Privacy Policy

This Privacy Policy explains how identifind ("identifind," "we," "us," or "our") collects, uses, retains, shares, and protects information when you use the identifind service at https://identifind.ai and any related applications (the "Service").

The Service helps runners find photos of themselves from running-club events. Photos are uploaded to the Service by event photographers and club organizers; identifind uses biometric face matching to surface photos that depict you, so that you do not have to scroll through entire galleries to find your own pictures.

We take particular care with biometric information. The "Biometric Information" section below sets out, in writing, what biometric data we collect, the specific purpose for which we collect it, the length of time we retain it, the third-party processor that handles the matching, and how you may revoke your consent. The verbatim consent text you affirmatively agreed to at sign-up is preserved in our records and is available to you on request.

Who we are

The Service is operated by identifind. You can reach us about this policy at privacy@identifind.ai. For requests under specific privacy laws (such as access, deletion, or correction requests), see the "Your privacy rights" section below.

The information we collect

We collect the following categories of information:

Information you give us directly.

• Your name, email address, and any profile details you choose to add.
• Your club memberships and the role you hold in each club (member, organizer, photographer).
• Your communication and notification preferences.
• A reference selfie photograph, if you choose to enable face matching.
• The contents of any messages you send us, including support requests.

Information we collect automatically when you use the Service.

• Basic device and connection information (browser type, operating system, IP address, approximate region inferred from IP).
• Usage information such as the pages you visit on the Service, the photos you view, and timestamps.
• Service-operational logs needed to keep the Service running, secure, and debuggable.

We do not use third-party analytics, advertising trackers, or behavioral-advertising pixels on the Service.

Information from third parties.

• Authentication information from Clerk, our identity provider. Clerk verifies your email address and (if you choose) any social-login linkages, and tells us your account identifier so that we can recognize you across sessions. We do not store your password — Clerk handles authentication.
• Photos uploaded by club organizers and authorized event photographers to club galleries you belong to. Those photos may depict you.

How we use your information

We use the information we collect to:

• Create and maintain your account, and authenticate you when you sign in.
• Find photos of you in the galleries of clubs you belong to, using the face-matching process described in the "Biometric Information" section below.
• Notify you when new matched photos are available and deliver them to your /my-photos page.
• Communicate with you about the Service, including service announcements, security notices, and responses to your inquiries.
• Operate, secure, and improve the Service, including diagnosing problems and preventing abuse.
• Comply with legal obligations and enforce our Terms of Service.

We do not use your information to make automated decisions that produce legal or similarly significant effects about you. Face matching is used solely to surface candidate photos for your review on your own photo page; you decide what to do with those matches.

Biometric Information

This section is the written notice that some biometric-information laws (including the Illinois Biometric Information Privacy Act, "BIPA") require us to provide. The discrete affirmative consent step is captured separately, at sign-up, as an unchecked-by-default checkbox adjacent to verbatim consent language.

What we collect. If you choose to enable face matching, we collect a single reference selfie that you upload at onboarding, and we generate a mathematical representation of your facial geometry (a "face vector" or "face template") from that selfie. We treat both the selfie and the face vector as biometric information.

Specific purpose. We use your face vector for one purpose only: matching your face against photos uploaded to clubs you are a member of on the Service, so that those photos appear on your personal photo page. We do not use your face vector for advertising, profiling, surveillance, identity verification outside the Service, law-enforcement queries, training of general-purpose machine-learning models, or any other purpose.

How matching works. When a photographer uploads a photo to a club gallery, our face-matching processor analyzes the photo and compares any faces it finds to the face vectors of the members of that club. If a face in the photo matches your face vector above a confidence threshold, the photo is added to your personal photo page and you receive a notification.

Third-party processor. Face vectors are computed and matched using Amazon Web Services' Amazon Rekognition service, acting as a subprocessor on our behalf under AWS's standard Data Processing Addendum. Your face vector is stored in an AWS Rekognition collection scoped to identifind users, in the AWS US East (N. Virginia) region. AWS does not use your face vector for AWS's own purposes.

Retention. We retain your face vector and your reference selfie for as long as you are an active member of at least one club on the Service, and for up to three (3) years following your last interaction with the Service, after which they are automatically purged unless you have re-consented in the interim. You may revoke your consent and trigger immediate deletion at any time, as described below.

Disclosure. We do not sell, lease, trade, share, or otherwise disclose your biometric information to any third party, except (i) to the subprocessor named above strictly to perform the matching the Service is built to perform; (ii) as required to comply with a valid subpoena, court order, or other legal process; or (iii) with your separate, specific, written authorization. We do not disclose your biometric information for marketing or advertising, ever.

