pepelwerk Biometric Data Consent Effective Date: July 1, 2026 This Biometric Data Consent and Policy ("Biometric Consent") describes how pepelwerk ("pepelwerk," "we," "us," or "our") collects, captures, receives, creates, processes, uses, stores, retains, discloses, and protects certain Biometric Data in connection with pepelwerk websites, software, applications, products, accounts, transactions, services, employer, education, government, marketplace, program management, identity verification, analytics, security, and business activities (collectively, the "Services"). pepelwerk may collect, capture, receive, create, process, use, store, retain, disclose, and protect Biometric Data only as described in this Biometric Data Consent and Policy, in our Terms of Service, in our Privacy Policy, and as permitted or required by applicable law. Biometric Data will not be used to train general-purpose artificial intelligence models unless explicitly disclosed, authorized, and permitted by applicable law.
1. Consent and Authorization
Consent Required. pepelwerk will collect, capture, receive, process, use, store, or disclose Biometric Data only after the individual has received clear notice and provided explicit, informed, affirmative consent through a clear authorization mechanism, except where a different basis is permitted or required by applicable law. Where applicable law requires express, written, electronic, opt-in, separate, or additional consent, pepelwerk will seek that consent before collecting or processing Biometric Data covered by that law. Continued use of the platform alone does not constitute consent for biometric processing. How Consent Is Given. Consent may be provided by selecting "I Agree," signing electronically, completing a biometric verification process after receiving this notice, or using another express authorization mechanism made available by pepelwerk. Any consent obtained under this section authorizes pepelwerk to collect, use, process, store, and disclose Biometric Data only for the purposes described in this Biometric Consent, the Data Privacy Policy, applicable pepelwerk service terms, and as permitted or required by applicable law. What Happens If No Consent Is Provided. If an individual does not provide required biometric consent, pepelwerk may be unable to provide certain identity verification, account security, fraud prevention, credentialing, wallet access, marketplace participation, transaction verification, program participation, or other Services that depend on biometric verification. Where available, pepelwerk may offer a reasonable alternative verification method, subject to security, fraud-prevention, legal, and operational requirements. Withdrawal Right. Individuals may request withdrawal of consent for future processing. Withdrawal does not affect processing that occurred prior to the request or retention required for legal, security, or contractual obligations. Withdrawal may prevent pepelwerk from providing certain Services that depend on biometric verification. Requests involving deletion, destruction, restriction, or retention of Biometric Data are addressed in the Retention, Deletion and Destruction section.
2. What Is Biometric Data
For purposes of this Biometric Consent, "Biometric Data" means biometric identifiers, biometric information, biometric templates, biometric measurements, biometric- derived data, and similar information that is based on or derived from an individual’s physical, biological, physiological, or behavioral characteristics and that is used, or intended to be used, to identify, verify, authenticate, secure, or provide pepelwerk Services to that individual. Biometric Data may include, where collected or processed by pepelwerk or its authorized service providers: facial geometry, faceprints, identity images or photographs used to create or compare biometric templates, photographic matching data, video or liveness-check data, voiceprints, iris or retina scans, fingerprints, palmprints, hand geometry, gait, keystroke or device-interaction patterns, fraud- prevention signals, identity-verification signals, and other biometric identifiers or biometric information defined by applicable law. pepelwerk does not collect genetic, DNA, health diagnostic, or biological-sample data as part of its standard identity verification, account security, marketplace, wallet, program management, or workforce analytics services unless a separate pepelwerk service expressly describes that collection and the individual provides any legally required separate authorization. If pepelwerk later offers or integrates a service involving genetic, genotype, health-related, biological-sample, or similarly sensitive data, pepelwerk will provide additional notice and obtain separate consent where required by law before collecting or processing that data. Behavioral or device signals will only be treated as Biometric Data where they are used to uniquely identify or authenticate an individual and where required by applicable law.
