POLICY GOVERNING COLLECTION, USAGE AND RETENTION OF BIOMETRIC IDENTIFIERS AND/OR INFORMATION

When authorized to do so, Vayan Group, LLC (the “Company”) from time to time, collects, uses and/or stores employee information that may qualify as a biometric identifier or biometric information – namely, information collected from employees’ fingerprints or finger scans – in connection with time keeping and/or providing access to Company-owned cell phones. Accordingly, the Company has established this Policy outlining the Company’s retention schedule and guidelines for destroying such information.

The Company, in its sole discretion, reserves the right to amend this Policy at any time.

Please note that under no circumstances will the Company sell, lease, trade, or otherwise profit from employees’ potential biometric identifiers or biometric information. Furthermore, absent each employee’s consent or unless required by law (such as federal laws and regulations, a valid warrant or subpoena), the Company will not disclose or disseminate such information to third parties.

Retention Schedule

The Company (when authorized) retains information collected from employees that may qualify as biometric identifiers or biometric information for the entirety of those employees’ employment and until the initial purpose for collecting or obtaining such information has been satisfied or within three (3) years of each employee’s separation from employment, whichever occurs first. During that time, the Company exercises reasonable care in protecting such information and does so in a manner that is the same or more protective than the manner in which it protects other confidential and sensitive information.

Guidelines for Destruction

Unless further retention is required by law (e.g., federal laws and regulations, a valid warrant, subpoena, or litigation hold notice), the Company will permanently delete and/or destroy all potential employee biometric information or identifiers from all Company systems, files and back­ups, including, but not limited to, its cloud storage systems, when the initial purpose for collecting or obtaining such information has been satisfied or within three (3) years of each employee’s separation from employment, whichever occurs first. In doing so, the Company will continue to take reasonable measures to protect this information (to the same extent it protects other confidential and sensitive information) and ensure it is not inadvertently disclosed or disseminated to third parties.

To the extent any employee has authorized disclosure of possible biometric identifiers or information to any third party, the Company will instruct that third party to permanently delete such information from all of its systems, files and/or back-ups when the initial purpose for collecting or obtaining such information has been satisfied or within three (3) years of each employee’s separation from employment, whichever occurs first, unless further retention is required by law. The Company shall require all such third parties to which/whom disclosure has been authorized to provide a sworn verification attesting that it has permanently deleted and/or destroyed each such employee’s potential biometric identifiers and biometric information in accordance with this policy (except, as set forth above, if such third parties are required to retain such information by law). During that time, such third parties shall exercise reasonable care in protecting such information and do so in manner that is the same or more protective than the manner in which it protects other confidential and sensitive information.