1. Purpose of This Policy
Clone U Studios, LLC ("Clone U," "we," "us," or "our") collects and processes biometric data as a core part of our memory preservation services. This policy is provided in compliance with the Illinois Biometric Information Privacy Act (BIPA, 740 ILCS 14), the California Consumer Privacy Act (CCPA), and other applicable biometric data protection laws.
This policy explains what biometric data we collect, why we collect it, how it is processed and stored, who we share it with, how long we retain it, and what rights you have regarding your biometric data.
2. Biometric Data We Collect
We collect two categories of biometric identifiers:
Voiceprint Data Voice Biometric
What it is: A mathematical representation of the unique characteristics of a person's voice, including pitch, tone, cadence, and speech patterns.
How it is captured: During your in-person preservation session, our Session Director records audio of the session subject speaking. This audio is uploaded to ElevenLabs, Inc. for voiceprint extraction and voice clone creation.
Processor: ElevenLabs, Inc., operating under a data processing agreement with Clone U Studios.
Facial Geometry Data Facial Biometric
What it is: A scan or mapping of the geometric features of a person's face, including the distance between eyes, nose shape, jawline contour, and other facial landmarks used to create a digital avatar.
How it is captured: During your session, photographs and video of the session subject are captured. These images are uploaded to HeyGen, Inc. for facial geometry extraction and avatar rendering.
Processor: HeyGen, Inc., operating under a data processing agreement with Clone U Studios.
3. Purpose of Collection
We collect biometric data solely for the following purposes:
- Voice Clone Creation: To generate an AI-powered voice replica that can speak in the session subject's voice, enabling interactive storytelling within the Memory Capsule.
- Avatar Creation: To generate a photorealistic or stylized digital avatar of the session subject for visual storytelling and interactive features.
- Quality Assurance: To verify the accuracy and quality of voice clones and avatars before delivery to clients.
We do not use biometric data for identification, surveillance, tracking, advertising, or any purpose other than those listed above.
4. Consent Process
We never collect biometric data without your explicit, informed, written consent. Consent is obtained through our booking process before any biometric data is captured. You may decline biometric consent and still use non-biometric services.
Our consent process includes the following steps:
- Disclosure: During the booking process, we clearly disclose what biometric data will be collected, why it is needed, who will process it, and how long it will be retained.
- Written Consent: You (or the parent/guardian of a minor) must affirmatively check a consent checkbox acknowledging the biometric data disclosure and granting consent.
- Confirmation: A copy of your biometric consent is emailed to you immediately and stored separately in our compliance system.
- Right to Revoke: You may revoke consent at any time by emailing hello@cloneustudios.com with "Revoke Biometric Consent" in the subject line.
Consent for Minors
If the session subject is under 18 years of age (such as clients using our Future Founder service line), we require verifiable parental consent from a parent or legal guardian before collecting any biometric data. The parent/guardian maintains full control over the minor's biometric data and may request deletion at any time.
5. Storage and Protection
Biometric data is protected with the following security measures:
| Measure | Details |
|---|---|
| Encryption at Rest | AES-256 encryption on all stored biometric data |
| Encryption in Transit | TLS 1.3 for all data transfers between Clone U, ElevenLabs, and HeyGen |
| Access Controls | Role-based access; only authorized personnel can access biometric data |
| Separation of Data | Biometric consent records stored separately from booking and session data per BIPA requirements |
| Background Checks | All employees with biometric data access undergo background checks |
| Audit Logging | All access to biometric data is logged and auditable |
| Vendor Security | ElevenLabs and HeyGen maintain SOC 2 Type II compliance |
6. Retention Schedule
| Data Type | Retention Period | Deletion Process |
|---|---|---|
| Active voice clones | Duration of portal access (1, 3, or lifetime depending on package) | Deleted from ElevenLabs and Clone U within 30 days of access expiration |
| Active avatars | Duration of portal access | Deleted from HeyGen and Clone U within 30 days of access expiration |
| Raw voice recordings | 90 days after capsule delivery (QA purposes) | Permanently deleted; not recoverable |
| Raw photos/video | 90 days after capsule delivery | Permanently deleted; not recoverable |
| Consent records | 3 years after deletion of associated biometric data (legal compliance) | Securely destroyed after retention period |
| On consent revocation | N/A | All biometric data deleted within 30 days of revocation request |
When biometric data reaches the end of its retention period, it is permanently and irreversibly deleted from all systems, including backups, within 30 days.
7. Third-Party Sharing
We share biometric data only with the following third-party processors, and only for the specific purposes described below:
| Provider | Biometric Data Received | Purpose |
|---|---|---|
| ElevenLabs, Inc. | Voice recordings, voiceprint data | Voice clone creation and hosting |
| HeyGen, Inc. | Photos, video, facial geometry data | Avatar creation and rendering |
No sale of biometric data. Clone U Studios will never sell, lease, trade, or otherwise profit from your biometric data. We will never share biometric data with any party other than the processors listed above, except as required by law or court order.
Both ElevenLabs and HeyGen operate under data processing agreements that require them to:
- Process biometric data only for the purposes specified by Clone U
- Maintain industry-standard security measures
- Delete biometric data upon Clone U's instruction
- Not use biometric data to train their own AI models without separate explicit consent
- Notify Clone U of any data breach involving biometric data within 72 hours
8. Your Rights
8.1 Rights Under BIPA
Under the Illinois Biometric Information Privacy Act (740 ILCS 14), you have the right to:
- Be informed of the collection and storage of your biometric data before it occurs
- Provide written consent (or decline to consent) before biometric data is collected
- Know the specific purpose and duration of biometric data collection
- Request the permanent destruction of your biometric data
- Bring a private right of action for violations of BIPA
8.2 Rights Under CCPA
California residents have the following additional rights regarding biometric data:
- Right to know what biometric data has been collected and how it is used
- Right to request deletion of all biometric data
- Right to opt out of the sale of biometric data (we do not sell biometric data)
- Right to non-discrimination for exercising your privacy rights
8.3 Exercising Your Rights
To exercise any of these rights, contact us at:
Email: hello@cloneustudios.com
Subject line: "Biometric Data Request"
We will verify your identity and respond within 15 business days. If your request involves deletion, all biometric data will be permanently removed from our systems and our third-party processors within 30 days of verification.
9. Data Breach Notification
In the event of a data breach involving biometric data, Clone U will:
- Notify all affected individuals within 72 hours of discovering the breach
- Notify applicable regulatory authorities as required by law
- Provide details of what data was compromised, what steps we are taking, and what you can do to protect yourself
- Offer appropriate remediation, which may include credit monitoring or identity theft protection
10. Changes to This Policy
We may update this Biometric Data Policy as laws change or as our services evolve. When we make material changes:
- We will notify you by email at least 30 days before changes take effect
- We will post the updated policy on our website with a new effective date
- Material changes to biometric data handling may require renewed consent
11. Contact Us
Clone U Studios, LLC
Oakland, California
General: hello@cloneustudios.com
Biometric data requests: hello@cloneustudios.com with "Biometric Data Request" in the subject line
We aim to respond to all biometric data inquiries within 15 business days.