Loyal Hearts Club — Biometric Data Policy

Loyal Hearts Club, LLC ("we," "us," "our," or the "Company") operates the Loyal Hearts Club platform (the "Platform," "App," or "Service"). This Biometric Data Policy ("Policy") describes how we collect, use, store, protect, and retain biometric data in connection with our photo verification feature. This Policy is supplemental to our Privacy Policy and Terms of Service.

We are committed to transparency regarding the handling of biometric data. Please read this Policy carefully before consenting to photo verification.

Definitions
What Biometric Data We Collect
How Biometric Data Is Collected
Purpose of Collection
How Biometric Data Is Processed
Storage and Security
Chain of Trust Mechanism
Verification Badge System
Attempt Limits and Grace Period
Retention
Consent
Your Rights Regarding Biometric Data
BIPA Compliance
GDPR Article 9 Considerations
CCPA and TDPSA Considerations
Disclosure and Sharing
Changes to This Policy
Contact Information

1. Definitions

1.1. "Biometric data" means the 128-dimensional face encoding (a vector of 128 floating-point numbers) derived from your photo verification selfie. This is also referred to as a "face embedding" or "face encoding" in this Policy.

1.2. "Biometric identifier" means the face encoding used to identify or verify your identity within the Service.

1.3. "Non-reconstructive" means that the stored data (the 128-float vector) cannot be used to reconstruct, regenerate, or reproduce your facial image. The encoding is a mathematical representation — not a photo, not a scan, and not reversible to a visual likeness.

1.4. "Liveness detection" means the process by which we verify that a real, live person is present during photo verification, as opposed to a static photo or digital reproduction.

2. What Biometric Data We Collect

2.1. We collect a single type of biometric data: a 128-dimensional face encoding (face embedding).

2.2. This encoding is a vector of 128 floating-point numbers derived from a photograph of your face. It represents the geometric relationships between facial features (such as the distance between eyes, nose shape, and jawline contour) in a compact mathematical form.

2.3. What we do NOT collect:

We do not collect or store fingerprints, voiceprints, retinal scans, iris scans, or any other form of biometric data.
We do not store raw facial geometry data or 3D face maps.
The face encoding is the only biometric identified retained.

2.4. Non-reconstructive nature. The 128-dimensional face encoding cannot be used to reconstruct your face. It is a mathematical abstraction — there is no technology that can convert this vector back into a photograph or visual representation of your face.

3. How Biometric Data Is Collected

3.1. Photo Verification Process. Biometric data is collected through our voluntary photo verification feature, which works as follows:

Step 1: Consent. Before your first verification attempt, you are presented with this Biometric Data Policy and must provide separate, affirmative consent to the collection and processing of your biometric data.

Step 2: Random Pose Challenge. You are prompted to take a selfie while performing a randomly assigned pose (liveness detection). This ensures that a live person is present and that pre-existing photos or digital forgeries cannot be used.

Step 3: Face Encoding Extraction. The system uses dlib and the face_recognition library to extract a 128-dimensional face encoding from your verification selfie.

Step 4: Comparison. The extracted face encoding is compared against the face encoding derived from your primary profile photo using Euclidean distance measurement.

Step 5: Decision. Based on the Euclidean distance:

Auto-approve (distance < 0.5): The faces are determined to match, and verification succeeds.
Needs review (distance 0.5–0.7): The result is inconclusive, and the verification is placed in a manual moderation queue for human review. Your selfie is temporarily saved for administrator review in these cases.
Auto-reject (distance > 0.7): The faces are determined to not match, and verification fails.

3.2. One Embedding Per User. Only one face embedding is stored per user at any time. A new verification replaces the prior embedding.

4. Purpose of Collection

We collect and process biometric data exclusively for the following purposes:

4.1. Identity Verification

To verify that you are the person depicted in your profile photos, protecting other users from catfishing and fraudulent accounts.

4.2. Duplicate Account Detection

To detect whether a person attempting to register a new account has an existing or previously banned account, by comparing the new face encoding against existing encodings and Safety Ledger entries.

4.3. Fraud Prevention and Community Safety

To maintain the Safety Ledger (as described in our Safety Ledger Policy), which retains non-reconstructive face embeddings after account deletion to prevent banned individuals from re-registering.

