BioEntries

1. Introduction

BDFM Management Ltd (“BDFM”, “we”, “our”, “us”) provides the BioEntries mobile application (the “App”) and related services to enable attendance, access control, incident reporting, deliveries, and site management. Protecting personal information is a fundamental responsibility. This Privacy Policy explains what personal data we collect, how we use it, how it is stored, and how users can exercise their rights.

We are registered with the Information Commissioner’s Office (ICO) and operate in accordance with applicable United Kingdom data protection laws.

2. Scope and Who This Applies To

This policy applies to:

• Individuals who register to use the BioEntries App or services with a valid subscription, regardless of location.
• Users who access the App for attendance, access control, incident reporting, deliveries, or site management.
• Administrators or account holders who manage user information and reporting through the App or web portal.

3. Summary of Key Points

• Purpose of processing: Attendance marking, access control, incident and delivery workflows, reporting, and site safety.
• Facial recognition: Used to identify registered users for check-in/check-out (attendance) and access control.
• Storage: All personal and biometric data are stored securely on our VPS servers managed by BDFM Management Ltd.
• Sharing: We do not sell facial or other personal data to third parties. We may engage trusted subprocessors (for hosting or maintenance) under strict contractual terms.
• Retention: Data are retained while a valid subscription is active and deleted upon termination or written request.
• Contact for privacy requests: [email protected]

4. What Personal Data We Collect

We collect only the personal data necessary to provide the BioEntries services. This includes:

• Account & Identity Data: Full name, company (if applicable), email address, job title, and phone number (as provided by the user or their organisation).
• Identification Documents: In some cases, we may collect copies or details of identification documents such as passports, driving licences, or other official ID forms to verify user identity or to comply with client, site security, or legal requirements.
• Facial / Biometric Data: Facial feature templates or biometric-derived vectors generated from submitted images. These templates are used by our recognition model to identify users for attendance and access control. (See Section 6 for details.)
• Location Data: Approximate geolocation to enforce attendance radius rules when marking attendance (only if enabled by the user or client).
• Usage & Event Data: Attendance logs (check-in/check-out timestamps), live events, device identifiers relevant for system functionality, incident reports, and delivery details entered into the App.
• Device / Technical Data: Device model, operating system version, IP address, and other diagnostic data necessary for service delivery and troubleshooting.

5. How We Collect Data

• User registration via a secure sign-up link or QR code provided by BioEntries.
• Submission of user details and photographs for facial recognition registration within the App.
• Administrator entry via the web portal for enrolment and user management.

6. Facial Recognition — How It Works & Why We Collect It

• What we collect: Biometric-derived facial feature templates (vectors) produced from submitted images. These templates are used to match faces for attendance and access control.
• Why we collect it: To enable fast, contactless, and accurate attendance and access for registered users, and to generate reports required for safety and auditing purposes.
• Consent: Users must submit their details and explicitly agree to the use of their facial information for attendance during registration. Registration will not proceed without consent.
• Server storage: Facial templates and related attendance logs are securely stored in encrypted form on our VPS servers.

7. Legal Basis for Processing

• Contractual necessity — processing required to provide services to our users and subscribers.
• Legitimate interests — ensuring security, safety, and accurate attendance records, balanced against users’ rights and freedoms.
• Consent — when users explicitly consent to facial recognition processing during registration where required by law.

8. Where Data Is Stored & Security Measures

• Storage: All personal and biometric data are stored exclusively on secure VPS servers managed by BDFM Management Ltd. Our servers are located in the United Kingdom. If any transfer outside the UK/EU occurs, we implement appropriate safeguards such as standard contractual clauses.
• Security measures: We apply administrative, technical, and physical security measures, including encryption in transit (TLS) and at rest, role-based access controls, secure authentication, regular access reviews, and vulnerability testing. Access to personal data is restricted to authorised staff and subprocessors under contract.
• Subprocessors: Trusted third-party subprocessors may assist with hosting or system maintenance, and are contractually bound to process data only under our instructions and with appropriate safeguards.

9. Sharing & Third Parties

• We do not sell facial or other personal data to any third parties.
• We do not share facial templates with marketing or advertising partners.
• We may share limited personal data only with:
• Authorised account administrators to manage attendance and reporting.
• Trusted subprocessors (e.g., hosting or maintenance) under contractual and security obligations.
• Law enforcement or regulatory authorities where legally required.

10. Data Retention & Deletion

• Retention period: Facial templates and attendance records are retained for the duration of the user’s active subscription. This retention period is necessary to provide contracted services and maintain reporting accuracy.
• Deletion after subscription expiry: Upon cancellation or written request, BDFM will permanently delete all associated facial templates and personal data once retention requirements have been met. Confirmation of deletion will be provided within 30 calendar days unless longer retention is required by law.
• Individual deletion requests: A user may request deletion of their personal data by contacting [email protected]. Identity verification may be required before processing the request.

11. User Rights

Under applicable data protection laws, users have the right to:

• Access the personal data we hold about them;
• Request correction of inaccurate data;
• Request deletion or restriction of processing;
• Object to processing (including profiling) on legitimate grounds;
• Request portability of data provided by them;
• Withdraw consent where processing is based on consent (withdrawal does not affect prior lawful processing).

To exercise any of these rights, contact: [email protected]. We may need to verify your identity before fulfilling your request and will respond within the statutory time limits.

12. Children

The App is not intended for use by children under the age of 16. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected such data, please contact [email protected] and we will take steps to delete it.

13. Contact & Complaints

For any questions, data subject requests, or complaints:

Email: [email protected]

If you remain dissatisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) in the United Kingdom.