Privacy Policy
Version 1.0 — DRAFT for review · Effective date: [EFFECTIVE DATE]
⚠ DRAFT — NOT LEGAL ADVICE. Review by a qualified solicitor / data‑protection adviser is required before publication. Complete all [bracketed placeholders].
This Privacy Policy explains how [Pariah Ltd] ("Pariah", "we") handles personal data for which we are the controller — namely data about visitors to our website, people who enquire about or use our Platform, and our customers' account and billing contacts.
Important — two different roles. When our customers use the Platform to process facial images and biometric templates of individuals at their premises, the customer is the data controller and Pariah acts as a processor on their behalf. That processing is governed by our Data Processing Agreement (/legal/dpa), not this Policy. If you have been recorded by a venue using Pariah, please contact that venue to exercise your rights; we will support them as processor.
1. Who we are
Controller: [Pariah Ltd], company no. [COMPANY NUMBER], registered office [REGISTERED OFFICE ADDRESS]. ICO registration [ICO REGISTRATION NUMBER]. Data protection contact: [email protected] (or [email protected]).
2. What we collect (as controller)
- Account data — name, work email, username, role, organisation, company number/verification status.
- Billing data — plan, transaction records, card metadata (brand/last four). Full card details are handled by Stripe; we do not store full card numbers.
- Usage and technical data — log data, device/app information, IP address, and diagnostics needed to run and secure the service.
- Communications — enquiries, support requests, and marketing preferences.
- Website/cookies — see our Cookie Policy (/legal/cookies).
We do not act as controller of the end‑subject facial/biometric data processed through the Platform on our customers' behalf.
3. Why we use it and our lawful basis (UK GDPR Article 6)
| Purpose | Lawful basis |
|---|---|
| Providing and securing the Platform; managing your account | Performance of a contract |
| Billing, fraud prevention, company verification | Contract; legitimate interests; legal obligation |
| Service emails (verification, security, billing) | Contract / legitimate interests |
| Product analytics and improvement | Legitimate interests |
| Marketing to business contacts | Legitimate interests or consent (you may opt out anytime) |
| Meeting legal/regulatory and accounting duties | Legal obligation |
Where we rely on legitimate interests, we have balanced those against your rights and will provide our assessment on request.
4. Who we share it with
We use vetted sub‑processors to run the service, including:
- Amazon Web Services — cloud facial‑search (AWS Rekognition), invoked only for manual mobile searches.
- Cloudflare — content delivery, tunnels, and object storage (R2).
- Hetzner — server hosting.
- Stripe — payment processing.
- Postmark — transactional email.
A current list with locations and roles is maintained in the DPA sub‑processor schedule (/legal/dpa). We may also disclose data where required by law or to protect our rights.
5. International transfers
Some providers may process data outside the UK. Where they do, we rely on appropriate safeguards — UK adequacy regulations, the UK International Data Transfer Agreement/Addendum, or Standard Contractual Clauses. Note that continuous NVR detection runs locally on‑premises (no cloud transfer of those biometric templates); cloud facial search via AWS is limited to manual mobile lookups.
6. Retention
We keep account and billing data for the life of your account and as required for legal, tax, and accounting purposes. Following subscription suspension, Customer Data is retained for 90 days before deletion (see DPA). Marketing data is kept until you opt out.
7. Your rights
Subject to UK GDPR, you may request access, rectification, erasure, restriction, portability, and object to certain processing, and withdraw consent. To exercise these (for data we control), contact [email protected]. You may complain to the Information Commissioner's Office (ico.org.uk), though we'd appreciate the chance to help first.
8. Security
We apply technical and organisational measures appropriate to the risk, including encryption in transit and at rest, role‑based access control, and audit logging. See the DPA security annex for detail.
9. Changes
We will update this Policy as needed and post the revised version with a new effective date.
Privacy queries: [email protected]