Certain parts of our Services (as defined in our Privacy Policy) make use of biometric data.  Biometric data generally means personal data about an individual’s physical or human characteristics that can be used to identify that person, such as facial recognition technology performed on photographs collected through our Services. Biometric data may be subject to additional laws and regulations, including, but not limited to, the General Data Protection Regulation (EU) 2016/679 (the “GDPR”); and the Illinois Biometric Information Privacy Act (the “Illinois Act”), and other United States Federal, State or local legislation or ordinances (collectively, the “U.S. Laws,” and, in the aggregate, the “Biometrics Laws”). For the purposes of this Biometric Privacy Notice, “Biometric Data” means any such physical information we collect about you (in this instance the 3D FaceScan and FaceMap described below) to provide the Services that is within our possession, including, as applicable: (i) “biometric identifiers” and “biometric information” as defined under the Illinois Act or other U.S. Laws; and (ii) “biometric data” as defined under the GDPR.  This policy sets forth Civic’s procedures for how we treat Biometric Data related to Civic’s Pass Uniqueness Service. 

Collection, Disclosure, and Use of Biometric Data

We collect Biometric Data from you to detect liveness, verify your uniqueness, and for other similar purposes when you complete Civic’s Uniqueness Verification steps.  These identifiers may include facial recognition data, as well as mathematical or topographical representations of your biometric identifier. 

To use the Services, you will need to submit a recording of your face (“3D FaceScan”). The 3D FaceScan will be analyzed by Artificial Intelligence technology to distinguish live humans from attempted spoofs. A topology of your face (“FaceMap”) will then be produced and compared against all previously enrolled FaceMaps to detect duplicate enrollments. If no duplicates are found, you will be considered “Unique” and issued a Civic Pass. If a duplicate record is found, you will be able to revoke previous verifications and request a new Civic Pass. Note that the FaceMap is not an image of your face and cannot be used without Civic-controlled tools. An image of your face cannot be regenerated from a FaceMap. Once the FaceMap is generated, Civic deletes your 3D FaceScan.

We share Biometric Data as detailed in our Privacy Policy in order to provide the Services, including (i) with our third-party service providers who assist with the provision of our biometrics-related services or our IT, security, and fraud programs, and (ii) as required by law or regulation. Except in connection with a merger, acquisition, reorganization, bankruptcy, receivership, purchase or sale of assets, other change of control event, or transition of service to another provider, Civic does not sell your Biometric Data.

When we collect Biometric Data, we endeavor to provide a specific notice and consent request at the time of that collection. Each user of our Services is required to expressly consent to our collection of such user’s Biometric Data when they engage with our Services. If a user chooses not to consent to our collection of such user’s Biometric Data, then the user should not use the service. We reserve the right to request a new consent if any of the terms contained in this Biometric Privacy Notice undergo a material change.

Retention of Biometric Data

Civic will retain Biometric Data in accordance with our Privacy Policy, except where otherwise required under the Biometrics Laws.

Unless required by law to maintain any specific Biometric Data for longer than our retention schedule, Civic will securely delete Biometric Data according to this schedule rendering it no longer available for inspection or access. Civic will securely delete Biometric Data upon request.

Security of Biometric Data

Civic implements industry-leading encryption and other data security technology designed to ensure that your Biometric Data is processed, stored, transmitted, and protected in a secure fashion.

Third-Party Service Providers

Civic uses tools provided by FaceTec, a third-party service provider, to capture and process your Biometric Data.  Your biometric data is not accessible to or shared with FaceTec or it’s subcontractors. Civic will not provide FaceTec with any personally identifiable data and FaceTec will not collect nor solicit any personally identifiable data from Civic.