Privacy Policy of Luxand, Inc.
Effective Date: February 26, 2025 Last Updated: February 26, 2025
1. Introduction
Luxand, Inc. ("Luxand," "we," "us," or "our") provides facial recognition technology, AI image generation services, and related software products. We are committed to protecting the privacy of individuals whose data we process.
This Privacy Policy explains what personal data we collect, how we use it, who we share it with, how long we retain it, and what rights you have. It applies to all Luxand websites, products, and services, including:
- luxand.cloud — Cloud-based Face Recognition API
- BabyFaceGenerator.com (and similar entertainment services such as Luxand BabyMaker and in20years.co) — AI-powered image generation
- liveness.luxand.com — Passive liveness detection
- Luxand FaceSDK — On-premises face recognition SDK
- Luxand mobile applications
- luxand.com — Corporate website
This policy does not cover third-party websites or services linked from our sites. We encourage you to review the privacy policies of any third-party services you use.
2. Data Controller
Luxand, Inc. 700 N Fairfax Street, Suite 614C Alexandria, VA 22314 United States
Contact: info@luxand.com
For purposes of the EU General Data Protection Regulation ("GDPR"), Luxand, Inc. is the data controller. For purposes of US state privacy laws, Luxand, Inc. is the business that collects your personal information.
3. Types of Data We Collect
Depending on which Luxand products and services you use, we may collect the following categories of personal data:
Account and Contact Data
- Name, email address, phone number, company name, country, mailing address
- Account credentials (username, password hash)
- Payment and billing information (processed by third-party payment providers; we do not store full payment card numbers)
Biometric Identifiers and Biometric Information
- Facial recognition templates (mathematical representations of facial geometry) extracted from photographs uploaded to the Luxand.cloud Face API
- Photographs uploaded for biometric analysis, including liveness detection at liveness.luxand.com and face enrollment via the Luxand.cloud API
- Associated metadata (person UUIDs, face UUIDs, creation dates, last activity dates)
Photographs (Non-Biometric)
- Photographs uploaded to entertainment services (BabyFaceGenerator.com, BabyMaker, in20years.co) for AI image generation — no biometric identifiers are extracted from these photographs
Device and Technical Data
- Device type, operating system, browser type and version
- IP address, approximate geographic location (city/region level)
- Device identifiers (UDID, advertising identifiers such as IDFA or Google Advertising ID)
- Camera, photo library, and storage permissions (when granted by you on mobile devices)
Usage Data
- Pages visited, features used, timestamps, session duration
- API usage logs (request timestamps, endpoints called, API key used)
- App interaction data (collected via analytics SDKs)
Cookies and Tracking Technologies
- Cookies, web beacons, pixels, and similar tracking technologies
- See Section 12 (Cookies and Tracking Technologies) for details
4. Product-Specific Data Practices
4.1. Luxand.cloud Face API
What this service does: Luxand.cloud is a cloud-based API that enables customers to detect faces in photographs, extract facial recognition templates, enroll faces for recognition, and perform face matching, verification, and search operations.
BIOMETRIC DATA NOTICE: The Luxand.cloud Face API collects and stores biometric identifiers and biometric information as defined under applicable biometric privacy laws, including the Illinois Biometric Information Privacy Act (740 ILCS 14/1 et seq.). Specifically, the API extracts and stores scans of face geometry (facial recognition templates) from photographs uploaded by API customers.
What we collect:
- Photographs uploaded via the API for face detection, recognition, and enrollment
- Facial recognition templates (mathematical representations of facial geometry) extracted from uploaded photographs
- Person metadata (person UUID, name if provided, creation date, last activity date)
- Face metadata (face UUID, associated person, creation date)
- API usage logs (request timestamps, endpoints called, API key used)
How we use it: Facial recognition templates are created and stored solely to provide face recognition, verification, and search services as requested by the API customer. We do not use biometric data for any other purpose. We do not sell, lease, trade, or otherwise profit from biometric identifiers or biometric information. Biometric data is not used for advertising, marketing, or any form of behavioral targeting.
