A permanent platform boundary

Zero Biometric Data.

We do not use facial recognition. We do not hash faces. We do not store or process biometric identifiers. We believe there is no safe way to handle biometric data in consumer photo delivery.

Back to FYP Read the argument

The argument | Consent and exceptions | Industry signal | Visual model

This page explains our design position and threat model. It is not legal advice.

The argument

Why we refuse biometrics in guest photo delivery

We are not saying biometric systems are always malicious. We are saying they create a class of risk that is irreversible in consumer workflows. If something goes wrong, you cannot meaningfully rotate a face the way you rotate a link, code, or password. Our platform stays safer by never entering that category.

Point 1

Biometrics are not rotatable

Links, codes, passwords

If exposed, you revoke, regenerate, and move on.

Biometric identifiers

If exposed, there is no reliable re-issue. That is the core asymmetry.

Point 2

Hashing is not an escape hatch

To hash, you must first extract

Any system that can match later must create a stable template now. A template that can match a person is still a biometric identifier.

Stability is the danger

It is designed to persist across time, devices, and contexts.

Point 3

Consent breaks in real venues

Mixed scenes are normal

Families, groups, minors, crowds, school events, public venues.

Opt-outs create exceptions forever

That exception lane is where accidental processing happens.

What we do instead

Simple access, clear boundaries

Guests find galleries using links and access codes, and studios control sharing rules. This keeps the platform rotatable, auditable, and predictable.

See: Consent and exceptions Studio delivery on FYP

Gallery links

Fast, familiar, shareable. Controlled by the studio.

Access codes

Low friction for high volume programs, no enrollment required.

Studio-managed sharing

Studios decide how access works. FYP enforces controls.

Consent and exceptions

To exclude a face, you still have to process it

In real venues, consent is not universal. The moment one person opts out, your workflow becomes a permanent exception engine. That exception engine is exactly where accidental processing and compliance failures happen.

The paradox

Opt-out requires recognition

Option A: do not take the photo

In many programs, this is not realistic. Group photos, crowds, minors, and public venues create constant overlap.

Option B: take the photo but do not ingest

To enforce that promise, the system must reliably identify the opted-out person each time they appear. That means you either process faces at upload, maintain an exclusion identity, or require manual tagging forever.

Core point

The moment you say “we will not process this person,” your workflow still has to process enough signal to enforce that promise. That is the paradox.

Operational reality

The forever-tag problem

“Do not process” must follow the image forever

If an image is uploaded once, copied, resized, re-exported, watermarked, transcoded, or moved across storage tiers, the exclusion rule must survive every transformation.

Every downstream step becomes a checkpoint

Upload, ingestion, indexing, search, AI tools, support workflows, analytics, backups, vendor tooling. One missed handler becomes accidental processing.

Mixed scenes collapse “only after consent”

Guests move, mingle, and appear in each other’s photos. A single opt-out forces reduced coverage or permanent exception routing.

The exception lane

Where compliance breaks

Once opt-outs exist, every image must be routed through rules, forever

This is not a one-time check. It is a permanent enforcement surface across the entire pipeline.

Upload

files arrive from capture systems

Ingest

processing and routing decisions

Index

search and retrieval structures

what results can appear

simple lane

Links, codes, and passwords are enforced at access time.
If exposed, rotate, invalidate, regenerate.
Storage and search stay generic, auditable, and consistent.

exception lane

You must identify opt-outs reliably at ingest, every time.
Every copy, resize, export, backup, and tool must honor the rule.
One missed handler becomes accidental processing.

This is why we refuse biometric identifiers entirely. The safest exception engine is no engine.

Design choice

We build “find your pictures” using links, access codes, and operator-controlled sharing. We refuse biometrics so the platform stays rotatable, auditable, and safe by design.

The Privacy Paradox

Why "Voluntary" Face-Tagging is a Myth

Mary (The User)

Mary uploads a selfie to find her photos. She "consents" to the scan. She thinks the system is only looking for her.

Steve (The Bystander)

Steve is in the background of 40 photos. He never used the app. He never consented.

The Reality

To find Mary, the AI must check her selfie against a "Ghost Index" of every face in the gallery—including Steve's.

