Covenant

No-Biometrics Covenant

Effective: May 24, 2026. TinyGuard LLC, 7428 SW Ashford St, Tigard, OR 97224. Questions: privacy@tinyguard.co. This page describes a hard architectural and contractual covenant about what TinyGuard does not do with the video that runs through its platform.

⛔ The covenant — short version

TinyGuard does not collect, store, process, derive, generate, or transmit biometric data of any kind, from any subject, on any surface of the platform.

1. What's covered by the covenant

"Biometric data" in this covenant means every modality the term covers under U.S. state and federal biometric statutes — not a narrower marketing definition. Specifically TinyGuard will not capture, derive, or transmit:

Face geometry — facial-recognition templates, facial-landmark vectors, or any mathematical representation of a face derived from camera footage or photographs.
Voice prints — speaker-identification vectors or any mathematical representation of a voice.
Fingerprints or palm prints (capture, hash, or template).
Iris or retina scans.
Gait analysis or movement-signature recognition.
DNA, vein-pattern, or any other physiological identifier.

The covenant applies to TinyGuard's own platform code, to TinyGuard's AI providers under our control, and to TinyGuard's subprocessors. It is not contingent on whether the data is stored, retained, or merely transient — even transient derivation is out.

2. How the covenant is enforced

Layer	What enforces the covenant at that layer
Master Service Agreement	Every TinyGuard MSA — childcare (TG-MSA-001) and elder care (TG-MSA-E-001) — contains §3 No-Biometrics as a standalone covenant, carved out of the liability cap. A breach of this covenant uncaps damages.
State addenda	The covenant is reaffirmed in every state addendum that has a biometric statute on the books: Illinois (BIPA — 740 ILCS 14), Washington (RCW 19.375), New York City (LL3 of 2021), and others as we expand. Adding a new state with a biometric statute auto-triggers a per-state reaffirmation.
Architecture	TinyGuard's video pipeline is designed to forbid the operations that would produce biometric data. Cameras stream H.264 to the on-premises Raspberry Pi; live video is broadcast via Cloudflare Calls SFU as encoded video, not as derived features; incident-footage segments are encrypted AV1 byte streams, not feature vectors. There is no code path that takes a face crop and produces a recognition template.
AI providers	Our AI subprocessors (Anthropic, OpenAI, Google) receive structured text, metadata, and — for opt-in photo features such as care-suggestions and parent-photo descriptions — still images of the moment. They do not receive video frames, face crops, or biometric templates. AI calls are scoped to behavioral and safety descriptions of a scene, not identity extraction. None of these providers are sent footage to derive biometric features on our behalf.
Vendor selection	We do not source cameras with on-device facial-recognition firmware enabled, and where such a feature exists in firmware (some Tapo + Reolink models), the feature is left off and the on-device telemetry that would surface it is not subscribed to by the Pi.

3. Why we wrote it as a covenant, not a "best practice"

Biometric data has the sharpest legal exposure surface of any data category in childcare or elder care today:

Illinois BIPA (740 ILCS 14) creates a private right of action with statutory damages of $1,000 per negligent violation and $5,000 per intentional violation, per individual, per instance. Settlements under this statute are routinely seven to eight figures (Facebook $650M, TikTok $92M, multiple smaller-vendor cases in the same range).
Washington RCW 19.375 requires notice and written consent before enrolling biometrics for any commercial purpose. AG enforcement under the Consumer Protection Act.
Texas CUBI ($25,000 per violation) and NYC LL3 of 2021 add commercial-establishment restrictions.
California CCPA / CPRA treats biometric data as "sensitive personal information" with rights to limit use and request deletion.
New York BPPA, Colorado, Oregon, Maryland have 2026 sessions with biometric legislation under active consideration.

A "best practice" can be relaxed quietly under product pressure. A covenant — contractual, audit-defensible, carved out of the liability cap — is what gives our customers a defensible answer when a parent, a regulator, or a plaintiff's lawyer asks "what does your camera vendor do with the kids' faces." The answer is "nothing, by contract."

4. What this means for customer facilities

For your facility, the covenant means three operational things you can rely on:

You do not need to obtain BIPA-style biometric consent from parents or residents for the TinyGuard platform to operate. The consent regime your facility runs is for the broadcast/video features (controlled by enrollment, signage, and the Center attestation), not for biometric capture — because there is none.
No BIPA-style retention schedule applies to anything TinyGuard generates from the video, because TinyGuard does not generate biometric data. The retention rules for video (live-only on most surfaces, incident footage on the edge device, plan-tiered cloud archive when enabled) live in the Privacy Policy and your BAA/DPA.
Procurement teams can verify the covenant in writing. The MSA §3 language is the same in every signed agreement. Counsel should be comfortable countersigning without negotiating a biometric-specific carve-in; if they want a stronger statement, the covenant is already standalone-carve-out-from-liability-cap, which is the strongest form we've seen requested.

5. What would have to change for TinyGuard to ever do biometrics

⚠️ What's required to break the covenant

The covenant is intentionally hard to unwind. The path is not "TinyGuard ships a feature flag and turns it on for some accounts." The path is: a written amendment, separately negotiated per-facility, that names the specific biometric modality being added, the specific lawful basis, the specific retention schedule, and the specific liability allocation — and that explicitly amends MSA §3.

There are no internal feature flags, configuration switches, or partial rollouts that can turn on biometric processing for a TinyGuard customer. The covenant is binary by design — there is no "limited beta" or "opt-in pilot" path. Any future biometric feature is a separately negotiated amendment, not a setting.

6. Cross-references

BAA §3 (elder care) — biometric covenant restated as a subprocessor obligation.
Privacy Policy §6 — what we do collect from video (broadcast frames, incident footage), and the retention rules that apply.
Subprocessor List — the third parties that touch any customer data; none receive video frames for biometric derivation.
Terms of Service §4 — your facility's obligations around consent collection (those are about video broadcast consent, not biometric consent, because we don't do biometrics).

7. Effective date and changes

This covenant became operative on TinyGuard's first paying customer date and is restated as v1.0 of the public covenant page on May 24, 2026. Material changes to the covenant (which would only happen through the §5 amendment path) would be announced via direct facility-administrator email and a 60-day notice on this page.

8. Contact

Covenant or biometric-policy questions: privacy@tinyguard.co
Procurement / counsel review: del@tinyguard.co
Phone: (510) 686-3357
TinyGuard LLC, 7428 SW Ashford St, Tigard, OR 97224