Biometric Data Policy
Version: v1 · Effective Date: June 1, 2026 · Governing Law: State of Delaware, United States
1. Introduction and Applicability
This Biometric Data Policy ("Policy") describes how RIG53, Inc. ("RIG53," "we," "us," or "our"), a Delaware corporation, collects, uses, stores, and destroys biometric data in connection with the identity and credential verification features of the RIG53 platform.
This Policy applies to all users who undergo biometric-based verification on the Platform, including but not limited to drivers submitting Commercial Driver's License (CDL) scans for verification via the RIG53 Driver Qualification (DQ) Passport feature. It is incorporated by reference into the RIG53 Privacy Policy and Terms of Service.
2. What Biometric Data We Collect
In the context of the RIG53 verification flow, "biometric data" includes:
| Data Type | Collection Method | Purpose |
|---|---|---|
| Facial geometry / facial scan | Liveness detection via Didit identity verification SDK | Identity verification; liveness check to confirm real person |
| CDL photograph (facial image) | OCR scan of uploaded CDL document | Credential verification; name/DOB/CDL class extraction |
| Document biometric template | NFC or barcode chip read (if applicable to document type) | Authenticity verification of government-issued ID |
RIG53 does not collect fingerprints, retina scans, voiceprints, or any other biometric identifier beyond those listed above. We do not collect biometric data from any user who does not initiate the optional identity verification flow.
3. Purpose of Collection
Biometric data is collected solely for the following specific, documented purposes:
- Identity verification: Confirming that the person submitting a government-issued ID is the document holder, using a liveness check and facial comparison.
- Credential authenticity: Verifying that a submitted CDL or government-issued ID is genuine and unaltered.
- Fraud prevention: Detecting duplicate identity submissions, synthetic identities, or impersonation attempts.
- Platform Trust Score: Assigning a verified identity signal to a user's Trust Score following successful verification.
Biometric data is never used for advertising, profiling for commercial purposes, or any purpose beyond those listed above.
4. Legal Basis for Processing
Our legal bases for processing biometric data are:
- Consent (GDPR Art. 6(1)(a), BIPA §15(b)): We obtain explicit, informed, written consent before collecting any biometric data. Consent is specific to the verification purpose and is not bundled with other consents.
- Contractual necessity (GDPR Art. 6(1)(b)): Verification is necessary to provide certain gated features of the Platform (e.g., Driver Verified badge, access to commercial features requiring verified identity) as described in the Terms of Service.
- Legitimate interests (GDPR Art. 6(1)(f)): Fraud prevention and platform integrity constitute legitimate interests that do not override the fundamental rights of data subjects.
5. Consent — How We Obtain It
5.1 Consent Gate
Before initiating biometric data collection, RIG53 presents a biometric consent screen that clearly discloses: (a) the specific biometric data to be collected; (b) the purpose of collection; (c) the duration of retention; (d) the identity of any third-party processors; and (e) the right to refuse without consequence to non-verification features of the Platform.
The user must affirmatively check a consent checkbox and submit to proceed. Pre-checked boxes are not used.
5.2 Voluntary Nature
Biometric verification is optional. Declining does not prevent access to non-verification features of the Platform. However, certain gated features — such as the Driver Verified badge, verified profile ring, and access to verification-gated commercial features — will remain unavailable without completed verification.
5.3 Withdrawal of Consent
You may withdraw consent at any time by submitting a written request to privacy@rig53.com. Upon withdrawal, RIG53 will delete your biometric data within 30 days, subject to any legally required retention period. Withdrawal of consent revokes access to verification-gated features and removes the verified badge from your profile.
5.4 Consent Records
RIG53 records the timestamp, IP address, and device identifier associated with each biometric consent event for audit purposes per the requirements of BIPA §15(b) and GDPR Art. 7(1).
6. Storage and Security
6.1 Encryption
All biometric data processed by RIG53 is encrypted at rest using AES-256 and in transit using TLS 1.3. Encryption keys are managed separately from data storage.
6.2 Access Controls
Access to biometric data is restricted to authorized RIG53 personnel with a documented need-to-know, and to our identity verification sub-processor (Didit). All access is logged in our audit system. No RIG53 employee may access raw biometric data for purposes beyond fraud investigation, legal compliance, or verified technical support.
