RENAISSANT BIOMETRIC INFORMATION POLICY

Effective Date: May 19, 2026 | Version: 1.0

1. Purpose and Scope

Renaissant, Inc. (“Renaissant,” “we,” “us,” or “our”) provides this Biometric Information Policy (the “Policy”) to inform individuals about our collection, use, storage, disclosure, retention, and destruction of biometric identifiers and biometric information. This Policy is published in accordance with the Illinois Biometric Information Privacy Act, 740 ILCS 14/1 et seq. (“BIPA”), and applies to all biometric data Renaissant collects in any jurisdiction, including Illinois, Texas, Washington, and other states with biometric privacy laws.

This Policy applies to all individuals from whom Renaissant collects Biometric Information, including without limitation Renaissant’s customers’ employees, drivers, contractors, and other personnel who use the Renaissant platform or whose Biometric Information is processed by Renaissant on a customer’s behalf.

2. Definitions

“Biometric Identifier” means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Biometric Identifiers do not include writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color.

“Biometric Information” means any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s Biometric Identifier used to identify an individual. Biometric Information does not include information derived from items or procedures excluded from the definition of Biometric Identifier.

Together, “Biometric Identifiers” and “Biometric Information” are referred to in this Policy as “Biometric Data.”

3. Biometric Data We Collect and Why

Renaissant may collect, capture, store, or otherwise obtain Biometric Data, including scans of facial geometry and fingerprint templates, for the following limited purposes:

  • Identity verification of users accessing the Renaissant platform and Services.

  • Access control, including authentication at customer facilities, vehicles, or assets where the customer has deployed Renaissant’s identity verification features.

  • Security and fraud prevention, including detection of unauthorized access attempts.

  • Compliance with the customer’s recordkeeping, safety, or regulatory obligations, where the customer has configured the Services to require biometric verification.

Renaissant does not use Biometric Data for marketing, advertising, profiling, or any purpose unrelated to identity verification and security.

4. Written Notice and Release

Renaissant will not collect, capture, purchase, receive through trade, or otherwise obtain a person’s Biometric Data unless Renaissant first:

  • Informs the individual in writing that Biometric Data is being collected or stored;

  • Informs the individual in writing of the specific purpose and length of term for which the Biometric Data is being collected, stored, and used; and

  • Receives a written release executed by the individual or the individual’s legally authorized representative.

Where Renaissant collects Biometric Data through a customer’s deployment of the Services, the customer is responsible for providing the required notice and obtaining the required written release from each individual before any Biometric Data is collected. Renaissant requires customers to make this commitment contractually and to maintain records of notice and consent.

5. Retention Schedule

Renaissant retains Biometric Data only for as long as necessary to fulfill the purpose for which it was collected. In accordance with BIPA §15(a), Renaissant will permanently destroy Biometric Data when the first of the following occurs:

  • The initial purpose for collecting or obtaining the Biometric Data has been satisfied (for example, the individual is no longer a user of the Services or no longer requires access); or

  • Three (3) years have elapsed since the individual’s last interaction with Renaissant.

This retention period applies regardless of any longer retention period that might otherwise apply under Renaissant’s general Data Retention Policy. Where a customer terminates its agreement with Renaissant, Biometric Data associated with that customer’s deployment will be destroyed in accordance with this schedule and the applicable customer agreement, unless retention is required by law.

6. Destruction Standards

Renaissant destroys Biometric Data using methods designed to render it permanently unrecoverable, including:

  • Cryptographic erasure of encrypted Biometric Data;

  • Secure deletion from all production systems, with confirmation logged in Renaissant’s audit trail;

  • Removal from backups through the standard backup rotation cycle (rolling 90 days), after which Biometric Data is not restored from backup except as required by law; and

  • Written confirmation from any service provider or subprocessor that has held Biometric Data on Renaissant’s behalf.

7. Disclosure and No Sale

Renaissant does not sell, lease, trade, or otherwise profit from an individual’s Biometric Data.

Renaissant will not disclose, redisclose, or otherwise disseminate Biometric Data to any third party unless one of the following applies:

  • The individual (or the individual’s legally authorized representative) has provided written consent to the disclosure;

  • The disclosure completes a financial transaction the individual requested or authorized;

  • The disclosure is required by federal, state, or local law or municipal ordinance; or

  • The disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.

Renaissant may share Biometric Data with the customer on whose behalf it was collected, and with service providers and subprocessors that support the Services. These service providers and subprocessors are contractually required to apply protections at least as protective as those in this Policy, to use Biometric Data only as instructed, and to destroy or return Biometric Data upon completion of services.

8. Storage and Safeguards

Renaissant stores, transmits, and protects Biometric Data using the reasonable standard of care within Renaissant’s industry, and in a manner that is the same as or more protective than the manner in which Renaissant stores, transmits, and protects other confidential and sensitive information. Safeguards include:

  • Encryption of Biometric Data both in transit and at rest;

  • Role-based access controls limiting access to Biometric Data to authorized personnel with a documented business need;

  • Logging and monitoring of access to systems storing Biometric Data;

  • Vendor risk management for service providers and subprocessors that handle Biometric Data;

  • Incident response procedures specifically addressing potential exposure of Biometric Data; and

  • Security controls aligned with the SOC 2 Trust Services Criteria.

9. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Receive information about the Biometric Data we hold about you;

  • Withdraw any prior written release for the future collection of your Biometric Data;

  • Request deletion of your Biometric Data, subject to applicable law; and

  • Lodge a complaint with a competent regulatory authority.

Where Renaissant processes Biometric Data on behalf of a customer, the customer is generally the appropriate point of contact for these requests, and Renaissant will assist the customer as required by law and the applicable agreement. To submit a request directly to Renaissant, contact privacy@renaissant.com.

10. Children

Renaissant does not knowingly collect Biometric Data from children under the age of 18. Where Renaissant becomes aware that Biometric Data of a minor has been collected, Renaissant will work with the relevant customer and the minor’s parent or legal guardian to delete the data and confirm appropriate consent before any further collection.

11. Changes to This Policy

Renaissant may update this Policy from time to time to reflect changes in law, business practices, or risk. The most current version of this Policy will be available at https://renaissant.com/biometric-policy/ (or a successor URL). Material changes will be communicated through appropriate channels.

12. Contact Us

Questions or concerns regarding this Policy or Renaissant’s handling of Biometric Data should be directed to:

Renaissant, Inc.

Attn: Chief Information Security Officer

W263N6209 Ridge Dr.

Sussex, WI 53089

privacy@renaissant.com

Version History