Biometric Data Processing Addendum
Version: 1.0.0
Effective Date: 01 January 2025
Approved By: Placeholder UAB (Lithuania)
Contact: legal@motiw8.com
Jurisdiction: Republic of Lithuania (EU GDPR)
1. Introduction and Purpose
This Biometric Data Processing Addendum ("Addendum") forms part of the Motiw8 Terms & Conditions and Privacy Policy. It defines how Placeholder UAB ("Motiw8", "we", "us") processes biometric identifiers and biometric information as part of our identity verification and fair-play compliance system used for fitness competitions.
This Addendum applies when a user participates in challenges involving financial stakes, high-stakes challenges (≥ €50 / $50), or evidence-based verification requiring the capture of facial images, video, or other biometric signals.
2. Definitions
Biometric Data (GDPR Article 9)
For the purposes of this Addendum, biometric data includes:
- Facial images captured in photos or videos
- Video streams used for face liveness detection
- Facial feature vectors ("embeddings") created by AWS Rekognition Face Compare
- Geometric pattern data derived from face landmarks
- Liveness scores and face similarity scores
Other Data Covered
- Timestamp screenshots (image-based OCR)
- Scale display photos containing visible facial features
- Full-body photos used for participation verification
These all qualify as "biometric identifiers" or "biometric information" when used for identity verification under GDPR Article 9.
3. Legal Basis for Processing
The processing of biometric data is based on:
3.1 GDPR Article 6 lawful bases
- Art. 6(1)(b) – Processing necessary for the performance of a contract (challenge participation, prize eligibility, fraud prevention)
- Art. 6(1)(f) – Legitimate interests of maintaining fair competition and preventing fraud
- Art. 6(1)(a) – Explicit user consent for biometric data processing
3.2 GDPR Article 9 special category basis
Biometric data is processed under:
- Art. 9(2)(a) – Explicit consent for processing biometric data for identity verification
- Art. 9(2)(g) – Processing necessary for substantial public interest (fraud prevention)
Users must provide explicit consent before participating in any evidence verification workflow.
4. Categories of Biometric Data Collected
4.1 Photos
- Scale display close-up photos
- Full-body photos (face visible)
- Timestamp screenshot photos
4.2 Videos
- 3–10 second verification videos for liveness detection
- Face movement recording during identity confirmation
4.3 Derived / Computed Biometric Data
- Facial embeddings stored in Supabase
- Face similarity scores
- Liveness scores
- OCR-extracted numerical values (scale weight)
5. Purposes of Processing
Biometric data is processed strictly for the following purposes:
- Identity verification in challenges involving financial stakes
- Ensuring that the user submitting evidence is the same user who joined the challenge
- Preventing fraud, cheating, identity manipulation, and impersonation
- Verifying timestamps and proof of real-time submission
- Calculating challenge results fairly and accurately
- Confirming eligibility for payouts
No biometric data is used for marketing, advertising, automated profiling, or any purpose unrelated to fair-play verification.
6. Data Processors and Transfers
6.1 AWS Rekognition
Motiw8 uses AWS Rekognition (EU-central-1, Frankfurt) for:
- Face Liveness v7.0
- CompareFaces
- DetectText
- DetectModerationLabels
- DetectLabels
AWS acts as a data processor under a DPA. All processing is ephemeral except:
- Face embeddings stored in the Rekognition collection for comparison
6.2 Supabase (Database)
- Stores face embeddings and verification metadata
- Stores evidence files (photos/videos)
- Stores risk flags and verification results
6.3 Stripe (Optional KYC)
When KYC is activated, Stripe Identity may process face images for ID verification.
6.4 Cross-border transfers
All biometric processing is performed exclusively in the EU (Frankfurt). Backups stored outside the EU use SCCs and supplementary measures.
7. Retention Periods
| Data Type | Retention |
|---|---|
| Photos (baseline, weekly, final) | 180 days after challenge end |
| Videos (verification) | 90 days after challenge end |
| Timestamp images | 180 days |
| Face embeddings (vectors) | Retained until user deletes account or requests erasure |
| Verification results | 3 years (fraud analysis) |
| Risk flags | 3 years |
Users may request deletion of all biometric identifiers at any time via legal@motiw8.com.
8. User Rights
Users have the right to:
- Access all biometric data processed
- Request deletion ("right to be forgotten")
- Withdraw consent at any time
- Request correction of erroneous verification results
- Object to processing where applicable
- Request restriction of processing
- File complaints with the Lithuanian DPA
Withdrawal of consent may result in inability to participate in verification-required challenges.
9. Security Measures
- Encrypted storage (AES-256 at rest)
- Encrypted transfer (TLS 1.2+)
- Limited IAM permissions (least privilege)
- Signed URL access to evidence files
- Supabase RLS policies for all biometric tables
- Automatic purge jobs for old evidence
- No biometric data used for machine-learning training
10. Withdrawal of Consent
Users may withdraw consent at any time. However, withdrawing consent:
- Prevents continued participation in verification-based challenges
- May invalidate eligibility for payouts
- Does not affect previous lawful processing
11. Contact
Email: legal@motiw8.com
Supervisory Authority: Lithuanian State Data Protection Inspectorate