Biometric Privacy Notice

This Biometric Privacy Notice explains how MHA / MCI ("MHA / MCI", "we", "us", or "our") supports the collection, use, sharing, retention, and destruction of Biometric Data in connection with the identity verification services we provide. This Notice applies only to individuals located in the United States.

Definition of Biometric Data

For purposes of this Notice:

• "Biometric identifiers" are data generated by measurements of your biological characteristics, such as a retina or iris scan, fingerprint, voiceprint, or a scan of hand or face geometry. Biometric identifiers do not include (i) writing samples, signatures, photographs, human biological samples used for scientific testing, demographic data, tattoo descriptions, or physical descriptions such as height, weight, or eye color; or (ii) information collected or used in a health care setting covered by HIPAA.
• "Biometric information" means information derived from a biometric identifier that is used to identify you.

Together, these are referred to as "Biometric Data".

MHA / MCI Collection and Use of Biometric Data

MHA / MCI does not directly collect, analyze, or store Biometric Data.

Instead:

• We use a third-party identity verification provider to perform identity verification and fraud prevention on our behalf.
• During the verification process, you may be asked to submit images of yourself (e.g., a selfie) or images of your government-issued identification.
• Our third-party provider may generate, process, or analyze Biometric Data from those images solely to confirm your identity or detect fraud.

MHA / MCI receives only the verification results and does not receive, possess, or retain the underlying biometric scans or templates created by the third-party provider.

MHA / MCI Disclosure of Biometric Data and Customer Obligations

MHA / MCI does not sell, lease, trade, or profit from your Biometric Data.

Biometric Data may be disclosed only to:

• Our contracted identity-verification provider(s)
• Law enforcement or regulators if required by applicable law
• Other parties with your documented consent or as permitted by law

Our third-party providers are contractually required to:

1. Use Biometric Data solely for identity verification and fraud prevention
2. Maintain reasonable security measures to protect Biometric Data
3. Follow applicable legal retention and destruction requirements (including BIPA for Illinois residents)

Data Retention and Destruction

Because MHA / MCI does not store Biometric Data, we rely on the retention policies of our third-party identity-verification provider. Those providers are contractually required to follow applicable biometric-privacy laws, including:

Illinois or Texas Residents

Biometric Data must be permanently deleted when the earliest of the following occurs:

1. The initial purpose for collection has been fulfilled, or
2. Three (3) years have passed since your last interaction,

unless earlier deletion is required by law or by MHA / MCI.

Residents of Other States

Biometric Data is retained only for the time allowed under applicable laws and contractual requirements and is then permanently destroyed so it cannot be reconstructed.

Data Storage and Security

Although MHA / MCI does not store Biometric Data, we require our third-party providers to:

• Use industry-standard administrative, technical, and physical safeguards
• Apply security measures equal to or greater than the protections used for other sensitive data
• Transmit and store biometric information securely and in encrypted form where applicable

Your Release and Consent

Before completing identity verification, you will be asked to indicate your agreement, such as by checking a box or clicking a button to:

• This Biometric Privacy Notice, and
• The collection, processing, and limited use of your Biometric Data by our third-party identity-verification provider

If you do not consent, verification cannot be completed, and certain services may be unavailable.