Invite HeroHome

InviteHero — Biometric Data Notice and Written Release

Effective date: May 1, 2026

Last updated: May 1, 2026

This Biometric Data Notice is provided by Month, Inc. (d/b/a InviteHero) in compliance with:

  • the Illinois Biometric Information Privacy Act, 740 ILCS 14/1 et seq. ("BIPA");
  • the Texas Capture or Use of Biometric Identifier Act, Tex. Bus. & Com. Code § 503.001 ("CUBI");
  • Washington's biometric law, RCW 19.375;
  • the biometric provisions of state comprehensive privacy laws (including California CCPA/CPRA, Colorado CPA, Connecticut CTDPA, Delaware DPDPA, Oregon OCPA, Utah UCPA, Texas TDPSA, Virginia VCDPA); and
  • the Washington My Health My Data Act to the extent facial data is treated as consumer health data.

This Notice, together with the click-through acceptance collected at the biometric consent step of the intake flow, constitutes the written release required by BIPA § 15(b).

Service not offered in Illinois or Texas. InviteHero does not currently offer the Service to residents of Illinois or Texas. We block orders originating from IP addresses and billing ZIP codes associated with those states. If you are located in Illinois or Texas, please do not attempt to use the Service. We may expand availability to those states in the future, and if we do we will update this Notice and engineer a jurisdiction-specific consent flow before accepting any orders from those states.

1. What biometric data we collect

When you upload a photograph to the Service, the following biometric data is created and processed:

  • Biometric identifier. A scan of face geometry of the subject of the photograph, including spatial relationships and proportions between facial features, derived from the uploaded photograph.
  • Biometric information. A prepared reference image that encodes those facial features in a format usable by our video-generation provider.

For clarity, this Notice covers biometric identifiers and biometric information whether the subject is an adult or a child. If the subject is a child under 13, this Notice also operates in conjunction with the Children's Privacy section of our Privacy Policy.

2. Purpose of collection and use

We collect and use biometric identifiers and biometric information solely to:

  • Generate the personalized video ordered by the host;
  • Run safety and content-moderation checks on the uploaded photograph and on the generated video;
  • Provide support, regenerations, and debugging for that specific order.

We do not collect, capture, purchase, receive through trade, or otherwise obtain biometric data for any other purpose.

We do not use biometric data to:

  • Identify any individual across sessions, accounts, orders, or products;
  • Train artificial-intelligence or machine-learning models, whether first-party or third-party;
  • Sell, rent, lease, or otherwise profit from biometric data — this prohibition is absolute;
  • Enroll the subject in any face-recognition database or biometric gallery;
  • Support surveillance, advertising, cross-context behavioral advertising, profiling, or any use unrelated to fulfilling the host's order.

3. Length of term and retention

The length of term for which biometric identifiers and biometric information are collected, stored, and used is:

The earlier of (a) ninety (90) days after upload, (b) thirty (30) days after the stated party date, (c) the date of a deletion request from the subject or the subject's parent/guardian, (d) satisfaction of the initial purpose for collection, or (e) termination of the Service.

This term is at all times shorter than BIPA's outer limit of three (3) years from the individual's last interaction and is consistent with the principle that biometric data be destroyed when the initial purpose has been satisfied.

4. Destruction procedure

Destruction at the end of the term above is permanent. Our destruction procedure is:

  1. Automated deletion of the source photograph, the prepared reference image, any derived biometric identifiers or biometric information, and the generated video from primary storage (object storage, database records, application caches);
  2. Written instruction to each service provider (content moderation, video generation) to destroy its copies and confirm destruction in writing on a schedule not to exceed thirty (30) days;
  3. Expiration of backups through backup-lifecycle rules within an additional thirty (30) days;
  4. Retention of a log entry noting the date of deletion and the order identifier, but no retention of the underlying biometric data itself.

Upon written request, we will provide a destruction certificate to the subject or the subject's parent/guardian.

5. Disclosure to service providers

We do not sell, lease, trade, or otherwise profit from biometric identifiers or biometric information. We disclose, redisclose, or disseminate such data only:

  • To the limited service providers listed below, each bound by a written agreement that (i) restricts use to providing services to InviteHero, (ii) requires reasonable security, (iii) requires destruction on completion of processing, (iv) prohibits training of AI/ML models on the data, and (v) prohibits any further disclosure;
  • As required by a valid subpoena, court order, or warrant;
  • To law enforcement and the National Center for Missing & Exploited Children, as required by 18 U.S.C. § 2258A, if the Service is misused to create or distribute child sexual abuse material;
  • To the subject of the biometric data or the subject's legally authorized representative, upon verified request.

