Privacy Policy

Last updated: February 27, 2026

Wuhan Homsh Technologies Co., Ltd. ("HOMSH," "we," "us," or "our") is committed to protecting the privacy and security of personal information, including biometric data, processed through our iris recognition products and services. This Privacy Policy explains how we collect, use, store, and protect your information.

1. Information We Collect

We collect and process the following categories of information in the course of providing our iris recognition products and services:

**Biometric Data:** Iris images, iris templates (mathematical representations derived from iris scans), and associated biometric metadata. Biometric data is collected only with explicit consent or as required by law for our B2B clients' authorized use cases.

**Contact Information:** Name, email address, phone number, company name, job title, and mailing address provided through our website forms, sales inquiries, or contract engagements.

**Technical and Usage Data:** IP address, browser type, device information, pages visited, and interaction patterns collected automatically when you visit our website. This data is used solely for website improvement and analytics.

**Transactional Data:** Purchase history, contract details, support tickets, and communication records related to our business relationship.

2. How We Use Your Information

We use collected information for the following purposes:

- Providing, maintaining, and improving our iris recognition products and services
- Processing orders, managing contracts, and delivering customer support
- Conducting research and development to advance iris recognition technology
- Communicating product updates, security advisories, and service notifications
- Complying with legal obligations, including law enforcement cooperation where required by law
- Ensuring the security and integrity of our systems and preventing fraud
- Generating aggregated, anonymized analytics to improve our offerings

We do not sell personal information to third parties. We do not use biometric data for advertising purposes.

3. Biometric Data Handling

Given the sensitive nature of biometric data, we apply enhanced protections:

**Collection:** Iris biometric data is collected only through authorized devices deployed by our B2B clients. End users are informed of biometric collection at the point of capture. Consent mechanisms comply with applicable local regulations.

**Processing:** Iris templates are generated using our proprietary PhaseIris algorithm. Raw iris images are converted to mathematical templates and, where possible, raw images are discarded after template generation.

**Storage:** Biometric templates are encrypted at rest using AES-256 encryption. Access is restricted to authorized systems through role-based access controls. Templates are stored separately from personally identifiable information where technically feasible.

**GDPR Compliance:** For data subjects in the European Economic Area, we process biometric data under Article 9(2) of the GDPR, relying on explicit consent or substantial public interest as the legal basis. Data subjects have the right to withdraw consent at any time.

**BIPA Considerations:** For deployments in jurisdictions with biometric information privacy laws (including the Illinois BIPA), we ensure that written consent is obtained, a publicly available retention schedule is maintained, and biometric data is destroyed when the initial purpose has been satisfied or within three years of last interaction, whichever occurs first.

4. Data Security

We implement industry-standard technical and organizational measures to protect your data:

- **Encryption:** AES-256 encryption at rest and TLS 1.3 encryption in transit for all sensitive data
- **Access Controls:** Role-based access control (RBAC) with multi-factor authentication for all systems handling biometric data
- **Infrastructure Security:** ISO 27001-aligned security practices, regular penetration testing, and continuous security monitoring
- **Incident Response:** Documented incident response procedures with notification to affected parties within 72 hours of confirmed breach
- **Employee Training:** Regular security awareness training for all employees with access to sensitive data
- **Audit Logging:** Comprehensive audit trails for all access to biometric data, retained for a minimum of 12 months

5. Data Retention

We retain data only as long as necessary for the purposes described in this policy:

- **Biometric Data:** Retained for the duration of the active service contract with our B2B client, plus a maximum of 90 days for backup and disaster recovery purposes. Upon contract termination, biometric data is securely deleted using cryptographic erasure methods.
- **Contact Information:** Retained for the duration of the business relationship and up to 3 years after the last interaction for legitimate business purposes.
- **Usage Data:** Aggregated and anonymized within 12 months of collection. Raw usage data is deleted within 24 months.
- **Transactional Records:** Retained for 7 years to comply with financial and tax reporting obligations.

Data subjects may request earlier deletion subject to legal and contractual obligations.

6. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

- **Right of Access:** Request a copy of the personal data we hold about you
- **Right to Rectification:** Request correction of inaccurate or incomplete personal data
- **Right to Erasure:** Request deletion of your personal data, subject to legal retention requirements
- **Right to Data Portability:** Request a machine-readable copy of your data for transfer to another provider
- **Right to Restrict Processing:** Request limitation on how we process your data in certain circumstances
- **Right to Object:** Object to processing based on legitimate interests or direct marketing
- **Right to Withdraw Consent:** Where processing is based on consent, withdraw consent at any time without affecting the lawfulness of prior processing

To exercise any of these rights, contact us at sales@opticsiris.com with the subject line "Data Rights Request." We will respond within 30 days.

7. International Data Transfers

As a company headquartered in Wuhan, China, with global operations, your data may be transferred to and processed in countries outside your jurisdiction. We ensure appropriate safeguards for international data transfers through:

- Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the EEA
- Data processing agreements with all third-party processors
- Compliance with China's Personal Information Protection Law (PIPL) for cross-border data transfers
- Encryption of all data in transit between jurisdictions

We evaluate the data protection laws of destination countries and implement supplementary measures where necessary to maintain an adequate level of protection.

8. Contact Information

For questions, concerns, or requests related to this privacy policy or our data practices, please contact us:

**Wuhan Homsh Technologies Co., Ltd.**
Email: sales@opticsiris.com
Address: Wuhan Optics Valley, Wuhan, Hubei, China

We are committed to resolving any complaints about our collection or use of your personal data. If you are not satisfied with our response, you may have the right to lodge a complaint with your local data protection authority.

This privacy policy is effective as of February 27, 2026. We may update this policy from time to time. Any changes will be posted on this page with an updated "Last updated" date.