Safeguards. We protect your biometric information using a standard of care that is at least as protective as the standard used to protect other confidential and sensitive information, and in a manner that is the same as or more protective than the manner in which we store, transmit, and protect other confidential and sensitive information.

How to revoke your consent. You may revoke your consent to face matching at any time from your account settings page at /settings. Upon revocation, we will (a) delete your face vector from the AWS Rekognition collection, (b) delete the stored copy of your reference selfie, and (c) stop using your face for any new match processing. Photos that were previously matched to you will remain on your personal photo page unless you separately delete them. If you later choose to re-enable face matching, you will be asked to upload a new selfie and to provide consent again — your prior face vector cannot be recovered after revocation.

Public summary. A non-binding plain-language explainer of the biometric flow is available at /legal/biometric-consent.

Our destruction schedule for biometric information

Consistent with applicable biometric-information laws, we maintain and follow a written retention schedule and destruction guideline for biometric information. The triggering events for destruction are:

• You revoke your consent. Destruction of the face vector and reference selfie occurs promptly upon receipt of the revocation, with target completion within thirty (30) days, subject to operational reconciliation.
• You delete your account. Destruction of the face vector and reference selfie occurs alongside account deletion, on the same target timeline.
• Inactivity timeout. If three (3) years pass after your last interaction with the Service and you have not re-consented, your face vector and reference selfie are automatically purged.
• Purpose exhausted. If we discontinue face matching as a Service feature, all face vectors and reference selfies are destroyed within a commercially reasonable period after the discontinuation announcement.

We do not retain biometric information indefinitely. The schedule above is the operative rule.

What happens when you delete your account

When you delete your account from the /settings page, three things happen on the same request:

• Your face vector is physically erased from the AWS Rekognition collection.
• Every version of your reference selfie is physically erased from our object storage.
• Your identity record on identifind is soft-deleted — that is, marked deleted with a timestamp and treated as deleted for all read paths, while a minimal row is preserved so that historical event photos can continue to be attributed to a real account for our audit obligations and so that the verbatim consent record you affirmatively agreed to remains intact under biometric and privacy law.

Photos that depict you and were uploaded to clubs you belonged to remain with those clubs (their photographers and organizers own those photos under their separate agreements with the clubs). They are no longer surfaced on a personal photo page belonging to you, because there is no longer a face vector against which to match.

The auth-provider account (managed by our identity provider, Clerk) is requested to be physically deleted as part of the same flow. In the unlikely event that the auth-provider deletion does not complete on the first try, the identifind-side of the deletion still completes; you will be told and you can email privacy@identifind.ai to finish the auth-provider side.

If you would prefer that the soft-deleted identity record itself be erased (subject to our legal-claims-defense and consent-ledger obligations), email privacy@identifind.ai and we will act on that request consistent with the rights described in "Your privacy rights" below.

How we share information

We share information only as described in this section:

• With the subprocessors that operate the Service. We use the following subprocessors and they are contractually bound to process information only on our behalf and only to provide their part of the Service: Amazon Web Services (AWS) for hosting, storage, compute, email delivery, and the Amazon Rekognition face-matching service (region: US East, N. Virginia); Clerk for identity and authentication; and Vercel for webapp hosting and content delivery for the Next.js application. Each subprocessor has executed a data processing agreement with us. We do not authorize subprocessors to use your personal information for their own purposes.
• With clubs you join. Club organizers can see that you are a member of their club and can see the photos uploaded to their club's galleries. They cannot see your face vector, your reference selfie, or any biometric information.
• With other photographers and club members. They see only what you choose to make visible through your profile and through your activity in the club; they do not see your biometric information.
• For legal reasons. We may disclose information when we believe in good faith that disclosure is required by law, by valid legal process, by a court order, or to protect our rights, your safety, or the safety of others. We will, to the extent permitted by law, notify you of any such disclosure before complying.
• In a business transaction. If we are involved in a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. You will receive notice and an opportunity to make choices about your information before any transfer becomes effective in a way that materially changes how your information is used.

We do not sell your personal information, and we do not share your personal information for cross-context behavioral advertising, as those terms are defined under the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"). We have not done so in the preceding twelve months and we do not intend to do so.

We do not disclose biometric information to any party other than the subprocessor named in the "Biometric Information" section, except as required by valid legal process or with your separate written authorization.

