SELFISH SOFTWARE LTD. - AI & BIOMETRIC DATA POLICY

Last Updated: January 24, 2026

This Policy details how Selfish Software Ltd. ("Selfish," "we") processes biometric data and constitutes our written policy for biometric data retention and destruction as required by the Illinois Biometric Information Privacy Act (740 ILCS 14/15(a)) and similar laws.

---

1. DEFINITIONS

"Biometric Identifier" means a scan of hand or face geometry, as defined by applicable law.

"Biometric Information" means any information based on a biometric identifier used to identify an individual.

"Faceprint" means a numerical representation of facial features used for matching purposes.

---

2. WHAT WE COLLECT

2.1 Biometric Data Collected

We collect biometric data in the form of facial geometry measurements ("faceprints") derived from:

Photos uploaded by Event Hosts

Selfies uploaded by Guests for matching

2.2 Purpose

Biometric data is collected and used solely for the purpose of enabling facial recognition photo matching within our Service.

---

3. CONSENT REQUIREMENTS

3.1 Event Host Responsibility

Event Hosts are responsible for obtaining written releases from all individuals depicted in photos they upload, including:

Informing individuals that biometric data will be collected and stored

Informing individuals of the specific purpose and duration of collection

Obtaining written consent for such collection and storage

3.2 Guest Consent

Before uploading a selfie, Guests are informed:

1. Collection: We will capture a scan of facial geometry from the selfie

2. Purpose: To create a temporary biometric identifier for matching against event photos

3. Retention: The selfie and faceprint are immediately and permanently deleted after matching

4. No Sale: We do not sell, lease, or trade biometric data

By clicking the camera button, Guests provide written release for this collection as required by applicable law.

---

4. DATA RETENTION AND DESTRUCTION

4.1 Schedule

| Data Type | Retention |

|-----------|-----------|

| Guest Selfie | Immediately deleted after matching |

| Guest Faceprint | Immediately deleted after matching |

| Event Biometric Index | Until Host deletion or 1 year maximum |

4.2 Destruction Protocol

Biometric data is destroyed when the initial purpose for collection is satisfied

In no event is biometric data retained longer than three (3) years from the individual's last interaction

Destruction is permanent and irreversible

4.3 No Backup of Guest Data

Guest selfies and temporary faceprints are never written to persistent storage or included in backups.

---

5. PROHIBITION ON SALE AND DISCLOSURE

We do not sell, lease, trade, or otherwise profit from biometric data.

We do not disclose biometric data except:

To service providers bound by confidentiality obligations for the sole purpose of providing the Service

With consent of the individual

As required by law

---

6. SECURITY

We protect biometric data using:

Encryption at rest and in transit

Access controls limiting data access to automated systems

Secure infrastructure

We store, transmit, and protect biometric data using a reasonable standard of care as required by applicable law.

---

7. MULTI-JURISDICTION COMPLIANCE

7.1 Illinois (BIPA)

We comply with all requirements of 740 ILCS 14/1 et seq., including written consent, retention limits, destruction protocols, and prohibition on sale.

7.2 Texas (CUBI)

We do not capture biometric identifiers for commercial purposes without consent, do not sell or disclose them, and destroy them within a reasonable time.

7.3 Washington

We provide notice, obtain consent, and do not sell or trade biometric identifiers.

7.4 GDPR (EEA/UK)

Biometric data is processed only with explicit consent under Article 9(2)(a).

7.5 CCPA/CPRA (California)

We disclose biometric data collection, honor deletion requests, and do not sell biometric information.

---

8. CONTACT

For questions about this Policy: info@selfish-events.com

Selfish Software Ltd.

Israel

Selfish Software Ltd. - AI & Biometric Data Policy