← Chronox

Biometric Data Retention & Destruction Policy

Version 1 · Effective July 4, 2026 · This policy is also shown inside the Chronox app before any biometric enrollment.

1. Scope

This policy governs biometric identifiers and biometric information created by Chronox facial-recognition timekeeping: face-geometry descriptors held in AWS Rekognition (one collection per customer company, Oregon, USA), encrypted offline face templates, and device template caches. Chronox never stores photographs of faces — camera images are converted to mathematical templates and discarded. Punch records (timestamps, GPS fixes, match scores) are separate, non-biometric business records governed by the time-record schedule in section 6.

2. Purpose limitation

Biometric identifiers are collected, used, and retained for exactly one purpose: verifying an enrolled employee's identity to record the start and end of work periods and breaks during their employment. They are never used for surveillance, profiling, or marketing, and are never sold, leased, traded, or otherwise profited from.

3. Retention rule

A biometric identifier is retained only while that purpose persists — while the individual remains an enrolled, employed worker of the customer company.

4. Destruction deadlines

Identifiers are permanently destroyed at the first of:

  1. End of employment — an automated purge fires when the employee record is deactivated;
  2. A processed revocation request — an employee may withdraw consent in writing through their employer at any time;
  3. The statutory deadline for the governing jurisdiction: Illinois (BIPA) — no later than 3 years after the individual's last interaction (also Chronox's conservative default everywhere); Colorado — no later than 24 months after last interaction, or 45 days after an annual review concludes storage is no longer necessary; Texas — no later than 1 year after the purpose ends; Quebec — when the purpose is fulfilled.

5. Destruction method and proof

Destruction is automated and receipted: AWS DeleteFaces is called for every stored FaceId; offline template rows are deleted; authorized crew devices purge their local caches at next synchronization; and an append-only deletion receipt (what was destroyed, when, and why) is recorded. Failed deletions are retried and surfaced to an integrity audit until resolved.

6. Time records are separate

Non-biometric time and payroll records are retained per employment-law schedules (default 7 years) to satisfy wage-hour record-keeping duties. Destroying a face template never alters or deletes any punch or payroll record, and vice versa.

7. Security

Biometric data is protected using a standard of care at least equal to Chronox's other confidential information: TLS in transit; encryption at rest, including keystore-backed AES-256-GCM encryption of offline templates on devices; strict per-company and per-crew access control enforced in the database; written consent required by a database trigger before any enrollment can activate; and append-only consent, event, and audit logs.

8. Incidents

Suspected security incidents involving biometric data follow the Chronox Incident Response Plan. Affected individuals, customers, and regulators are notified as required by applicable law.

9. Contact

Privacy questions, revocation requests, and access requests: privacy@chronox.app. Employee requests are routed through, and verified by, the employer.