<h1>Insurer app using face and fingerprint biometrics for health metrics raises GDPR Article 9, consent, retention, security risks</h1> An insurer launched a mobile app feature using face and finger biometric scans to generate health metrics via a third-party rPPG technology provider, raising legal considerations around collection and processing of sensitive health and biometric data, informed consent, data minimization, security measures, retention limits, and applicable data protection and medical-device or health-regulation compliance. Contractual allocation of liability and data-sharing with partners, cross-border transfers, user terms and disclosures, and regulatory approvals for health claims or diagnostics should be reviewed to mitigate privacy, consumer protection, and regulatory risk.