HeyGen Biometric Information Privacy Notice
Effective as of 20th of June 2024
Last Updated: 5th of May 2026
1. Introduction
HeyGen is an independent platform for creating synthetic media, allowing users to convert their text to video.
This Biometric Information Privacy Notice ("Notice") describes how HeyGen Technology Inc. ("HeyGen", "we", "us", "our") collects, uses, discloses, and protects your biometric information when you use our services. It also details our data retention and destruction policies. Before we start to collect biometric information from you, we will present you with a request for consent and ask for your authorization, with reference to this Notice. Through this Notice, we explain our practices.
This Notice applies globally to all users of our Services. Where you are located in the European Economic Area ("EEA"), the United Kingdom ("UK"), or Switzerland, the processing of your biometric information is subject to the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, or the Swiss Federal Act on Data Protection ("FADP"), as applicable. In such cases, biometric data processed for the purpose of uniquely identifying you constitutes a "special category of personal data" under Article 9(1) GDPR, and we apply the additional safeguards described in this Notice accordingly. This Notice supplements, and should be read together with, our Privacy Policy.
Please read this Notice carefully to understand your rights and our obligations.
2. What is Biometric Information?
"Biometric information" means personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person. The precise legal definition and applicable obligations vary by jurisdiction:
Under the GDPR (Article 4(14)) and UK GDPR, "biometric data" means personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data. Processing of biometric data for the purpose of uniquely identifying a natural person constitutes processing of special category data under Article 9(1) and requires an explicit legal derogation under Article 9(2).
Under the Illinois Biometric Information Privacy Act (BIPA), "biometric identifier" includes a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. "Biometric information" means any information based on a biometric identifier used to identify an individual (740 ILCS 14/10).
Under the Texas CUBI, "biometric identifier" means a retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry (Tex. Bus. & Com. Code § 503.001).
For the purposes of our Services, we primarily collect and process face geometry and may collect voiceprint data derived from video footage you provide.
3. What Biometric Information Do We Collect and On What Legal Basis?
When you choose to create a custom avatar, we collect biometric information — specifically face geometry and, where applicable, voiceprint data — derived from the video footage, images, or audio you provide. We process this information only for the following specific and limited purposes:
a. Avatar Creation.
Our primary purpose for collecting your face geometry (and, where applicable, voiceprint) is to generate the synthetic media avatar you have requested.
US legal basis: Your consent, obtained prior to collection.
GDPR legal basis: This processing involves biometric data used to create a digital representation of you but, where the processing does not involve uniquely identifying you against other individuals, it constitutes processing of personal data under Article 6(1)(b) GDPR (performance of our contract with you to deliver the avatar creation service). Where the avatar creation process does involve processing biometric data for the purpose of uniquely identifying you (for example, during the consent verification step described in paragraph (b) below), we rely on your explicit consent under Article 9(2)(a) GDPR, obtained through a clear affirmative action prior to any such processing.
b. Identity Verification, Security, and Fraud Prevention.
We process your face geometry to verify that the person consenting to avatar creation is the same person depicted in the submitted footage, and to detect and prevent unauthorized use of our Services such as deepfake creation or impersonation. This verification involves comparing biometric data points extracted from your submission against biometric data points extracted from a separate verification recording in order to confirm a match — a process that constitutes processing of biometric data for the purpose of uniquely identifying you.
US legal basis: Your consent (BIPA jurisdictions); our legitimate interest in platform security and fraud prevention (other US jurisdictions).
GDPR legal basis: Because this verification processing involves using biometric data to uniquely identify you, it constitutes processing of special category data under Article 9(1) GDPR. We rely on your explicit consent under Article 9(2)(a) GDPR as the derogation permitting this processing. This consent is obtained through a clear, specific, and informed affirmative action during the avatar creation workflow, separate from general terms acceptance. You may withdraw your consent at any time by contacting [email protected]; however, withdrawal will not affect the lawfulness of processing carried out prior to withdrawal and may prevent you from using avatar creation features that require biometric verification. As a supplementary basis under Article 6(1), we rely on our legitimate interest (Article 6(1)(f)) in maintaining platform integrity and preventing fraud. We have conducted a balancing assessment and determined that this interest is not overridden by your rights, given that: (i) processing is limited to the minimum data necessary for verification; (ii) biometric data used solely for verification is deleted promptly upon completion of the comparison, typically within minutes; and (iii) the processing directly protects you from having your likeness misused.
c. Service Improvement and AI Model Training.