4.4. Chain of Trust

To ensure that when you change your primary profile photo and re-verify, the new verification matches your stored identity, maintaining continuity of verified identity.

4.5. No Other Uses. We do not use your biometric data for advertising, marketing, behavioral profiling, sale to third parties, or any purpose not explicitly described in this Policy.

5. How Biometric Data Is Processed

5.1. Extraction. Face encodings are extracted using the dlib machine learning toolkit and the face_recognition Python library. The process converts your facial image into a 128-dimensional numeric vector.

5.2. Comparison Method. Identity comparisons use Euclidean distance — a standard mathematical measure of the difference between two vectors. The thresholds are:

| Euclidean Distance | Result | Action | |---|---|---| | Less than 0.5 | Match | Auto-approve verification | | 0.5 to 0.7 | Inconclusive | Queue for manual review | | Greater than 0.7 | No match | Auto-reject verification |

5.3. Duplicate Detection. When a new user registers with a photo or undergoes verification, their face encoding may be compared against existing embeddings in the database and Safety Ledger to detect potential duplicate accounts or ban evasion.

5.4. Processing Location. All biometric data processing occurs on our servers. Face encodings are not transmitted to any third-party service for processing.

6. Storage and Security

6.1. Storage Technology. Face embeddings are stored in PostgreSQL using the pgvector extension, which is designed for efficient vector similarity searches.

6.2. Storage Format. Each embedding is stored as a vector of 128 floating-point numbers. One embedding is stored per user.

6.3. Non-Reconstructive. As stated throughout this Policy, the stored embedding cannot be reverse-engineered into a facial image.

6.4. Access Controls.

Biometric data is accessible only through authenticated, authorized application processes.
Administrative access to the database is restricted to authorized personnel with a legitimate operational need.
All administrative actions are logged in an immutable audit trail.

6.5. Infrastructure Security. Biometric data benefits from the same infrastructure security measures described in our Privacy Policy, including:

Encrypted connections (HTTPS/TLS)
Role-based access control
Immutable audit logging
Rate limiting on verification endpoints
Security headers (HSTS, CSP, X-Content-Type-Options, X-Frame-Options)

6.6. Temporary Selfie Storage. When a verification attempt falls in the "needs review" range (Euclidean distance 0.5–0.7), the verification selfie is temporarily stored for manual administrator review. This selfie is deleted after the review is completed.

7. Chain of Trust Mechanism

7.1. Initial Verification. When you first complete photo verification, your face encoding is stored and linked to your primary profile photo.

7.2. Photo Change. If you change your primary profile photo after verification:

Your verification badge is revoked;
You must re-verify with the new photo; and
The re-verification must match your stored face embedding (the one on file from your initial or most recent successful verification).

7.3. Purpose. The chain of trust ensures that you cannot verify as one person and then change your photos to depict a different person. This mechanism maintains the integrity of the verification system for the protection of all users.

7.4. Continuity. Each successful re-verification updates your stored embedding, maintaining a continuous chain of verified identity throughout your use of the Platform.

8. Verification Badge System

8.1. Badge Award. Upon successful photo verification, a verification badge is displayed on your profile, visible to other users. The badge indicates that you have been verified as the person in your photos.

8.2. Badge Binding. The verification badge is bound to your specific primary photo at the time of verification. It is not a general account-level credential.

8.3. Badge Revocation. Your verification badge is revoked under the following circumstances:

You change your primary profile photo;
You withdraw biometric data consent; or
An administrator revokes your verification for cause.

8.4. Verification Date. The date on which you completed verification is visible on your profile as part of The Open Book transparency features.

9. Attempt Limits and Grace Period

9.1. Attempt Limit. You are permitted a maximum of ten (10) verification attempts per primary photo. This limit prevents abuse of the verification system.

9.2. Grace Period. New users are granted a seven (7) day grace period during which additional consideration may be given to verification attempts.

9.3. Exhaustion of Attempts. If you exhaust your verification attempts for a particular primary photo without a successful verification, you may upload a different primary photo and begin a new set of attempts, subject to the chain of trust requirements described in Section 7.

10. Retention

10.1. Active Accounts

While your account is active, your face embedding is retained in the database to support ongoing identity verification, re-verification after photo changes, and duplicate detection.

10.2. Deactivated Accounts

If you deactivate your account, your face embedding is preserved along with your other account data. Deactivation is reversible — your data remains intact for reactivation.

