PalmID® IDP Privacy Policy

Last update: May 22, 2020

This is the privacy policy for Redrock Biometrics, Inc. and its affiliates (“Redrock”) for its PalmID® Identity Provider (IDP) service including PalmID Agent, a mobile app for capturing palm images and creating palm models (together, the “Service”).

This policy does not apply to Redrock’s and its affiliates’ handling of personal data unrelated to the Service.

About Our Palm Verification Service

Our Service is built upon Redrock’s palm recognition platform PalmID® that allows for potential user verification and identification by showing the palm of a hand.  If you enroll in the Service, you will use our PalmID Agent application you install on your mobile phone to take pictures or a video of the palm-side of your hands. Our technology analyzes the information in the photos and videos to calculate a unique descriptor for your palm, called a model.  You can then use your palm as a possible means for verifying your identity to the Redrock service directly or to a third-party website or application that you have authorized to use the Service with.

The palm models may be considered sensitive personal data under the laws of your jurisdiction.

About User Service Accounts

To start using benefits of the Service, you must create an account with the Service. Your personal record is comprised of your personal metadata and indirect links to your palm biometric data. Your palm biometric data are stored and matched by an isolated PalmID service, which contains no personal metadata.

Information We Collect from the Palm Recognition Service, How We Collect It and Why

  • Palm photos and videos. If a user chooses to enroll in the Service, we collect the original photos and videos of user’s palms to create the user’s unique palm model in the PalmID Agent app. These original photos and videos never leave the phone and get deleted a palm model is created except in cases where spoofing activity is suspected. (Spoofing is trying to use something other than the real user’s actual palm, in real-time, to create a palm model.) In these rare cases the captured data will be anonymized and used for improving the Service’s anti-spoofing mechanisms.  
  • Palm models. We encrypt all palm models before transmission to our servers. We collect and store the encrypted palm model created from the photos and videos on our servers. When a user of the Service wishes to undergo verification by the Service, or by a 3rd party application or website that has integrated the Service as a means of user verification, the PalmID Agent app creates a temporary candidate palm model, and the Service compares it with the stored palm models to verify the user identity if a match is made.  
  • Device information. When you download and open the PalmID Agent app, we automatically collect data about the device and the camera used in capturing the palm model. We collect this to ensure we deliver the right version of the app for your device.
  • Phone number. When you create an account with the Service using the PalmID Agent app, we ask you to provide a phone number. If you use the app to then create a palm model, we link the phone number to the palm model. We collect the phone number to use as an identifier for your PalmID account and to speed up the time to process a verification attempt.
  • Account history and verification history. When you use the PalmID Agent app to log into a third party service or verify user identity, we may collect information associated with your login activity including your IP address, device ID, what third party service you logged into using the Service, geolocation data, and timestamp. We collect this information in case there are questions about performance of the Service or verification history.

Your Control Over Your Information and Palm Model

In order to enroll your palm model using the PalmID Agent, and to use the Service, you must first provide your consent. We rely on your consent to provide the lawful basis for the processing of your personal data, including your palm models.

You may withdraw your consent by deleting your palm models from the Service by using the “Erase” function in your profile in the PalmID Agent app.  This deletion completely wipes out your biometric information from our servers. Because we do not store any security tokens other than users’ palms, your identity must be successfully verified using palm matching prior to the models’ deletion. We are not otherwise technically able to process a request to delete a palm model (such as through an emailed request). Deletion of your palm model does not delete the record of your prior transactions with the deleted palm model, or your account activity. We may retain verification transaction and other account activity records for up to one year, or longer if there is an ongoing investigation.

You may update your palm model at any time by deleting your stored palm models and completing the enrollment process again through the PalmID Agent app. It is not otherwise possible to review or correct your palm model.

Use of Service Data

We use the information we collect, store and process from the Service as follows:

  • To provide the Service
  • To improve the Service, including by training our model extraction algorithms, and increasing the speed by which matches of palm images to models are made.
  • To improve anti-spoofing capability of the Service.
  • To enforce the legal terms that govern the Service.

Sharing of Your Information and Palm Models

If you use the Service to log into or verify user identity with a third party application or program, that third party application or program is able to access a record of the phone number that you provided to the Service. We may also share information with the third party in the event of suspected suspicious or fraudulent activity. The third-party application or program will not have direct access to your palm model. 

In addition, we may disclose personal information that we collect, or you provide as described in this policy:

  • To contractors and other third-party service providers we use to support our business. However, these service providers do not have any independent right to share this information (except pursuant to a legal requirement such as a subpoena or warrant).
  • To our subsidiaries or affiliates.
  • To fulfill the purpose for which you provide the information or for any other purpose disclosed by us when you provide the information.
  • To a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation or similar proceeding, in which personal information held by Redrock about our users is among the assets transferred.

We may also disclose your personal data, including palm models:

  • To comply with any law, court order, legal process, or government or regulatory request.

Data Security, Storage and Retention of Palm Models

We maintain physical, organizational, and technical safeguards to manage data security risks, including with respect to palm models.

We encrypt and store palm models in a dedicated database which stores only the encrypted models.

We hold palm models until the earlier of (1) your request to delete your palm models and (2) 3 years after your last use of the Service. We hold other personal data for as long as necessary to fulfill the purposes set forth in this policy or as long as we are legally required or permitted to do so. However, information may persist in copies made for backup and business continuity purposes for longer than the original data.

International Users and International Data Transfers

We are based in the United States. If you are outside the United States, please be aware that privacy laws in the United States may not provide as much protection as the country in which you are located.

In order to enroll your palm model using the PalmID Agent, and to use the Service, you must first provide your consent. If you are outside the United States, we rely on your consent to provide the lawful basis for the transfer of your personal data, including your palm models, to the United States and to any other jurisdictions where we may transfer it to provide the Service or otherwise under this privacy policy. 

If the laws of your jurisdiction do not permit collection, processing and transfer of biometric data based on consent, then you may not use the Service.

Children under the Age of 18

The Services are not intended for anyone under 18 years of age. 

Changes to Our Privacy Policy

The date the privacy policy was last revised is identified at the top of the page. We will post any changes we make to our privacy policy on this page with a notice that the privacy policy has been updated via phone text message to the phone number specified in your account. You are responsible for ensuring we have an up-to-date active phone number, and for periodically visiting this privacy policy to check for any changes.

Contacting Redrock

To ask questions or comment about this privacy policy and our privacy practices, you may contact Redrock in the following ways:

Web: http://www.redrockbiometrics.com/

Postal:

Redrock Biometrics, Inc.
649 Mission Street, 5th floor
San Francisco, CA 94105

Email: idp@redrockbiometrics.com