Except for enterprise customers, if you have granted consent, we may use your videos and associated face geometry to train, improve, and refine the AI models that power our Services. This processing enhances the quality, accuracy, and safety of the platform for all users. You may withdraw your consent at any time by contacting us at: [email protected]
US legal basis: Your consent, which you may withhold without affecting your use of the primary avatar creation service.
GDPR legal basis: We rely on our legitimate interest under Article 6(1)(f) in improving the accuracy and safety of our AI models. We have conducted a balancing assessment considering the following safeguards: (i) where technically feasible, training data is pseudonymized or de-identified prior to use; (ii) trained models do not reproduce or expose individual biometric data from the training set; (iii) training is conducted in a secure, access-controlled environment; and (iv) you have the right to object to this processing at any time under Article 21(1) GDPR by contacting [email protected]. Where this processing involves biometric data for the purpose of uniquely identifying you, we will obtain your explicit consent under Article 9(2)(a) GDPR separately from consent for avatar creation. You can use our service to create an avatar without consenting to this purpose, and your decision will not negatively impact your use of the core service.
4. How Do We Disclose Biometric Information?
We are committed to protecting the privacy of your biometric information. We do not sell, lease, trade, or otherwise profit from your biometric information. Furthermore, we do not "share" your biometric information with third parties for the purpose of cross-context behavioral advertising.
We may disclose your biometric information to a limited set of third parties who act as our service providers or processors. These providers are contractually bound to protect your data and are only permitted to use it to perform the specific services we have engaged them for. The categories of these service providers include:
- Cloud Infrastructure Providers: To securely host your video data and perform the necessary computations to create your avatar and operate our service.
- Identity Verification Services: To assist in our security and fraud prevention efforts.
We will not otherwise disclose your biometric information to any other third party unless we are required to do so by law, such as in response to a valid warrant, subpoena, or other legal process issued by a court of competent jurisdiction.
Where you are located in the EEA, UK, or Switzerland, your biometric information may be transferred to, and processed in, the United States and other countries outside your jurisdiction. For transfers from the EEA, UK, or Switzerland to the United States, we rely on HeyGen's certification under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework, as applicable. Where the DPF does not apply to a particular transfer, we implement Standard Contractual Clauses approved by the European Commission (or the UK equivalent) and conduct transfer impact assessments to ensure an adequate level of protection for your biometric information. Given the heightened sensitivity of biometric data, supplementary technical measures — including encryption in transit and at rest, access controls limited to personnel with a need-to-know, and contractual prohibitions on onward transfer without equivalent safeguards — are applied to all cross-border transfers of biometric information.
5. Data Security
We are committed to protecting the security of your biometric information. We implement and maintain reasonable administrative, technical, and physical security practices and procedures designed to protect your data from unauthorized access, acquisition, use, or disclosure. The standard of care we use is appropriate to the volume and nature of the biometric information we process and is consistent with the reasonable standard of care within our industry. This standard is the same as, or more protective than, the manner in which we protect our other confidential and sensitive information.
Where required under Article 35 of the GDPR, we have conducted a Data Protection Impact Assessment ("DPIA") in respect of our biometric data processing activities. In particular, processing biometric data for the purpose of uniquely identifying individuals on a large scale triggers the mandatory DPIA requirement under Article 35(3)(b). Our DPIA evaluates the necessity and proportionality of the processing, assesses the risks to data subjects' rights and freedoms, and identifies the measures implemented to mitigate those risks. The DPIA is reviewed and updated periodically or when there is a material change to the processing activities. A summary of the DPIA is available to supervisory authorities upon request and, where appropriate, to data subjects upon request to our Data Protection Officer at [email protected].
6. Data Retention
Our policy is to retain biometric information only for the limited time needed to fulfill the specific purpose for which it was collected. We do not retain your biometric information indefinitely.
- Retention for Avatar Creation: For the purpose of creating your avatar, we will permanently destroy the biometric information (face geometry) collected from your video upload immediately after it is no longer necessary to continue providing you with the services you requested and maintaining your avatars.