Customer obligations: Luxand.cloud is a business-to-business (B2B) service. API customers are responsible for:
- Providing all notices required by applicable law to individuals whose biometric data is processed through the API
- Obtaining all required consents (including written consent where required by law) from those individuals before enrolling their biometric data
- Complying with all applicable biometric privacy laws in the jurisdictions where they operate
- See our Terms of Service for detailed customer compliance obligations
Retention:
- Default retention: 1 year from the last API activity (enrollment, update, match, or verification) referencing that template
- Maximum retention: 3 years from last activity, regardless of customer configuration
- Customers may configure shorter retention periods via their account settings
- See Section 6 (Biometric Data Retention and Destruction Policy) for full details
Deletion: Customers can delete biometric data at any time using the deletion endpoints provided in the API. Upon account termination, all associated biometric data is permanently destroyed within 30 days.
Data storage and sharing: Biometric data is stored on servers located in the United States, hosted by Amazon Web Services (AWS), Google Cloud, or IBM Cloud. These hosting providers act as service providers / data processors under contract and are prohibited from using biometric data for their own purposes. We do not share biometric data with any other third parties except as required by law.
4.2. Entertainment Services (BabyMaker, BabyFaceGenerator.com, in20years.co)
What these services do: Our entertainment services, including Luxand BabyMaker, BabyFaceGenerator.com, and in20years.co, use AI image generation technology (Stable Diffusion) to create entertainment images — such as predicted baby photos or aged/future appearance photos — based on photographs you upload.
No biometric processing: These services use AI image generation to process and transform your uploaded photographs into entertainment images. No facial geometry is extracted, no biometric templates are created, and no biometric identifiers or biometric information (as defined under BIPA or other biometric privacy laws) are collected or stored through these services.
What we collect:
- Photographs you upload for image generation
- Generated output images (e.g., baby photos, aged photos)
How we use it: Uploaded photographs are used solely to generate the requested entertainment images. We do not use your uploaded photographs for advertising, marketing, training AI models, or any purpose other than providing the requested service.
Retention:
- Uploaded photographs and generated images: retained for the duration of your account, so you can access them at any time
- Upon account deletion or termination, all associated photographs and generated images are permanently deleted within 90 days
Data storage and sharing: Photographs are processed and stored on servers located in the United States, hosted by Amazon Web Services (AWS), Google Cloud, or IBM Cloud. Your uploaded photographs are not shared with any third parties other than these hosting infrastructure providers. We do not sell your photographs.
Deletion: You can delete individual photos or generated images through your account. To delete your account and all associated data, or for any other deletion requests, contact us at info@luxand.com.
4.3. Passive Liveness Detection (liveness.luxand.com)
What this service does: The passive liveness detection service at liveness.luxand.com allows users to test our liveness detection algorithm by uploading photographs.
BIOMETRIC DATA NOTICE: When you upload photographs to liveness.luxand.com, your photographs are analyzed for biometric characteristics (facial liveness indicators). This constitutes the collection and processing of biometric information as defined under applicable biometric privacy laws.
What we collect:
- Photographs you upload (including both real and simulated/spoofed images)
- Technical parameters of your browser or device (device type, camera type, browser type)
How we use it: Uploaded photographs are used to perform the liveness detection check. If you separately consent to algorithm improvement, your photographs may also be used to train, test, and validate our passive liveness detection algorithms. We do not use your photographs for advertising, marketing, or any other purpose. We do not sell your photographs.
Consent: Before uploading photographs, you will be asked to:
- Consent to the liveness check (required): You consent to Luxand analyzing your photos for biometric characteristics (facial liveness indicators) to perform the liveness check, and confirm that you have read this Privacy Policy and our Terms of Service.
- Consent to algorithm improvement (optional): You may separately consent to Luxand retaining and using your photos to train, test, and validate liveness detection algorithms. This consent is not required to use the service.
