Biometric Privacy Policy

Last Update: January 2, 2026

1. Purpose and Scope

This Biometric Privacy Policy (“Policy”) is adopted by Guru to comply with the Illinois Biometric Information Privacy Act, 740 ILCS 14 (“BIPA”), and other applicable biometric privacy laws. This Policy applies to Biometric Identifiers and Biometric Information (collectively, “Biometric Data”) processed through the Guru Online Service.

This Policy is publicly available and applies to employees, candidates, and other authorized persons who access or use Guru’s Platform either (a) in their organization’s capacity as an administrative person authorized by Guru’s Customer (as defined below), or (b) in an individual capacity (collectively, “Users” and each, a “User”).

2. Definitions (BIPA-Consistent)

“Biometric Identifier” has the meaning set forth in BIPA and includes a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Biometric Identifiers do not include writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color.

“Biometric Information” means any information, regardless of how it is captured, converted, stored, or shared, that is based on an individual’s Biometric Identifier and is used to identify an individual. Biometric Information does not include information derived from items or procedures excluded from the definition of Biometric Identifiers.

“Customer” means the organization or legal entity subscribed to the Service by execution of an Order Form with Guru under which the Platform and Service are made available to Users. The Customer legal entity may be identified within the “About this Software” link on the Platform.

“Order Form” has the meaning ascribed to it in the online version of the Master Agreement between Guru and Customer.

“Platform” means the Software Services, an all-in-one HR software platform that may include time and attendance, payroll, benefits administration, and human resources information management, and may provide access to Third Party Service Provider services via the Website, Kiosk, or Mobile App.

“Guru” means the Service Provider legal entity identified in the applicable Customer Order Form. The Service Provider legal entity may be identified within the “About this Software” link on the Platform.

“Service Provider” means the legal entity identified as Service Provider in the applicable Customer Order Form.

“Website” means the specific subdomain(s) assigned to Customer by Guru and/or Third Party Service Provider websites made accessible by Guru for Customer’s use of the Software Services and the Service.

3. Role of Guru and Customers

Guru provides technology services to employers using the Platform (“Customers”). Customers determine whether Biometric Data is collected and are responsible for providing required notices and obtaining any legally required written releases or consents from their employees or job applicants.

Guru relies on Customer representations that all Biometric Data made available to Guru has been collected in compliance with BIPA and other applicable laws.

4. Collection and Use of Biometric Data (BIPA §15(b))

Biometric Data is collected and used solely for lawful employment-related purposes, including identity verification, timekeeping, and workforce management, as directed by Customer.

Guru does not collect Biometric Data for its own independent purposes.

5. Prohibition on Sale or Profit (BIPA §15(c))

Guru does not sell, lease, trade, or otherwise profit from Biometric Data.

6. Disclosure and Dissemination (BIPA §15(d))

Guru will not disclose, redisclose, or otherwise disseminate Biometric Data unless one or more of the following conditions is satisfied:

  1. The individual or the individual’s legally authorized representative has provided a legally valid written release;
  2. The disclosure completes a financial transaction requested or authorized by the individual or the individual’s legally authorized representative;
  3. Disclosure is required by state or federal law or municipal ordinance; or
  4. Disclosure is required pursuant to a valid warrant, subpoena, or court order.

7. Data Storage and Safeguards (BIPA §15(e))

Guru stores Biometric Data using a reasonable standard of care within its industry and in a manner that is at least as protective as the manner in which Guru stores, transmits, and protects other confidential and sensitive information.

Biometric Data is converted into an encrypted data string and transmitted and stored using commercially reasonable security measures.

8. Retention Schedule and Destruction Guidelines (BIPA §15(a))

Guru retains Biometric Data only for as long as necessary to fulfill the purpose for which it was collected or as required by applicable law.

Unless a shorter period is required by law or contract, Biometric Data will be permanently destroyed upon the earlier of:

  1. The satisfaction of the initial purpose for collecting or obtaining the Biometric Data; or
  2. Three (3) years after the individual’s last interaction with the applicable Customer.

Customers may configure retention settings within the Guru Online Service; however, such configurations operate subject to the maximum retention periods permitted under BIPA and this Policy.

9. Active Customer Data Retention (Operational Defaults)

For active Customers, Guru applies default retention settings that may be modified by the Customer, subject to applicable law:

  1. Biometric Identifiers: retained during active employment and up to one (1) year post-termination
  2. Banking records: retained during active employment and up to one (1) year post-termination
  3. Employee HR records: retained for five (5) years
  4. Payroll records: retained for five (5) years
  5. Employee and applicant personal records: retained during active employment and up to three (3) years post-termination

10. Terminated Customer Data Retention

For Customers that have terminated the Guru Online Service, Customer data is retained until all required governmental filings are completed and for up to one (1) year thereafter. Following completion of such filings, Customer data is archived offline and may be made available for retrieval for up to five (5) years to comply with legal obligations, including audits, subpoenas, or court orders.

Guru may retain Customer data beyond five (5) years if required to comply with legal obligations, including audits, subpoenas, or court orders.

11. Contact Information

Should you have inquiries regarding this Policy, please reach out to your organization’s human resources department.

If you have questions about the Platform, you may find current contact information for Guru by accessing the “About this Software” link on the Platform.