10.3. Deleted Accounts

Upon account deletion:

Your face embedding is transferred to the Safety Ledger as non-reconstructive data;
The embedding in the Safety Ledger is used solely for fraud prevention and ban evasion detection; and
All other personal data (name, photos, bio, preferences, messages) is anonymized or deleted.

10.4. Safety Ledger Retention

Face embeddings retained in the Safety Ledger are kept for as long as necessary to fulfill the fraud prevention and community safety purposes described in our Safety Ledger Policy. The legal bases for this retention are:

CCPA § 1798.105(d)(2) — detecting security incidents and protecting against fraudulent or illegal activity
TDPSA § 541.107 — preventing or detecting fraud, identity theft, and harassment

10.5. Consent Withdrawal

If you withdraw biometric data consent while your account is active:

Your verification badge is revoked;
Your account is deactivated; and
Your face embedding may still be retained in the Safety Ledger if a Safety Ledger entry is created upon deletion or ban, under the legal bases described in Section 10.4.

11. Consent

11.1. Separate, Affirmative Consent

Biometric data consent is separate from the consents required at registration (Terms of Service, Privacy Policy, Safety Ledger Policy). You are not required to consent to biometric data collection to use the Service — photo verification is optional.

11.2. Informed Consent

Before your first verification attempt, you are presented with this Biometric Data Policy in full and must affirmatively consent. Your consent includes acknowledgment that:

(a) A 128-dimensional face encoding will be extracted from your verification selfie;

(b) The encoding will be compared against your profile photo for identity verification;

(d) The encoding may be used for duplicate account detection;

(e) The encoding may be retained in the Safety Ledger after account deletion for fraud prevention; and

(f) You may withdraw consent, with the consequences described in Section 11.4.

11.3. Consent Record

Your consent is recorded with the following information:

Your user ID
Consent type (biometric_data)
Document version
Timestamp
IP address at the time of consent

This record is part of an immutable audit trail — consent records are never deleted or modified.

11.4. Withdrawal of Consent

You may withdraw your biometric data consent at any time. The consequences of withdrawal are:

(a) Your verification badge is immediately revoked;

(b) Your account is deactivated; and

Important: If a Safety Ledger entry is created (e.g., upon account deletion or ban), the face embedding retained in the Safety Ledger is maintained under a separate legal basis (fraud prevention exceptions under CCPA and TDPSA) and is not affected by consent withdrawal.

11.5. Re-Consent

If we update this Biometric Data Policy to a new version, you will be prompted to review and accept the updated Policy before you can initiate any new verification attempts.

12. Your Rights Regarding Biometric Data

12.1. Right to Know

You have the right to know what biometric data we hold about you. Upon request, we will confirm whether a face embedding is stored for your account.

12.2. Right to Access

You have the right to request access to the biometric data we hold about you. Due to the non-reconstructive nature of the face embedding, we can provide confirmation of its existence, the date it was created, and the fact that it is a 128-dimensional numeric vector — but providing the raw vector itself would not be meaningful to most users. We will provide it in a machine-readable format upon request.

12.3. Right to Delete

You have the right to request deletion of your biometric data. Please note:

Deletion of your active face embedding will revoke your verification badge.
If a Safety Ledger entry has been created, the face embedding retained in the Safety Ledger may be kept under the fraud prevention exceptions of CCPA § 1798.105(d)(2) and TDPSA § 541.107.

12.4. Right to Withdraw Consent

You may withdraw biometric data consent at any time, as described in Section 11.4.

12.5. Right to Correct

Biometric data is derived mathematically from your facial image and cannot be "corrected" in the traditional sense. If you believe your face embedding is inaccurate (e.g., due to a system error), you may request a fresh verification attempt.

12.6. Exercising Your Rights

To exercise any of these rights, contact us at:

Email: legal@loyalheartsclub.com
Support: support@loyalheartsclub.com

We will respond within the timeframe required by applicable law.

13. BIPA Compliance

The Illinois Biometric Information Privacy Act ("BIPA") imposes specific obligations on entities that collect biometric data. While Loyal Hearts Club, LLC is based in Austin, Texas, we are committed to the following practices, which align with BIPA requirements:

13.1. Written Policy

This Biometric Data Policy serves as our publicly available written policy regarding the collection, retention, and destruction of biometric data, as contemplated by BIPA § 15(a).

