KEYper BIOMETRIC POLICY

KEYper Systems (“KEYper”) has instituted the following policy related to any finger-sensor or biometric data that KEYper may possess, if any, as a result of KEYper’s customers’ and customers’ employees’ and/or other individuals who are provided access to the KEYper devices (“User” or “Users”) and/or use of KEYper products and services and whose data is transmitted or disclosed to KEYper by its customers. KEYper’s customers are responsible for developing and complying with their own biometric data policies, including retention and destruction policies, as may be required under applicable law as further set forth below.

BIOMETRIC DATA DEFINED

As used in this policy, biometric data means any biological characteristics of a person, or information based upon such a characteristic, including characteristics such as those defined as “biometric identifiers” and “biometric information” under the Illinois Biometric Information Privacy Act, 740 ILCS 14/1, et seq. (“BIPA”). Biometric identifier” means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. “Biometric information” means any information, regardless of how it is captured, converted, stored, received through trade or otherwise obtained or shared, based on an individual’s biometric identifier used to identify an individual. The KEYper devices utilize a finger-sensor which may be considered to collect biometric data.

COLLECTION, STORAGE, USE, AND TRANSMISSION OF BIOMETRIC DATA

KEYper’s customers are responsible for compliance with applicable law, governing any collection, capture, receipt through trade or otherwise obtained, possession, storage, use, and/or transmission of biometric data they conduct or facilitate, including, but not limited to, BIPA; Tex. Bus. & Com. Code § 503.001; Wash. Rev. Code § 19.375.020; Virginia Consumer Data Privacy Act, § 59.1-574(A)(5); “the New York Stop Hacks and Improve Electronic Data Security Act, N.Y. Gen Bus. Law § 899-bb; “Arkansas Code § 4-110-103(7); Colorado Privacy Act. Colo. Rev. Stat. 6-1-1301 et.seq. and any other local, state and federal statute enacted into law. KEYper’s customers shall obtain written authorization from each User of KEYper devices to collect, capture, receive or otherwise obtain, possess, store, use, and/or transmit biometric data prior to the collection of such data. Specifically, KEYper must inform its customers that they must:

1.          Establish a retention and destruction schedule that complies with any required statute including, but not limited to, BIPA, must make such policy available to the public and need to follow that schedule with timely data deletion;

2.          Notify the subjects of collection or Users, in writing, that finger-sensor data is being collected, captured, received through trade, otherwise obtained, possessed, stored, used, and disclosed by KEYper’s customers and/or KEYper;

3.          Notify the subjects of collection or Users in writing of the purposes and length of term that finger-sensor data is being collected, captured, received through trade, otherwise obtained, possessed, stored, used and disclosed by KEYper’s customers and/or KEYper; and

4.           Obtain a written release consenting to the collection, capture, receipt through trade or otherwise obtain, possession, storage, use and disclosure of finger-sensor data by KEYper customers and/or by KEYper.

KEYper and/or its vendors may receive, store, use and/or transmit any biometric data solely for access to KEYper devices and keys stored therein. Neither KEYper nor its vendors will sell, lease or trade any biometric data that it receives from customers or customer employees as a result of their use of KEYper devices and services.

RETENTION SCHEDULE

KEYper will retain any client’s employee’s or User’s biometric data in KEYper’s possession, if any, until the customer notifies KEYper Systems that it has terminated the employee or User or discontinued their access to the KEYper devices. When KEYper Systems receives notification that (1) a customer’s employee’s employment has been terminated or the employee’s or User’s access has been discontinued; or (2) the customer otherwise has discontinued using the KEYper devices; or (3) the User requests in writing that his/her data be deleted. KEYper’s retention of finger-sensor or biometric data shall be no longer than the earlier of the date when (i) the customer ceases to have a relationship with KEYper or (ii) within three (3) years after the customer informs KEYper that its last interaction with User has occurred.

BIOMETRIC DATA STORAGE

KEYper and/or its vendors shall use the reasonable standard of care in KEYper’s industry to store, transmit and protect from disclosure any finger-sensor or biometric data collected or received, and shall store, transmit, and protect from disclosure all finger-sensor or biometric data in a manner that is the same as or more protective than the manner in which KEYper stores, transmits, and protects other personal information of Users.