Biometric Use Policy
Last Updated: January 1, 2020
This Biometric Information Use Policy (“Biometric Policy”) describes the policy and procedures for the collection, use, safeguarding, storage, retention, and destruction of Biometric Data (defined below) that is collected or received by Cake Corporation (“Cake”, “we”, or “us”) as a result of the use by Cake customers and their Users (“Restaurants” or “You”) of Cake applications, services, programs, and other products (collectively, the “Services”). Restaurants are responsible for maintaining their own data collection, disclosure, retention, and storage policies as may apply to them under the law.
By using the Services and/or providing us with your Biometric Data (as the Restaurant or User (defined below) as applicable), you agree to the processing and use of Biometric Data in the manner and subject to the requirements set out in this Biometric Policy.
The Restaurant and any User may revoke consent (by notifying us at firstname.lastname@example.org) or decline to provide Biometric Data, however, you may experience a complete or partial loss of Services functionality as well as a reduced user experience.
I. Definition of biometric information
As used in this policy, biometric data includes “biometric identifiers” and “biometric information” as defined in the Illinois Biometric Information Privacy Act, 740 ILCS 14/1, et seq. “Biometric identifier” means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. “Biometric information” means any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual.
II. Collection and purposes
Restaurants are responsible for compliance with applicable law and for adopting their own biometric data privacy policies as pertain to use of Restaurant’s owned or operated systems by its employees or other systems users (“Users”). Restaurant agrees to indemnify and hold harmless Cake and its affiliates for any claim arising from Restaurant’s failure to comply with the applicable laws governing Restaurant’s collection and use of Biometric Data (including any failure by Restaurant to secure any User’s consent to the use of Biometric Data). Cake may offer biometric authentication functionality through the Services (“Biometric Functionality) and to the extent Restaurants in their discretion opt to use such functionality then Cake will collect, use, and retain Biometric Data for the purpose of providing such functionality and in accordance with the Restaurant instructions and applicable law. As of the date of this Biometric Policy the Biometric Functionality enables Restaurants to grant designated authorized users access to applicable Cake Services, document clock in/out time(s) and locations and for the purposes of workplace security, fraud prevention and other employment-related purposes and accordingly Cake shall use such Biometric Data to achieve such purposes.
Restaurant customers agree that to the extent that they use Biometric Functionality it is their obligation to do the following:
a. Inform the User in writing that biometric data is being collected, stored, and used;
b. Indicate the specific purpose(s) for collecting the biometric data and length of time for which it is being collected, stored, and used; and
c. Receive a written release from the User (or his or her legally authorized representative) of the biometric data authorizing the Restaurant, Cake and/or Cake’s authorized licensors or vendors to collect, store, and retain the Biometric Data, and authorizing the Restaurant to provide such data to Cake and Cake’s authorized licensors or vendors.
III. Disclosure / sharing
Cake will not sell, lease, or trade Biometric Data and shall only disclose, redistribute, or disseminate Biometric Data with third parties where (a) the User has provided his or her consent, (b) there is a legitimate need for the purposes of delivering the Services, or (c) disclosure is mandated by applicable law or qualifying judicial or government requirement.
Cake is not responsible for Restaurant’s biometric data generally. However, in conformance with Restaurant’s instructions and for the purposes of delivering the Services Cake shall use a standard of care to store, transmit and protect from disclosure any paper or electronic Biometric Data it receives from Restaurant and its Users that is at least the same as or more protective than the manner in which Cake stores, transmits, and protects other personal information that can be used to uniquely identify an individual or an individual’s account or property but in no case a standard that is less than required by applicable law.
V. Storage, retention and destruction
Cake will retain User Biometric Data until Cake receives reasonable notice that (1) a User’s access to the Biometric Functionality or consent to this Biometric Policy has been revoked (e.g., the employee is terminated); or (2) the Restaurant otherwise has discontinued using Biometric Functionality with respect to that User or generally. Upon the occurrence of either of the foregoing, the Biometric Data in Cake’s possession (as pertains specifically to a User or generally to the Restaurant as applicable) will be destroyed as soon as is required by applicable law but in any event no later than one year after the date on which the purpose for collecting the Biometric Data expires, subject to any right or requirement (if any) of Cake to keep the relevant Biometric Data on file for fraud prevention purposes or other authorized legal purposes under applicable law.