTS REGARDING BIOMETRIC DATA
3.1. Right to Access. You have the right to confirm processing and access your Biometric Data.
3.2. Right to Deletion. You may request deletion of your Biometric Data. SHMONG will permanently delete it from its systems within 45 days (subject to legal retention needs).
3.3. Right to Withdraw Consent. You may withdraw consent anytime. SHMONG will cease processing and delete your Biometric Data accordingly.
3.4. Exercise Rights. Contact Legal@shmong.com to exercise these rights. SHMONG will respond within legal timeframes (typically 45 days, extendable once).
3.5. Data Removal Request Process. Individuals may request complete Biometric Data removal:
- Uploader Responsibility: As an uploader, you are solely responsible for all legal compliance related to biometric data consent, notification, and record-keeping. You must:
  - Establish a clear process for individuals in your Content to request removal
  - Collect sufficient information to verify identity
  - Maintain an immutable log of all removal requests for 3 years
  - Bear sole legal responsibility for any claims related to consent or improper collection
  - Indemnify SHMONG for any claims arising from your uploaded Content
- SHMONG Technical Role: Upon receiving a verified removal request (either directly or from an uploader), SHMONG will:
  - Execute the technical removal of biometric data from SHMONG systems
  - Complete removal within 30 calendar days from verification
  - Provide confirmation of technical deletion
  - Notify relevant service providers processing this data
- Limited Technical Role Disclaimer: SHMONG's execution of technical deletion does not in any way assume, transfer, or share the uploader's sole legal responsibility for consent collection, notification requirements, or compliance with biometric privacy laws. The uploader acknowledges and agrees they remain solely legally accountable for all consent-related matters regardless of who executes the technical deletion.
In Plain Language:
- If someone wants their face data removed, they can ask you (the uploader) or us directly
- If asked, we'll delete their data within 30 days and confirm when it's done
- Even though we'll delete the data when requested, uploaders remain fully responsible for having gotten proper permission in the first place
- As an uploader, you need to have your own process for handling removal requests
4. DATA SHARING LIMITATIONS
4.1. Commercial Data Usage and Rights. SHMONG expressly reserves the right to the following, subject to state-specific limitations in Section 5:
- Commercially use your biometric data as permitted by applicable law
- Generate revenue from insights derived from biometric data
- Share biometric data with service providers and partners as needed
- Create and monetize products based on biometric data
- Use anonymized biometric data for commercial purposes in all jurisdictions
"Anonymization" means the process of permanently removing all identifiers that could link biometric data to you personally. This includes removing names, account details, device identifiers, and applying technical measures to prevent re-identification. Anonymized data is transformed so it can no longer be associated with any specific individual.
By accepting this Agreement, you explicitly consent to these commercial activities to the extent permitted in your jurisdiction. The exact rights we exercise will depend on the laws of your state of residence.
4.2. Limited Disclosure. We will not disclose Biometric Data unless:
- You consent
- It completes a requested transaction
- Required by law/valid legal process
- To contractors/agents assisting us, who are contractually bound to confidentiality
5. STATE-SPECIFIC PROVISIONS
5.1. Illinois Residents (BIPA). For Illinois residents:
- We will store, transmit, and protect biometric identifiers using reasonable care and in accordance with the Illinois Biometric Information Privacy Act (BIPA)
- We will destroy biometric data within 3 years of last interaction or when the purpose is satisfied
- We will not sell, lease, trade, or otherwise profit from your identifiable biometric information as prohibited by BIPA
- Any commercial use of Illinois residents' data will be strictly limited to properly anonymized data that cannot be re-identified
- "Anonymization" for BIPA compliance means irreversibly removing or transforming all identifiers and applying technical safeguards certified to prevent the data from being re-associated with your identity
- By accepting this Agreement, you provide written release as required by BIPA solely for the collection, storage, and explicitly permitted uses of your biometric data
- This written release does not authorize any use prohibited by BIPA
- Illinois residents' biometric data will be handled with the highest level of protection required by BIPA
5.2. Texas Residents (CUBI). For Texas residents:
- The purpose of collecting biometric identifiers is to provide face matching services for users to their images
- We will destroy biometric identifiers within one year after this purpose expires, meaning one year after you stop using our face matching service or delete your account
- We will store and protect biometric identifiers using reasonable care as required by Texas law
- Texas law allows for commercial use of biometric data with proper consent
- By accepting this Agreement, you provide consent for the sale, sharing, and commercial use of your biometric data as permitted by Texas law
- You acknowledge you have been informed and give permission for these commercial uses
- For additional protection, we may anonymize your data before certain commercial uses
- "Anonymization" means permanently removing identifiers that could connect the data to you personally, making it impossible to re-identify you from the data
5.3. California Residents (CCPA/CPRA). For California residents:
- Biometric Data is treated as sensitive personal information under California law
- You have the right to limit use/disclosure of your biometric data
- You have the right to opt-out of the sale or sharing of your biometric data
- To exercise your "Do Not Sell/Share" right under California law, email Legal@shmong.com with the subject line "California Do Not Sell/Share"
- We will process your request within 15 calendar days of receipt
- You will not be discriminated against for exercising your California privacy rights
- We provide this email mechanism as our required "Do Not Sell/Share" functionality for all California residents
5.4. Additional States. We commit to complying with applicable biometric/privacy laws in other states (WA, NY, CO, etc.) providing additional protections.
