Biometric Data Privacy Policy

Clear, comprehensive biometric data protection

Effective Date: August 5, 2025

Last Updated: October 14, 2025

This Biometric Data Privacy Policy ("Biometric Policy") explains how Swayed collects, uses, stores, and protects biometric information when you create AI avatars or use video features. This policy supplements our Privacy Policy and Terms of Service.

Important: Explicit Consent Required

By using avatar features, you provide informed written consent (as required by Illinois BIPA, Texas CUBI, and similar laws) for Swayed to collect, use, and store your biometric identifiers and biometric information.

You can withdraw consent and request deletion at any time.

1. What is Biometric Data?

1.1 Biometric Identifiers

Under laws like Illinois BIPA (740 ILCS 14/10), "biometric identifier" means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.

Swayed collects the following biometric identifiers:

  • Facial geometry: Mathematical representations of facial features extracted from photos or videos you upload
  • Voiceprints: Unique voice characteristics extracted from audio recordings you provide

1.2 Biometric Information

"Biometric information" means information based on biometric identifiers used to identify an individual, including templates, mathematical representations, and other data derived from biometric identifiers.

1.3 What We Do NOT Collect

  • Fingerprints
  • Retina or iris scans
  • Hand geometry scans
  • DNA or genetic information
  • Physical or digital photographs (these are NOT biometric identifiers under BIPA)

Note

Photos and voice recordings themselves are not biometric identifiers until processed to extract unique geometric or voice characteristics. We only extract biometric data when you use avatar features.

2. How We Collect Biometric Data

2.1 When Collection Occurs

Biometric data is collected only when you actively use avatar creation features, including:

  • Creating a new AI avatar
  • Uploading photos for avatar generation
  • Recording or uploading voice samples
  • Using video generation features with human faces

2.2 Consent Process

Before We Collect Biometric Data:

We inform you that biometric data will be collected

We explain the purpose: To create AI avatars and generate video content

We specify the retention period: Maximum 30 days after avatar creation or account closure

We obtain your written consent: By clicking "I Consent" or proceeding with avatar creation

This consent satisfies the requirements of Illinois BIPA § 15(b), Texas CUBI § 503.001(b), and similar state laws.

2.3 Third-Party Processing

We use Hedra, Inc. as our biometric data processor. When you create avatars:

  • Your photos and voice recordings are transmitted to Hedra's servers
  • Hedra extracts facial geometry and voiceprints
  • Hedra generates your AI avatar
  • Hedra may retain data per their privacy policy (maximum 3 years)

Hedra Data Processing Agreement

By using avatar features, you consent to Hedra's processing of your biometric data as a service provider to Swayed. Hedra's data practices are governed by their privacy policy.

Important: Hedra is a separate legal entity. While we require Hedra to comply with biometric privacy laws, you should review their privacy policy.

3. Purpose and Use of Biometric Data

3.1 Permitted Uses

We collect and use biometric data solely for the following purposes:

  • Avatar creation: Generate AI avatars based on your facial features
  • Voice cloning: Create synthetic voice for avatar narration
  • Video generation: Produce animated videos featuring your avatar
  • Service improvement: Improve avatar quality and generation speed (aggregate data only, not individual identification)

3.2 What We Do NOT Do

Swayed Will NEVER:

Sell, rent, or trade your biometric data

Disclose biometric data without consent (except as legally required)

Use biometric data for advertising or profiling

Share biometric data with third parties except Hedra (our processor)

Use your biometric data to identify you in other contexts

Train AI models on your individual biometric data

4. Storage and Retention

4.1 Retention Period

As required by Illinois BIPA § 15(a) and similar laws, we have a written retention schedule:

  • Facial geometry data: Deleted within 30 days of avatar creation completion
  • Voiceprints: Deleted within 30 days of avatar creation completion
  • Generated avatars: Retained until you delete them or close your account
  • After account closure: All biometric data deleted within 30 days

Why 30 days?

