PersonaX
Sign in

Biometric Privacy

Biometric Data Privacy Notice

Prepared pursuant to the Illinois Biometric Information Privacy Act (740 ILCS 14), the California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100–1798.199.100), and the Washington My Health MY Data Act (RCW 70.372).

Effective date: 1 January 2025

01. Who This Notice Applies To

This notice applies to all individuals who are residents of Illinois, California, Washington, Texas, or any other US state with a biometric or general privacy law, and who use PersonaX Digital Content Services ('PersonaX', 'we', 'us'). If you reside outside the United States, please refer to our KVKK Privacy Notice (Turkey) or Privacy Policy.

02. What Biometric Data We Collect

PersonaX collects the following categories of biometric data:

  • Voice samples and derived voice frequency patterns ('biometric voice identifier') — collected during the digital twin onboarding process
  • Facial geometry data extracted from face-reference video recordings ('biometric face identifier') — collected during the digital twin onboarding process
  • Digital voice and avatar profiles derived from the above

03. Purpose and Use of Biometric Data

We collect biometric data solely for the following purposes:

  • Creating, testing, and operating your personalized AI voice clone for approved content production
  • Creating, testing, and operating your digital avatar for approved video production
  • Verifying identity for content approval workflows
  • No biometric data is used for advertising, profiling, or any purpose outside your service agreement

04. Illinois BIPA — Specific Disclosures (740 ILCS 14)

If you are an Illinois resident, the following disclosures apply in addition to the general provisions above:

Written Release

PersonaX collects biometric data only after obtaining a written release from you. The consent form you signed during onboarding constitutes the written release required by BIPA Section 15(b).

Retention Schedule

PersonaX retains biometric data for the shorter of: (a) 3 years from the date of collection, or (b) 30 days after the termination of your service agreement, or (c) 30 days after you withdraw consent. Upon reaching the retention limit, biometric data is destroyed using a NIST 800-88-compliant deletion method.

Prohibition on Sale or Profit

PersonaX will not sell, lease, trade, or profit from your biometric data. Biometric data is shared with third-party AI providers (ElevenLabs, HeyGen, Tavus, etc.) solely for service delivery under data processing agreements that prohibit independent use.

Disclosure to Third Parties

PersonaX will not disclose your biometric data to any party other than the AI providers listed in Section 6 of this notice, unless: (a) you consent in writing; (b) disclosure is required by state or federal law; or (c) disclosure is required to complete a financial transaction you requested.

BIPA Enforcement

Illinois residents have a private right of action under BIPA. Liquidated damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation are available. PersonaX has designed this compliance program specifically to meet BIPA's requirements and avoid violations.

05. California CCPA/CPRA — Specific Disclosures

If you are a California resident, the following disclosures apply:

Sensitive Personal Information

Under Cal. Civ. Code § 1798.121, biometric voice and facial geometry data constitutes Sensitive Personal Information (SPI). PersonaX uses SPI only to the extent necessary to provide the services you have contracted for.

Your Right to Limit Use

You have the right to direct PersonaX to limit the use of your SPI to the purposes necessary to deliver the requested service. To exercise this right, contact support@mypersonax.com.

No Sale or Sharing

PersonaX does not sell, share, or disclose your biometric data to third parties for cross-context behavioral advertising.

Right to Delete

You may request deletion of your biometric data at any time. PersonaX will fulfill deletion requests within 45 days and will confirm deletion in writing.

06. Washington My Health MY Data Act — Specific Disclosures

If you are a Washington resident, biometric data derived from voice and facial recordings may constitute regulated health data under RCW 70.372. PersonaX complies as follows:

  • We will not sell your biometric health data without your valid authorization.
  • You have the right to withdraw consent at any time. Upon withdrawal, your biometric data will be deleted within 30 days.
  • We will not use a geofence to collect biometric data near health-related facilities.
  • To exercise your rights, contact support@mypersonax.com.

07. Third-Party AI Providers

PersonaX transfers biometric data to the following service providers solely for the purpose of producing your contracted content. Each provider has signed a Data Processing Agreement (DPA) restricting use to your service scope:

  • Voice synthesis: ElevenLabs Inc. (USA), Cartesia AI Inc. (USA), PlayHT Inc. (USA)
  • Avatar and video production: HeyGen Inc. (USA), Tavus Inc. (USA), Synthesia Ltd. (UK), D-ID Ltd. (Israel)
  • All transfers are governed by Standard Contractual Clauses where applicable
  • No provider may use your biometric data to train general-purpose AI models without separate written authorization from you

08. Data Security

  • Biometric data is stored in isolated storage environments, separate from other client data
  • All stored biometric files are protected by AES-256 encryption
  • Access is restricted by role-based access control (RBAC) to personnel with a specific need
  • All access events are recorded in immutable audit logs
  • Data in transit is protected by TLS 1.2 or higher

09. Retention and Destruction Schedule

Published at this URL pursuant to BIPA Section 15(a):

  • Voice biometric data: destroyed at the earlier of 3 years from collection, 30 days after termination, or 30 days after consent withdrawal
  • Facial biometric data: destroyed at the earlier of 3 years from collection, 30 days after termination, or 30 days after consent withdrawal
  • Derived profiles (voice clone, avatar model): destroyed within 30 days of termination or consent withdrawal
  • Destruction method: cryptographic erasure of encryption keys + secure deletion per NIST 800-88
  • Audit records confirming destruction: retained for 7 years

10. How to Exercise Your Rights

To exercise any right described in this notice, submit a written request to support@mypersonax.com with your full name and the email address associated with your PersonaX account. We will respond within:

  • Illinois BIPA requests: within 30 days
  • California CCPA requests: within 45 days (extendable to 90 days with notice)
  • Washington MHMD requests: within 30 days
  • All other requests: within 30 days
  • We will not discriminate against you for exercising privacy rights.

11. Changes to This Notice

PersonaX may update this notice to reflect legislative changes or service updates. Material changes will be communicated by email at least 30 days before taking effect. The current version is always available at mypersonax.com/bipa-notice.

Biometric privacy inquiries

support@mypersonax.com
PersonaX