Centro legal

Biometric Information Privacy Policy

1. Purpose

The purpose of this policy is to ensure that Blockchain.com Inc. (the “Company”) complies with its legal requirements under the Illinois Biometric Information Privacy Act (“BIPA”). This policy outlines the procedures that the Company follows for the collection, use, storage, and destruction of an individual’s biometric data.

This web version of this Policy is made publicly available on the Company’s website.

2. Scope

This policy applies to all biometric identifiers and biometric information (collectively, “biometric data”) collected, stored, or used by Blockchain.com Inc. When the Company engages a vendor or third-party service provider to perform services involving biometric data on behalf of the Company, the Company ensures that the provider meets the requirements of this Policy.

3. Definitions

4. Requirements

4.1 Notice and Written Release

The Company, or its vendors, inform an individual in writing that biometric data is being collected and stored. The Company also informs the individual in writing of the specific purpose and length of term for which the biometric data is being collected, stored, and used. The Company obtains a Written Release from the individual before collecting any biometric data.

4.2 Purpose Limitation

The Company collects and uses biometric data for the sole purpose of identity verification and account security, including fraud prevention and compliance with regulatory requirements. The Company does not use biometric data for any other purpose without obtaining separate consent.

4.3 Data Retention and Destruction

The Company retains biometric data only until the initial purpose for its collection has been satisfied, or for three (3) years following an individual’s last interaction with the Company, whichever occurs first. Upon expiration of the retention period, the Company permanently destroys the biometric data using a secure method.

4.4 Prohibition on Sale and Disclosure

The Company does not sell, lease, trade, or otherwise profit from an individual’s biometric data. Further, the Company does not disclose or disseminate biometric data to any third party unless it obtains the individual’s consent or the disclosure is required by law or a valid court order or the disclosure is made to complete a financial transaction requested or authorized by the individual.

When the Company engages a vendor or third-party service provider to perform services all vendor contracts include obligations requiring the vendor to: (i) comply with BIPA; (ii) follow this Policy’s retention and destruction schedule; (iii) implement appropriate security measures; and (iv) refrain from selling, disclosing, or otherwise profiting from biometric data.

4.5 Data Security

The Company uses a reasonable standard of care to store, transmit, and protect biometric data from disclosure. This standard of care will be the same as, or more protective than, the manner in which the Company stores, transmits, and protects its other confidential and sensitive information. The Company is ISO 27001:2022 certified and has successfully completed SOC 2 Type 2 audits, evidencing its adherence to recognized international standards of information security and biometric data protection.

5. Changes to the Policy

The Company regularly reviews this Policy and reserves the right to modify it at any time in accordance with applicable laws. Any changes and clarifications will take effect immediately upon their publication on our website. Please review the Policy from time to time to stay updated on the changes.