Privacy Policy
PalmID Service GDPR-Compliant Privacy Policy
Last Updated: 01/06/2026

This Privacy Policy describes how Redrock Biometrics (“we”, “us”, “PalmID”) processes biometric information when providing the PalmID Service to third-party customers under the EU General Data Protection Regulation (GDPR). PalmID is designed from the ground up as a fully anonymized biometric matching system that does not store personal data or personally identifiable information (PII).

This document is intended for third-party organizations (“Controllers”) that integrate PalmID into their products or services.

1. Data Controller and Data Processor Roles

1.1 Redrock Biometrics as Processor

Redrock Biometrics acts as a Data Processor under GDPR. We process biometric signatures solely on documented instructions from the Controller.

1.2 Third-Party Customers as Controllers

Organizations that integrate PalmID into their systems act as Data Controllers and are responsible for establishing a legal basis for biometric processing, obtaining user consent where required, and complying with GDPR obligations.

2. Categories of Data Processed

PalmID is engineered to process only anonymized biometric signatures.

2.1 Biometric Signatures (Non-Identifiable)

The PalmID Edge SDK captures palm images on the user’s device and converts them into proprietary biometric signatures. These signatures:
- Cannot be reversed to reconstruct palm images.
- Cannot identify a person without external data held by the Controller.
- Are stored in the PMS using system-generated random user identifiers.

2.2 Random User IDs

The PMS assigns a randomly generated user ID. No personal identifiers (names, emails, phone numbers) are stored.

2.3 Optional Low-Resolution Palm Images

When explicitly requested by the Controller, PalmID may store low-resolution palm images for audit or claim resolution.

2.4 Anonymized Matching Logs

Upon Controller request, PalmID may store anonymized logs of matching requests and outcomes.

3. Purposes and Legal Basis of Processing

3.1 Purposes

PalmID processes biometric signatures exclusively to provide:
- Registration of biometric records
- Verification (1:1 matching)
- Identification (1:N matching)
- Deletion of biometric records

3.2 Legal Basis

Controllers typically rely on explicit consent or legitimate interest/security purposes as permitted by law. PalmID acts on the Controller’s documented instructions (GDPR Art. 28).

4. Data Minimization and Anonymization

PalmID is designed to:
- Avoid storing personal data in the PMS.
- Exclude personal attributes from logs.
- Maintain only anonymized biometric signatures.

PalmID cannot identify an individual without additional data from the Controller.

5. Security Measures (GDPR Art. 32)

We implement robust technical and organizational measures, including:
- Encryption of biometric data at rest and in transit
- Strict access control and authentication
- Isolation of PMS environments
- Prevention of biometric signature export via APIs

Redrock Biometrics may access biometric signatures only with explicit Controller authorization.

6. Access to Data

6.1 Access by Redrock Biometrics

Redrock Biometrics may access biometric signatures only for:
- Fraud investigation
- Security or accuracy improvement

Such access requires explicit Controller authorization.

6.2 Access by Third Parties

PalmID does not share biometric signatures with any third parties.

7. International Data Transfers

If PMS servers are hosted outside the EEA, Controllers are responsible for ensuring appropriate safeguards such as Standard Contractual Clauses or adequacy decisions.

8. Data Retention and Deletion

Biometric signatures are retained only as required by the Controller. Deletion occurs via the PMS API upon Controller request. Redrock Biometrics does not retain independent backups of deleted records.

9. End-User Rights

As PalmID stores no personal data and cannot identify individuals, end-users must exercise GDPR rights (access, rectification, erasure, restriction, portability, objection) directly with the Controller.

PalmID provides technical means to support these rights, such as record deletion.

10. Responsibilities of the Controller

Controllers are responsible for:
- Establishing a lawful basis for processing biometric data
- Providing user-facing privacy notices
- Managing all PII associated with biometric enrollment
- Ensuring full compliance with GDPR and other applicable laws

PalmID provides anonymized biometric matching; Controllers remain responsible for personal data.

11. Changes to This Policy

Redrock Biometrics may update this Privacy Policy periodically. Controllers will be notified of material changes.

12. Contact Information

For GDPR inquiries or Data Processing Agreements (DPAs), contact:

Redrock Biometrics – PalmID Service
contact@redrockbiometrics.com

Appendix: Data Processing Agreement (DPA)

1. Subject Matter and Duration

This Data Processing Agreement (DPA) governs the processing of biometric signatures and related anonymized data by Redrock Biometrics (Processor) on behalf of the Controller. The DPA remains in effect for the duration of the service relationship.

2. Nature and Purpose of Processing

The Processor provides biometric matching services, including registration, verification, identification, and deletion of anonymized biometric signatures. No personal data is stored or processed unless provided indirectly by the Controller.

3. Types of Data and Data Subjects

* Data types: Anonymized biometric signatures, random user IDs, optional low-resolution palm images, anonymized matching logs.
* Data subjects: End-users of the Controller’s system. The Processor has no ability to identify data subjects.