Your consent is the legal basis on which we rely when processing your photographs. You may withdraw your consent at any time by contacting us at info@luxand.com.
Retention:
- With algorithm improvement consent: Photos are retained for up to 1 year from the date of upload, then permanently deleted via automated purge
- Without algorithm improvement consent: Photos are deleted within 90 days of upload
- Photographs are not associated with your name or email address; however, they may be associated with technical parameters of your browser or device
- See Section 6 (Biometric Data Retention and Destruction Policy) for full details
Data storage and sharing: Photographs are stored on servers located in the United States, hosted by Amazon Web Services (AWS), Google Cloud, or IBM Cloud. We do not transfer or disclose your photographs to any third parties other than these hosting infrastructure providers, which act as service providers under contract. We do not sell your photographs.
Deletion: If you wish to request deletion of your photographs, contact us at info@luxand.com with details sufficient to identify your submission (e.g., approximate date and time of upload, device used). We will make commercially reasonable efforts to locate and delete your photographs. Because photographs are not linked to identifying information, we may not always be able to locate specific photos; however, all photographs are automatically purged after 1 year (or 90 days if algorithm improvement consent was not given).
4.4. Luxand FaceSDK
What this service does: Luxand FaceSDK is an on-premises, cross-platform software development kit for face recognition. The SDK runs entirely on the customer's own hardware and infrastructure. Luxand does not receive, process, or store any biometric data (facial templates, photographs, or face geometry) through FaceSDK.
What we collect: When you download and use Luxand FaceSDK, we automatically collect the following device information for license activation purposes:
- Device type and hardware identifier
- Operating system name and version
- IP address
- License key used for activation
- Information about other Luxand license keys
- Software and hardware configuration
How we use it: This information is used solely for license activation, enforcement, and product compatibility purposes. It is not used for advertising or marketing.
Biometric data: Luxand does not collect, receive, store, or process any biometric data through FaceSDK. All biometric processing occurs on the customer's own infrastructure. Customers deploying FaceSDK are solely responsible for complying with all applicable biometric privacy laws, including providing notices, obtaining consents, and establishing retention and destruction policies. See our [FaceSDK License Agreement] for customer compliance obligations.
4.5. Mobile Applications
What we collect: When you download and use our mobile applications, we automatically collect:
- Device type, operating system version, device identifier (UDID)
- Advertising identifier (IDFA on iOS, Google Advertising ID on Android)
- App usage analytics via Facebook SDK and AppsFlyer SDK
How we use it: Device and usage data is used for app analytics, performance monitoring, and advertising attribution. Advertising identifiers may be shared with advertising partners for ad measurement and attribution purposes — see Section 8 (Third-Party Services) for details.
Push notifications: Our mobile applications may send push notifications for service updates, marketing communications, or location-based alerts. You can opt out of push notifications at any time through your device settings.
4.6. Website and Account Services
When you visit our websites, create an account, contact us, or subscribe to communications, we collect:
- Information you provide directly: name, email address, phone number, company name, country, website URL
- Information collected automatically: IP address, browser type, device information, pages visited, usage patterns
- Cookies and tracking technologies — see Section 12
5. How We Use Your Data
We use personal data for the following purposes:
Providing our services
- Operating the Luxand.cloud Face API, entertainment services, liveness detection, FaceSDK, and mobile applications as described in Section 4
- Processing payments and managing subscriptions
- Providing customer support
Improving our services
- Analyzing usage patterns to improve product features and performance
- Testing and improving algorithms (e.g., liveness detection accuracy), using only data for which we have obtained consent
Communications
- Sending transactional emails (account confirmations, API usage notifications, password resets)
- Sending marketing communications (newsletters, product updates) — you may opt out at any time
Advertising and analytics
- Measuring advertising effectiveness via conversion tracking pixels
- Analyzing website traffic and user behavior via analytics tools
- Displaying targeted advertisements on third-party platforms based on your interactions with our websites (this applies to website usage data only — biometric data, photographs, and liveness data are never used for advertising)
Security and fraud prevention
- Protecting against unauthorized access, spam, and abuse
- Bot detection and CAPTCHA verification
Legal compliance
- Complying with applicable laws and regulations
- Responding to legal process and law enforcement requests
6. Biometric Data Retention and Destruction Policy
This policy applies to biometric identifiers and biometric information collected, stored, or processed by Luxand, Inc. through its services, as required by the Illinois Biometric Information Privacy Act (740 ILCS 14/15(a)), the Colorado biometric identifier amendments (Colo. Rev. Stat. 6-1-1314), and other applicable biometric privacy laws.
