Privacy & biometrics

Biometrics, done right.

Face matching is regulated biometric data — we built for that from day one, not as an afterthought.

Embeddings, never images
Your scan becomes 512 numbers. Source frames are deleted by a scheduled cleanup job — not just flagged.
[0.031, −0.482, 0.117, 0.905, −0.244, …]
Explicit, versioned consent
Matching is opt-in with plain-language consent. Every consent records its version — currently v1 — and is revocable any time.
Append-only access log
Every read and write touching biometric tables is recorded. Nothing touches your template silently.
09:14:02 read  face_templates  fusion_matcher09:14:07 write detections     fusion_matcher09:20:41 read  consents       api11:02:13 delete face_templates  user_request
RLS on every table · encrypted at rest · isolated biometric schema
Real deletion
Delete your account and templates, identity links and cluster claims go with it. Detections revert to anonymous.
Under-18s blocked · strangers blurred
No minor enrollment until guardian consent ships. Non-enrolled faces are blurred in every public preview.
Consent text lives in the open — versioned in the repository, shown in full at enrollment.Enroll with confidence