Where your information is stored and processed

We store and process information in the United States, in Amazon Web Services' US East (N. Virginia) region. If you access the Service from outside the United States, your information will be transferred to and processed in the United States. See the "Information for residents of the European Economic Area, United Kingdom, and Switzerland" section below for information about international transfers.

How we secure your information

We use commercially reasonable administrative, technical, and physical safeguards to protect the information we collect, including:

• Encryption in transit (HTTPS / TLS) for all webapp and API traffic.
• Encryption at rest for stored data, using AWS-managed and customer-managed keys as appropriate.
• Access controls limiting employee and contractor access to the minimum needed.
• Audit logging of access to sensitive resources, including biometric information.
• Time-limited access tokens for image delivery, with strict per-user scope.
• Regular security review.

No system is perfectly secure. If we become aware of a security incident affecting your personal information, we will notify you and, where required, the appropriate regulators, consistent with the requirements of applicable law.

How long we keep your information

We retain personal information for as long as your account is active and for a reasonable period afterward to defend legal claims, comply with legal obligations, resolve disputes, and enforce our agreements. Specifically:

• Account profile information (name, email, club memberships): retained for the life of the account.
• Biometric information (face vector, reference selfie): retained per the destruction schedule in the "Biometric Information" section above.
• Communications and support records: retained for up to three (3) years after the last related contact.
• Service-operational logs: retained for up to one (1) year, then aggregated or deleted.
• Records required by law (for example, consent records used to demonstrate compliance with biometric and privacy laws): retained for as long as required by the applicable law, and then destroyed.

If you delete your account, we will delete or de-identify your personal information within a commercially reasonable period (target: thirty days), except for the categories above that we are required or permitted to retain for legal-claims-defense or legal-obligation reasons.

Your privacy rights

You have the following rights with respect to your personal information. Some of these rights are granted by specific state or country laws and apply to residents of those jurisdictions; others we extend to all users of the Service. You can exercise these rights by emailing privacy@identifind.ai, or by using the in-product controls on your /settings page where available.

• Access. You can request a copy of the personal information we hold about you, and the consent records we hold for your biometric consent.
• Correction. You can correct or update inaccurate or incomplete personal information.
• Deletion. You can request deletion of your personal information, including your biometric information. Some information may be retained as described in "How long we keep your information."
• Portability. You can request a copy of your personal information in a structured, commonly used, machine-readable format.
• Revoke biometric consent. You can revoke your consent to face matching at any time, as described in the "Biometric Information" section. Revocation triggers deletion of your face vector and reference selfie.
• Opt out of sale or sharing. We do not sell or share your personal information as defined under the CCPA/CPRA. If we ever change this, we will update this policy and provide a clear opt-out mechanism before any such sale or sharing begins.
• Limit use of sensitive personal information. California residents may direct us to limit our use and disclosure of sensitive personal information (which includes biometric information) to the uses necessary to provide the Service. The face-matching feature itself is opt-in; opting out of biometric processing has the same effect as a request to limit use.
• Non-discrimination. We will not discriminate against you for exercising any of your privacy rights.

We will respond to verifiable requests within the timeframes required by applicable law. For California residents, we will respond to most requests within 45 days, with a 45-day extension where reasonably necessary and where you have been notified. For requests under other state laws or the GDPR, we will respond within the applicable statutory timeframe.

You may authorize an agent to make a request on your behalf, in which case we will require evidence of the authorization and may require you to verify your identity directly with us.

If we are unable to verify your identity, we may decline to act on the request, and we will tell you why.

California residents — CCPA/CPRA disclosures

This section provides additional information for California residents.

Categories of personal information collected, used, disclosed. In the twelve months preceding the date of this policy, we collected the categories listed in "The information we collect" above. These map to the following CCPA/CPRA categories: identifiers (name, email, account identifier, IP address); customer records information (selfie photograph); commercial information (none collected as of this policy); biometric information (face vector, reference selfie); internet or other electronic network activity information (usage logs); geolocation data (approximate region inferred from IP); and inferences drawn from any of the above (none used to create a profile reflecting preferences, behavior, or attitudes for advertising or similar purposes). We treat biometric information as sensitive personal information.

Sources of the information. Directly from you, automatically through your use of the Service, and from our identity provider (Clerk) for authentication-related identifiers.

Business or commercial purposes. Providing and improving the Service; security and fraud prevention; compliance with legal obligations; the specific face-matching purpose set out above.

Recipients of the information. The subprocessors named in "How we share information." We do not sell or share personal information.