Service providers that receive biometric data:

ProviderData receivedLocation
Amazon Web Services, Inc. (or equivalent U.S.-domiciled cloud host)Encrypted storage of all biometric dataUnited States
Content moderation provider (a U.S.-domiciled provider)Uploaded photographUnited States
Kling 3.0 (Kuaishou Technology Co., Ltd.)Prepared reference image and template parametersPeople's Republic of China

Cross-border transfer to Kling — important disclosure. The prepared reference image derived from the uploaded photograph is transmitted to Kling 3.0 for video generation, and is processed on infrastructure operated by Kuaishou Technology Co., Ltd. in the People's Republic of China. We require Kling, by written data-processing agreement, to (i) use the data solely to generate the video ordered, (ii) not use the data to train any AI/ML model, (iii) not retain the data beyond the time needed to generate the video and in no event longer than 90 days, (iv) not disclose the data to any third party, (v) implement reasonable security controls, and (vi) promptly notify InviteHero of any government or law-enforcement request for the data. By clicking to accept this Notice and the written release in Section 7, you consent to this cross-border transfer.

6. Security

We protect biometric data using the reasonable standard of care applicable to our industry, and in a manner that is at least as protective as the standard applied to other confidential and sensitive information. Controls include:

  • Encryption at rest and in transit (TLS 1.2 or higher);
  • Role-based access controls and least-privilege permissions;
  • Audit logging of all internal access to biometric data;
  • Written data-processing agreements with all service providers handling biometric data;
  • Annual training of personnel with access to biometric data; and
  • An incident-response plan that includes notification to affected individuals and applicable state authorities.

7. Written release

By clicking to accept this Notice at the biometric consent step of the intake flow and by uploading a photograph, you affirm, warrant, and release as follows:

  1. You are (a) the subject of the photograph, (b) the parent or legal guardian of the child shown in the photograph, or (c) a person who has obtained the verifiable written consent of the subject (or the subject's parent or legal guardian) to provide the photograph.
  2. You have read and understand this Notice, including the categories of biometric data collected, the specific purpose, the length of term, the destruction procedure, and the cross-border transfer of the prepared reference image to Kling 3.0 in the People's Republic of China.
  3. You consent to InviteHero's collection, storage, and use of the biometric identifiers and biometric information derived from the photograph, solely for the purposes described in Section 2 and only for the length of term described in Section 3.
  4. You consent to the cross-border transfer of the prepared reference image to Kling 3.0 described in Section 5.
  5. Your consent is given voluntarily and may be revoked at any time by emailing support@invitehero.app with subject line "Biometric Request: Revoke", subject to the understanding that revocation will result in termination of the corresponding order.

This Section 7, together with the click-through acceptance, is intended to constitute written, informed consent under any biometric privacy law that applies to you.

8. Your rights

You, or the parent/legal guardian of a subject under 18, may at any time:

  • Access. Request a summary of the biometric data we have collected about the subject.
  • Delete. Require us to permanently destroy the biometric data.
  • Revoke consent. Direct us to cease further collection or use and destroy all biometric data previously collected.
  • Receive a destruction certificate upon written request.

To exercise any of these rights, email support@invitehero.app with subject line "Biometric Request" or write to the address in Section 11. We will verify the request against information already associated with the account or order and respond within ten (10) business days.

9. Interaction with children's privacy

For any subject under 13, we additionally follow the procedures described in the Children's Privacy section of our Privacy Policy, including verifiable parental consent and the retention limits described there.

10. Changes to this Notice

We will post material changes to this Notice at https://invitehero.app/biometric and notify registered hosts by email before the changes take effect with respect to previously collected data. We will obtain fresh written release where required by applicable law.

11. Contact

Month, Inc. (d/b/a InviteHero)
Attn: Privacy Officer
74 E Glenwood Ave Unit #5647, Smyrna, DE 19977
Email: support@invitehero.app (subject line: "Biometric Request")

This Notice is a plain-English draft. It is not legal advice. Before publishing, have it reviewed by a licensed attorney familiar with BIPA, CUBI, Washington's biometric and My Health My Data laws, Executive Order 14117 / 28 C.F.R. Part 202, and the biometric provisions of the state comprehensive privacy laws.