← Legal center

Biometric Data Policy

Effective Date: | Last Updated:

Counsel review note: This policy is a product-level template describing how the Aion assistive system handles biometric information. It is not legal advice and must be reviewed, localized, and finalized by qualified counsel before publication or reliance. Consent language, retention periods, and jurisdictional scope must be confirmed for each market in which Aion is offered.

1. Purpose and Scope

This Biometric Data Policy explains how Xheight (, "Xheight," "we," "our," or "us") collects, uses, stores, protects, and destroys biometric identifiers and biometric information processed through Aion assistive AI and companion software (collectively, "Aion"). It is intended to satisfy, among other requirements, the Illinois Biometric Information Privacy Act ("BIPA") and Article 9 of the EU General Data Protection Regulation ("GDPR"), which treat biometric data used to uniquely identify a person as a special category of personal data.

Aion is designed for people who are blind or have low vision. This policy should be read together with our Privacy Policy and our Data Rights page.

2. Biometric Identifiers We Process

"Biometric identifiers" and "biometric information," as used in this policy, refer to the following data derived from a person's physiological characteristics:

  • Face embeddings: mathematical vector representations computed from a facial image. These are not photographs; they are numeric templates used to compare one face against another.
  • Voiceprints: mathematical vector representations of the acoustic characteristics of a person's voice, used to distinguish one speaker from another.

We do not use biometric identifiers for advertising, profiling, scoring, surveillance, law-enforcement, or any purpose other than the single assistive purpose described below.

3. Single Assistive Purpose

Biometric identifiers are processed for one purpose only: to help a blind or low-vision user of Aion recognize people the user has chosen to remember, so that Aion can announce who is present. This restores a capability that sighted people rely on every day and is central to the accessibility function of the product.

Recognition operates only against the individual user's own private set of remembered people. Biometric templates are never shared, pooled, or matched across users, devices, sessions, or tenants.

4. Consent: Explicit, Opt-In, and Revocable

Biometric processing is strictly opt-in. Aion does not create, store, or match any biometric identifier unless the user has first provided explicit, informed, written consent through an accessible consent flow. The person-recognition feature is off by default.

  • Consent is obtained before any biometric identifier is captured or stored.
  • The consent flow is presented in an accessible format (audio and screen-reader compatible) so it is meaningful for blind and low-vision users.
  • Consent discloses what is collected, the single purpose, how long it is retained, and how to withdraw it.
  • You may use Aion's core vision, reading, and navigation features without enabling person recognition.
  • Users must be at least 16 years old to consent to biometric processing.

Sample consent statement (illustrative only; final wording subject to counsel review):

"I authorize Xheight to collect and store a face embedding and/or voiceprint derived from images and audio I choose to save, solely so that Aion can help me recognize the people I add. I understand these biometric identifiers are stored encrypted and pseudonymized, are never sold or shared, and are permanently deleted when I remove the person, disable recognition, delete my account, or after the retention period stated in this policy. I understand I can withdraw this consent at any time."

5. How We Protect Biometric Data

Aion uses a hybrid edge and cloud architecture. Face and voice embeddings are computed on the device and are protected using the following safeguards:

  • Encrypted at rest: biometric templates are encrypted with AES-256-GCM.
  • Pseudonymized: templates are keyed to a one-way anonymized identifier with no plaintext linkage to a person's name.
  • Never stored in plaintext: if no encryption key is available, the biometric is dropped rather than stored in the clear (fail-closed).
  • Never returned to the client: raw or encrypted biometric templates are never exposed through the client application or API; only server-side recognition components can decrypt them.
  • Consent-gated: storage and matching occur only while valid consent is in effect.
  • Access-controlled: access is limited to the systems that perform recognition, under strict access controls and audit logging.

6. Third-Party Faces and Voices

When a user adds another person to be recognized, that person is a third party whose biometric data is involved. We take the following measures to respect third-party rights:

  • User attestation: the user attests that they have the permission and lawful basis to add each person and that they will inform that person as required by applicable law.
  • Per-person reference consent: where a reference photo or voice sample is used to enroll a person, the user confirms that the person consented to being enrolled for the purpose of assisting the user's recognition.
  • Right to be removed: a third party may request that their biometric data be deleted, and the user or Xheight will honor that request.

Xheight does not independently collect biometric data about non-users; enrollment is initiated and controlled by the consenting user for their personal assistive use.

7. Retention and Destruction

We retain biometric identifiers only as long as they are needed for the single assistive purpose and as permitted by law. Biometric identifiers are permanently and irreversibly destroyed on the earliest of:

  • the user removing the associated person from their remembered set;
  • the user disabling person recognition;
  • the user deleting their account;
  • withdrawal of consent by the user or the enrolled person; or
  • the expiry of our published retention period, which will not exceed the maximum period permitted by applicable law (for example, the BIPA schedule requiring destruction when the purpose is satisfied and no later than three years after the last interaction) .

8. No Sale, Lease, Trade, or Profit

Xheight does not sell, lease, trade, or otherwise profit from biometric identifiers or biometric information. We do not disclose biometric identifiers to any third party except as strictly required by law and only after exhausting available legal protections, or with the separate express consent of the individual.

9. Withdrawal of Consent and Deletion

You may withdraw consent to biometric processing at any time. Withdrawing consent disables person recognition and triggers destruction of the associated biometric identifiers. You, or an enrolled third party, may request deletion by contacting us.

Privacy and biometric requests: support@xheight.com

Legal: legal@xheight.com

Accessible formats: accessibility@xheight.com

Mail: Xheight, Tel-Aviv, Israel

Related rights and self-service options are described on our Data Rights page.

10. Governing Law and Changes

This policy is governed by . We may update this policy to reflect changes in law or our practices and will post the updated version with a new effective date. For broader information about how we handle personal data, see our Privacy Policy.