The "Ghost Indexing" Problem

Face-finding AI doesn't work in a vacuum. For a system to "match" Mary, it must first biometrically hash every single person in the photographer's upload.

Non-Consensual Processing: Steve's biometric identifier was created without his knowledge the moment the gallery was ingested.
The Comparison Liability: Every time a user searches by face, the system "processes" the biometric data of every innocent bystander in the database to rule them out.
The Regulatory Trap: Under laws like BIPA and GDPR, Steve is the primary victim. You cannot obtain consent from a crowd, yet the AI requires the crowd's data to function.

The FYP Solution

We refuse to build the "Ghost Index." Guests find photos via Studio Links and Access Codes. We protect Mary's convenience without violating Steve's rights.

Industry signal

This risk has a history, even at big platforms

We are not building a legal case here. This is a product risk signal. When biometric pipelines meet consumer reality, the failure modes are expensive, high scrutiny, and hard to unwind.

Examples below are provided for context only. They are not legal advice, and they are not an exhaustive list.

Example

Illinois (BIPA) lawsuits and settlements

Illinois’ Biometric Information Privacy Act became a major litigation driver and produced large reported settlements, including a widely reported settlement involving Facebook’s photo tagging related claims (reported at $650M).

Example

State enforcement actions

Some disputes are not “just class actions.” State-level enforcement can produce very large outcomes. For example, Texas announced a reported $1.4B settlement with Meta over facial recognition related claims.

Example

Scraping and repurposing concerns

Facial datasets can be built from scraped images, then repurposed. Litigation around companies accused of scraping faces highlights how quickly a “helpful feature” becomes a broader surveillance concern.

Our takeaway

We refuse the category

The safest way to avoid biometric disputes, edge cases, and exception routing is not to build the biometric pipeline at all. We choose rotatable access methods that can be audited and repaired when something goes wrong.

Visual model

Risk does not scale evenly

These charts are illustrative. They do not use customer data, and they are not claims of absolute measurement. They exist to show why we treat biometric identifiers as a different risk class.

Illustrative risk profile

Biometric identifiers vs link/code access

illustrative

Interpretation: biometric systems concentrate irreversible risk in fewer failure modes (breach, misuse, repurposing).

Rotatability test

What you can reset after exposure

core issue

Interpretation: links, codes, and passwords can be rotated quickly. Biometric identifiers cannot be meaningfully re-issued.

Threat model

How biometric risk enters a photo workflow

Biometric flow (what we refuse)

Capture face data, create templates, store templates, match templates later. Each step increases the blast radius if anything goes wrong.

Capture

A face is scanned in a consumer context.

Template

A biometric representation is created.

Storage

Templates must be stored and protected.

Matching

Templates are used for retrieval decisions.

Blast radius grows

A password leak can be mitigated. A biometric leak is persistent and hard to meaningfully undo.

Our platform is designed to avoid this entire branch, permanently.

What we commit to

Clear commitments

No facial recognition features

We do not offer “find by face” workflows for guests.

No hashing of faces

We do not create or store face templates, hashes, or biometric identifiers.

Studios control access

Links, codes, passwords, and sharing are studio-managed by design.

Clarity over cleverness

We prefer predictable guest flows that scale without biometric risk.

Talk to us about studio delivery

Guests: if you need help finding your gallery, use Guest Help on the main site.

FAQ

Common questions

Short answers for operators and partners.

Hashing and templating do not remove biometric sensitivity. If it can match a person later, it is still a biometric identifier. Our position stays simple: we do not collect, store, or process biometric identifiers.

Guests typically arrive via a link or access code from the studio or event. That path is fast, familiar, and works across devices without enrolling a face. Studios retain control of sharing and password rules.

Permanent. This is a platform boundary. We are building guest access and studio delivery that do not require biometric shortcuts.

Yes. Studios manage links, access codes, passwords, and sharing rules. That keeps control with the operator and keeps the platform out of biometric territory.

You can, but then your entire pipeline must treat that tag as a permanent compliance rule across every transformation: resizing, exports, indexing, search, AI tooling, support workflows, analytics, backups, and vendor tools. One missed handler becomes accidental processing. We avoid the category entirely.

Guest Help Studio Log In