Biometric Data Retention and Destruction Schedule
Last updated: July 12, 2026
This schedule is the written, publicly available policy of Valteris GmbH (operator of the Longevity Cities platform) establishing our retention schedule and guidelines for permanently destroying biometric identifiers and biometric information, as required by applicable biometric privacy laws, including the Illinois Biometric Information Privacy Act (740 ILCS 14) and the Texas Capture or Use of Biometric Identifier Act.
1. What we process
Photo Age Test: when you start a scan, your facial photo is transmitted over an encrypted connection to our own analysis service (AWS, Frankfurt, Germany) and processed in volatile memory to estimate an age. To the extent this transient processing involves a scan of face geometry, it is the only biometric identifier we ever possess. rPPG scanner and VO2max heart-rate step: the camera video is processed entirely on your device, in your browser. No video frames, images, or facial geometry ever reach our systems; we never take possession of a biometric identifier through these features. We never use any of the above to identify a person, and we collect no fingerprints, voiceprints, iris or retina scans.
2. Retention and destruction
Facial photo (Photo Age Test): retained only in volatile memory for the seconds required to compute the estimate. It is never written to disk, database, cache, or log. It is permanently destroyed, by release and overwriting of the memory, immediately upon completion of the analysis, and in every case within the same processing session. This satisfies destruction upon fulfilment of the initial purpose of collection. Derived numeric results (estimated age, heart rate, HRV, stress, vascular age): these numbers are not biometric identifiers, but we treat them protectively as health data. They are stored only if you choose to save them, remain private by default, and are retained until you delete the entry or your account, at which point they are permanently deleted. Anonymous event results are deleted no later than 12 months after the event. Backups: encrypted database backups rotate within a maximum of 90 days; deletions are re-applied after any restore, so destroyed data does not reappear.
3. Consent
Before every scan, we display a notice describing the processing and obtain your informed electronic consent, which constitutes your written release where required by law. A timestamped consent receipt is stored (for account holders on the account; for anonymous scans as a minimal technical receipt).
4. No sale or disclosure
We do not sell, lease, trade, or otherwise profit from biometric identifiers or biometric information. We do not disclose them to anyone, except that transient processing occurs on infrastructure operated by our contracted hosting processor (Amazon Web Services, Frankfurt) under confidentiality and data-processing obligations, and except where disclosure is required by law.
5. Security
Biometric data in transit is protected by TLS encryption; processing runs in isolated environments with strict access controls, using a standard of care at least equal to that with which we protect other confidential information.
Contact: Valteris GmbH, Am Kaiserkai 59, 20457 Hamburg, Germany, info@longevity-germany.com
See also our Privacy Policy, Terms & Conditions, and Imprint.
