FaceLock Reader Application Privacy Policy

Last Updated: January 12, 2026

FaceLock ("we", "us", or "our") is committed to protecting the privacy and security of all individuals who use our FaceLock Reader Application (the "App"). This Privacy Policy explains how we collect, use, disclose, store, and protect information when you use the App to scan and verify FaceTec UR Codes for identity verification purposes.

Critical Privacy Statement: FaceLock Reader does NOT store, retain, or transmit any biometric data (FaceMap, photos, images). All biometric processing occurs locally on your device and no biometric data leaves the device.

This policy applies to all users of the FaceLock Reader app, including individuals scanning credentials and organizations (Relying Parties) using the app for verification purposes. We operate in compliance with applicable data protection laws, including the GDPR (where relevant), CCPA/CPRA, BIPA, and other jurisdictional biometric privacy requirements.

1. Information We Collect

Biometric Data - NOT Collected, Stored, or Transmitted

FaceLock Reader does NOT collect, store, or transmit any biometric data:

  • No photos are stored — The device camera is used only for real-time face comparison during the scanning process. No image data persists after the comparison is complete.
  • No residual images are stored — No image data is retained on the device after verification.
  • No FaceMap data is stored — UR Codes contain 72 bytes of encrypted face vector data (FaceMap), which is proprietary to FaceTec. This FaceMap is extracted from the UR Code during scanning for comparison purposes only, but is NOT stored or transmitted.
  • No biometric data is transmitted — FaceMap, photos, images, and biometric identifiers are NOT transmitted to FaceLock servers or any third-party servers.

Metadata Attributes - Transmitted for Logging

Non-biometric metadata attributes from UR Codes ARE transmitted to servers for logging purposes, as requested by client organizations (Relying Parties):

  • First name and last name — Name information encoded in the UR Code
  • Date of birth — Birth date information when present in the credential
  • Credential attributes — Other non-biometric information added to the credential by the credential holder (e.g., ID numbers, issue/expiry dates, organizational affiliations)

Implicit Consent: By presenting a credential to the FaceLock Reader app and completing face validation, the credential holder implicitly consents to the reading and storage of their credential metadata for audit logging and compliance purposes.

Technical Data

We may collect limited technical information necessary to provide the App:

  • Device information (type, OS version)
  • App usage metrics and performance data
  • Error logs for troubleshooting purposes

2. How We Use Your Information

Biometric Data Usage

The embedded FaceTec SDK uses the device camera only to compare the face visible in the camera feed with the encrypted FaceMap data extracted from the scanned UR Code. The comparison happens in real time during the scanning process:

  • The camera feed is used only for real-time comparison
  • The 72-byte FaceMap is extracted from the UR Code for comparison purposes
  • No biometric data is stored — All biometric processing occurs locally and is discarded immediately after comparison
  • No biometric data is transmitted — No FaceMap, photos, or images leave the device
  • The app provides only a match/no-match indication

Metadata Usage

We use transmitted metadata attributes solely for:

  • Audit logging — Maintaining records of verification events for compliance and chain-of-custody tracking
  • Compliance — Meeting legal and regulatory requirements as requested by client organizations
  • Security — Supporting fraud prevention and security incident response

We do not use metadata for marketing, profiling, or unrelated purposes.

3. Biometric Data Handling (Privacy-Preserving Architecture)

FaceLock Reader's core innovation is privacy-preserving biometric verification:

  • Real-time processing only — Biometric comparison occurs exclusively in real time during the scanning process
  • Local processing — All biometric processing occurs locally on your device using the FaceTec SDK
  • No biometric storage — No biometric data (FaceMap, photos, images) is stored on the device or transmitted to servers
  • UR Code technology — FaceLock Reader reads FaceTec UR Codes (as documented at https://urcodes.com/), which are digitally signed biometric barcodes that enable privacy-preserving identity verification
  • Offline capability — The verification process can work offline without requiring network connectivity for the biometric comparison itself

This architecture minimizes privacy risks, avoids central biometric databases, and supports compliance with GDPR (special category data minimization), BIPA (no storage of biometric identifiers by FaceLock), and similar laws.

4. Sharing of Information

We do not sell, rent, or trade personal information. We may share metadata information only:

  • With client organizations (Relying Parties) who have requested logging services, under strict data processing agreements
  • With service providers (e.g., Azure hosting, logging tools) under strict data processing agreements
  • To comply with legal requirements or court orders, or to protect rights/safety
  • In connection with business transfers (e.g., merger/acquisition), with notice where feasible

We do NOT share biometric data — as no biometric data is collected, stored, or transmitted.

5. Data Storage, Security, and Retention

  • Metadata is hosted in Azure SQL databases with encryption at rest and in transit
  • We implement industry-standard security measures (access controls, audit logging)
  • Metadata is retained as long as required for audit and compliance purposes, as requested by client organizations
  • We do NOT retain any biometric data — no biometric data is stored

6. International Data Transfers

Data may be processed in the United States or other jurisdictions. Where required (e.g., GDPR), we implement appropriate safeguards such as Standard Contractual Clauses.

7. Your Rights

Users may:

  • Request information about what metadata has been logged (subject to client organization policies)
  • Request deletion of metadata (subject to retention requirements for legal/audit purposes as requested by client organizations)

For questions about metadata logged by specific client organizations, please contact the relevant Relying Party, as they control the logging requirements.

To exercise your rights or make an inquiry, contact us at privacy@envoc.com.

8. Changes to This Privacy Policy

We may update this policy to reflect changes in practices or law. We will notify you of significant changes via the App or email. Continued use constitutes acceptance of updates.

9. Contact Us

For privacy questions, contact:

FaceLock Privacy Team
Email: privacy@envoc.com

We take privacy seriously and design FaceLock Reader to unlock trust — enabling secure, privacy-preserving identity verification while respecting the highest standards of data protection.


Trademarks

"UR" and "UR Codes" are trademarks of FaceTec, Inc. "UR" is registered in the European Union and United Kingdom. "FaceTec" is a trademark of FaceTec, Inc. and is registered in the United States.