Notice to Parents (COPPA + biometric data)

Photoenroll.com (the “Service”) is operated by Unleavened LLC (“we,” “us,” “our”). This notice explains how we handle children's information under the Children's Online Privacy Protection Act (COPPA) and the Federal Trade Commission's COPPA Rule (including the 2025 amendments extending the definition of personal information to biometric identifiers). It is intended for the parent or legal guardian of any child whose face you may enroll in the Service.

For any question about this notice or your child's data, contact privacy@photoenroll.com.

Children do not create accounts on Photoenroll and do not interact with the Service. All collection occurs through your account as the parent or legal guardian, and only after you give informed, verifiable consent at enrollment.

• The child's first name and (optionally) date of birth.
• Reference photos you provide so the matcher can learn what your child looks like.
• A mathematical face template (an embedding) derived from those photos. The template is a 512-dimensional vector and cannot be reversed into a recognizable image.
• Frames extracted from the enrollment gesture video you record at enrollment (used as additional reference imagery).
• Photo references and bounding boxes for matches our pipeline finds in galleries uploaded by camps, schools, photographers, or event hosts (“Partners”) you have subscribed to.

We do not collect a child's contact information, geolocation, persistent identifier outside the Service, or any other category of personal information defined by COPPA.

Exclusively to identify the enrolled child in galleries the parent has subscribed the child to, and to deliver match notifications to the parent's designated recipients. We do not use the child's data for advertising, behavioral profiling, third-party analytics, model training for unrelated products, or sale.

Partners never receive the child's reference photos, the consent recording, or the face template. When the matcher identifies the child in a Partner's gallery, the Partner sees only that someone enrolled in Photoenroll has been matched in their gallery — they do not see the child's identity unless you separately interact with them.

We use a small number of service providers (Amazon Web Services for hosting and storage; Stripe for billing on the parent account; Google for OAuth sign-in on parent accounts that choose it). Each provider is bound by confidentiality and security obligations and may only use data to provide its service to us. We do not sell biometric or other personal information of children.

Before any biometric processing of the child begins, we ask you, as the verified parent or guardian, to record a short video at enrollment. The recording captures:

• Your face on camera, in good light, at a known time.
• Your voice stating the consent phrase displayed on screen — for example, identifying the child you are enrolling and confirming authorization to create a face template for matching.
• The on-screen disclosure summarizing the contents of this notice and the Privacy Policy at the time of capture.

The recording is retained as evidence of consent, separately from the biometric data it authorizes. We also store an audit-log entry (“ConsentLog”) at the time of consent containing your account identifier, IP address, user agent, the on-screen disclosure version, and a timestamp. You may review the version of the disclosure that applied at the time of your consent on request.

• Review. Review what we have collected about your child from the account settings page or by emailing privacy@photoenroll.com.
• Delete. Delete your child's biometric data at any time from your account. Deletion is permanent and removes the face template, reference photos, and gesture-video frames not required as consent evidence.
• Withdraw consent. Withdraw your consent for future processing. We will stop matching the child immediately and delete the relevant biometric data.
• Refuse further collection. Close your account to prevent any further collection.

To exercise these rights, use the account settings page or contact privacy@photoenroll.com. We will respond within a reasonable time and, in any event, within the period required by applicable law.

We retain biometric data about the child (face template, reference photos, gesture-video frames not required as consent evidence) for the shorter of (a) the duration of your account or (b) three years from your last interaction with the Service. This matches the retention rules in the Illinois Biometric Information Privacy Act §15(a), which we apply to all users regardless of state.

The standalone consent recording and the parental-consent log entry are retained as evidence of consent for the longer of (a) three years from your last interaction or (b) the period required by applicable law, even after the biometric data they authorized is deleted.

We host biometric data in encrypted-at-rest cloud storage with access restricted to operational personnel. Reference photos, gesture videos, and consent recordings are not publicly accessible; URLs delivered to browsers are short-lived, signed URLs scoped to your authenticated session.

We may update this notice from time to time. The “Last updated” date at the top reflects the most recent change. For material changes we will notify registered parents by email and, where applicable law or this notice requires it, request renewed affirmative consent before the change applies to your child's data.

Unleavened LLC, d/b/a Photoenroll.com
138 Main Street, #1020
East Rockaway, NY 11518
Email: privacy@photoenroll.com