Purpose
This Biometric Information Retention Policy (“Retention Policy”) outlines the collection, retention, safeguarding, and permanent destruction of biometric identifiers and biometric information by Ingram Micro, in accordance with the Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14/1 et seq and similar state biometric privacy laws in the United States.
Definitions
- Biometric identifier: A retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.
- Biometric information: Any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier and used to identify an individual.
Scope
This Retention Policy applies to all employees, contractors, and other individuals whose biometric identifiers or biometric information are collected, stored, or used by Ingram Micro in Illinois, Washington, Texas, or other states that may enact similar laws from time to time.
Policy Statement
(1) Ingram Micro will not collect, capture, buy, receive through trade, or otherwise obtain an individual’s biometric identifiers or biometric information without first:
- Informing the individual or their legally authorized representative in writing that such data is being collected or stored;
- Stating the specific purpose and length of term for which the data is being collected, stored, and used;
- Receiving a written release from the individual or their legally authorized representative.
(2) Ingram Micro will develop and implement a retention schedule and guidelines for the permanent destruction of biometric identifiers and biometric information, as set forth in this Retention Policy.
Retention Schedule and Destruction Guidelines
- Ingram Micro will permanently destroy all biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied, or within three years of the individual’s last interaction with Ingram Micro, whichever occurs first.
- Ingram Micro will contractually obligate any vendors, service providers, or data processors who process biometric identifiers or biometric information on behalf of Ingram Micro to comply with the foregoing deletion requirements.
- Destruction will be accomplished in a manner that ensures the data cannot be reconstructed or retrieved (e.g., deletion from all servers, secure destruction of physical media, and/or erasure from backup systems, as appropriate).
Making This Policy Public
- Ingram Micro will make this Retention Policy publicly available by hyperlinking it within the documentation provided to individuals in the context of providing disclosures and seeking written release for the collection and processing of biometric identifiers or biometric information. Ingram Micro will update this policy as necessary to maintain compliance with BIPA.
Security
- Ingram Micro restricts access to biometric data to those authorized employees and third parties who require access to fulfill the purpose of the disclosed.
- Ingram Micro protects stored biometric identifiers and biometric information using a reasonable standard of care, and in a manner that is the same or more protective than the manner in which it protects other confidential and sensitive information.
- If a vendor, service provider, or data processor will process biometric identifiers or biometric information on behalf of Ingram Micro, Ingram Micro will contractually obligate such third party to implement and maintain appropriate safeguards to protect such information, encompassing physical, technical, and administrative controls.
Contact
Questions about this policy or Ingram Micro’s privacy practices should be directed to privacy@ingrammicro.com.
Effective Date: September 19, 2025