6.3 Geographic Storage
Biometric data is processed and stored in data centers located in the United States. International transfers to sub-processors are governed by Standard Contractual Clauses (SCCs) where applicable per the GDPR framework outlined in the Data Processing Agreement.
7. Retention and Destruction
7.1 Retention Period
Biometric data is retained only as long as necessary to fulfill the verification purpose:
| Data Type | Retention Period | Destruction Trigger |
|---|---|---|
| Facial geometry / liveness data | 30 days after verification completion | Automatic deletion after 30-day window |
| CDL document image | 7 years (49 CFR §391 DQ retention) | Account deletion or legal hold release |
| Verification session metadata | 7 years | Regulatory retention period |
| Consent records | 7 years | Regulatory compliance |
CDL images are retained for 7 years per 49 CFR §391.51 Driver Qualification file requirements. The facial geometry used for liveness checking is not retained beyond 30 days.
7.2 Destruction Method
Upon expiry of the applicable retention period, biometric data is permanently and irreversibly deleted using cryptographic erasure (key deletion) and secure overwrite procedures. Deletion is logged in the audit system.
9. Your Rights Under Illinois BIPA
If you are an Illinois resident subject to the Biometric Information Privacy Act (740 ILCS 14), you have the following rights:
- Right to written notice (§15(b)(1)): You must be informed in writing of the specific data being collected and the purpose and duration of retention before collection occurs. This Policy satisfies that notice.
- Right to written release (§15(b)(3)): We must obtain a written release before collecting your biometric data. We obtain this through the consent gate described in Section 5.
- Right to deletion: You may request deletion of your biometric data at any time (subject to legally required retention) by contacting privacy@rig53.com.
- Prohibition on profit (§15(c)): RIG53 does not profit from your biometric data.
- Prohibition on disclosure (§15(d)): RIG53 does not disclose or disseminate biometric data to any party without your written consent, except to sub-processors under contract, or as required by law.
- Private right of action (§20): You may seek relief under BIPA for any violation of its provisions. RIG53 is committed to full BIPA compliance.
10. Your Rights Under CCPA (California Residents)
Under the California Consumer Privacy Act (Cal. Civil Code §1798.100), as amended by the CPRA, California residents have the following rights with respect to biometric information (a category of "sensitive personal information" under CCPA):
- Right to know: You may request disclosure of the categories and specific pieces of biometric data we have collected, the purposes of collection, and the categories of third parties with whom it was shared.
- Right to delete: You may request deletion of your biometric information, subject to applicable exceptions.
- Right to correct: You may request correction of inaccurate biometric or verification data we hold about you.
- Right to opt out of sale/sharing: RIG53 does not sell or share biometric data for cross-context behavioral advertising. No opt-out is required, but you may confirm our non-sale status by contacting us.
- Right to limit use of sensitive personal information: You may direct RIG53 to limit use of your biometric data to the purposes disclosed in this Policy.
- Right to non-discrimination: Exercising any CCPA right will not result in discrimination in the provision of Platform services.
To exercise any of the above rights, submit a verifiable consumer request to privacy@rig53.com or via the data subject request form in your account settings. RIG53 will respond within 45 days as required by CCPA §1798.130.
11. No Sale of Biometric Data
RIG53 does not and will not sell, lease, trade, or otherwise profit from any user's biometric data to any third party for any purpose. This prohibition is absolute and applies regardless of whether consent has been obtained for other forms of data processing.
12. Modifications to This Policy
RIG53 reserves the right to modify this Policy. Any material change to how we collect, use, store, or destroy biometric data requires renewed explicit consent from affected users before the change takes effect. Non-material changes (such as formatting updates or clarifications) will be communicated via email or in-app notice at least 14 days in advance.
The current version of this Policy is always available at rig53.com/legal/biometric.
13. Contact and DPO
For questions, consent withdrawal, or data subject requests related to biometric data:
RIG53 Privacy Team
Email: privacy@rig53.com
Legal: legal@rig53.com
RIG53, Inc. · Wilmington, Delaware, United States