Employer Biometric Policy Template
If your company uses biometric timekeeping, several states require you — the employer — to maintain your own written biometric policy: Illinois BIPA §15(a) requires a publicly available written retention-and-destruction policy, and Colorado C.R.S. §6-1-1314 requires a written policy including an incident-response protocol. This template is drafted to satisfy the strictest of those laws simultaneously and to match how Chronox actually behaves, so your policy never promises something the system doesn't do.
How to use it: (1) Copy the template or download the Word version. (2) Fill every [HIGHLIGHTED FIELD]. (3) Have employment/privacy counsel licensed in your state review it. (4) Publish it — company website or employee handbook (Illinois: it must be publicly available, e.g. a public web page). (5) Keep it next to your signed employee consents, which Chronox captures in-app before any enrollment. This template is general information, not legal advice, and using it does not create an attorney-client relationship.
[EMPLOYER LEGAL NAME] — Biometric Information Policy
Effective date: [DATE] · Policy owner: [TITLE, e.g. HR Director] · Publicly available at: [URL or "Employee Handbook §__"]
1. Purpose and scope
[EMPLOYER LEGAL NAME] ("the Company") uses the Chronox timekeeping system, operated by Foundation Digital LLC, which verifies employee identity with facial recognition when recording the start and end of the workday and breaks. This policy governs all biometric identifiers and biometric information ("biometric data") collected from employees for that purpose. The Company collects biometric data for timekeeping only — never for surveillance, and never for sale or profit. The Company will not sell, lease, trade, or otherwise profit from biometric data, and will not disclose it except as described in this policy or as required by law.
2. What is collected and where it lives
At enrollment and at each punch, a camera image of the employee's face is converted into a mathematical template; no photographs are retained. Templates are processed and stored by our vendor Chronox using Amazon Web Services (Oregon, USA) and Supabase (USA), and — where offline mode is enabled — as encrypted copies on authorized crew devices. The vendor's own public retention policy, sub-processor list, and no-sale pledge are at chronoxapp.net.
3. Written consent before any collection
No employee is enrolled before signing the Biometric Consent & Release (electronic signature valid). The Chronox system technically blocks enrollment until a signed consent is stored. Employees may decline enrollment (see §7) or revoke consent in writing at any time; revocation triggers permanent destruction of the employee's biometric data.
4. Retention schedule
Biometric data is retained only while the employee remains employed and enrolled in biometric timekeeping, and never longer than the deadlines in §5.
5. Destruction guidelines
Biometric data is permanently destroyed at the first of: (a) end of employment — destruction is triggered automatically when the employee record is deactivated; (b) a processed written revocation of consent; or (c) the statutory deadline: [SELECT PER YOUR STATE — Illinois: no later than 3 years after the employee's last interaction with the Company · Colorado: no later than 24 months after last interaction, or within 45 days of a determination that storage is no longer necessary · Texas: no later than 1 year after the purpose of collection ends · Washington: no longer than reasonably necessary for the timekeeping purpose · Default/multi-state: 3 years after last interaction]. Destruction is executed by the vendor (deletion of cloud face records, encrypted templates, and device caches) and evidenced by logged deletion receipts, which the Company can produce on request.
6. Data security and incident response
Biometric data is protected with a reasonable standard of care within our industry, at least equal to the protections for other confidential and sensitive information: encryption in transit and at rest, role-restricted access, and vendor-enforced consent gates and append-only audit logs. Incident response: any suspected security incident involving biometric data must be reported immediately to [TITLE / CONTACT], who will follow the Company's incident-response protocol: contain and assess the incident, engage the vendor, and notify affected employees, regulators, and authorities as required by applicable law, without unreasonable delay. (Colorado: this incident-response protocol is a required element of the written policy.)
7. Voluntariness, refusal, and accommodation
Consent to biometric timekeeping [SELECT — may be required as a condition of employment where the law allows it for recording the start and end of the workday and breaks (e.g., Colorado C.R.S. §6-1-1314(6)) / is voluntary]. Any employee with a religious, medical, disability-related, or privacy objection will be accommodated through the Company's accommodation procedure: management records the employee's work time by an alternative method (including the Chronox Face ID exemption, under which no biometric data is collected), with no penalty, discipline, or retaliation for requesting it. Employment is never conditioned on consent to biometric location tracking.
8. Access, administration, and misuse
Only [ROLES, e.g. HR administrators and authorized managers] may administer biometric enrollments, deletions, or revocations, and every such action is logged immutably in the vendor system. Misuse of biometric data or the timekeeping system is grounds for discipline up to and including termination.
9. Employee rights and questions
Employees may request access to, correction of, or deletion of their biometric data, and may revoke consent, by contacting [HR CONTACT — NAME, EMAIL, PHONE]. The vendor's public Biometric Data Retention & Destruction Policy is available at chronoxapp.net/biometric-retention-policy.html. [CALIFORNIA EMPLOYERS: add your CCPA Notice at Collection reference here. QUEBEC EMPLOYERS: the biometric database must be declared to the CAI at least 60 days before first use; French-language documentation applies.]
What Chronox enforces for you automatically
Consent-before-scan is blocked at the database layer; destruction fires automatically on termination, revocation, and statutory timers, each with an append-only deletion receipt; photographs are never stored; each company's face collection is isolated; and every consent records the exact policy text and version the employee saw. Your policy's promises in §§3–6 are system behavior, not aspirations. Details: Retention & Destruction Policy · No-Sale / No-Harvest Pledge · Sub-processors.
Disclaimer. Foundation Digital LLC is not a law firm. This template is provided for general informational purposes, reflects the law as of July 2026, and must be reviewed by counsel licensed in your jurisdiction before adoption. Statutes cited: 740 ILCS 14/15 (Illinois BIPA); C.R.S. §6-1-1314 (Colorado); Tex. Bus. & Com. Code §503.001 (CUBI); RCW 19.375 (Washington).