3. What Biometric Data We Collect
When a user signs up or uses the Services we may collect the following Biometric Data: Facial Biometrics and Identity Images: pepelwerk may ask or require you to upload, capture, or submit a government-issued identification document, other identity document, photographic image, selfie, video, liveness check, or similar image or recording through a mobile device, computer, kiosk, partner system, or other technology. pepelwerk may use these materials and related measurements to create, compare, validate, or store facial geometry, faceprints, liveness indicators, fraud prevention signals, identity assurance records, eligibility records, account integrity records, and related biometric templates or biometric-derived data. pepelwerk may use these materials to verify identity, support background check or eligibility workflows, prevent fraudulent or duplicate accounts, secure transactions, support user authentication, improve Services, and provide other disclosed functionality permitted by law. Images should depict your real self and should not include memes, caricatures, avatars, or other images that are not intended to identify you accurately. Voiceprints and Audio Biometrics: pepelwerk may ask or require you to provide a voice recording, participate in a recorded call, use audio features, or otherwise submit speech or audio that may be used to create or compare a voiceprint or other voice- related biometric signal. pepelwerk may use voice-related Biometric Data for identity verification, authentication, fraud prevention, account protection, service delivery, support quality, transaction verification, accessibility, security, and other disclosed business purposes. Genetic, Genotype, Health-Related, or Biological Data: If pepelwerk offers, receives, processes, or integrates services involving genetic, genotype, health-related, biological, or similar sensitive data, pepelwerk will collect and use that information only as disclosed, as authorized by the user, as necessary to provide the requested Services, or as otherwise permitted by applicable law. pepelwerk will not disclose individual-level genetic or biological data to an employer, insurer, public database, or other third party for employment, insurance underwriting, eligibility denial, or unrelated marketing purposes without legally valid authorization, unless disclosure is required by valid legal process or applicable law. Device, Behavioral, and Usage Signals: pepelwerk may collect device, usage, behavioral, liveness, fraud prevention, and security signals for account integrity, security, fraud prevention, software performance, analytics, or service improvement. Behavioral or device signals will only be treated as Biometric Data where they are used to uniquely identify or authenticate an individual and where required by applicable law.
4. How We Use Biometric Data
pepelwerk may use Biometric Data for the following purposes, each of which is intended to be reasonably necessary, proportionate, and consistent with the Services and applicable law: Biometric Data is used for identity verification, authentication, security, fraud prevention, and for making recommendations on certain activities, features and functions. Final decisions are at the discretion of the end user.
- To verify your identity when you visit the website, create an account, access an
account, enroll in a program, request Services, complete onboarding, participate in a transaction, or interact with pepelwerk, its customers, partners, or software;
- To authenticate account use, software use, electronic signatures, transactions,
program participation, communications, and access to restricted features or data;
- To detect, investigate, prevent, and respond to fraud, duplicate accounts,
unauthorized access, impersonation, misuse, abuse, security incidents, identity theft, and violations of pepelwerk policies or contracts;
- To comply with legal, contractual, regulatory, audit, tax, grant, government, law
enforcement, dispute resolution, and risk management obligations, including valid legal process where disclosure is not prohibited by law;
- To create, improve, test, validate, secure, monitor, and operate pepelwerk
products, software, workforce and skills services, Community Data, personalization, matching, eligibility, identity assurance, and service quality systems, using personal, de-identified, aggregated, pseudonymized, or non- personally identifying data as permitted by law. pepelwerk does not use biometric identifiers or biometric information to train general-purpose artificial intelligence models unless separately disclosed, authorized, and permitted by law. De- identified, aggregated, or pseudonymized information derived from verification activity may be used only where it cannot reasonably identify a specific individual and where permitted by applicable law and contractual safeguards.
- To protect pepelwerk, its users, customers, employers, educational institutions,
government agencies, workforce partners, service providers, affiliates, and the public from harm, fraud, unauthorized access, data misuse, improper payments, ineligible benefits, account compromise, and other risks.
5. Limited Disclosure of Biometric Data
pepelwerk may disclose Biometric Data only as reasonably necessary for one or more limited purposes: identity verification, authentication, security, fraud prevention, eligibility confirmation, program compliance, legally required reporting, service delivery, response to valid legal process, preservation or enforcement of rights, prevention of harm, or other purposes expressly authorized by the user or permitted by applicable law. Any disclosure must be limited to the data reasonably necessary for the applicable purpose and subject to applicable law, required consent, confidentiality obligations, security safeguards, and strict contractual limitations where appropriate.
- pepelwerk customers, sponsors, employers, educational institutions, workforce
partners, government agencies, benefit administrators, or program administrators, but only to the extent reasonably necessary for identity verification, security, fraud prevention, eligibility confirmation, program compliance, legally required reporting, service delivery, or user-authorized purposes tied to the applicable program, transaction, account, or Service;
- Service providers, processors, contractors, vendors, cloud hosting providers,
identity verification providers, security providers, customer support providers, and other operational providers, but only to provide, secure, support, verify, monitor, or operate authorized Services for the limited purposes described above, and only under restrictions that prohibit use of Biometric Data except to provide the authorized service, protect security, comply with law, or follow pepelwerk’s documented instructions;
- Courts, regulators, auditors, law enforcement, government authorities, legal
counsel, successors, assigns, acquirers, or other legally authorized recipients, but only where legally required or reasonably necessary to comply with applicable law, respond to valid legal process, make legally required reports, preserve evidence, enforce or defend legal rights, complete a permitted corporate transaction, prevent fraud, address unauthorized access or security incidents, or protect against harm. pepelwerk does not sell, lease, trade, or otherwise profit from biometric identifiers or biometric information. pepelwerk will not disclose Biometric Data for unrelated advertising, unrelated marketing, employment discrimination, insurance underwriting, or similar purposes without legally valid authorization. pepelwerk may disclose de- identified, aggregated, pseudonymized, or non-personally identifying information that cannot reasonably be used to identify a specific individual, subject to applicable law and contractual safeguards.