6.1. What We Store
| Data Type | Service | Description |
|---|---|---|
| Facial recognition templates | Luxand.cloud Face API | Mathematical representations of facial geometry extracted from photographs |
| Photographs for biometric analysis | liveness.luxand.com | Photos uploaded for liveness detection testing |
| Template metadata | Luxand.cloud Face API | Person UUID, face UUID, creation date, last activity date |
We do NOT store biometric identifiers or biometric information in connection with:
- BabyFaceGenerator.com, BabyMaker, or in20years.co (entertainment services — no biometric extraction)
- Luxand FaceSDK (all processing occurs on customer infrastructure)
6.2. Retention Schedule
| Data Type | Default Retention | Maximum Retention | Basis |
|---|---|---|---|
| Luxand.cloud face templates | 1 year from last API activity referencing that template (enrollment, update, match, or verification) | 3 years from last activity | Purpose satisfaction + legal compliance |
| Luxand.cloud template metadata | Same as associated template | Same as associated template | Linked to template lifecycle |
| Liveness detection photos (with training consent) | 1 year from upload date | 1 year | Algorithm training, testing, and validation |
| Liveness detection photos (without training consent) | 90 days from upload | 90 days | Service delivery only |
| Entertainment service photos | Duration of user account | 90 days after account deletion | User-accessible content |
- "Last API activity" means the most recent API call that referenced a specific template, including enrollment, update, match, verification, or search operations.
- Customers may configure shorter retention periods for Luxand.cloud templates via their account settings.
- Luxand reserves the right to apply a default retention period and to purge inactive data, subject to reasonable notice to customers.
6.3. Destruction Guidelines
- When the purpose for collecting biometric data has been satisfied, or upon expiration of the applicable retention period (whichever comes first), biometric data will be permanently destroyed.
- Destruction methods include secure deletion from primary databases and removal of backup copies within 30 days of primary deletion.
- Upon customer account termination, all associated biometric data will be permanently destroyed within 30 days.
- Automated purge processes run on a regular schedule to enforce retention limits.
6.4. How to Request Deletion
- Luxand.cloud customers: Use the deletion endpoints provided in the API documentation for immediate deletion.
- Liveness demo users: Contact info@luxand.com. All liveness photos are also automatically purged after 1 year.
- General requests: Contact info@luxand.com.
6.5. Prohibition on Sale of Biometric Data
Luxand does not sell, lease, trade, or otherwise profit from biometric identifiers or biometric information. Biometric data is not disclosed to any third party for advertising, marketing, or any commercial purpose. The only third parties that may come into contact with biometric data are our hosting infrastructure providers (AWS, Google Cloud, IBM Cloud), which act as service providers / data processors under contract and are prohibited from using biometric data for their own purposes.
7. Legal Bases for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data on the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Providing services you requested | Performance of a contract (Art. 6(1)(b) GDPR) |
| Processing biometric data (luxand.cloud, liveness) | Explicit consent (Art. 9(2)(a) GDPR) |
| Processing photos for entertainment services | Performance of a contract (Art. 6(1)(b) GDPR) |
| Analytics and service improvement | Legitimate interests (Art. 6(1)(f) GDPR) |
| Marketing communications | Consent (Art. 6(1)(a) GDPR) |
| Legal compliance | Legal obligation (Art. 6(1)(c) GDPR) |
| Security and fraud prevention | Legitimate interests (Art. 6(1)(f) GDPR) |
You may withdraw consent at any time by contacting info@luxand.com. Withdrawal of consent does not affect the lawfulness of processing performed before withdrawal.
