Privacy-First Face Recognition: Building Compliant Biometric Systems
How to implement face recognition responsibly — data minimization, consent, GDPR compliance, and privacy-by-design principles for biometric systems.
The Privacy Imperative
Face recognition is powerful, but biometric data is among the most sensitive personal information. Building privacy-first is not just ethical — it's increasingly a legal requirement.
Key Regulations
GDPR (EU)
Biometric data is a "special category" requiring explicit consent, legitimate purpose, and data protection impact assessments.
BIPA (Illinois, US)
Requires written consent before collecting biometric data, and prohibits selling it.
LGPD (Brazil)
Similar to GDPR — biometric data requires heightened protection.
Southeast Asian Regulations
Regional requirements vary but trend toward stricter biometric data rules.
Privacy-by-Design Principles
1. Purpose Limitation
Only collect face data for a specific, stated purpose. Don't repurpose attendance data for surveillance.
2. Data Minimization
Process the minimum data needed. ARSA's API processes images in real-time and doesn't store photos unless you explicitly register faces.
3. Consent
Obtain clear, informed consent before processing anyone's face. Explain what data is collected, how it's used, and how to withdraw consent.
4. Data Isolation
Use per-user isolated databases (ARSA provides this by default) so one customer's face data can't be accessed by another.
5. Right to Deletion
Provide a way for individuals to request deletion of their face data:
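import os
import requests

# Hypothetical variable name; load your ARSA API key from a secret store.
API_KEY = os.environ["ARSA_API_KEY"]

# Delete a specific face from the database
requests.delete(
    "https://faceapi.arsa.technology/api/v1/face_recognition/delete_face",
    headers={"x-key-secret": API_KEY, "x-face-uid": "user_123"},
    timeout=10,
)

# Or delete all faces
requests.delete(
    "https://faceapi.arsa.technology/api/v1/face_recognition/reset_db",
    headers={"x-key-secret": API_KEY},
    timeout=10,
)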
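The following is an added example, not ARSA's code and not part of the original article: one way to wrap the delete_face call above so that each deletion request is retried on transient failure and leaves an audit record that does not retain the erased identifier. The names erase_face, requests_delete, audit_key and audit_log are hypothetical, and the status-code handling is an assumption, since the article does not document the API's responses.

```python
import hashlib
import hmac
import json
import time

# Endpoint and header names are the ones shown in the article.
DELETE_URL = "https://faceapi.arsa.technology/api/v1/face_recognition/delete_face"

def requests_delete(url, headers):
    """Default transport; returns the HTTP status code."""
    import requests  # lazy import so a fake transport can be injected in tests
    return requests.delete(url, headers=headers, timeout=10).status_code

def erase_face(face_uid, api_key, audit_key, audit_log,
               http_delete=requests_delete, attempts=3, sleep=time.sleep):
    """Handle one deletion request and append an audit record to audit_log.

    Assumptions (not documented in the article): a 2xx status means the face
    was removed, and 5xx or transport errors are worth retrying.
    """
    headers = {"x-key-secret": api_key, "x-face-uid": face_uid}
    status, tries = None, 0
    while tries < attempts:
        tries += 1
        try:
            status = http_delete(DELETE_URL, headers)
        except OSError:        # requests' exceptions derive from OSError
            status = None
        if status is not None and status < 500:
            break              # success or client error: a retry will not help
        if tries < attempts:
            sleep(2 ** tries)  # simple exponential backoff
    erased = status is not None and 200 <= status < 300
    # Keyed hash of the UID: the log shows which request was served without
    # keeping the identifier that was just erased.
    subject = hmac.new(audit_key, face_uid.encode(), hashlib.sha256).hexdigest()
    record = {"subject": subject, "erased": erased, "status": status,
              "attempts": tries, "time": int(time.time())}
    audit_log.append(json.dumps(record, sort_keys=True))
    return record
```

A record with "erased": false should be escalated rather than dropped, because the deletion request is still outstanding.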
6. Self-Hosted Option
For maximum data control, consider self-hosted deployment — data never leaves your infrastructure.
Transparency Checklist
Building Trust
Privacy-first face recognition builds user trust and ensures compliance. ARSA provides the tools — per-user data isolation, deletion APIs, and self-hosted options — to build compliant systems.
Start building responsibly or contact us for compliance guidance.