6. Retention, Deletion and Destruction
pepelwerk retains Biometric Data only for as long as reasonably necessary to satisfy the purpose for which it was collected or obtained, provide the Services, maintain account and transaction integrity, prevent fraud, comply with legal, regulatory, contractual, audit, tax, grant, recordkeeping, dispute resolution, security, and risk management obligations, or protect pepelwerk, its users, customers, partners, and the public. Unless a shorter period is required by applicable law, Biometric Data associated with personally identifiable information may be retained for the longer of: (i) the period necessary to provide the Services or maintain the account, transaction, program, or business relationship; (ii) the period required by law, contract, audit, government program, or dispute preservation obligation; or (iii) up to seven and one- half years after the user’s last interaction with pepelwerk, account deactivation, or termination of the applicable business relationship. pepelwerk will permanently delete, destroy, or, where permitted by applicable law, de- identify Biometric Data associated with an identifiable individual when the initial purpose for collecting or obtaining the Biometric Data has been satisfied and no lawful retention basis remains. De-identification may be used as a destruction alternative only when the resulting data is not reasonably capable of identifying, authenticating, or being linked to a specific individual and is maintained subject to appropriate safeguards. Where applicable law requires a shorter retention period, earlier destruction, or a specific destruction method, pepelwerk will follow the legally required standard. For Illinois residents, pepelwerk will destroy covered Biometric Data when the initial purpose for collecting or obtaining the data has been satisfied or within three years of the individual’s last interaction with pepelwerk, whichever occurs first, unless retention is required by applicable law, valid legal process, or a litigation hold. pepelwerk may retain de-identified, aggregated, pseudonymized, or non-personally identifying data derived from Biometric Data where permitted by applicable law, provided that such data is not reasonably capable of identifying a specific individual and is maintained subject to appropriate contractual, technical, and organizational safeguards. pepelwerk may decline, limit, or delay a deletion, destruction, restriction, or revocation request where retaining or using Biometric Data is reasonably necessary to complete a pending transaction, verification, program, service request, or contract; maintain account integrity, identity assurance, security, fraud prevention, auditability, or compliance records; comply with legal, regulatory, contractual, government, tax, grant, recordkeeping, or law-enforcement obligations; preserve evidence; investigate misconduct; prevent harm, fraud, unauthorized access, improper payments, or misuse; protect pepelwerk, its users, customers, partners, service providers, or the public; or exercise, establish, or defend legal claims. If pepelwerk denies, limits, or delays a deletion, destruction, restriction, or revocation request, pepelwerk will explain the reason where required by applicable law and will apply the request to the extent legally and operationally permitted.
7. Storage and Security
pepelwerk will store, transmit, and protect Biometric Data using reasonable administrative, technical, and physical safeguards appropriate to the sensitivity of the data and consistent with applicable law. These safeguards may include encryption in transit and at rest, access controls, authentication controls, role-based permissions, vendor due diligence, contractual restrictions, monitoring, logging, employee training, incident response procedures, secure deletion practices, and separation or minimization of personally identifying information where practical. pepelwerk’s practices are intended to align with leading technology and sensitive-data practices, including clear notice, user control where feasible, limited purpose use, encryption, restricted access, de-identification where appropriate, and separate authorization for sensitive research or data sharing where required by law.
8. Alignment With Current Biometric Privacy Practices
pepelwerk’s biometric practices are designed to reflect the current legal environment in which biometric and genetic information is treated as sensitive data under a growing patchwork of state privacy laws. pepelwerk’s approach is informed by leading practices used by technology, software, identity, voice, facial recognition, and genetic- data companies, including practices such as: clear notice before collection; consent or opt-in where required; user control where feasible; limited use for disclosed product, security, identity, fraud prevention, or service purposes; encryption and access restrictions; retention and deletion schedules; separate authorization for sensitive research or third-party sharing where required; and de-identification or aggregation before using data for product improvement when appropriate.
9. Changes to Terms, Usage and Consent
pepelwerk reserves the right to change or modify this Biometric Consent at any time. If pepelwerk makes material changes involving Biometric Data, we may provide notice through the website, account interface, email, in-product notice, updated policy posting, or another legally valid method. Material changes that require new or additional consent under applicable law will apply to covered Biometric Data only after the individual provides the required consent through the authorization process described in the Consent and Authorization section. If this Consent conflicts with the Terms of Use or another applicable written agreement, the Terms of Use or applicable written agreement controls to the extent of the conflict.