8. Third-Party Services and Data Sharing
We disclose personal data to the following categories of recipients. Disclosure to service providers acting on our behalf under written contract does not constitute a "sale" or "sharing" of personal information under California or other US state privacy laws.
8.1. Service Providers (Data Processors)
These companies process data on our behalf under contract. They are prohibited from using your data for their own purposes.
| Category | Providers | Data Processed |
|---|---|---|
| Cloud infrastructure and hosting | Amazon Web Services (AWS), Google Cloud, IBM Cloud | All stored data, including biometric data |
| Content delivery and security | Cloudflare | Traffic data, IP addresses |
| Payment processing | PayPal, Stripe, PayPro Global | Payment and transaction data |
| Email delivery | Sendgrid | Email addresses, email content |
| Customer relationship management | Close.io | Customer contact data (names, emails, phone numbers, company info) |
| Productivity and communication | Google Workspace | Internal email and documents |
8.2. Third Parties — Analytics
These companies receive data for their own analytics purposes. Disclosure of data to analytics providers may constitute a "sale" under certain US state privacy laws. You have the right to opt out — see Section 10.
| Provider | Data Shared |
|---|---|
| Google Analytics (including GA4, Universal Analytics) | Cookies, usage data, IP address (anonymized where applicable) |
| Amplitude Analytics | Cookies, usage data |
| AppsFlyer | App usage data, device identifiers |
| Branch Attribution | App usage data, cookies |
| Meta Events Manager | Usage data, trackers |
| Facebook Analytics for Apps | App usage data, trackers |
8.3. Third Parties — Advertising ("Sale" and/or "Sharing")
We share website and app usage data with these companies for advertising, remarketing, and conversion measurement. This constitutes a "sale" and/or "sharing" of personal information under California law (CCPA/CPRA) and may constitute a "sale" or use for "targeted advertising" under other US state privacy laws. You have the right to opt out — see Section 10.
Biometric data, photographs, liveness data, and facial recognition templates are NEVER shared with advertising partners.
| Provider | Purpose | Data Shared |
|---|---|---|
| Google Ads, Google Ad Manager, Google AdSense | Ad serving, conversion tracking, remarketing | Cookies, usage data, trackers |
| Meta/Facebook (Audience Network, Lookalike Audience, Custom Audience, Remarketing) | Ad targeting, conversion tracking, remarketing | Cookies, usage data, device identifiers, email address (Custom Audience) |
| LinkedIn (conversion tracking, Website Retargeting) | Conversion tracking, remarketing | Cookies, usage data, device information |
| Microsoft Advertising (including Universal Event Tracking) | Ad serving, conversion tracking | Cookies, usage data, trackers, device identifiers |
8.4. Third Parties — Social Features and Content
These third-party services provide social features, content display, or interactive functionality on our websites. They may set their own cookies and collect usage data.
| Provider | Purpose | Data Shared |
|---|---|---|
| Facebook Comments | User commenting on content | Cookies, usage data |
| Facebook Like button and social widgets | Social interaction | Cookies, usage data |
| YouTube video widget | Embedded video content | Cookies, usage data |
| Google reCAPTCHA | Bot detection and spam protection | User interaction data (mouse movements, keystrokes, scroll patterns), cookies |
8.5. Biometric Data — Sharing Restrictions
Biometric data (facial recognition templates, photographs used for biometric analysis) is NOT sold, shared, or disclosed to any third party for advertising, marketing, analytics, or any other commercial purpose. The only entities that process biometric data on our behalf are our hosting infrastructure providers listed in Section 8.1, which act as service providers / data processors under contract.
