🏢 HoopFrog is a brand of HoopFrog Inc. — Federal Corporation No. 1467452-9, Alberta, Canada.

HoopFrog Inc. · Last updated: June 2026

Biometric Privacy Policy

\n

Version: 1.0  |  Effective Date: April 18, 2026

\n

HoopFrog is operated by HoopFrog Inc. ("we", "us", "our"). This policy is adopted pursuant to the Illinois Biometric Information Privacy Act, 740 ILCS 14/15(a) (BIPA), the Texas Capture or Use of Biometric Identifier Act (CUBI), Washington’s H.B. 1493, and, for data subjects located in the European Union or United Kingdom, GDPR Article 9 and UK DPA 2018 requirements relating to special-category data.

\n\n

1. Purpose of Collection

\n

We collect facial geometry scores during our selfie age and identity verification process to:

\n
    \n
  • Prevent fraudulent signups (bots, catfish accounts, account takeovers);
    • \n
  • Comply with age-gate regulations (UK Online Safety Act 2023, EU DSA, US state laws) that require us to verify users are aged 18 or over;
    • \n
  • Protect our community from impersonation by matching a live selfie to the profile photos you upload.
    • \n
\n

Facial geometry scores are mathematical representations of the spatial relationships between facial landmarks. They are not photographs and cannot be used to recreate your image.

\n\n

2. Processors and International Transfers

\n

The following sub-processors may process biometric identifiers on our behalf. Each is bound by a Data Processing Agreement and, where applicable, Standard Contractual Clauses (SCCs) for cross-border transfers:

\n
    \n
  • VerifyMy (United Kingdom) — third-party age-assurance provider. Covered by UK GDPR and the EU→UK adequacy decision. SCCs in place for onward transfers.
    • \n
  • Amazon Web Services — Rekognition (United States) — face-matching and liveness detection. Covered by SCCs and the EU–US Data Privacy Framework.
    • \n
  • Microsoft PhotoDNA (United States) — image hash matching for illegal-content screening. Covered by SCCs.
    • \n
\n

No biometric identifier is sold, leased, traded, or otherwise profited from. We do not use biometric data for advertising or analytics.

\n\n

3. Retention Schedule

\n

Biometric identifiers (facial geometry scores) are destroyed when the initial purpose for collection is satisfied (i.e., verification outcome recorded) OR within three (3) years of the individual’s last interaction with the Service, whichever occurs sooner. This complies with BIPA 15(a) "whichever is sooner" standard.

\n

Failed, rejected, or expired verification attempts are purged within 90 days via an automated daily cron job.

\n

Successful verification retains only the outcome flag and a reference identifier; the raw facial geometry score is destroyed immediately after the match result is recorded where the processor’s API permits ephemeral processing.

\n\n

4. Destruction Process

\n

When retention limits are reached, or at user request:

\n
    \n
  • We delete all copies from our own storage (database rows and any derived artifacts).
    • \n
  • We issue deletion instructions to each sub-processor’s API (AWS Rekognition DeleteFaces, VerifyMy data-subject-request endpoint, Microsoft PhotoDNA opt-out endpoint).
    • \n
  • We retain an audit record of the deletion event (without the biometric data itself) to demonstrate compliance.
    • \n
\n\n

5. Legal Basis

\n
    \n
  • GDPR / UK GDPR: Article 9(2)(a) — your explicit consent, given via the Biometric Consent Release screen before selfie capture begins.
    • \n
  • BIPA (Illinois): 740 ILCS 14/15(b) — informed written release signed by the data subject, with full disclosure of purpose and retention schedule.
    • \n
  • Texas CUBI § 503.001 / Washington H.B. 1493: Informed disclosure and consent at the time of collection.
    • \n
  • PIPEDA (Canada): Meaningful consent under Principle 4.3.
    • \n
\n\n

6. Your Rights

\n

You may at any time:

\n
    \n
  • Revoke your consent. Go to Settings → Privacy → Revoke biometric consent. Upon revocation we will delete retained facial geometry from our storage and instruct processors to do the same within 7 days. Note: withdrawing consent does not retroactively invalidate lawful processing that occurred prior to withdrawal.
    • \n
  • Request access to any biometric record we hold about you (GDPR Art. 15, BIPA 15(d)).
    • \n
  • Request deletion. You may request deletion at any time, independent of consent withdrawal.
    • \n
  • Request portability of your verification outcome (pass/fail flag) — though the raw facial geometry score is not portable under current sub-processor APIs.
    • \n
\n\n

7. Security Safeguards

\n

Biometric identifiers in transit are protected by TLS 1.3. At rest, they are encrypted using AES-256 inside each processor’s infrastructure. Access is restricted to the narrow automated pipeline that performs the face match; no human operator at HoopFrog Inc. views raw biometric data in the ordinary course of business.

\n\n

8. Contact

\n

Questions, access requests, or consent revocations relating to biometric data:

\n

HoopFrog Inc.
\nAttn: Privacy Officer (Biometric Requests)
\n3-11 Bellerose Drive, Suite 312
\nSt. Albert, AB T8N 5C9, Canada
\nEmail: support@hoopfrog.com

\n\n

9. Changes to This Policy

\n

If we materially change this policy — for example by adding a new sub-processor or extending retention — we will increment the version number and re-prompt affected users for consent before continuing to process their biometric data under the new terms.