Biometric Data Policy

Last Updated: September 15th, 2025

Uzio Technology, Inc. (“we,” “our,” “us”) offers payroll, HR, and timekeeping services, including optional biometric authentication features such as facial recognition for employee time and attendance. This policy explains how Uzio and its service providers (such as Amazon Web Services (AWS) Rekognition) collect, use, disclose, retain, and destroy biometric information when our facial recognition feature is enabled by our clients (employers).

1. Scope

This policy applies to employees, contractors, and other individuals (“users”) whose biometric information is collected and processed through Uzio’s biometric timekeeping feature at the direction of their employer (the “Client”). Clients remain the data controllers responsible for providing legally required notices and obtaining consents under applicable law. Uzio acts as a service provider/processor of Clients. Clients are also responsible for developing and complying with their own biometric data handling practices and policies as may be required under applicable law.

2. Definition of Biometric Data

For purposes of this policy, “Biometric Data” means biological characteristics of an individual, or information based on or derived from such a characteristic or measurements, that can be used to identify or authenticate that individual, and as may be defined by applicable local laws that govern the collection, use, storage or disclosure of biometric information. This includes a mathematical representation of facial features (“facial template”) generated by AWS Rekognition or similar technology for authentication, and photos captured at clock in/out or break in/out for fraud prevention or security verification as enabled by Clients.

3. Collection & Consent

– Biometric data will only be collected after obtaining explicit, informed consent from the users.
– Employers must also provide one-time authorization before enabling biometric features.
– Consent records will be logged and maintained for auditing purposes.

4. Use, Disclosure and Sharing of Biometric Data

Biometric data will be used solely for authentication within kiosks and mobile applications, to verify the identity of users for time and attendance tracking, and for compliance with legal obligations.

Uzio may disclose biometric data only to: the Client that enabled biometric timekeeping; Uzio’s authorized service providers (such as AWS) that support biometric processing; and as required by law, regulation, or valid legal process.
Biometric data will not be sold, leased, or otherwise disclosed to third parties except as required by law.

5. Retention & Deletion

– Biometric data will be retained only while the user is actively employed by the Client or as otherwise required by law.

Upon the earlier of (i) notification from the Client that the user’s employment has ended or biometric use has been discontinued, or (ii) expiration of the maximum retention period permitted by law, Uzio will permanently delete the user’s biometric data.

– Deletion will cover all systems, including backups.

6. Security Controls

– Biometric templates only (no raw images) will be stored.
– Data will be encrypted at rest (AES-256) and in transit (TLS 1.2+).
– Access to biometric data is restricted to authorized personnel under role-based access controls.
– All biometric actions (enrollment, deletion, authentication) will be logged in OCSF format.
– Anti-spoofing measures (e.g., liveness detection) will be implemented.
– No biometric data will be cached or stored on kiosk devices.

7. User Rights

Where required by law, users may: (a) request deletion of their biometric data at any time via kiosk or mobile app; (b) re-enroll if needed due to changes in facial features or errors; (c) withdraw consent at any time; (d) request details about retention and deletion practices.

Such requests should be directed to the user’s employer, who will coordinate with Uzio.

8. Updates

We may update or amend this policy from time to time to reflect changes in applicable laws or Uzio’s business practices.