6. DATA SECURITY AND BREACH RESPONSE
6.1. Technical Safeguards. We implement specific safeguards for biometric data, including:
- Multi-factor authentication for system access
- Database-level encryption
- Regular penetration testing
- Zero-trust security architecture
6.2. Breach Response Protocol. In the event of a biometric data breach:
- We will notify affected individuals within 72 hours of breach confirmation
- We will notify regulatory authorities as required by law
- We will provide a description of the breach and the types of data affected
- We will outline steps taken to remediate the breach
7. INTERNATIONAL CONSIDERATIONS
7.1. Cross-Border Data Transfers. Your biometric data may be transferred to, stored, and processed in countries outside your country of residence, including the United States. For such transfers, we implement appropriate safeguards in accordance with applicable data protection laws, which may include:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Binding Corporate Rules (BCRs) where applicable
- Data Transfer Impact Assessments (DTIAs) to assess and mitigate risks
- Additional technical, organizational, and contractual measures as required
- Country-specific transfer mechanisms as legally required
7.2. European Union/EEA Users. For EU/EEA residents:
- We process biometric data based on your explicit consent as required by GDPR Article 9
- We implement appropriate technical and organizational security measures
- We fully respect and facilitate all data subject rights under GDPR Articles 15-22
- We conduct and document data protection impact assessments
- For cross-border transfers, we utilize European Commission approved SCCs with supplementary measures as recommended by the European Data Protection Board
- We maintain records of all processing activities involving biometric data
- We apply Privacy by Design principles to all biometric data processing
7.3. UK Residents. For UK residents, we comply with the UK GDPR and UK Data Protection Act 2018, including UK-specific data transfer mechanisms where relevant.
7.4. Other International Jurisdictions. We comply with applicable privacy and data protection laws in other countries regarding biometric data, including but not limited to:
- Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
- Brazil's General Data Protection Law (LGPD)
- Australia's Privacy Act
- Japan's Act on the Protection of Personal Information (APPI)
- South Korea's Personal Information Protection Act (PIPA)
8. BIOMETRIC ALGORITHM TRANSPARENCY
8.1. Accuracy and Performance. Our facial recognition technology:
- Achieves 99.8% accuracy in controlled testing environments
- Maintains 98.5% accuracy in real-world conditions with proper lighting
- Has a false positive rate of less than 0.1% (1 in 1,000)
- Has a false negative rate of approximately 1.5%
- Performance metrics are regularly updated through continuous testing
8.2. Demographic Performance. Our commitment to fairness includes:
- Testing across diverse demographic groups to identify and mitigate potential biases
- Accuracy rates of 98.0-99.9% across different skin tones
- Gender classification accuracy of 98.5% across gender expressions
- Age group recognition accuracy of 97% across age ranges
- Continuous algorithm improvement to address any identified disparities
8.3. Testing Methodology. Our facial recognition system is evaluated using:
- Diverse test datasets representing various demographics
- Real-world usage scenarios and lighting conditions
- Independent third-party validation of performance metrics
- Confusion matrix analysis for false positive/negative rates
- Benchmarking against industry standards and datasets
8.4. System Limitations. We transparently acknowledge the following limitations:
- Reduced accuracy in extremely low lighting conditions
- Potential challenges with partial face occlusions
- Performance variations with significant facial changes (injury, surgery, aging)
- Environmental factors such as glare or extreme angles may affect performance
- Limitations processing multiple faces in crowded scenes with overlapping features
8.5. Continuous Improvement. Our facial recognition technology undergoes:
- Regular retraining with diverse datasets
- Quarterly bias audits and fairness evaluations
- Performance benchmarking against industry standards
- Feature engineering optimization based on user feedback
9. FACIAL RECOGNITION ETHICS STATEMENT
9.1. Ethical Principles. SHMONG is committed to the following ethical principles:
- Human-centered approach prioritizing user dignity and rights
- Fairness and non-discrimination across all demographic groups
- Accountability through transparent practices and policies
- User autonomy through informed consent and control
- Privacy by design and default in all aspects of our service
9.2. Prohibited Use Cases. Our facial recognition technology shall not be used for:
- Mass surveillance or monitoring of public spaces
- Law enforcement or criminal investigation purposes without explicit legal process
- Discrimination based on race, gender, religion, or other protected characteristics
- Tracking individuals without their knowledge and consent
- Evaluating eligibility for essential services, housing, or employment
- Any purpose that violates fundamental human rights
9.3. Algorithmic Fairness. We maintain fairness through:
- Regular auditing for potential biases across demographic groups
- Diverse training datasets representing various populations
- Transparency about performance variations across demographics
- Regular testing by independent third parties
- Ongoing adjustments to improve equity across all groups
9.4. Human Oversight. While we use automated systems:
- Critical decisions involve human review
- Regular human auditing of algorithmic performance
- Users can request human review of automated decisions
- Human expertise is incorporated in system design and implementation
- Staff training on ethical considerations and potential impacts
9.5. Commitment to Research and Improvement. We are dedicated to:
- Ongoing research into potential social impacts of facial recognition
- Incorporating evolving ethical standards into our practices
- Participating in multi-stakeholder dialogues on responsible AI
- Publishing transparency reports on system performance
- Continuous improvement based on emerging best practices
DEFINITIONS
- "Biometric identifier": A retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.
- "Biometric information": Information based on an individual's biometric identifier used to identify an individual.
- "BIPA": Illinois Biometric Information Privacy Act, which regulates the collection and use of biometric identifiers.
- "CUBI": Texas Capture or Use of Biometric Identifier Act, which regulates biometric identifiers.
- "CCPA/CPRA": California Consumer Privacy Act and California Privacy Rights Act, which regulate personal information, including biometric data.
- "Encryption": The process of converting information into a code to prevent unauthorized access.
- "One-way encryption": A form of encryption that cannot be reversed to recreate the original data.
- "Zero-trust security": A security model that requires strict identity verification for every person and device.
- "Data segregation": The separation of different types of data to enhance security and privacy.