This allows time for avatar generation (typically 20 minutes), troubleshooting, and regeneration if needed. You can request immediate deletion at any time.

4.2 Permanent Deletion

In compliance with Illinois BIPA § 15(a), we permanently delete biometric data when:

  • Initial purpose fulfilled: 30 days after avatar creation completes
  • User requests deletion: Within 30 days of your deletion request
  • Account closed: Within 30 days of account closure
  • 3-year maximum: All biometric data deleted after 3 years regardless of other factors (in accordance with industry standards)

4.3 Storage and Security

Biometric data is protected with:

  • Encryption at rest: AES-256 encryption
  • Encryption in transit: TLS 1.3
  • Access controls: Restricted to authorized personnel only
  • Separate storage: Biometric data stored separately from other user data
  • Regular audits: Security reviews and penetration testing
  • Incident response: Procedures for data breach notification

Security Notice

As required by Illinois BIPA § 15(e), we use a reasonable standard of care to store, transmit, and protect biometric data. This standard is the same or more protective than the manner we store, transmit, and protect other confidential information.

5. Disclosure and Sharing

5.1 No Sale or Profit from Biometric Data

In compliance with Illinois BIPA § 15(c) and Texas CUBI § 503.001(c)(1), we do NOT:

  • Sell biometric data
  • Lease or trade biometric data
  • Otherwise profit from biometric data

5.2 Limited Disclosure

We may disclose biometric data only in the following circumstances (per BIPA § 15(d)):

  • To Hedra: Our service provider for avatar processing (with your consent)
  • With your consent: If you explicitly authorize disclosure
  • Legal obligations: If required by valid court order, subpoena, or law
  • To protect rights: To investigate violations or protect safety

Notice

If legally required to disclose biometric data, we will notify you unless prohibited by law (e.g., gag order).

6. Your Rights

6.1 General Rights

You have the right to:

  • Know: What biometric data we collect and how we use it (this policy)
  • Consent: Opt-in before any biometric data collection
  • Withdraw consent: Revoke consent at any time
  • Access: Request a copy of your biometric data
  • Delete: Request deletion of your biometric data
  • Opt-out: Use Swayed without providing biometric data (non-avatar features)

6.2 State-Specific Rights

Illinois Residents (BIPA)

Illinois residents have:

  • Private right of action: Sue for BIPA violations (740 ILCS 14/20)
  • Statutory damages: $1,000 per negligent violation, $5,000 per intentional violation
  • Attorney's fees: Recover legal fees if you prevail
  • Written consent required: We must obtain written release before collection

Texas Residents (CUBI)

Texas residents have:

  • Notice requirement: We must inform you before collection
  • Consent requirement: We must obtain consent before capture/use
  • No private right of action: But you can complain to Texas AG
  • Civil penalties: Up to $25,000 per violation (enforced by AG)

Washington Residents

Washington residents have:

  • Notice and consent: Required before enrollment
  • Purpose limitation: Data used only for disclosed purposes
  • No sale: Biometric data cannot be sold

California Residents (CCPA/CPRA)

California residents have:

  • Right to know: Categories of biometric data collected
  • Right to delete: Request deletion of biometric data
  • Sensitive personal information: Biometric data receives enhanced protection
  • Opt-out rights: Limit use of sensitive personal information

7. How to Exercise Your Rights

7.1 Request Deletion

To delete your biometric data:

  • In-app: Go to Settings → Privacy → Delete Biometric Data
  • Email: support@swayed.io (Subject: "Delete Biometric Data")
  • Processing time: Deletion within 30 days
  • Confirmation: You'll receive email confirmation

7.2 Request Access

To access your biometric data:

  • Email: support@swayed.io (Subject: "Biometric Data Access Request")
  • Include: Account email, description of data requested
  • Verification: We may request ID verification
  • Response time: Within 45 days
  • Format: Provided in portable format (JSON or CSV)

7.3 Withdraw Consent

To withdraw consent for future biometric data collection:

  • In-app: Settings → Privacy → Biometric Consent → Revoke
  • Email: support@swayed.io (Subject: "Withdraw Biometric Consent")
  • Effect: You can no longer use avatar features, but other features remain available
  • Existing data: We'll delete per retention schedule unless you request immediate deletion

7.4 File a Complaint

If you believe we violated biometric privacy laws:

  • Illinois residents: File a lawsuit under BIPA or contact Illinois Attorney General
  • Texas residents: File complaint with Texas Attorney General
  • Washington residents: File complaint with Washington Attorney General
  • California residents: File complaint with California Privacy Protection Agency
  • Contact us first: support@swayed.io – we want to resolve issues quickly

8. Minors and Biometric Data

Zero Tolerance: No Minors

Swayed does NOT knowingly collect biometric data from individuals under 18.

Users must be 18+ to use Swayed

Do not upload photos, videos, or voice of anyone under 18

Do not create avatars based on minors

Violations result in immediate account termination

If you believe we collected biometric data from a minor, contact us immediately at support@swayed.io. We will delete the data within 24 hours.

9. Your Responsibilities and Consent Requirements

9.1 User Responsibilities

You are solely responsible for ensuring:

  • You own the biometric data or have explicit written consent to use it
  • No minors appear in uploaded content
  • You comply with all applicable biometric privacy laws
  • You have proper authorization before uploading others' data

Liability Warning

You are liable for violations of biometric privacy laws resulting from your misuse of Swayed. Statutory damages can be significant: $1,000-$5,000 per violation under BIPA, and up to $25,000 under Texas CUBI.

9.2 Third-Party Consent Form

If you want to create avatars using someone else's likeness, you MUST obtain written consent. We recommend using a consent form that includes:

  • Statement that biometric data will be collected
  • Purpose of collection (avatar creation)
  • Retention period (maximum 30 days)
  • Right to withdraw consent
  • Signature and date

Need a template?

Email support@swayed.io for a sample consent form.

10. Data Breach Notification

In the unlikely event of a biometric data breach, we will:

  • Notify affected users within 72 hours via email
  • Provide details: What data was affected, date of breach, steps we're taking
  • Notify authorities as required by law
  • Offer remediation: Credit monitoring or other support as appropriate
  • Investigate and remediate the breach

11. International Users

Swayed is operated in the United States. Biometric data is processed and stored in the U.S.

  • GDPR compliance: If you're in the EU, biometric data is "special category data" requiring explicit consent
  • Data transfers: By using Swayed, you consent to transfer of biometric data to the U.S.
  • Local law compliance: You're responsible for ensuring compliance with your local biometric privacy laws

12. Changes to This Policy

We may update this Biometric Privacy Policy to reflect legal changes, new features, or best practices.

  • Notice: Material changes will be communicated via email 30 days in advance
  • Re-consent: We may request new consent if collection practices change
  • Last Updated: Check the date at the top to see when this policy was last revised
  • Continued use: Using avatar features after changes constitutes acceptance

13. Contact Us

For questions, concerns, or requests regarding biometric data:

  • Email: support@swayed.io
  • Subject line: "Biometric Privacy Question"
  • Response time: Within 48 hours
  • Mailing address: Swayed.io, PO Box 816152, Dallas 75381 USA

We Take Biometric Privacy Seriously

Biometric data is sensitive, and we're committed to protecting it with the highest standards. This policy is designed to exceed legal requirements and give you full control over your biometric information.

Questions or concerns? We're here to help. Email support@swayed.io anytime.

14. Acknowledgment and Consent

By Using Avatar Features, You Acknowledge:

You have read and understood this Biometric Privacy Policy

You consent to collection, use, and storage of biometric identifiers (facial geometry, voiceprints)

You understand the purpose: AI avatar creation

You understand the retention period: Maximum 30 days after creation or 3 years

You understand Hedra will process your biometric data

You can withdraw consent and request deletion at any time

You are 18+ years old

You own or have consent for any biometric data you upload.

Related Policies:

Terms of ServicePrivacy PolicyAcceptable Use Policy