8.6. Other Disclosures
We may also disclose personal data:
- To comply with law: In response to a subpoena, court order, or other legal process, or to comply with applicable laws or regulations
- To protect rights and safety: To protect the rights, property, or safety of Luxand, our users, or others
- In a business transfer: In connection with a merger, acquisition, reorganization, or sale of assets, in which case we will notify you of any change in ownership or control of your personal data
- With your consent: When you have given us specific permission to share your data
9. Data Transfers
Luxand is based in the United States. If you are located outside the United States, your personal data will be transferred to and processed in the United States. We implement appropriate safeguards for international data transfers:
- EU/EEA/UK/Switzerland: We rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other applicable transfer mechanisms under GDPR
- Other jurisdictions: We comply with applicable data transfer requirements under local law
10. US State Privacy Rights
This section applies to residents of US states with applicable privacy laws, including California, Virginia, Colorado, Connecticut, Texas, Oregon, Nevada, Delaware, Iowa, New Hampshire, New Jersey, Nebraska, Tennessee, Minnesota, Maryland, Indiana, Kentucky, Rhode Island, Montana, Utah, Arkansas, and other states with comprehensive privacy laws in effect.
10.1. Notice at Collection (California)
The following table identifies the categories of personal information we have collected in the preceding 12 months, the purposes for collection, the retention period, and whether that category is sold, shared for cross-context behavioral advertising, or used for targeted advertising.
| Category | Examples of PI Collected | Purposes | Retention | Sold or Shared | Targeted Advertising |
|---|---|---|---|---|---|
| Identifiers | Name, email, phone, IP address, account ID, device identifiers, advertising IDs | Providing services, account management, analytics, advertising, communications | Duration of account relationship + 3 years, or as required by law | Yes (advertising identifiers shared with ad partners) | Yes (advertising identifiers used for ad targeting) |
| Commercial information | Purchase records, subscription data, payment history | Payment processing, account management, communications | Duration of account relationship + 7 years (financial records) | No | No |
| Internet or other electronic network activity information | Browsing history, pages visited, search queries, cookies, usage data, trackers | Analytics, advertising, service improvement, security | 26 months (analytics data) or duration of cookie | Yes (shared with analytics and advertising partners) | Yes (used by advertising partners for ad targeting) |
| Geolocation data | Approximate location (city/region from IP) | Service delivery, analytics, security | 26 months (analytics data) | No | No |
| Biometric information | Facial recognition templates (luxand.cloud), photographs analyzed for biometric characteristics (liveness detection) | Providing Luxand.cloud Face API services, liveness detection testing | 1 year from last activity (templates, max 3 years); 1 year (liveness photos with training consent) or 90 days (without) | No | No |
| Audio, electronic, visual, or similar information | Photographs uploaded to entertainment services (BabyMaker, BabyFaceGenerator, in20years.co) | AI image generation entertainment services | Duration of user account; deleted within 90 days of account deletion | No | No |
| Inferences | Bot likelihood scores (from Cloudflare, reCAPTCHA) | Security, spam protection | Duration of session | No | No |
Sensitive Personal Information: We collect the following categories of sensitive personal information:
- Biometric information (facial recognition templates, liveness detection photos) — used solely to provide our face recognition and liveness detection services as described in Section 4. We do not use biometric information for advertising or any purpose other than providing the requested service. You have the right to limit the use of your sensitive personal information — see Section 10.3 below.
