GDPR and face recognition: how Picsaris keeps your biometric data safe
GDPR treats face data as "special." It requires explicit consent, data minimization, and the ability to delete. This post walks through the technical architecture of how Picsaris handles biometric data to meet all three requirements — and why it matters.
What makes face data special under GDPR
GDPR Article 9 restricts processing of "special categories" of personal data — including biometric data for identification purposes. This doesn't mean you can't use face recognition. It means:
- Explicit consent required. Not buried in a 40-page ToS. Clear, separate, affirmative action.
- Data minimization. Store only what you need, nothing more.
- Right to deletion. If someone asks to delete their data, it's gone — immediately, completely.
- Privacy by design. The system must be architected to protect the data from the start.
How Picsaris implements each requirement
1. Explicit Consent (not optional)
When you sign up to an event:
- Before taking your selfie, you see a consent screen specific to face matching: "We'll use your photo to find you in event photos. Your photo will be deleted; only the face vector stays encrypted."
- You must tap "I agree" — there's no default checkbox, no "consent by continuing," no burying it in a privacy policy.
- This consent is logged per-event. Different event = separate consent required.
- You can withdraw consent anytime from your profile; we stop matching immediately.
2. Data Minimization (we store the minimum)
What we store:
- The face vector (512 numbers): Encrypted at rest using AES-256. This vector is the only "biometric" data we keep — it's a mathematical fingerprint, not an image.
- The profile thumbnail (200×200 pixels): A small JPEG used as your avatar in the app. You can delete it anytime.
- Which photos you appear in: Just an ID list linking your vector to photo IDs. No names, no email, just the connection.
What we delete immediately:
- Your original sign-up selfie (deleted 2 seconds after vector extraction).
- Any raw biometric data beyond the vector itself.
- Event logs that contain your vector (purged after 90 days).
3. Right to Deletion (instant and complete)
When you delete your account or withdraw consent:
- Your vector is deleted from our database immediately.
- Your profile thumbnail is deleted.
- The system stops matching you to event photos in real time.
- Any cached vector references are purged within 24 hours.
- You can request a confirmation email — "Your data has been deleted" — within minutes.
Photos you uploaded remain (they belong to the event), but you're no longer matched to anything. If someone else uploaded a photo with you in it, that photo stays; it just stops being surfaced to you as a match.
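As an added example (not Picsaris's code; the store layout, the method names, the constructed sample vectors and the 0.8 similarity threshold are assumptions), here is how the consent and deletion rules above can be enforced in a backend: matching refuses to run unless an active, event-specific consent record exists, withdrawal takes effect on the next request, and deleting a user removes the vector, thumbnail and consent records while the event's photos stay in place. Embeddings are assumed to be L2-normalised so that a dot product is the cosine similarity.

```go
package main

import (
	"errors"
	"sort"
	"time"
)

var ErrNoConsent = errors.New("no active consent for this event")

// consentKey makes consent per-event: the same user at another event is a separate decision.
type consentKey struct{ UserID, EventID string }

type profile struct {
	Vector    []float32 // the only biometric datum kept; assumed L2-normalised
	Thumbnail []byte
}

type photo struct {
	Event, ID string
	Face      []float32
}

// Store is the minimal data set: profiles, the consent ledger (grant times) and the photo index.
type Store struct {
	profiles map[string]*profile
	consents map[consentKey]time.Time
	photos   []photo
}

func NewStore() *Store {
	return &Store{profiles: map[string]*profile{}, consents: map[consentKey]time.Time{}}
}

func (s *Store) Enroll(user string, vector []float32, thumbnail []byte) {
	s.profiles[user] = &profile{Vector: vector, Thumbnail: thumbnail}
}

func (s *Store) AddPhoto(event, photoID string, face []float32) {
	s.photos = append(s.photos, photo{Event: event, ID: photoID, Face: face})
}

// Grant records the time of an explicit "I agree" for one event only.
func (s *Store) Grant(user, event string) {
	s.consents[consentKey{user, event}] = time.Now()
}

// Withdraw takes effect immediately: the next Match for that event is refused.
// (A production ledger would also keep a timestamped record of the withdrawal.)
func (s *Store) Withdraw(user, event string) {
	delete(s.consents, consentKey{user, event})
}

func (s *Store) Consented(user, event string) bool {
	_, ok := s.consents[consentKey{user, event}]
	return ok
}

// dot is cosine similarity when both embeddings are L2-normalised.
func dot(a, b []float32) float64 {
	var sum float64
	for i := 0; i < len(a) && i < len(b); i++ {
		sum += float64(a[i]) * float64(b[i])
	}
	return sum
}

// Match returns the event's photo IDs whose face vector reaches the threshold;
// it refuses to run at all without active consent for that event.
func (s *Store) Match(user, event string, threshold float64) ([]string, error) {
	if !s.Consented(user, event) {
		return nil, ErrNoConsent
	}
	p, ok := s.profiles[user]
	if !ok {
		return nil, errors.New("no vector stored for this user")
	}
	hits := []string{}
	for _, ph := range s.photos {
		if ph.Event == event && dot(p.Vector, ph.Face) >= threshold {
			hits = append(hits, ph.ID)
		}
	}
	sort.Strings(hits)
	return hits, nil
}

// DeleteUser removes the vector, thumbnail and consent records. Photos stay
// (they belong to the event); the user just stops being matched against them.
func (s *Store) DeleteUser(user string) {
	delete(s.profiles, user)
	for k := range s.consents {
		if k.UserID == user {
			delete(s.consents, k)
		}
	}
}
```

The gate sits inside Match rather than in the UI so that no code path, including a batch re-index, can match a face without an active consent record for that specific event.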
Why vectors, not images
The core principle: a vector cannot be reversed back into an image.
A 512-number vector is a one-way mathematical fingerprint. Even if someone gained access to your vector, they couldn't reconstruct your face. They also couldn't use it to identify you outside of Picsaris (vectors are model-specific and don't work across systems).
Compare this to storing your actual selfie: if someone breaches that, they have your face image forever. A vector breach is far less harmful because the data itself is useless for identification outside the event context.
Encryption and infrastructure
- At rest: All vectors encrypted with AES-256. Keys managed by AWS KMS (Hardware Security Module backed).
- In transit: HTTPS with TLS 1.3. All API calls are encrypted in transit.
- Database: Vectors stored in encrypted AWS RDS with read replicas on separate infrastructure.
- Backups: Encrypted copies retained for 30 days only (we delete old backups per GDPR retention limits).
- Access control: Engineers can't access raw vectors; the system uses role-based access with audit logging.
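The data minimization section and this encryption section describe the same storage rule: only the vector survives enrolment, and it is encrypted at rest with AES-256 under KMS-managed keys. The Go example below is added here and is not Picsaris's code. It uses envelope encryption (a fresh AES-256-GCM data key per record, wrapped under a key-encryption key that stands in for the KMS key), binds each ciphertext to the user ID as authenticated data, and wipes the selfie buffer and every plaintext buffer before the enrolment call returns. The in-process KEK, the record layout and the user-ID binding are assumptions of the example; the embedding is taken as input because the model that produces it is out of scope.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Record is all that survives enrolment: no selfie, no plaintext vector, no name.
type Record struct {
	UserID     string
	WrappedDEK []byte // nonce || AES-256-GCM(data key) under the KEK
	Vector     []byte // nonce || AES-256-GCM(512 float32 embedding) under the data key
}

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// kek stands in for the AWS KMS key (hypothetical): a real deployment asks KMS to
// wrap and unwrap each data key and never holds the KEK in process memory.
var kek = mustRandom(32)

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // keys here are always 32 bytes: AES-256
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// seal returns nonce||ciphertext; aad binds the blob to one user ID.
func seal(key, plaintext, aad []byte) []byte {
	gcm := aead(key)
	nonce := mustRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; any change to nonce, ciphertext or aad fails authentication.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := aead(key)
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

// wipe zeroes a buffer in place (best effort: the GC may already have copied it).
func wipe(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// Enroll keeps only the encrypted embedding and wipes the selfie and every
// plaintext buffer before returning, so the image never outlives extraction.
func Enroll(userID string, selfie []byte, embedding []float32) (*Record, error) {
	defer wipe(selfie)
	if len(embedding) != 512 {
		return nil, fmt.Errorf("expected 512 dimensions, got %d", len(embedding))
	}
	var buf bytes.Buffer
	binary.Write(&buf, binary.LittleEndian, embedding) // cannot fail: fixed-size slice into a Buffer
	defer wipe(buf.Bytes())
	dek := mustRandom(32) // fresh 256-bit data key per record (envelope encryption)
	defer wipe(dek)
	return &Record{
		UserID:     userID,
		WrappedDEK: seal(kek, dek, []byte(userID)),
		Vector:     seal(dek, buf.Bytes(), []byte(userID)),
	}, nil
}

// Vector unwraps the data key and decrypts the embedding for a match run.
func Vector(rec *Record) ([]float32, error) {
	dek, err := open(kek, rec.WrappedDEK, []byte(rec.UserID))
	if err != nil {
		return nil, err
	}
	defer wipe(dek)
	plain, err := open(dek, rec.Vector, []byte(rec.UserID))
	if err != nil {
		return nil, err
	}
	v := make([]float32, len(plain)/4)
	return v, binary.Read(bytes.NewReader(plain), binary.LittleEndian, v)
}
```

Two properties are worth checking in a review of a design like this: the selfie buffer is zero after Enroll returns, and a record whose user ID or ciphertext has been altered fails authentication rather than decrypting to a different user's vector. The per-record data key is what lets a KMS-backed deployment rotate or revoke the master key without re-encrypting every stored vector by hand.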
Third-party compliance
We have had our data handling practices reviewed by external privacy counsel specializing in GDPR. Our consent flows, data retention, and deletion mechanisms are compliant with EU regulations. We're also transparent about:
- How the model works (publicly available research; we use industry-standard embedding models).
- Where data is processed (AWS EU regions for EU users; all data stored in-region).
- How deletions work (immediate deletion of the vector; confirmation available).
The user's responsibility
Picsaris is designed for compliance, but hosts (event organizers) have a responsibility too:
- Make sure guests know photos will be collected and matched by face.
- Include opt-out language: "If you don't want to participate, don't scan the QR."
- For corporate events, mention face recognition in the invitation or post-event privacy notice.
The bottom line
GDPR-compliant face recognition is possible. It requires:
- Real consent (not hidden), checked at sign-up.
- Minimal storage (vectors, not images).
- Instant deletion (not "anonymization later").
- Privacy by design (encryption from the start).
That's Picsaris. If a platform can't explain its architecture clearly, can't show you how to delete your data, or hides consent in a privacy policy — that's a red flag. You deserve transparency.