← Back to home

Biometrics Policy

RALCO BIOMETRIC INFORMATION PRIVACY POLICY

Last Updated: February 1, 2026

1. Purpose

Ralco Compliance Limited (“RALCO,” “we,” “us,” or “our”) is a company incorporated in Ireland (company number 759312) with its registered office at 17 Percy Place, Dublin 4, D04 V250, Ireland. RALCO is the parent company of Ralco Inc., a Delaware corporation. RALCO respects your privacy and is committed to protecting your biometric information. This Biometric Information Privacy Policy (“Biometric Policy”) describes our practices regarding the collection, use, storage, and destruction of biometric identifiers and biometric information (collectively, “Biometric Data”) in connection with the RALCO platform and the RALCO Worker mobile application (the “Service”).

This Biometric Policy is intended to comply with: (a)the Illinois Biometric Information Privacy Act(“BIPA”),740 ILCS 14/1et seq.; (b)the Texas Capture or Use of Biometric Identifier Act, Tex. Bus. & Com. Code § 503.001; (c)other applicable state biometric privacy laws; and (d) the General Data Protection Regulation (EU) 2016/679 (“GDPR”), which applies to RALCO by virtue of its establishment in Ireland.This policy supplements our general Privacy Policy.

2. Definitions

Biometric Identifiermeans a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.

Biometric Informationmeans any information, regardless of how it is captured, converted, stored, or shared, based on anindividual’sbiometric identifier used to identify an individual.

Biometric Dataas used in this policy refers collectively to Biometric Identifiers and Biometric Information.

Under the GDPR, biometric data processed for the purpose of uniquely identifying a natural person constitutes “special category data” within the meaning of Article 9. The processing of Biometric Data under this policy falls within this classification, and RALCO processes such data in accordance with Article 9(2)(a) (explicit consent of the data subject).

3. Biometric Data We Collect

In connection with the Service, RALCO collects the following categories of Biometric Data from End Users (employees and workers of our Customers who use the RALCO Worker app):

Facial Geometry Data:When you enroll in and use the RALCO Worker app, we capture images of your face and use facial recognition technology to create a mathematical representation of your facial geometry (a“faceprint”).This faceprint is used to verify your identity each time you clock in or clock out using the app.

Electronic Signatures:We collect and store electronic signatures that you provide when acknowledging documents, forms, and other records within the Service, including Pre-Task Plans and incident witness statements.

4. Purpose of Collection

RALCO collects, uses, and stores Biometric Data solely for the following purposes:

Identity Verification:To verify your identity at the time of clock-in and clock-out, ensuring accurate time and attendance records and preventing time fraud.

Document Authentication:To authenticate that you have reviewed and acknowledged documents, forms, and other records by applying your stored electronic signature only after your identity has been verified.

Fraud Prevention:To prevent unauthorized individuals from clocking in or out on your behalf or signing documents in your name.

Under the GDPR, the legal basis for processing Biometric Data is your explicit consent (Article 9(2)(a)), obtained through the clickwrap consent mechanism in the RALCO Worker app prior to enrollment.

5. Disclosure of Biometric Data

We do not sell, lease, trade, or otherwise profit from your Biometric Data.

We do not disclose your Biometric Data to any third party except:

Service Providers/ Sub-processors:We use Amazon Web Services (AWS) for secure cloud storage and Amazon Rekognition for facial recognition processing. These service providers process Biometric Data solely on our behalf and pursuant to contractual obligations(including data processing agreements incorporating appropriate safeguards under the GDPR)to maintain the confidentialityand securityof such data. A current list of sub-processors is maintained in our Data Processing Agreement.

With Your Consent:We may disclose Biometric Data if you provide explicit written consent to such disclosure.

Legal Requirements:We may disclose Biometric Data when required by law, valid legal process, or as necessary to comply with a valid warrant, subpoena, or court order.

6. Storage and Security

Biometric Data is stored on secure Amazon Web Services (AWS) servers located in the United States(Northern Virginia region). RALCO personnel in Ireland may access Biometric Data remotely in order to provide technical support and fulfill obligations under our Data Processing Agreement.

We implement and maintain a reasonable standard of care to protect Biometric Data from unauthorized access, acquisition, or disclosure, using safeguards that are the same as or more protective than the manner in which we store, transmit, and protect other confidential and sensitive information. In accordance with Article 32 of the GDPR, these measures include:

• Encryption of Biometric Data both in transit(TLS)and at rest(AES-256 or equivalent);

• Access controls limiting access to Biometric Data to authorized personnelon a need-to-know basis;

• Multi-factor authentication for administrative access to systems containing Biometric Data;

• Regular security assessments, penetration testing,and monitoring; and

• Secure authentication protocols for accessing Biometric Data.

7. Retention Schedule

RALCO retains Biometric Data only for as long as necessary to fulfill the purposes for which it was collected, as described in Section 4 above, or as required by law.In accordance with the GDPR’s data minimization principle (Article 5(1)(e)), Biometric Data shall not be kept in an identifiable form for longer than is necessary.Specifically:

Active Users:Biometric Data is retained while you remain an active End User of the Service (i.e., while your employer maintains an active RALCO account and your user profile remains active within that account).

