Huh? They’re collecting and saving them, at least up to the point of confirming all new user accounts which happens sometime after they scan irises. I might have missed it but I don’t see anywhere in their docs where it says they discard the hashes even after they’ve minted a unique user account for the new user. They need to store the hashes at least until they’ve registered all possible users - how else will they confirm that a new user hasn’t previously registered.
I think it's the idea of collecting them in the first place that most people are uncomfortable with. It's still a lot of trust to put in the hands of a private company. It reminds of the whole brouhaha with Apple and their CSAM privacy measures.
