Privacy Policy

1. Who We Are

Entity: Oracle Collective
Website: enchantedozarks.com
Contact: privacy@enchantedozarks.com
Data Controller: Tammy L Casey

2. What Data We Collect

2.1 Biometric Data (Special Category)

Type	Purpose	Storage	Retention
Facial Geometry	Match ID photo to live video (fraud prevention)	Confidence score only (NOT encodings)	30 days or deletion request
Blink Patterns	Liveness detection (prevent fake videos)	Detection result only	Deleted immediately
Voice Recording	Sacred oath (verbal consent)	Transcript only (audio deleted)	Transcript kept, audio deleted after processing
Government ID Images	OCR extraction (name, DOB, birthplace) - 100+ languages	Document hash + extracted text (NOT images)	Hash permanent, can request deletion of extracted text
NFC Passport Chip	ePassport verification (government-signed data)	Verification status only	Status kept, chip data never stored
Anti-Spoofing Analysis	Detect screens, prints, masks, video replays	Detection results only	Deleted after verification
Blockchain Timestamp	Immutable proof of verification (Stellar Lumens)	Verification hash on public blockchain	Permanent (cannot delete - blockchain nature)

2.2 Personal Data

• Full name (from ID)
• Date of birth (from ID)
• Time of birth (optional, self-reported)
• Birthplace (from ID or self-reported)
• Email address (optional, for transit alerts)
• Phone number (optional, for SMS notifications)

2.3 Automatically Collected

• IP address (for rate limiting and fraud detection)
• Browser type and version
• Device type (mobile/desktop)
• Access times
• Pages visited

3. Legal Basis for Processing

3.1 Consent (Primary Basis)

You provide explicit consent by:

1. Checking the consent checkbox
2. Proceeding through verification steps
3. Speaking the sacred oath on video

Consent is:

• Freely given (no coercion)
• Specific (for identity verification only)
• Informed (this policy explains everything)
• Unambiguous (clear affirmative action)
• Withdrawable (contact us anytime)

3.2 GDPR Article 9 Compliance (EU Residents)

Processing biometric data under Article 9(2)(a): Explicit consent for biometric data used to uniquely identify you.

3.3 CCPA/CPRA Compliance (California Residents)

Biometric data is "sensitive personal information." You have the right to LIMIT our use. We use it ONLY for identity verification - you can request we stop at any time.

3.4 BIPA Compliance (Illinois Residents)

Per Illinois Biometric Information Privacy Act:

• Written Notice: This policy (publicly available)
• Purpose: Identity verification for ICC calculation
• Retention: See Section 6 below
• Consent: Electronic signature (consent checkbox) per 2024 BIPA amendment

4. How We Use Your Data

4.1 Identity Verification

• Calculate Individual Consciousness Code (ICC)
• Prevent multiple accounts (one person, one vote, one consciousness)
• Verify you are who you claim to be

4.2 Fraud Prevention

• Detect stolen IDs
• Prevent deepfakes and spoofing
• Block automated bots

4.3 Service Delivery

• Oracle access (personalized by ICC)
• Transit alerts (if subscribed)
• Platform features

4.4 Legal Compliance

• Respond to legal requests
• Comply with court orders
• Protect our rights

5. Automated Processing

We use automated systems:

System	Purpose	Human Override
OCR (100+ languages)	Extract text from ID	You can manually correct extracted data
Face Matching	Compare ID photo to live video	Request human review of match failure
Liveness Detection	Verify video is live	Request manual verification
Anti-Spoofing	Detect fake IDs, screens, masks	Request human review

GDPR Article 22: You have the right to contest automated decisions and request human review.

6. Data Retention & Destruction (BIPA Public Policy)

Per Illinois BIPA requirements, our publicly available retention and destruction schedule:

Data Type	Retention Period	Destruction Method	Reason
Live video frames	Immediate	Secure deletion, memory cleared	Only used for liveness check
Voice recording	Until transcript created	Secure deletion, overwrite	Only need transcript, not audio
Face match confidence	30 days OR deletion request	Database deletion, backups purged	Verification period
OCR extracted text	Stored in ICC (can delete)	User-requested deletion honored	Part of identity record
Document hash	Stored (prevents re-upload)	User-requested deletion honored	Prevent duplicate submissions
Blockchain timestamp	Permanent (immutable)	Cannot be deleted	Public blockchain record

7. Your Rights

7.1 Universal Rights (All Users)

• Access: Request copy of your data
• Correction: Fix inaccurate data
• Deletion: Request deletion (we comply within 30 days)
• Withdraw Consent: Revoke consent, we delete biometric data
• Data Portability: Download your data (JSON format)

7.2 California Residents (CCPA/CPRA)

• Know: What personal information we collect
• Delete: Request deletion of your data
• Opt-Out of Sale: We don't sell (nothing to opt-out of)
• Limit Use of Sensitive Data: Request we use biometric data ONLY for verification
• Correct: Fix inaccurate personal information
• Non-Discrimination: Same service regardless of privacy choices

