How we handle biometric data.

Explained the way we'd want it explained to us. For the formal policy, see the privacy policy.

What counts as biometric data

For parent enrollment in camps, two things count:

  • The face embedding (a 512-dimensional vector) generated from your child's photos
  • The reference photo crops we use to generate the embedding

Both are tied to your account and deletable on request. We only ever generate them from the reference frames in your enrollment video — never from the camp's uploaded photos.

BIPA in plain English

Illinois' Biometric Information Privacy Act is the strictest US biometric law. It requires:

  • Written notice that biometric data is being collected + why
  • Written + recorded consent before collection
  • Retention schedule, with destruction after purpose is met
  • Limits on disclosure / sale
  • Protection equivalent to what you give other confidential info

We apply BIPA standards to every parent in every state. One policy. No state-by-state logic.

How consent works

During child enrollment, the parent records a short video that:

  • Plays a written consent disclosure on screen
  • Captures the parent reading a verbal consent statement
  • Captures the parent's own face on the same recording

That single recording proves: notice was given, consent was given freely, and the consenting person was the parent. It's stored separately from the biometric data it authorizes.

COPPA + children

COPPA (Children's Online Privacy Protection Act) is the US federal law for kids under 13. We collect only what's required for matching, the parent authorizes all of it, and the data is deletable on request.

We don't advertise to children, profile children, or use children's data for any purpose beyond delivering photos to their family.

Deletion: what we delete + what we keep

When a parent deletes their account:

  • Hard-deleted from storage: face embeddings, reference photo crops, enrollment videos, account record
  • Retained per BIPA: the consent log entry. By law, the proof of authorization must outlive the data

We've been careful to ensure the retained record contains no biometric data itself — it's just a timestamped log entry of "parent X consented to biometric processing on Y date, see video at S3 key Z." The video itself is what proves the consent; the log is the index.
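The deletion behaviour described above, as an added example (not the product's own code): a constructed in-memory store with a hypothetical delete_parent_account that hard-deletes the embeddings, crops, enrollment video and account record, leaves the consent log entry in place, and refuses to retain any entry whose fields would carry biometric data. All names, the record layout and the sample values are assumptions.

```python
from dataclasses import dataclass, field, asdict

# Constructed, in-memory stand-in for the real storage (all names are assumptions).
@dataclass
class ConsentLogEntry:
    parent_id: str
    consented_at: str   # ISO-8601 timestamp of the recorded consent
    video_s3_key: str   # pointer to the consent recording; the log is only the index

@dataclass
class Store:
    accounts: dict = field(default_factory=dict)           # parent_id -> {"children": [...], "video_s3_key": ...}
    embeddings: dict = field(default_factory=dict)         # child_id -> 512-float face embedding
    photo_crops: dict = field(default_factory=dict)        # child_id -> list of reference crop bytes
    enrollment_videos: dict = field(default_factory=dict)  # s3_key -> video bytes
    consent_log: list = field(default_factory=list)        # the only thing retained after deletion

# Field names that would mean biometric data leaked into the retained record.
BIOMETRIC_FIELD_NAMES = {"embedding", "embeddings", "crops", "photo_crops", "face", "video_bytes"}

def seed_store() -> Store:
    """Constructed sample: one parent account with one enrolled child."""
    s = Store()
    s.accounts["parent-1"] = {"children": ["child-1"], "video_s3_key": "consent/parent-1.mp4"}
    s.embeddings["child-1"] = [0.01] * 512
    s.photo_crops["child-1"] = [b"\xff\xd8crop1", b"\xff\xd8crop2"]
    s.enrollment_videos["consent/parent-1.mp4"] = b"\x00\x00\x00\x18ftyp"
    s.consent_log.append(ConsentLogEntry("parent-1", "2024-05-01T14:03:00Z", "consent/parent-1.mp4"))
    return s

def retained_record_is_clean(entry: ConsentLogEntry) -> bool:
    """True when the consent log entry carries nothing from the biometric field set."""
    return not (set(asdict(entry)) & BIOMETRIC_FIELD_NAMES)

def delete_parent_account(store: Store, parent_id: str) -> list:
    """Hard-delete biometric artifacts and the account; keep (and verify) the consent log entries."""
    account = store.accounts.pop(parent_id)
    for child_id in account["children"]:
        store.embeddings.pop(child_id, None)
        store.photo_crops.pop(child_id, None)
    store.enrollment_videos.pop(account["video_s3_key"], None)
    retained = [e for e in store.consent_log if e.parent_id == parent_id]
    if not all(retained_record_is_clean(e) for e in retained):
        raise RuntimeError("consent log entry carries biometric data; refusing to retain it")
    return retained

if __name__ == "__main__":
    store = seed_store()
    kept = delete_parent_account(store, "parent-1")
    print(f"retained {len(kept)} consent entries; embeddings left: {len(store.embeddings)}")
```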

Third parties

We don't share photos with face recognition APIs (AWS Rekognition, Clearview AI, Google, etc.). The face engine is InsightFace, an open-source model we host ourselves on our own CPU servers.

Our infrastructure providers (AWS for storage + email) handle data on our behalf, subject to their compliance posture. Photos + embeddings stay in our AWS account and aren't used to train any model.

Specific concern?

Email us at support@photoenroll.com.