- Account credentials (username/password) — used solely for account access and authentication
10.2. Your Rights
Depending on your state of residence, you may have some or all of the following rights:
- Right to know / right of access: Request information about what personal data we collect, use, disclose, and sell, and obtain a copy of your personal data
- Right to correct: Request correction of inaccurate personal data
- Right to delete: Request deletion of your personal data
- Right to data portability: Receive your personal data in a portable, usable format
- Right to opt out of sale: Direct us not to sell your personal information
- Right to opt out of sharing / targeted advertising: Direct us not to share your personal information for cross-context behavioral advertising or use it for targeted advertising
- Right to limit use of sensitive personal information: Direct us to limit our use of sensitive personal information (including biometric data) to only what is necessary to provide the services you requested
- Right to non-discrimination: We will not discriminate against you for exercising your privacy rights
- Right to appeal: If we deny your request, you may appeal by contacting us
Additional rights by state:
- Minnesota and Maryland: You have the right to obtain a list of specific third parties to which we have disclosed your personal data
- Minnesota: You have specific rights related to profiling, including the right to question profiling results, be informed of the reasons for profiling decisions, and review personal data used in profiling
- Colorado: You have the right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects
10.3. How to Exercise Your Rights
To exercise any of the rights described above, contact us at:
- Email: info@luxand.com
- Subject line: "Privacy Rights Request — [Your State]"
We will verify your identity before processing your request. We will respond within the timeframe required by applicable law (generally 45 days, with extensions as permitted by law). We do not charge a fee to process your request unless the request is manifestly unfounded or excessive.
To opt out of Sale, Sharing, and Targeted Advertising:
- Contact us at info@luxand.com, or
- Use the privacy choices link on our websites, or
- Submit a request via a user-enabled Global Privacy Control (GPC) signal — we will honor GPC signals
Note: Opting out of sale/sharing/targeted advertising will stop us from sharing your website usage data with advertising partners. It does not affect our use of your data for providing the services you requested (including biometric processing, which is never used for advertising in any case).
10.4. Categories of Sources
We collect personal information from:
- Directly from you: When you create an account, upload photos, use our API, contact us, or fill out forms
- Automatically: Through cookies, analytics tools, and similar technologies when you interact with our websites and applications
- From third parties: Analytics and advertising partners (e.g., Google Analytics, Meta) may provide us with usage insights and advertising performance data
10.5. California "Do Not Sell or Share My Personal Information"
We sell or share (for cross-context behavioral advertising) only the following categories of personal information, and only with the advertising and analytics partners listed in Sections 8.2 and 8.3:
- Identifiers (advertising identifiers, device IDs)
- Internet or other electronic network activity information (cookies, browsing data, usage data)
We do NOT sell or share:
- Biometric information
- Photographs or visual information
- Payment or commercial information
- Geolocation data
- Inferences drawn from personal information for security purposes
10.6. State-Specific Notices
Illinois (BIPA): If you are a resident of Illinois, we collect and store biometric identifiers and biometric information (scans of face geometry / facial recognition templates) through the Luxand.cloud Face API and liveness detection service. We do not sell, lease, trade, or otherwise profit from biometric identifiers or biometric information. Our Biometric Data Retention and Destruction Policy is set forth in Section 6. Customers of Luxand.cloud are contractually required to provide written notice and obtain written consent from individuals before enrolling their biometric data.
Texas (CUBI): We do not capture biometric identifiers for a commercial purpose without first providing notice and obtaining consent. Biometric data is destroyed within a reasonable time, not to exceed 1 year after the purpose for collection expires, unless a longer retention period is required by law. Customers of Luxand.cloud are contractually required to provide notice and obtain consent before capturing biometric identifiers.
Washington (Biometric Identifiers Law, RCW 19.375): We do not enroll biometric identifiers in a database for a commercial purpose without providing notice and obtaining consent, or providing a mechanism to prevent subsequent commercial use. Customers of Luxand.cloud are contractually required to comply with these requirements.
Washington (My Health My Data Act, RCW 19.373): Biometric data is included in the definition of "consumer health data" under the Washington My Health My Data Act. We collect biometric data only with notice and consent, do not sell biometric data, and comply with the deletion and access requirements of this law.
New York City (Biometric Identifier Information Law): Customers deploying Luxand products in commercial establishments within New York City must comply with the NYC Biometric Identifier Information Law, including posting conspicuous signage disclosing the collection of biometric identifier information. Luxand does not sell, lease, trade, or share biometric identifier information for profit.
Colorado (Biometric Identifier Amendments): Our written biometric identifier policy, including retention schedule and destruction guidelines, is set forth in Section 6. We obtain informed consent before collecting biometric identifiers through our services.