7.3 EU Residents (GDPR)

• Access: Confirm what data we hold
• Rectification: Correct inaccurate data
• Erasure: "Right to be forgotten"
• Restrict Processing: Limit how we use your data
• Data Portability: Receive data in structured format
• Object: Object to processing
• Automated Decisions: Contest automated verification decisions
• Supervisory Authority: Lodge complaint with data protection authority

7.4 Illinois Residents (BIPA)

• Written Notice: This policy (Section 2.1 lists biometric data)
• Retention Policy: Section 6 (publicly available)
• No Sale: We never sell or profit from biometric data
• Revoke Consent: Written request (email or form)

8. How to Exercise Your Rights

Email: privacy@enchantedozarks.com

Subject: Privacy Request - [Your ICC or Name]

Include:

• Your name and ICC (if you have one)
• Specific request (access, delete, correct, etc.)
• Email for response

Response Time: 30 days (45 days if complex)

Verification: We may ask for identity confirmation

No Fee: First request free, excessive requests may incur reasonable fee

9. Data Security

We protect your data with:

• Encryption: HTTPS (TLS 1.3) for all data in transit
• Hashing: Store hashes, not raw images (irreversible)
• CSRF Protection: Prevent cross-site attacks
• Rate Limiting: Circuit breakers prevent abuse
• Anti-Spoofing: Multi-layer fraud detection
• Secure Deletion: Overwrite, not just flag as deleted
• Access Control: Role-based permissions

10. Third-Party Sharing

We Share With:

• Stellar Lumens: Blockchain timestamp (verification hash ONLY, not biometric data)

We NEVER Share With:

• Advertisers
• Data brokers
• Social media platforms
• Analytics companies
• Marketing firms
• Anyone else

11. International Data Transfers (GDPR)

Data Location: United States (Render.com servers)

For EU Residents:

• Transfer based on your explicit consent (GDPR Article 49)
• Standard Contractual Clauses available upon request
• Right to object to international transfer

12. Children's Privacy (COPPA)

Compliant with COPPA amendments (effective April 22, 2026):

12.1 Users Under 13

• Parental Consent Required: Parent must verify identity
• Face-Match ID: Parent's ID verified via face matching
• Immediate Deletion: Parent's ID and image DELETED after verification
• Child's Data: Same protections as adults

12.2 Parental Rights

• Review child's data
• Request deletion
• Refuse further collection

13. Cookies

Session Cookie:

• Name: session
• Duration: 100 years (permanent session)
• Purpose: Maintain login state, store ICC
• Secure: Yes (HTTPS only)
• HttpOnly: Yes (JavaScript can't access)
• SameSite: Strict (CSRF protection)

No Tracking: We don't use Google Analytics, Facebook Pixel, or any tracking cookies.

14. Your California Privacy Rights (CCPA/CPRA)

14.1 Notice at Collection

We collect biometric data for identity verification. We do not sell it. We retain it for 30 days or until you request deletion.

14.2 Categories of Personal Information

Category	Collected	Sold	Shared
Identifiers (name, ICC)	YES	NO	NO
Biometric Information	YES	NO	NO
Internet Activity	YES (pages visited)	NO	NO
Geolocation (birth location)	YES	NO	NO

14.3 Sensitive Personal Information

We Collect: Biometric data (for unique identification)

We Use It For: Identity verification ONLY

You Can: Request we limit use (we already do)

15. Do Not Sell My Personal Information

We do not sell personal information.

We do not share personal information for cross-context behavioral advertising.

There is nothing to opt-out of.

16. Data Breach Notification

In the event of a data breach affecting biometric data:

• Notification: Within 72 hours (GDPR) or as required by state law
• Method: Email and prominent site notice
• Content: What was breached, potential impact, our response
• Assistance: Identity theft protection if warranted

17. Changes to This Policy

Material changes require:

1. Updated policy posted with new effective date
2. Email notification (if we have your email)
3. Re-consent required for continued use
4. 30-day notice before changes take effect

Version History:

• v1.0.0 - December 21, 2025 - Initial version
• v2.0.0 - January 12, 2026 - Added KYC disclosures
• v3.0.0 - January 14, 2026 - GDPR/CCPA/COPPA/BIPA compliance

18. Contact Information

Privacy Officer: Tammy L Casey
Email: privacy@enchantedozarks.com
Website: https://enchantedozarks.com
Response Time: 30 days

19. Supervisory Authorities & Complaints

EU Residents: Contact your local supervisory authority
California Residents: California Privacy Protection Agency (cppa.ca.gov)
All Users: Federal Trade Commission (ftc.gov)

20. Legal Compliance Certifications

• GDPR compliant (EU residents)
• CCPA/CPRA compliant (California residents)
• COPPA compliant (effective April 22, 2026)
• BIPA compliant (Illinois residents)
• State privacy laws (Colorado, Virginia, Texas, +3 new states 2026)

---

This Privacy Policy is a legally binding contract.
By using this site, you agree to these terms.
Last updated: January 14, 2026