Biometric Retention & Destruction Policy
This is the public written policy that Illinois BIPA §15(a) (740 ILCS 14/15(a)) requires of any business that handles a "biometric identifier." It explains how Phiusion Labs handles the face-geometry vector that SkinXS derives from a patient's photograph, how long that vector exists, and how it is destroyed. It applies to every patient whose photograph is analysed in the Phiusion application, regardless of the patient's or practitioner's location. It is not a consent document — consents sit at the Patient Photo Consent and the Patient AI Improvement Consent; this is the operational standard underneath them.
1. What this policy is
BIPA §15(a) requires a private entity in possession of a biometric identifier to "develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information." This is that policy. It is linked from the Phiusion application footer and is reachable without an account, as the statute requires.
2. What counts as a biometric identifier
- Illinois BIPA §10 (740 ILCS 14/10). A "biometric identifier" includes a "scan of face geometry." Phiusion treats the face-geometry vector SkinXS computes from a patient's photograph as a regulated biometric identifier from the moment SkinXS computes it, even though Phiusion does not use it to identify the patient and does not match it against any database.
- Texas CUBI (Tex. Bus. & Com. Code §503.001). Same biometric-identifier definition (face geometry, retina, fingerprint, voiceprint, hand-or-face record); triggers when captured for a commercial purpose.
- Washington RCW 19.375.010. Broader scope — the photograph itself is in-scope when "enrolled" in a face-recognition system. BIPA and CUBI do not bring the unprocessed photograph in-scope; only Washington does, and only on enrolment. Phiusion does not enrol photographs in any face-recognition system, but treats photograph and vector consistently under this policy.
The photograph itself is otherwise covered by the Patient Photo Consent and the Patient Privacy Notice. This policy governs the vector; where a commitment extends to the photograph, it is called out.
3. Universal-protection commitment
Phiusion applies the strictest of BIPA, CUBI, RCW 19.375, Quebec Law 25 art. 12, HIPAA, GDPR, UK GDPR, and Swiss nFADP to every patient, regardless of residence — per Patient Privacy Notice §6 and §8 and docs/legal/internal/phase-3-followups.md. Where windows differ, the shortest consistent window wins; where protocols differ, the stricter protocol wins. "Consistent" means a residence-keyed statutory ceiling on biometric or consumer-health data (e.g. WA-MHMDA RCW 19.373.070(2)(h) — one-year authorization-expiration ceiling on the WA-resident leg) stays residence-keyed where propagating it universally would be unsupported by any statute applicable to the non-residence cohort. State- and province-specific rights that only the resident can invoke — the BIPA §20 private right of action; the WA-MHMDA private right of action under RCW 19.86; Law 25 art. 90 complaint to CAI — remain residence-keyed by law. (Internal master: D18 §2.1.)
4. Default behaviour — vectors are ephemeral
By default, the face-geometry vector exists in memory only for the duration of a single SkinXS analysis request, and is discarded once the analysis returns. It is not written to disk, not committed to a database row, and not copied to any cache or backup tier. This is the default for every patient.
Because the default is ephemeral, BIPA §15(a)'s "initial purpose satisfied or three years from last interaction, whichever first" outer limit is met by non-persistence; CUBI §503.001's "destroy within one year of the purpose being fulfilled" is met for the same reason; RCW 19.375.020(4)'s "destruction consistent with the entity's policy" is met by the protocol in §7.
The HIPAA exemption in RCW 19.375.030 applies where the photograph is captured by a HIPAA covered entity for treatment, payment, or health-care operations (45 CFR §§ 164.502, 164.506) — the SkinXS analysis is a HIPAA treatment use and does not require a §164.508 authorization on the default-ephemeral leg.
5. When vectors are retained — AI Improvement opt-in only
A vector is retained beyond the SkinXS request only where the patient has given the separate opt-in at the Patient AI Improvement Consent. That consent is the BIPA §15(b) written release for retention, the HIPAA §164.508 authorization for non-routine use, and (for Washington residents) the WA-MHMDA §19.373.030 separate consumer-health authorization, in one document. It is independently revocable through the Consent Withdrawal flow.
Saying "no" has no effect on the patient's care. Default-ephemeral behaviour continues, and the SkinXS skin assessment runs the same way.
6. Retention schedule
The windows applied here are the shortest the applicable statutes permit. Where two statutes both apply, the shorter window controls.
| Statute | Outer limit |
|---|---|
| BIPA §15(a) | Initial purpose satisfied OR 3 years from last interaction — whichever first |
| CUBI §503.001 | Within 1 year after the purpose for collecting the identifier expires |
| RCW 19.375.020(4) | Destruction consistent with this policy |
| HIPAA §164.508(b)(5) | Authorization may be revoked at any time |
Phiusion-strictest commitment. A retained vector (and the photograph that produced it) is destroyed at the earliest of:
1. 5 years from consent. Retention does not exceed 5 years from the consent date — inside BIPA §15(a)'s outer limit because "last interaction" is reset by each visit while the wellness relationship is active.
2. 30 days from withdrawal. If the patient withdraws the AI Improvement Consent, the vector and the photograph are destroyed within 30 days across every storage tier.
The shorter of (1) and (2) controls.
CUBI §503.001 purpose-fulfilment ceiling — operationally subsumed. CUBI requires destruction within one year of the purpose for collecting the biometric identifier expiring. For TX-resident patients on this opt-in leg, the AI Improvement Consent keeps the purpose ongoing for as long as the consent is in force; the purpose-fulfilment trigger therefore fires only on withdrawal. At that point the 30-day primary destruction window (item 2) already controls — shorter than CUBI's 1-year ceiling. The CUBI line is residence-anchored to TX but operationally subsumed by the withdrawal trigger; D18 §3 Notes carries the internal master statement.
7. Destruction protocol
When a trigger fires, Phiusion executes the following within the 30-day SLA (the database delete is normally immediate):
- Primary database — cryptographic erase. Vector columns and the photograph object reference on operational Supabase Postgres rows are NULLed, and `status='destroyed'` and `destroyed_at` are set. The row itself is preserved as an immutable audit anchor so the destruction record stays queryable (`destruction_log` cross-reference). True row-level `hard_delete` is reserved for the in-clinic patient-mediated path where the patient asks for the audit row itself to be removed; in that case the row is deleted outright. (D18 §4.4 carries the internal-master statement of this reconciliation.)
- Object storage. The corresponding object in Supabase Storage is permanently deleted; storage-layer versioning is bypassed (any prior object versions or soft-delete tombstones are purged in the same operation so no shadow copy survives the destruction event).
- Sub-processor caches. Universkin SAS (operator of SkinXS and the AI-improvement training corpus) is instructed to delete the corresponding training-corpus entry under the intercompany BAA/DPA filed as D15. Deletion confirmation is recorded.
- Backups — bounded rotation. Hot backups (point-in-time recovery, ≤7 days on the production tier) and daily snapshots (aged out at 30 days) cycle in parallel, not in series. A cryptographic erase on the primary therefore propagates to all backup tiers within max(N, M) = 30 days of the primary erase (N = 7-day PITR; M = 30-day snapshot rotation) — the longer of the two windows controls because both expire independently from the same erase moment. Longer-horizon archive snapshots — if any — are sealed-and-expiry per docs/SUPABASE_OPS.md. This satisfies GDPR Art. 32(1)(c).
- Error-monitoring exhaust. Sentry receives error metadata only — never photograph bytes, URLs, or vector payloads. There is no exhaust to scrub.
- Audit log. A destruction record (trigger, timestamp, tier, sub-processor confirmations) is written. The record contains no biometric data.
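The primary-database and audit-log steps above, written out as one atomic Postgres function. This is an added illustration, not Phiusion's own code: the table `patient_photo_analysis` and the columns `face_vector`, `photo_object_ref` and `trigger_reason` are assumed names; `status='destroyed'`, `destroyed_at` and `destruction_log` are the identifiers the policy itself uses.

```sql
-- Added example (not Phiusion's code). Assumed schema:
--   patient_photo_analysis(id uuid, face_vector bytea, photo_object_ref text,
--                          status text, destroyed_at timestamptz)
--   destruction_log(analysis_id uuid, trigger_reason text, tier text,
--                   destroyed_at timestamptz)

-- Schema-level invariant: a row marked destroyed can never still carry a
-- vector or a photograph reference, whichever code path wrote it.
ALTER TABLE patient_photo_analysis
  ADD CONSTRAINT destroyed_rows_hold_no_biometrics
  CHECK (status <> 'destroyed'
         OR (face_vector IS NULL AND photo_object_ref IS NULL));

CREATE OR REPLACE FUNCTION destroy_biometric_row(p_id uuid, p_trigger text)
RETURNS boolean
LANGUAGE plpgsql AS $$
DECLARE
  v_rows int;
BEGIN
  -- NULL the biometric columns and mark the row; the row itself survives as
  -- the immutable audit anchor. The status guard makes a repeat call a no-op.
  UPDATE patient_photo_analysis
     SET face_vector      = NULL,
         photo_object_ref = NULL,
         status           = 'destroyed',
         destroyed_at     = now()
   WHERE id = p_id
     AND status <> 'destroyed';
  GET DIAGNOSTICS v_rows = ROW_COUNT;

  IF v_rows = 1 THEN
    -- Destruction record: trigger, timestamp, tier. No biometric data.
    INSERT INTO destruction_log (analysis_id, trigger_reason, tier, destroyed_at)
    VALUES (p_id, p_trigger, 'primary_db', now());
  END IF;

  RETURN v_rows = 1;   -- true only when this call performed the erase
END;
$$;

-- Withdrawal trigger, run inside the caller's transaction:
-- SELECT destroy_biometric_row('<analysis uuid>'::uuid, 'consent_withdrawn');

-- Auditor check: must return zero rows (the CHECK constraint also enforces it).
SELECT id FROM patient_photo_analysis
 WHERE status = 'destroyed'
   AND (face_vector IS NOT NULL OR photo_object_ref IS NOT NULL);
```

The object-storage purge, the Universkin deletion request and the backup rotation are separate steps outside this function; their confirmations would be appended to the same `destruction_log` row as they arrive.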
Certificate of destruction. A patient who withdrew consent — or the patient's practitioner — can request a written certificate from the Privacy Officer, issued within 30 days of the request.
8. Sub-processors who may hold biometric vectors
The canonical list lives at Sub-Processors; cross-border transfer mechanisms are at Patient Privacy Notice §5.1. In-scope for the retained-vector leg:
- Universkin SAS (France) operates SkinXS and the AI-improvement training corpus — the "in-possession" entity under BIPA §15(a). Phiusion ↔ Universkin governed by the intercompany BAA + DPA filed as D15. Storage region: EU.
- Supabase (US) stores the underlying photograph object and the consent record. Does not see the vector. SCCs + TIA on file.
- Vercel (US) is the compute pass-through for the SkinXS request leg. Does not retain at rest. SCCs + TIA on file.
Other vendors in D9 (Anthropic, Stripe, SendGrid, AfterShip, remove.bg, Google Maps, Sentry) are out of scope for retained vectors. remove.bg sees the photograph during background removal but never the vector; the vector is computed inside SkinXS only.
9. Your rights
Patient-facing rights live in Patient Privacy Notice §11 (access, correction, deletion, portability, withdrawal — with the residence-keying rule for state-specific rights), the Patient Photo Consent §7, the Patient AI Improvement Consent, and the Consent Withdrawal flow.
Illinois residents. BIPA §20 (740 ILCS 14/20) provides a private right of action: any person aggrieved by a violation may recover liquidated damages or actual damages, attorney's fees, and other relief, in addition to or in lieu of the operational remedies above. Nothing in this policy waives, limits, or conditions that right.
Washington residents. The WA-MHMDA private right of action under the Washington Consumer Protection Act (RCW 19.86) operates on the same footing for the consumer-health-data layer.
Quebec patients. Law 25 art. 12 governs biometric processing. Per Patient Privacy Notice §9 and §17, Phiusion has not opened the platform to Quebec patients pending the French-language launch gate and the Law 25 art. 12 / CAI 60-day pre-notification + art. 17 PIA.
EU / EEA / UK / Swiss patients. GDPR Arts. 15–22 (and UK / Swiss equivalents) apply to the Universkin processing leg; see Patient Privacy Notice §10. Biometric data is GDPR Art. 9 special-category; the lawful basis for the opt-in retention leg is Art. 9(2)(a) explicit consent.
10. How to request destruction
- In-clinic, through your practitioner. Tell your practitioner at your next visit; the 30-day destruction window starts from the recorded withdrawal timestamp.
- Directly to Phiusion. Email privacy@phiusionlabs.app, or use the in-app flow at Consent Withdrawal.
The Privacy Officer acknowledges receipt within 5 business days and confirms destruction within the 30-day window. A certificate of destruction (§7) is available on request.
11. Public availability and updates
This policy is published at /legal/biometric-retention-and-destruction-policy and linked from the application footer, reachable without authentication — in satisfaction of BIPA §15(a)'s public-availability requirement. Version history at /legal/changelog. Semantic versioning: major (X.0.0) for material change to the schedule, protocol, or in-scope sub-processors; minor (1.X.0) for clarifications, new anchors, or sub-processor updates that do not change processing categories; patch (1.0.X) for typos and broken links.
12. Contact
- Privacy Officer (Phiusion Labs): Jonathan Garbutt, privacy@phiusionlabs.app.
- Data Protection Officer (Universkin SAS, France): Maître Eric ELABD, +33 (4) 93.00.11.96, dpo@universkin.com.
Full supervisory-authority list (HHS-OCR, FTC, Illinois / Texas / Washington Attorneys General, OPC Canada, IPC Ontario, CAI Quebec, CNIL, ICO, FDPIC) at Patient Privacy Notice §16.