Inactive Users:If you do not clock in or out using the Service for a period of twelve (12) consecutive months, your Biometric Data will be scheduled for destruction in accordance with Section 8 below, unless your employer (our Customer) confirms your continued employment and expected future use of the Service.

Terminated Users:Upon notification from your employer that your employment has ended, or upon termination of theCustomer’saccount with RALCO, your Biometric Data will be scheduled for destruction in accordance with Section 8 below.

Maximum Retention Period:In no event will Biometric Data be retained for more than three (3) years following your last interaction with the Service, unless a longer retention period is required by law.

8. Destruction of Biometric Data

RALCO will permanently destroy Biometric Data when the initial purpose for collecting such data has been satisfied or within three (3) years of your last interaction with the Service, whichever occurs first, unless:

• alonger retention period is required by applicable law or regulation;

• retention is necessary to comply with a valid legal hold, subpoena, warrant, or court order; or

• you provide written consent to extended retention.

Destruction Timeline:Once Biometric Data is scheduled for destruction pursuant to Section 7 above, RALCO will permanently and irreversibly destroy such data within sixty (60) days.

Destruction Method:Biometric Data will be destroyed by permanently deleting it from our systems and the systems of our service providers, including AWS, such that it cannot be recovered, reconstructed, or otherwise accessed.Destruction will be documented and a record of destruction maintained for audit purposes.

9. Consent

Before collecting any Biometric Data, RALCO will:

• Inform you in writing that Biometric Data will be collected or stored;

• Informyou in writing of the specific purpose and length of time for which your Biometric Data will be collected, stored, and used; and

• Obtainyour written release authorizing RALCO to collect, store, and use your Biometric Data for the purposes described in this Biometric Policy.

This consent is obtained through the RALCO Worker app at the time of enrollment, before any Biometric Data is collected. You must affirmatively acknowledge this Biometric Policy and provide consent before the facial recognition enrollment process begins.

GDPR requirements:Under the GDPR, consent for the processing of special category data must be “explicit” (Article 9(2)(a)). The consent mechanism used in the RALCO Worker app is designed to satisfy this standard, as well as the BIPA written release requirement. Consent is:

• Freely given — presented separately from the general End User Terms of Use;

• Specific — limited to the purposes described in this Biometric Policy;

• Informed — this Biometric Policy is presented in full before consent is requested; and

• Unambiguous — requires an affirmative action (tap/click to consent).

You have the right to withdraw consent at any time (see Section 10 below). Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

10. Your Rights

You have the following rights with respect to your Biometric Data:

10.1 Rights Under US State Laws

Right to Information:You may request information about what Biometric Data we have collected about you, the purposes for which it is used, and how long it will be retained.

Right to Deletion:You may request deletion of your Biometric Data. Upon receipt of a valid deletion request, we will permanently destroy your Biometric Data within sixty (60) days, unless retention is required by law. Note that deletion of your Biometric Data may prevent you from using certain features of the Service that require biometric verification.

Right to Withdraw Consent:You may withdraw your consent to the collection and use of Biometric Data at any time by contacting us at the address below. Withdrawal of consent will be treated as a deletion request and processed accordingly.

10.2 Additional Rights Under the GDPR

Because RALCO is established in Ireland, you may also have the following rights under the GDPR:

Right of Access (Article 15):You have the right to obtain confirmation as to whether your Biometric Data is being processed and to access that data, including a copy of your Biometric Data in a commonly used format.

Right to Rectification (Article 16):You have the right to have inaccurate Biometric Data corrected.

Right to Erasure (Article 17):You have the right to request erasure of your Biometric Data where the data is no longer necessary for the purpose for which it was collected, or where you withdraw consent.

Right to Restriction (Article 18):You have the right to request restriction of processing in certain circumstances, such as where you contest the accuracy of the data.

Right to Data Portability (Article 20):You have the right to receive your Biometric Data in a structured, commonly used, machine-readable format.

Right to Object (Article 21):You have the right to object to processing of your Biometric Data in certain circumstances.

Right to Complain:You have the right to lodge a complaint with a supervisory authority, including the Irish Data Protection Commission (details in Section 12 below).

Where RALCO acts as a data processor on behalf of your employer (the data controller), we will redirect data subject requests to your employer unless otherwise instructed. We will assist your employer in responding to such requests in accordance with our Data Processing Agreement.

To exercise any of these rights, please contact us using the information in Section 12 below.

11. Changes to This Policy

We may update this Biometric Policy from time to time. If we make material changes to how we handle Biometric Data, we will notify you through the Service and obtain your consent to the updated practices before they take effect.Under the GDPR, any change to the purposes or scope of Biometric Data processing will require fresh explicit consent.

12. Contact Us

If you have questions about this Biometric Policy, wish to exercise your rights, or need to report a concern about the handling of your Biometric Data, please contact us at:

Ralco Compliance Limited

17 Percy Place, Dublin 4, D04 V250, Ireland

Email: privacy@ralco.io

Phone: +353 (0)1 513 4400

Data Protection Officer / Privacy Contact:

Ciara Nolan, Data Protection Officer — privacy@ralco.io

Supervisory Authority:

Irish Data Protection Commission

21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland

Website: www.dataprotection.ie

Phone: +353 (0)1 765 0100 / 1800 437 737