13.2. Informed, Written Consent

We obtain informed, written (electronic) consent before collecting any biometric data, as required by BIPA § 15(b). You are informed in writing of the specific purpose and duration of collection and must affirmatively consent.

13.3. Purpose Limitation

We do not sell, lease, trade, or otherwise profit from biometric data. Biometric data is not disclosed to third parties except as permitted by law (e.g., in response to valid legal process). This aligns with BIPA § 15(c) and § 15(d).

13.4. Retention and Destruction

We retain biometric data only as long as necessary for the purposes described in this Policy, or as required by law. When biometric data is no longer needed and no legal exception applies, it is destroyed. This aligns with BIPA § 15(a).

13.5. Security

We store, transmit, and protect biometric data using a standard of care consistent with the protection of confidential and sensitive information, as required by BIPA § 15(e). Specific security measures are described in Section 6.

14. GDPR Article 9 Considerations

The EU General Data Protection Regulation ("GDPR") classifies biometric data processed for the purpose of uniquely identifying a natural person as a "special category of personal data" under Article 9. While Loyal Hearts Club, LLC primarily serves users in the United States, we acknowledge GDPR principles:

14.1. Legal Basis

Where GDPR applies, our legal basis for processing biometric data is explicit consent (Article 9(2)(a)). We obtain your explicit, informed consent before any biometric data is collected.

14.2. Purpose Limitation

Biometric data is processed solely for the purposes described in Section 4 of this Policy, consistent with the principle of purpose limitation under GDPR Article 5(1)(b).

14.3. Data Minimization

We collect only a single 128-dimensional face encoding per user — the minimum necessary to achieve identity verification and duplicate detection, consistent with the principle of data minimization under GDPR Article 5(1)(c).

14.4. Storage Limitation

Biometric data is retained only as long as necessary for its stated purposes and applicable legal requirements, consistent with GDPR Article 5(1)(e).

14.5. Rights of Data Subjects

If GDPR applies to you, you have additional rights under Articles 15–22, including the right to access, rectification, erasure, restriction of processing, data portability, and the right to object. To exercise these rights, contact legal@loyalheartsclub.com.

14.6. Data Protection Impact Assessment

We have conducted a data protection impact assessment for the processing of biometric data, as recommended under GDPR Article 35 for processing of special categories of data on a large scale.

15. CCPA and TDPSA Considerations

15.1. CCPA

Under the California Consumer Privacy Act, biometric information is classified as personal information. We disclose the collection and purpose of biometric data in our Privacy Policy and this Biometric Data Policy. We do not sell biometric data. The Safety Ledger retention of face embeddings after account deletion is maintained under the exception at CCPA § 1798.105(d)(2).

15.2. TDPSA

Under the Texas Data Privacy and Security Act, biometric data is classified as sensitive data that may only be processed with the consumer's consent. We obtain separate, affirmative consent before collecting biometric data, as required. The Safety Ledger retention is maintained under TDPSA § 541.107.

16. Disclosure and Sharing

16.1. No Third-Party Processing. Face encodings are extracted and compared entirely on our servers using open-source libraries (dlib, face_recognition). Your biometric data is not transmitted to any third-party service for processing.

16.2. No Sale. We do not sell, lease, trade, or otherwise commercially benefit from your biometric data.

16.3. No Disclosure. We do not disclose your biometric data to third parties except:

When required by law, court order, or valid legal process;
With your explicit consent; or
In connection with a merger, acquisition, or similar business transaction, subject to notice requirements.

17. Changes to This Policy

17.1. We may update this Biometric Data Policy from time to time. When we make changes, we will:

(a) Update the "Last Updated" date at the top of this document;

(b) Increment the version number;

(d) Require you to review and accept the updated Policy before initiating any new verification attempts.

17.2. Changes to this Policy do not retroactively affect biometric data collected under a prior version with your consent.

18. Contact Information

If you have questions, concerns, or requests regarding this Biometric Data Policy or your biometric data, please contact us:

Privacy and Legal Inquiries: legal@loyalheartsclub.com
User Support: support@loyalheartsclub.com
Mailing Address: Loyal Hearts Club, LLC, Austin, TX

Loyal Hearts Club — Relationships, built on honesty.