This policy governs biometric identifiers and biometric information created by Chronox facial-recognition timekeeping: face-geometry descriptors held in AWS Rekognition (one collection per customer company, Oregon, USA), encrypted offline face templates, and device template caches. Chronox never stores photographs of faces — camera images are converted to mathematical templates and discarded. Punch records (timestamps, GPS fixes, match scores) are separate, non-biometric business records governed by the time-record schedule in section 6.
Biometric identifiers are collected, used, and retained for exactly one purpose: verifying an enrolled employee's identity to record the start and end of work periods and breaks during their employment. They are never used for surveillance, profiling, or marketing, and are never sold, leased, traded, or otherwise profited from.
A biometric identifier is retained only while that purpose persists — while the individual remains an enrolled, employed worker of the customer company.
Identifiers are permanently destroyed at the first of:
Destruction is automated and receipted: AWS DeleteFaces is called for every stored FaceId; offline template rows are deleted; authorized crew devices purge their local caches at next synchronization; and an append-only deletion receipt (what was destroyed, when, and why) is recorded. Failed deletions are retried and surfaced to an integrity audit until resolved.
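The receipted, retried destruction described above can be sketched as follows. This is an added example, not Chronox's code: the function names, the hash-chained receipt format, and the stub client are assumptions; only the `delete_faces` call shape (`CollectionId`, `FaceIds`, `DeletedFaces` in the response) follows the AWS Rekognition SDK.

```python
import hashlib
import json
import time

GENESIS = "0" * 64  # assumed anchor value for the first receipt

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_receipt(log, entry):
    # Each receipt commits to the previous one, so an edit or removal breaks the chain.
    body = dict(entry, prev=log[-1]["hash"] if log else GENESIS)
    log.append(dict(body, hash=_digest(body)))

def verify_chain(log):
    prev = GENESIS
    for rec in log:
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["prev"] != prev or _digest(body) != rec["hash"]:
            return False
        prev = rec["hash"]
    return True

def destroy_faces(client, collection_id, face_ids, reason, log, audit, attempts=3):
    """Delete face_ids, receipt only confirmed deletions, report leftovers to audit."""
    pending = list(face_ids)
    for attempt in range(1, attempts + 1):
        if not pending:
            break
        try:
            resp = client.delete_faces(CollectionId=collection_id, FaceIds=pending)
            deleted = set(resp.get("DeletedFaces", []))
        except Exception:  # API error: nothing confirmed, so retry everything pending
            deleted = set()
        if deleted:
            append_receipt(log, {"what": sorted(deleted), "collection": collection_id,
                                 "when": int(time.time()), "why": reason, "attempt": attempt})
        pending = [f for f in pending if f not in deleted]
    if pending:  # never silently dropped: stays visible to the audit until resolved
        audit.append({"collection": collection_id, "unresolved": pending, "why": reason})
    return pending

class StubRekognition:
    """Constructed stand-in for the AWS client so the example runs offline."""
    def __init__(self, fail_once=(), never=()):
        self.fail_once, self.never = set(fail_once), set(never)
    def delete_faces(self, CollectionId, FaceIds):
        ok = [f for f in FaceIds if f not in self.fail_once | self.never]
        self.fail_once.clear()
        return {"DeletedFaces": ok}
```

A receipt is written only for FaceIds the API confirmed as deleted, so the log never claims a destruction that did not happen.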
Non-biometric time and payroll records are retained per employment-law schedules (default 7 years) to satisfy wage-hour record-keeping duties. Destroying a face template never alters or deletes any punch or payroll record, and vice versa.
Biometric data is protected using a standard of care at least equal to Chronox's other confidential information: TLS in transit; encryption at rest, including keystore-backed AES-256-GCM encryption of offline templates on devices; strict per-company and per-crew access control enforced in the database; written consent required by a database trigger before any enrollment can activate; and append-only consent, event, and audit logs.
Suspected security incidents involving biometric data follow the Chronox Incident Response Plan. Affected individuals, customers, and regulators are notified as required by applicable law.
Privacy questions, revocation requests, and access requests: privacy@chronox.app. Employee requests are routed through, and verified by, the employer.