Biometric Information Privacy Policy and Notice

Thumbies, LLC (“Thumbies”, "Company", "we", "us", "our") has established this Biometric Information Privacy and Security Policy (“Policy”) to define its policy and procedures for collection, use, safeguarding, storage, retention, and destruction of biometric data collected by or provided to the Company as a result of the Company’s operations, its Partners, and customers designing, creating and purchasing products and/or services. It is the Company’s policy to protect biometric data of its customers and potential customers (“Customers”) in accordance with the applicable laws regarding biometric information and privacy including, but not limited to laws of Arkansas, California, Illinois, Texas and Washington.

To be clear, the Company’s Partners are responsible for developing and ensuring that their own practices comply with applicable law regarding biometric data and information.

Biometric Data Defined

As used in this Policy, “Biometric data” means personal information about an individual’s physical characteristics used to identify that person, specifically including “biometric identifiers” and “biometric information” as defined in the Illinois Biometric Information Privacy Act, 740 ILCS § 14/1, et seq. “Biometric identifier” means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. “Biometric information” means any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s Biometric identifier used to identify an individual. “Biometric data” also includes biometric information, as defined by Cal. Civil Code 1798.140(b), meaning “an individual's physiological, biological, or behavioral characteristics, including an individual's deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity...this includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.”

Under current laws and case law, Biometric data, Biometric identifiers and Biometric Information does not include information of deceased individuals or pets. Even though Biometric data, identifiers and information do not include the Prints or information of deceased individuals or pets, Thumbies will still strive to keep Prints and information of deceased individuals and pets confidential. Additionally, should there be any change in law that provides additional protection to the Prints or information of deceased individuals or pets, Thumbies will update this Biometric Privacy policy and its practices to comply with such.

Purpose and Procedure

Thumbies makes jewelry, keepsakes and other products. Customers can use the Company’s services to design and/or purchase products from the Company that include an individual’s fingerprint, handprint, foot-prints, handwriting, soundwave/voice/audio recording, pet print and/or other user-generated print, photo/image, and/or audio recording (“Print”) that is provided by the customer. The Print submitted by customers are often from a deceased loved one. The Company uses its proprietary process and software to create a mold and/or imprint of the Print that is used to create products purchased by the customer. The Print and information collected by the Company may be considered to be Biometric data or information, but it is not used by the Company to identify the individual whose fingerprint, handprint, foot-print, handwriting, soundwave/voice/audio recording, pet print and/or other user-generated print, photo/image, and/or audio recording is provided by the customer.

When a customer seeks to design a product or service using an Print, they can use the Company’s Website, Mobile App, electronic devices, paper application or other medium or have a Partner of the Company use an electronic device, paper application or other medium to provide the Print that the customer wants to use. The Print is collected, stored, used, disclosed and/or transmitted by the Company and/or its Partners to design, create, and process orders and/or purchases of products for the customer and/or individual whose data it is (or their authorized legal representative). The Company will not sell, lease, or trade any Print that it collects or receives from its Partners or directly from customers, except for with respect to designing, creating and processing products for the customer that provided the Print.

Out of an abundance of caution and to ensure complete disclosure to its customers the Company and its Partners will take the following actions when collecting, reviewing, capturing, using or otherwise obtaining an individual’s fingerprint, handprint, foot-prints, handwriting, soundwave/voice/audio recording, pet print and/or other user-generated print, photo/image, and/or audio recording from a customer:

  1. Inform the customer and individual (or authorized legal representative of the individual) whose information is being provided and used to design or make a product, in writing that the Company and its Partners may be collecting, capturing, using or otherwise obtaining information that could be considered Biometric data.
  2. Inform the customer and individual (or authorized legal representative of the individual) whose information is being provided and used to design or make a product, of the specific purpose and length of time for which the Company collects, stores and uses information that could be considered Biometric data.
  3. Obtain a written consent signed by the customer and/or individual (or the individual’s legally authorized representative) whose Biometric Information is being used authorizing the Company and its DCS vendor to collect, store, use, and/or retain information that could be considered Biometric data for the specific purposes disclosed by the Company, and for the Company to provide such information to its vendors.

When the information is for a deceased individual, the written consent to store, use and retain the Print must be provided by the legal personal representative of the deceased estate or in charge of the decedent’s property (i.e. executor, administrator, surviving spouse, appointed by court, etc.).

Disclosure

Other than to create the products that a customer wants to purchase, the Company will not sell, lease, trade, or otherwise profit from Prints or any other the information that could be considered Biometric data that it or its Partners collect.

The Company will not disclose or disseminate any Print or any other the information that could be considered Biometric data to anyone, other than with the Company’s Partner who collected it, to allow customers to design products using their Print and in creating a product purchased by a customer, without/unless:

  • First obtaining written consent from the customer who provided it and individual whose information it is to such disclosure or dissemination;
  • The disclosed data completes a financial transaction requested or authorized by the customer and/or and the individual’s whose information it is;
  • Disclosure is required by state or federal law or municipal ordinance; or
  • Disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.

The Company will take commercially reasonable measures to confirm its Partner that collects Print of or for a customer does not sell, lease, trade, or otherwise profit from any biometric data of the customer or the individual that the Print is collected from; provided, however, that Company may pay its Partner for services of collecting and transmitting the information to the Company.

Data Storage

The Company shall use a commercially-reasonable standard of care when storing, transmitting and in protecting from disclosure, any Print or any other the information that could be considered Biometric data collected. Such storage, transmission, and protection from disclosure shall be performed in a manner that is the same as or more protective than the manner in which the Company stores, transmits and protects from disclosure other confidential and sensitive information, including personal information that can be used to uniquely identify an individual.

Retention Schedule

Except as otherwise provided, the Company shall retain customer’s Prints and any information that could be considered Biometric data only until the first of the following occurs:

  • The initial purpose for collecting or obtaining such Print or information that could be considered Biometric Data has been satisfied, such as the customer requesting that the Print be permanently destroyed; or
  • For Prints that could be considered Biometric data – the customer does not interact with the Company for three (3) years, such as logging into their account, using their account to design a product or purchases a product through their account.
  • For Prints of deceased individuals and/or pets that is not Biometric data - the customer does not interact with the Company for ten (10) years, such as logging into their account, using their account to design a product or purchase a product through their account.

Once one of those events occurs, the Company will destroy the data that it is storing and will request that its Partners and any Service Providers permanently destroy such data, unless required to be preserved under federal, state or local laws.

Policy Modifications

This Policy replaces and supersedes all previous policies related to Prints and/or biometric information. The Company reserves the right to modify this Policy at any time. In the event the Company expands its use of biometric information or begins collecting biometric information for any additional purpose, the Company will update this policy, and require an additional consent. Nothing in this policy creates any contractual obligations or any greater obligations, protections, or liabilities than required by applicable law between the Company and any customer, especially with respect to any information or Prints that are not considered Biometric information or data.