Retention. As described in "How long we keep your information." Biometric information is governed by the destruction schedule in the "Biometric Information" section.

California rights. California residents have the rights to know, delete, correct, opt out of sale and sharing, limit use of sensitive personal information, and non-discrimination, as described above. You can exercise these rights by emailing privacy@identifind.ai.

Shine the Light (Cal. Civ. Code §1798.83). We do not share personal information with third parties for their direct marketing purposes.

Residents of other US states with comprehensive privacy laws

If you are a resident of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Florida, Montana, Iowa, Indiana, Delaware, New Jersey, New Hampshire, Nebraska, Minnesota, Maryland, Kentucky, Rhode Island, or any other US state that has enacted a comprehensive consumer privacy law applicable to the Service, you have substantially equivalent rights to those described above, exercisable in substantially the same way. You may have an additional right to appeal a denied request; if you receive a denial that you wish to appeal, reply to the email containing the denial and we will treat it as an appeal.

We treat biometric information as sensitive data under each of these laws and process it only with your opt-in consent, consistent with each state's requirements.

Information for residents of Illinois — BIPA disclosures

The "Biometric Information" section above is the written notice required by 740 ILCS 14/15(b). The destruction schedule in "Our destruction schedule for biometric information" is the written retention schedule and destruction guidelines required by 740 ILCS 14/15(a). The discrete written release required by 740 ILCS 14/15(b)(3) is captured separately at the time you enable face matching, as an affirmative checkbox adjacent to verbatim consent language; a copy of the verbatim text you agreed to is preserved with your consent record and is available to you on request.

We do not sell, lease, trade, or otherwise profit from your biometric information, consistent with 740 ILCS 14/15(c).

Information for residents of the European Economic Area, United Kingdom, and Switzerland

If you are in the EEA, the UK, or Switzerland, the General Data Protection Regulation (or its UK equivalent) applies to our processing of your personal data. For the purposes of those laws, identifind is the controller of your personal data.

Lawful basis. We process your personal data on the following lawful bases: contract performance (Art. 6(1)(b)) for processing necessary to provide the Service you have signed up for; explicit consent (Art. 9(2)(a)) for processing of your biometric data for the face-matching feature, which you give at sign-up and may withdraw at any time without affecting the lawfulness of processing before withdrawal; legal obligation (Art. 6(1)(c)) for processing required to comply with law; and legitimate interests (Art. 6(1)(f)) for security, fraud prevention, and Service operation where those interests are not overridden by your rights and freedoms.

Your rights. You have the rights of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), objection (Art. 21), and not to be subject to a decision based solely on automated processing (Art. 22). You also have the right to withdraw consent at any time and the right to lodge a complaint with a supervisory authority.

International transfers. Personal data is transferred to the United States for processing. Where required, we rely on the European Commission's Standard Contractual Clauses (or the UK equivalents) in our agreements with subprocessors, and on supplementary measures as appropriate.

EU/UK contact. Email privacy@identifind.ai.

Children

The Service is not directed to children under the age of 18 and we do not knowingly collect personal information from anyone under 18. Account sign-up enforces a minimum age. If you believe a child under 18 has provided us with personal information, please contact privacy@identifind.ai and we will delete the information promptly.

Cookies and similar technologies

We use a small number of cookies and similar technologies needed for the Service to function, including authentication cookies set by Clerk to keep you signed in across sessions; short-lived image-access cookies set by our content delivery layer to authorize delivery of your photos for a brief window (no longer than fifteen minutes), scoped to your user account; and preference cookies used to remember your settings within the Service.

We do not use cookies for cross-site advertising or third-party behavioral tracking. Most browsers allow you to manage or block cookies; doing so may prevent parts of the Service from working.

Do Not Track

The Service does not respond to "Do Not Track" browser signals, because there is no widely adopted standard for what compliance with such signals requires. Our practices do not depend on these signals: we do not engage in cross-site behavioral advertising in any case.

Changes to this policy

We may update this policy from time to time. When we do, we will revise the "Last updated" date at the top. Material changes — including any change that would expand the scope of biometric collection or use — will be announced in advance through the Service or by email, and where required by law we will obtain your renewed consent before the change takes effect. The version of the policy in effect at the time of any particular processing is the version that governs that processing.

Contact

For privacy questions, requests under any of the rights described above, or to revoke biometric consent without using the in-product control, email privacy@identifind.ai.

For questions about your use of the Service that are not privacy-specific, see our Terms of Service.