Biometric Information Policy

Effective Date: [DATE — TODO: set before launch]

This Biometric Information Policy ("Policy") explains how Smiley Pay Limited ("Smiley Pay," "Company," "we," "our," or "us") collects, uses, stores, retains, protects, and permanently destroys biometric information used in connection with the Smiley Pay biometric authentication platform.

This Policy supplements our Privacy Policy and Terms of Service and applies to all users who voluntarily enroll in Smiley Pay's biometric authentication system.

1. Purpose

Smiley Pay provides biometric identity verification technology that enables users to authenticate themselves using facial recognition for payment authorization and related authentication services.

This Policy explains our biometric data practices and our commitment to protecting user privacy.

2. Definitions

For purposes of this Policy:

Biometric Identifier means data generated from an individual's unique biological characteristics that can be used to identify that individual.

Biometric Information means information based on a biometric identifier that is used for identification or authentication purposes.

For Smiley Pay, biometric information may include:

• Facial photographs captured during enrollment
• Live facial images captured during authentication
• Facial geometry measurements
• Facial recognition templates
• Mathematical feature vectors or embeddings derived from facial images
• Authentication records
• Verification logs associated with biometric authentication

Biometric information does not include information that has been permanently anonymized so that it cannot reasonably be associated with an identifiable individual.

3. Biometric Information We Collect

When a user voluntarily enrolls in Smiley Pay, we may collect:

• One or more facial images
• Live facial scans
• Facial landmarks
• Facial geometry
• Encrypted biometric templates
• Mathematical embeddings generated from facial images
• Authentication timestamps
• Authentication success or failure records
• Security and fraud prevention logs related to authentication events

Smiley Pay seeks to minimize the amount of biometric information collected and processes only information reasonably necessary to provide the Service.

4. Purposes of Collection

Biometric information is collected and processed solely for legitimate business purposes, including:

• Identity verification
• User authentication
• Payment authorization
• Fraud prevention
• Account recovery
• Security monitoring
• Detection of unauthorized account access
• Improving authentication accuracy and system security
• Compliance with legal obligations

Smiley Pay does not collect biometric information for advertising, behavioral marketing, or sale to third parties.

5. User Consent

Biometric information is collected only after the user voluntarily enrolls and provides affirmative consent through electronic acceptance of Smiley Pay's Terms of Service, Privacy Policy, and this Biometric Information Policy.

Users may withdraw consent at any time by deleting their account or contacting Smiley Pay.

Withdrawal of consent may prevent future use of biometric authentication features.

6. Creation and Storage of Biometric Data

During enrollment, Smiley Pay collects and securely stores facial images provided by the user for the purpose of biometric authentication. These facial images may also be processed using machine learning algorithms to generate encrypted biometric templates, facial geometry measurements, or mathematical feature embeddings used to facilitate identity verification.

When a user authenticates, a newly captured live facial image may be compared against the user's stored facial images and/or biometric templates to verify identity and authorize access to the Service.

Stored facial images and derived biometric templates are maintained solely for authentication, fraud prevention, security, and operation of the Service, and are protected using reasonable administrative, technical, and organizational safeguards designed to prevent unauthorized access or disclosure.

7. Use of Live Facial Images

When a user authenticates at a participating merchant, Smiley Pay may temporarily process a live facial image to compare it against the user's enrolled biometric data.

Live authentication images may be retained only for fraud prevention, security investigations, system diagnostics, legal compliance, or dispute resolution where reasonably necessary.

8. Retention of Biometric Information

Smiley Pay retains biometric information only for as long as reasonably necessary to:

• Provide authentication services
• Maintain account security
• Detect fraud
• Investigate unauthorized activity
• Comply with legal obligations
• Resolve disputes
• Enforce agreements

Biometric information will generally be deleted when:

• The user permanently deletes their account;
• The user withdraws biometric consent; or
• The information is no longer reasonably necessary for the purposes for which it was collected,

unless retention is required or permitted by applicable law.

9. Destruction of Biometric Information

When biometric information is no longer required to provide the Service or satisfy legal obligations, Smiley Pay will permanently delete or irreversibly anonymize such information using commercially reasonable methods designed to prevent recovery or reconstruction.

Deletion may include secure destruction of biometric templates, embeddings, facial images, authentication records, and related biometric databases.

Backups containing biometric information may persist for a limited period until overwritten in accordance with routine backup schedules and legal requirements.

10. Disclosure of Biometric Information

Smiley Pay does not sell, rent, lease, trade, or otherwise monetize biometric information.

Biometric information may be disclosed only:

• To service providers acting on Smiley Pay's behalf under confidentiality obligations
• To cloud infrastructure providers necessary to operate the Service
• To fraud prevention providers assisting with platform security
• To governmental authorities when legally required
• Pursuant to a valid subpoena, court order, or other legal process
• In connection with a merger, acquisition, or corporate restructuring where permitted by law

Recipients may receive only the information reasonably necessary to perform their authorized functions.

11. Security Safeguards

Smiley Pay implements reasonable administrative, technical, organizational, and physical safeguards designed to protect biometric information.

These safeguards may include:

• Encryption during transmission
• Encryption at rest
• Access controls
• Multi-factor authentication
• Role-based access restrictions
• Audit logging
• Security monitoring
• Intrusion detection
• Penetration testing
• Regular security assessments

Despite these safeguards, no information system can be guaranteed completely secure.

12. User Rights

Subject to applicable law, users may request:

• Access to their biometric information
• Deletion of biometric information
• Withdrawal of biometric consent
• Closure of their account
• Information regarding Smiley Pay's retention practices

Requests may require verification of identity before processing.

13. Policy Changes

Smiley Pay may modify this Policy from time to time.

Updated versions become effective upon posting or otherwise notifying users.

Continued use of the Service after the effective date constitutes acceptance of the revised Policy.

14. Contact Information

Smiley Pay Limited
Address: [ADDRESS — TODO: set before launch]
Email: privacy@smileylimited.com
Website: smileylimited.com

Questions regarding biometric information practices, deletion requests, or withdrawal of biometric consent may be directed to the contact information above.