BIPA Policy - Amylu Foods

BIPA Policy

Biometric Data Privacy Policy

Amylu Foods, LLC (the “Company”) maintains a time management system provided by Paycor, a third- party service provider that supports the time management system, to ensure all employee and temporary employee time is accurately captured. The Company’s time management system utilizes certain Biometric Data (defined below) solely for these purposes. The Company established this Policy to ensure such data is reasonably safeguarded and not retained for longer than is necessary. Because Biometric Data may be created during the timekeeping process, this policy is intended to comply with all potentially applicable laws, including, but not limited to, the Illinois Biometric Information Privacy Act.

Definition of Biometric Data
Under this Policy, Biometric Data is the data generated from the scan of an individual’s finger on the Company’s time clock and any information that is derived therefrom. The phrase “Biometric Data” is used in this policy to include, but is not limited to, all potentially applicable legal definitions of “biometric identifiers” or “biometric information,” which can include, but are not limited to, data generated from the scan of a finger. For purposes of this policy, information derived from a scan of an employee’s finger during the timekeeping process is referred to as “Biometric Data” even though it may not meet the definition of “biometric information” or “biometric identifiers” under applicable law.

Collection of Biometric Data
The Company’s time management system works by digitally converting representations of geometric measurements of a finger generated by a time clock into a template. The template is securely stored on the time clock and is securely stored on a server database hosted by Paycor. No fingerprint or image of a fingerprint is ever captured by the time management system, only a template generated from the digital conversion of representations of a finger, which is used for purposes of verification.

The Company will obtain a written release/consent, as applicable, from employees in the form approved by the Company. The form will inform the employee about the data being collected; the purpose of the collection; and the period of time the Biometric Data is being collected, stored, and used.

Use of Biometric Data
The Company will use the Biometric Data solely for purposes of administering the time management system, including by verifying employee identity and ensuring that all hours worked are accurately recorded, and other lawful purposes. These purposes shall include, but not be limited to, time management verification processes and related audits and investigations.

Access to Biometric Data
In general, Company employees and agents are permitted to access personal information, including Biometric Data, as necessary and appropriate to carry out their assigned job responsibilities. Consistent with the Company’s access management procedures, certain employees are designated to administer the time management system and, as such, may from time to time need access to Biometric Data.

Disclosure of Biometric Data
As described above and disclosed in the referenced written release/consent, the Company currently stores Biometric Data locally on the time clock. Further, Biometric Data is securely stored on a server database hosted by Paycor, or otherwise made available or disclosed to Paycor, as needed, to operate and maintain the time management system and as otherwise described above. Further, the Company may in the future disclose Biometric Data to Company-retained attorneys and/or accountants as necessary to assist the Company with compliance, conduct audits and investigations, provide related services, or as otherwise permitted or required by law or legal process. In the event additional parties need access to Biometric Data for technical support, administration or other lawful purposes, the Company will only provide such access in accordance with applicable law and other best practices.

Retention and Destruction of Biometric Data
The Company shall retain Biometric Data only until the initial purpose for collecting or obtaining such information has been satisfied. In general and except as otherwise required by law or legal process, the Company will destroy an employee’s Biometric Data which is stored on the time clock and on the server database hosted by Paycor, or in other backup systems or repositories (if any) as soon as practicable following the termination of an employee’s employment with the Company or when an employee otherwise discontinues use of the time management system. In no event shall Biometric Data be retained for longer than one year following an employee’s last interaction with the Company.

Safeguarding Biometric Data
Consistent with the Company’s information security policies, procedures and practices, which are incorporated herein by reference, as applicable, the Company shall safeguard Biometric Data, regardless of format, from unauthorized access, acquisition or disclosure. Such safeguards shall include but not be limited to:

• Limiting access to Biometric Data
• Using only the minimum necessary Biometric Data for a particular permissible purpose
• Encrypting Biometric Data when stored
• Using a mathematical algorithm that cannot be reverse-engineered to produce a fingerprint

Amendment, Enforcement and Violations
The Company reserves the right to amend this Policy at any time for any reason.

Employees who violate this Policy shall be subject to discipline up to and including termination of employment.
4838-3930-1616, v. 4