Biometric Data Policy

Effective date: 2026-05-30 Version: biometric-v1 Policy identifier (used in consent records): `biometric-v1`

This policy is required by the Illinois Biometric Information Privacy Act (BIPA, 740 ILCS 14) and similar biometric privacy laws. It explains in plain language exactly what biometric data we collect, how we store it, how long we keep it, when we delete it, and what rights you have.

You must read and explicitly consent to this policy before uploading any photos. The upload feature will not be available until your consent is recorded.


1. What biometric data we collect

When you use the Suvant audit feature you upload up to 3 photographs of yourself ("selfies"). These photos may contain or be used to derive biometric identifiers and biometric information as defined by applicable law, including:

We collect these photographs for the sole purpose of running a one-time AI-based assessment of 8 presentation categories (face, hair, skin, body, style, grooming, photos, presence).


2. How we use biometric data

Your selfies are used to generate your personal image audit: an honest, numeric assessment of 8 presentation categories (face, hair, skin, body, style, grooming, photos, presence) using the OpenAI vision API. This is the only processing that happens by default, and it is what the consent on this policy authorizes.

Optional add-on — the AI "after you" transformation. Separately, you may optionally opt in to have one of your photos sent to OpenAI's image API to generate an illustrative "what you could look like" image reflecting the recommended grooming and style. This is off by default, requires its own separate, standalone consent, and is governed by the AI Transformation Policy. If you do not opt in, this never happens.

We will never:


3. How we protect biometric data


4. OpenAI subprocessor disclosure

Your selfies are sent to OpenAI's API (not the consumer ChatGPT service) for two processing steps:

  1. The audit (always): the vision API reads your 3 photos to produce your numeric scores.
  2. The transformation (only if you opt in): the image API generates your optional "after you" illustration from one photo. See the AI Transformation Policy.

Key facts about this processing:


5. Retention and deletion schedule

DataRetention periodDeletion mechanism
Raw selfie photos (GCS)Up to 30 days after your audit completesAutomatic scheduled deletion from GCS; or immediately on account deletion
Abandoned uploads (if you uploaded but never subscribed)Up to 30 days after uploadAutomatic scheduled purge
Optional AI transformation image (if you opted in)Automatically deleted about 1 day after it is createdAutomatic minimization; on account deletion; or anytime via Account › Privacy
Derived audit scores and numeric data (Postgres, not pixels)While your subscription is activeDeleted on account deletion
This biometric consent recordYour account lifetime + 4 yearsLegal hold; not deleted on account deletion

A GCS lifecycle rule provides an automatic backstop: any selfie object older than 31 days is permanently deleted regardless of application-level state.

What this means in practice: after your 30-day window, the original photos are gone. We retain only the 8 numeric category scores and the generated quest text, not any pixel data.


6. Your rights

You have the right to:

  1. Know — you are reading this policy before any data is collected.
  2. Delete your photos at any time without closing your account. Go to Account > Privacy > "Delete my photos". Deletion happens immediately; your subscription and progress scores are unaffected.
  3. Delete your account and all data at any time. Go to Account > Privacy > "Delete my account". This permanently deletes all your photos, scores, and account data.
  4. Withdraw consent — because selfie upload requires active consent, you may stop using the upload feature at any time. This does not trigger retroactive deletion; use the "Delete my photos" option for that.
  5. Request deletion by email — if you cannot access the app, email privacy@suvant.com and we will complete deletion within 72 hours.

7. Consent required before upload

No selfie byte is accepted until you have explicitly and affirmatively consented to this policy. The consent:

By recording your consent you affirm:

  1. You have read and understood this Biometric Data Policy.
  2. You are 18 years of age or older.
  3. The photos you will upload are of yourself only.
  4. You authorize Suvant to collect, store, and process your biometric data as described in this policy.

8. Questions and contact

Biometric privacy questions: privacy@suvant.com

Mailing address: Available on request at privacy@suvant.com.