No Sale. No Harvest.
The Chronox Biometric Data Pledge
A worker's face exists in Chronox for exactly one reason: to prove it's really them clocking in and out. We will never sell it, rent it, trade it, mine it, or profit from it — and we will never use it to build anything else.
What we pledge
- No sale, no lease, no trade — ever. We will never sell, lease, trade, disclose for consideration, or otherwise profit from a biometric identifier or biometric information. There is no version of our business model where face data is the product. (This is also the law — Illinois BIPA §15(c) prohibits it absolutely, with no consent exception — but our commitment does not depend on where you live.)
- No harvesting, no model training. Face templates and enrollment images are never used to train, improve, or evaluate any machine-learning model — ours or anyone else's. No dataset building, no "product improvement" carve-out, no research use, no aggregation across customers. Each customer company's face collection is isolated; templates from one employer are never matched, pooled, or compared against another's.
- No scraping, no import without live consent. Enrollment happens one way: a live, consented capture by the individual, after the full written notice and the retention policy are shown and a signed consent is stored. Our database physically blocks enrollment without one. We never enroll faces from photographs, ID badges, social media, or any pre-existing image source.
- No surveillance, no sideline uses. Biometric verification runs at punch moments only. Face data is never used for monitoring, tracking, profiling, sentiment or attention analysis, marketing, or advertising — and punch-moment GPS is never conditioned on biometric consent.
- No disclosure except the narrow lawful three. Biometric data is disclosed only (a) at or with the individual's documented consent, (b) to the named sub-processors that perform the verification itself, listed publicly with the data each touches on our sub-processor page and bound to all of these restrictions by contract, or (c) when required by law, subpoena, or warrant — in which case we notify the affected customer unless legally barred.
- Destruction is the default, with receipts. Face data is destroyed automatically at employment end, on consent revocation, or at the statutory deadline — whichever comes first — with an append-only deletion receipt for every destruction. The full schedule is public in our Biometric Retention & Destruction Policy.
- This pledge survives us. If Foundation Digital LLC or the Chronox product is ever acquired, merged, or wound down, biometric data may not be transferred as an asset free of these commitments: any successor takes it subject to this pledge and applicable biometric law, or the data is destroyed first, with receipts.
Why we publish this
Biometric identifiers are the one credential a worker can never reset. A password can be changed; a face cannot. Laws like Illinois' BIPA, Texas' CUBI, Washington's biometric statute, and Colorado's C.R.S. §6-1-1314 exist because companies harvested and monetized exactly this data. We built Chronox so that complying with the strictest of those laws is the system's default behavior — not a jurisdiction toggle.
Holding us to it. Questions, concerns, or suspected violations of this pledge: privacy@chronoxapp.net. Workers may also revoke biometric consent in writing at any time through their employer — destruction is then automatic and receipted.
Related: Biometric Retention & Destruction Policy · Sub-processors · Privacy Policy · Employer Policy Template