Maryland (MODPA): We do not sell sensitive personal data, including biometric information.
Portland, OR (Facial Recognition Ordinance): Customers deploying Luxand facial recognition products must comply with all applicable local ordinances, including the Portland Facial Recognition Ordinance, which prohibits the use of facial recognition technology by private entities in places of public accommodation within the City of Portland. It is the customer's responsibility to determine whether their use case is subject to this ordinance.
11. European Privacy Rights (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the GDPR:
- Right of access (Art. 15) — obtain a copy of your personal data
- Right to rectification (Art. 16) — correct inaccurate personal data
- Right to erasure (Art. 17) — request deletion of your personal data
- Right to restriction of processing (Art. 18) — restrict how we use your data
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable format
- Right to object (Art. 21) — object to processing based on legitimate interests or for direct marketing
- Right to withdraw consent (Art. 7) — withdraw consent at any time for processing based on consent (including biometric data processing)
- Right to lodge a complaint — with your local data protection authority
To exercise these rights, contact us at info@luxand.com. We will respond within 30 days (extendable by 60 days for complex requests).
Data Processing Agreements: We maintain Data Processing Agreements (DPAs) with our data processors as required by Article 28 GDPR. To request a copy of our DPA, contact info@luxand.com.
12. Cookies and Tracking Technologies
We use cookies and similar tracking technologies on our websites for the following purposes:
| Category | Purpose | Examples | Consent Required |
|---|---|---|---|
| Strictly necessary | Website functionality, security, authentication | Session cookies, CSRF tokens, Cloudflare security | No (required for site operation) |
| Analytics | Understanding website usage and performance | Google Analytics, Amplitude | Yes |
| Advertising | Serving relevant ads and measuring ad effectiveness | Google Ads, Meta Pixel, LinkedIn Insight Tag, Microsoft UET | Yes |
| Functionality | Remembering your preferences | Language, display preferences | Yes |
You can manage your cookie preferences through our cookie consent tool. You may also control cookies through your browser settings.
For more information, see our Cookie Policy.
13. Data Security
We implement industry-appropriate technical and organizational security measures to protect personal data against unauthorized access, disclosure, alteration, or destruction, including:
- Encryption of data in transit (TLS) and at rest
- Access controls and authentication requirements
- Regular security assessments
- Secure deletion procedures for biometric data (see Section 6)
No method of transmission or storage is 100% secure. If you have reason to believe your data has been compromised, contact us immediately at info@luxand.com.
14. Children's Privacy
Our services are not directed to children under the age of 16 (or the applicable age of consent in your jurisdiction). We do not knowingly collect personal data from children. If we learn that we have collected personal data from a child without appropriate consent, we will take steps to delete that data promptly. If you believe a child has provided us with personal data, contact us at info@luxand.com.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Post the updated policy on this page with a revised "Last Updated" date
- Notify you by email (if we have your email address) or by prominent notice on our websites
- Where changes affect processing based on consent (including biometric data processing), obtain new consent as required by applicable law
We encourage you to review this policy periodically.
16. Contact Us
If you have any questions about this Privacy Policy, our data practices, or your rights, contact us at:
Luxand, Inc. 700 N Fairfax Street, Suite 614C Alexandria, VA 22314 United States
Email: info@luxand.com
For privacy rights requests, please include "Privacy Rights Request" in your email subject line and specify your state or country of residence.
17. Additional Jurisdictions
17.1. Brazil (LGPD)
If you are located in Brazil, you have rights under the Lei Geral de Protecao de Dados (LGPD), including the right to access, correct, delete, and port your personal data, and the right to revoke consent. To exercise these rights, contact info@luxand.com.
17.2. Switzerland (FADP)
If you are located in Switzerland, your personal data is protected under the Federal Act on Data Protection (FADP). You have rights similar to those described in Section 11 (European Privacy Rights). To exercise these rights, contact info@luxand.com.
This privacy policy was last updated on February 26, 2025.