- Notwithstanding the above, our retention periods are subject to the following maximum timeframes as required by applicable law:
- For Illinois Residents: In compliance with the Illinois Biometric Information Privacy Act (BIPA), we will permanently destroy your biometric information when the initial purpose for collecting it is satisfied or within a maximum of three (3) years of your last interaction with our service, whichever occurs first.
- For Texas Residents: In compliance with the Texas Capture or Use of Biometric Identifier Act (CUBI), we will permanently destroy your biometric information within a reasonable time, which will not exceed one (1) year after the purpose for collecting it has expired.
For individuals in the EEA, UK, and Switzerland: In accordance with the GDPR storage limitation principle (Article 5(1)(e)), we retain biometric information only for as long as strictly necessary to fulfill the specific purpose for which it was collected:
- Verification biometric data (face geometry extracted for identity matching under Section 3(b)): deleted immediately upon completion of the verification comparison, typically within minutes of submission. This data is not stored beyond the active verification session.
- Avatar creation biometric data (face geometry used to generate and maintain your avatar under Section 3(a)): retained for the duration that the associated avatar remains active on the platform. Upon deletion of the avatar by you or by the Customer on whose behalf you use the Service, or upon account termination, biometric data is permanently destroyed within 60 days.
- AI training biometric data (where consent is provided under Section 3(c)): retained in de-identified or pseudonymized form for the duration necessary to complete the relevant training cycle. Upon withdrawal of consent under Article 21 or upon your request under Article 17 GDPR, we will cease processing your biometric data for this purpose and delete identifiable biometric data within 60 days, to the extent technically feasible without compromising the integrity of already-trained models. Where biometric data has been irreversibly incorporated into model weights in a non-extractable form, it is no longer considered personal data within the meaning of Article 4(1) GDPR.
When biometric information is no longer needed, we permanently destroy it using secure methods that render the data unreadable and unrecoverable.
For any questions regarding your biometric information, or to withdraw your consent, please contact us by email at [email protected]. Otherwise, for more information about how we process personal information, as well as your rights and choices regarding our data practices, please review our Privacy Policy.
7. Your Rights Under the GDPR
If you are located in the EEA, UK, or Switzerland, you have the following rights in relation to the biometric information we process about you, in addition to any rights described in our Privacy Policy:
- Explicit consent and withdrawal (Articles 7 and 9(2)(a)): Where we process your biometric data on the basis of your explicit consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. To withdraw consent, contact [email protected].
- Access (Article 15): You have the right to request confirmation of whether we process your biometric data, and to obtain a copy of that data.
- Rectification (Article 16): You have the right to request correction of inaccurate biometric data.
- Erasure (Article 17): You have the right to request deletion of your biometric data where, among other grounds, consent has been withdrawn and no other legal basis applies, or the data is no longer necessary for the purpose for which it was collected.
- Restriction (Article 18): You have the right to request restriction of processing in certain circumstances, including where you contest the accuracy of the data or have objected to processing pending verification of our legitimate grounds.
- Objection (Article 21): Where we process your biometric data on the basis of legitimate interest (Sections 3(b) and 3(c)), you have the right to object to such processing on grounds relating to your particular situation. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
- Portability (Article 20): Where processing is based on your consent and carried out by automated means, you have the right to receive your biometric data in a structured, commonly used, and machine-readable format.
- Automated decision-making (Article 22): You have the right not to be subject to a decision based solely on automated processing of your biometric data that produces legal effects concerning you or similarly significantly affects you. Our biometric verification process involves automated comparison, but the outcome (avatar approval or rejection) does not produce legal effects; if you believe otherwise, you may request human review by contacting [email protected].
- Lodge a complaint: You have the right to lodge a complaint with your local supervisory authority. For the EEA and EU, our lead supervisory authority is the Irish Data Protection Commission (www.dataprotection.ie). For the UK, you may contact the Information Commissioner's Office (ico.org.uk). For Switzerland, you may contact the Federal Data Protection and Information Commissioner (www.edoeb.admin.ch).
To exercise any of these rights, contact [email protected]. We will respond within one month of receiving your request, as required by Article 12(3) GDPR, and will inform you if an extension is necessary.