4. Obligations of the Controller

The Controller shall:
- Provide lawful instructions for processing under GDPR Articles 6 and 9.
- Ensure biometric processing is supported by a valid legal basis.
- Provide all required privacy notices to end-users.
- Maintain PII mapping outside of the PalmID system.
- Manage end-user rights requests.

5. Obligations of the Processor

The Processor shall:
- Process data only on documented Controller instructions.
- Implement appropriate security measures under GDPR Art. 32.
- Ensure personnel confidentiality.
- Assist the Controller in fulfilling GDPR obligations where technically feasible.
- Notify the Controller of any personal data breach without undue delay.
- Not subcontract processing without prior written authorization.

6. Security Measures

Security measures include:
- Encryption at rest and in transit.
- Strict access control and authentication.
- Controlled and logged access to PMS environments.
- Prohibition on exporting biometric signatures via API.

7. Subprocessors

The Processor may use subprocessors for infrastructure hosting. A current list shall be provided upon request. The Processor remains responsible for subprocessors’ compliance with GDPR.

8. International Data Transfers

International transfers shall comply with GDPR Chapter V using SCCs or other approved safeguards. The Processor will provide relevant documentation upon request.

9. Assistance with Data Subject Rights

Because the Processor stores no personal data and cannot identify users, it can only support the Controller by:
- Deleting biometric signatures upon instruction.
- Providing logs or confirmations tied to Controller-provided user IDs.

10. Audits and Inspections

The Controller may audit the Processor’s compliance through:
- Review of available documentation, or
- A mutually agreed remote or onsite audit, subject to reasonable notice and non-disruption requirements.

11. Data Deletion or Return

Upon termination of service, the Processor shall delete all biometric signatures and anonymized logs unless retention is required by law. No data is returned, as PalmID stores no PII.

12. Liability and Indemnification

Each party is responsible for compliance with its respective GDPR obligations. The Controller indemnifies the Processor for any misuse of PalmID contrary to this DPA.

13. Governing Law

This DPA is governed by the laws applicable to the main service agreement between the Controller and Processor.

Appendix: US-Specific Addendum (CCPA/CPRA, BIPA, Texas Capture Act)

This US-Specific Addendum supplements the Privacy Policy and DPA for Controllers operating within the United States or processing data of US residents. It addresses compliance obligations under the California Consumer Privacy Act (CCPA/CPRA), the Illinois Biometric Information Privacy Act (BIPA), and emerging state biometric regulations including the Texas Capture or Use of Biometric Identifier Act (CUBI).

1. CCPA/CPRA (California)

PalmID functions as a Service Provider to the Controller. Under CCPA/CPRA:
- PalmID does not collect or store personal information, and does not sell or share data.
- Biometric signatures processed by PalmID are anonymized and cannot identify an individual without Controller-held data.
- Any personal information (names, emails, identifiers) remains solely in the Controller’s systems.
- PalmID uses data exclusively for providing contracted services.

1.1 Assistance with Consumer Rights

Because PalmID stores no personal information:
- All access, deletion, or correction requests must be directed to the Controller.
- PalmID will support the Controller by deleting biometric signatures upon instruction.

1.2 No Sale or Sharing of Data

PalmID does not:
- Sell biometric information.
- Share biometric information for cross-contextual advertising.
- Use biometric information for independent commercial purposes.

2. BIPA (Illinois)

PalmID is designed to meet and exceed BIPA’s requirements. Specifically:
- PalmID stores only anonymized biometric signatures and no PII.
- PalmID cannot identify an individual without external data held by the Controller.

2.1 Written Release

The Controller is fully responsible for obtaining a written release from users prior to biometric collection.

2.2 Notice and Retention Schedule

PalmID supports retention limits through:
- Controller-managed user ID and enrollment lifecycle.
- PMS API deletion functionality.

2.3 No Disclosure

PalmID does not disclose biometric data to third parties except:
- With Controller authorization, or
- As required by law.

2.4 Biometric Data Security

PalmID uses:
- Encryption at rest and in transit,
- Access-control restrictions,
- Logging and anomaly monitoring.

3. Texas Capture or Use of Biometric Identifier Act (CUBI)

PalmID supports compliance with Texas CUBI by ensuring:
- Biometric identifiers are used only with Controller authorization.
- No biometric identifiers are sold, leased, or traded.
- Biometric data is destroyed upon Controller instruction.

4. Other State Biometric Laws

If the Controller operates in states with biometric privacy statutes (e.g., Washington, Colorado, Maryland), the Controller is responsible for ensuring:
- Adequate notice and consent mechanisms,
- Compliance with retention and destruction requirements,
- Fulfillment of any state-specific user rights.

PalmID provides the technical means to support these obligations but does not manage end-user identity.

5. Liability Allocation

The Controller is solely responsible for:
- Managing PII associated with biometric data,
- Obtaining consent,
- Providing notices,
- Maintaining legal compliance.

PalmID remains responsible only for anonymized biometric processing and security controls within its technical domain.

6. Conflicts

Where this Addendum conflicts with other sections of the Privacy Policy or DPA, the interpretation most protective of data subjects under applicable US law shall prevail.