Biometric Information Notice
Our written disclosure, consent, and retention practices for biometric data under BIPA, CUBI, the Washington biometric statute, and comparable state laws.
Purpose & Scope
This Biometric Information Policy (the “Policy”) describes how VertiSource HR, LLC (“VertiSource HR,” “we,” “our,” or “us”) collects, stores, uses, discloses, retains, and destroys biometric identifiers and biometric information received from biometric time-clock kiosks operated at client worksites where VertiSource HR has been engaged to administer payroll, time & attendance, and related HR services.
This Policy supplements the VertiSource HR Privacy Policy with respect to biometric data. Where this Policy conflicts with the general Privacy Policy on the subject of biometric data, this Policy controls.
This Policy is intended to satisfy the written-policy requirements of the Illinois Biometric Information Privacy Act (BIPA, 740 ILCS 14) § 15(a), the Texas Capture or Use of Biometric Identifier Act (CUBI, Tex. Bus. & Com. Code § 503.001), the Washington biometric statute (RCW 19.375), the New York SHIELD Act, the Colorado Privacy Act (CPA), and the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA) as they apply to biometric identifiers and sensitive personal information.
Definitions
- Biometric Identifier means a retina or iris scan, fingerprint, voiceprint, hand or face geometry scan, palm-vein pattern, or similar technological measurement of a unique individual biological characteristic used to identify that individual. Biometric Identifier does not include writing samples, written signatures, photographs used for identification, physical descriptions, demographic data, or information used for health-care treatment under HIPAA.
- Biometric Information means any information, regardless of how it is captured, converted, stored, or shared, based on a Biometric Identifier that is used or intended to be used to identify an individual.
- Worker means an individual whose biometric data is captured by a biometric time-clock kiosk administered through a VertiSource HR client’s worksite (whether the individual is classified as a W-2 employee or a 1099 contractor for that client).
- Client means a business entity that has engaged VertiSource HR under a written service agreement and that has elected to activate a biometric time-clock integration within the VertiSource HR HRIS or Time & Attendance platform.
- Time-Clock Vendor means the third-party hardware or software provider whose biometric kiosk captures the Biometric Identifier at the Client’s worksite and transmits a template (or, where applicable, a raw Biometric Identifier) to VertiSource HR.
Controller & Processor Allocation
For every biometric time-clock integration:
- The Client is the controller and the BIPA “private entity” with primary collection authority over its workers. The Client is responsible for (a) providing written notice to each Worker before collection, (b) obtaining the Worker’s written, informed consent before enrollment, and (c) handling the Worker’s direct employment relationship and any workplace-disciplinary matters that arise from opt-out.
- VertiSource HR is a processor / service provider that receives and stores the Biometric Identifier or Biometric Information (or a non-reversible template derived from it) solely to deliver contracted time-clock-punch authentication and payroll services. VertiSource HR does not use Biometric Identifiers or Biometric Information for any other purpose.
- The Time-Clock Vendor is a subprocessor of VertiSource HR and operates under a written data-processing agreement flowing down the protections of this Policy, BIPA, and applicable state laws.
Our service agreement with each Client includes BIPA indemnity, controller/processor allocation language, and a requirement that the Client warrant it will comply with § 15(b) of BIPA (written notice and informed consent) before any Worker is enrolled. Clients that do not agree to those terms are not eligible to activate a biometric time-clock integration within the VertiSource HR platform.
Notice & Consent Requirements
Before any Worker is enrolled in a biometric time-clock kiosk, VertiSource HR requires the Client to provide the Worker with written notice that includes:
- That a Biometric Identifier or Biometric Information is being collected or stored;
- The specific purpose for which the Biometric Identifier or Biometric Information is being collected, stored, and used (time-clock punch authentication);
- The length of term for which the Biometric Identifier or Biometric Information will be collected, stored, and used; and
- A statement that the Worker may refuse to consent and may request alternative (non-biometric) time-clock methods without retaliation.
The Client must obtain a written, informed release from the Worker before enrollment, executed by the Worker or the Worker’s legally authorized representative. The written release is retained by the Client and, upon request, VertiSource HR. VertiSource HR provides a template written notice and release form (the “Biometric Consent Form”) to Clients as part of the biometric-integration activation checklist. The Biometric Consent Form is available to prospective and existing Clients upon written request to privacy@vertisourcehr.com.
Device-level notice at enrollment. In addition to the written notice and written consent obtained by the Client before enrollment, the biometric time-clock kiosks used in VertiSource HR integrations display an on-screen biometric collection warning at the moment a Worker begins the fingerprint-enrollment flow. The on-screen notice tells the Worker that a biometric identifier is about to be captured, what it will be used for (time-clock punch authentication), and how to exit the enrollment flow without enrolling. This device-level notice is a secondary safeguard that supplements, but does not replace, the Client’s written notice and written consent obligations under BIPA § 15(b) and comparable state statutes.
