Data Protection

Last updated: June 07, 2024

This Data Protection notice explains how we handle your personal data — especially your iris photo, which is treated as biometric information under GDPR (EU/UK), CCPA (California), and BIPA (Illinois).

For our complete privacy practices (cookies, analytics, marketing), see our Privacy Policy. This page focuses on biometric data and your rights as a data subject.

Your iris is biometric data

Your iris pattern is biometric information — a unique biological identifier that doesn't change throughout your life. Several jurisdictions classify it as a "special category" of personal data, which means it gets stronger legal protections.

We treat your iris photo accordingly:

  • Encrypted at rest and in transit using industry-standard TLS and AES-256.
  • Stored in access-controlled servers in the United States and European Union.
  • Used only to craft the piece you ordered — never for AI training, biometric identification, surveillance, or any secondary purpose.
  • Never sold, rented, or shared with third parties, advertisers, government agencies, or law enforcement (unless required by a valid legal order, in which case we will notify you).

Lawful basis for processing

Under GDPR, we rely on the following lawful bases:

  • Contract performance (Article 6(1)(b)) — we need your iris photo to fulfill your order
  • Explicit consent (Article 9(2)(a)) — for processing your biometric data, you give explicit consent at checkout when you upload your iris
  • Legitimate interest (Article 6(1)(f)) — to detect fraud, improve quality, and provide customer support

You can withdraw consent at any time by contacting us. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.

Your rights under GDPR (EU/UK)

If you are in the European Union or United Kingdom, you have the following rights:

  • Right of access — request a copy of all personal data we hold about you
  • Right to rectification — correct inaccurate or incomplete data
  • Right to erasure ("right to be forgotten") — request deletion of your iris photo and personal data
  • Right to restrict processing — limit how we use your data
  • Right to data portability — receive your data in a structured, machine-readable format
  • Right to object — object to processing based on legitimate interest, including profiling
  • Right to withdraw consent — at any time, without affecting the lawfulness of past processing
  • Right to lodge a complaint with your supervisory authority (e.g., the UK ICO or your local Data Protection Authority)

To exercise any of these rights, contact us. We respond within 30 days (extendable by 60 days for complex requests, with notice).

Your rights under CCPA (California)

California residents have the right to:

  • Know what categories of personal information we collect, use, and disclose
  • Access the specific personal information we hold about you
  • Delete your personal information (subject to limited exceptions)
  • Opt out of "sale" of personal information (we don't sell, but you can confirm this in writing)
  • Non-discrimination for exercising your rights — we won't deny services or charge different prices

Your rights under BIPA (Illinois)

Illinois residents are protected by the Biometric Information Privacy Act (BIPA). Specifically:

  • We obtain written consent before collecting your iris (at checkout, when you upload)
  • We do not sell, lease, trade, or otherwise profit from your biometric data
  • We store and protect your biometric data using the same standard of care as other confidential and sensitive information
  • We destroy biometric data when the initial purpose is satisfied or within 3 years of last interaction, whichever comes first — unless you ask us to keep it for re-orders

How long we keep your data

Data type                     Retention period
Iris photo                    Until you request deletion, or 3 years after your last interaction (whichever comes first)
Order history                 7 years (for tax and accounting compliance)
Customer account              Until you delete your account
Marketing email subscription  Until you unsubscribe
Analytics cookies             Up to 2 years (varies by provider)

Data transfers outside the EU/UK

If you are in the EU or UK, your personal data may be transferred to and processed in the United States, where some of our service providers (Shopify, Klaviyo, Google, Meta) are located.

For these transfers, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable (UK–EU)
  • Additional safeguards such as encryption and access controls

You can request a copy of the SCCs we use by contacting us.

Data Protection Officer

For all data protection questions, deletion requests, or to exercise your rights, contact us via the email below. We respond within one business day.

Subject line tip: write "Data Protection — [your request]" so it routes to the right team.

Changes to this notice

We may update this Data Protection notice as our practices evolve or as the law changes. The date above reflects the most recent change. For material changes affecting your biometric data, we will notify you by email.
Contact

Eye Gift Art (operated by Neuro Scan Solutions Oy)