Alternative authentication. VertiSource HR’s Time & Attendance platform supports non-biometric authentication methods (PIN codes, badge swipes, mobile clock-in with geofencing). If a Worker withholds biometric consent, whether by declining the written Biometric Consent Form before enrollment or by exiting the on-screen enrollment flow at the device, the Client is responsible for providing an alternative clock-in method at no additional cost or hardship to the Worker.
Collection, Storage, and Security
Biometric Identifiers and Biometric Information are:
- Transmitted from the Time-Clock Vendor’s device to VertiSource HR’s HRIS using transport-layer encryption (TLS 1.2 or higher);
- Stored at rest in encrypted form using AES-256 or equivalent industry-standard encryption;
- Accessible within VertiSource HR only by personnel on a role-based, need-to-know basis, with privileged access protected by multi-factor authentication;
- Subject to the same or greater standard of care that we apply to other Sensitive Personal Information (see Section 7 of the Privacy Policy).
VertiSource HR does not transmit Biometric Identifiers or Biometric Information outside of its HRIS infrastructure except (a) to the Time-Clock Vendor acting as subprocessor, (b) to the Client controller, or (c) where compelled by valid legal process.
Retention Schedule
Consistent with BIPA § 15(a), VertiSource HR will permanently destroy a Worker’s Biometric Identifier and any Biometric Information derived from it no later than the first of the following to occur:
- The date on which the initial purpose for collecting or obtaining the Biometric Identifier has been satisfied, including (without limitation) the date on which the Worker separates from the Client;
- Three (3) years after the Worker’s last interaction with the biometric time-clock kiosk or the VertiSource HR HRIS, whichever occurs first;
- The date on which the Worker (or the Worker’s authorized representative) submits a verified written request for destruction to the Client or VertiSource HR; or
- The date on which the Client terminates its biometric time-clock integration with VertiSource HR, after which VertiSource HR will destroy all Biometric Identifiers and Biometric Information received from that Client within ninety (90) days, subject to any litigation hold.
Destruction is performed via cryptographic erasure of the encrypted storage or via secure overwrite of the underlying data stores, consistent with NIST SP 800-88 media sanitization guidance. Destruction is logged in an auditable record retained for the period required by applicable law.
Prohibited Uses
VertiSource HR does not and will not:
- Sell, lease, trade, or otherwise profit from a Worker’s Biometric Identifier or Biometric Information;
- Disclose Biometric Identifiers or Biometric Information to any third party other than the Client, the Time-Clock Vendor subprocessor, or as required by law or valid legal process;
- Use Biometric Identifiers or Biometric Information for any purpose other than time-clock-punch authentication and the related payroll workflows the Worker has been notified of and consented to;
- Collect, store, or use voiceprints, iris scans, or retina scans unless a Client specifically activates a feature requiring those modalities and the Worker consents;
- Use Biometric Identifiers or Biometric Information to infer characteristics about a Worker.
Worker Rights & Redress
A Worker whose Biometric Identifier is or has been processed by VertiSource HR may:
- Request access: confirm whether VertiSource HR is processing the Worker’s Biometric Identifier and request a copy of the written consent on file;
- Withdraw consent: request that enrollment be terminated and the Biometric Identifier be destroyed (subject to Section 6);
- Request correction: request correction of associated personnel metadata (name, employee ID) linked to the Biometric Identifier;
- Appeal denial: appeal any denied request within sixty (60) days of denial.
Workers should direct these requests first to their employer’s HR representative. Escalations and requests that cannot be resolved at the employer level may be submitted by email to privacy@vertisourcehr.com with “Biometric Request” in the subject line or by mail to the Privacy Officer at the address in Section 11. VertiSource HR will respond within forty-five (45) days of a verified request, extendable by an additional forty-five (45) days for complex requests.
Incident Response
In the event of an actual or suspected unauthorized acquisition of or access to Biometric Identifiers or Biometric Information, VertiSource HR will:
- Promptly investigate, contain, and remediate the incident;
- Notify the affected Client as soon as reasonably practicable and no later than seventy-two (72) hours after confirmation, to enable the Client’s notification obligations to Workers and regulators;
- Cooperate with the Client’s Worker-notification process;
- Report to state attorneys general and regulatory authorities where required by applicable state breach-notification statutes.
Subprocessors
VertiSource HR uses third-party Time-Clock Vendors as subprocessors for biometric-kiosk capture. Each Time-Clock Vendor subprocessor operates under a written data-processing agreement that flows down the protections of this Policy, BIPA, and applicable state biometric-privacy laws. A current list of Time-Clock Vendor subprocessors is available to Clients upon written request to privacy@vertisourcehr.com, and is governed by VertiSource HR’s Data Processing Addendum, which is made available to Clients as part of the biometric-integration activation checklist.
Changes to This Policy
VertiSource HR will update this Policy as necessary to reflect changes in practice or applicable law. The “Last Updated” date at the top of this Policy will reflect the date of the most recent update. Material changes will be communicated to active Clients at the primary billing contact email on file.
Contact
VertiSource HR, LLC
Attn: Privacy Officer, Biometric Matters
6985 Union Park Center, Suite 100
Cottonwood Heights, UT 84047
Email: privacy@vertisourcehr.com
Phone: 855-565-8747