Privacy Notice for Facewatch Users

Facewatch Ltd provides the Facewatch web application to help businesses prevent and detect crime.

Facewatch Ltd is the data controller for personal data processed through the Facewatch application.

Data collected from Facewatch users

• Name
• Email address
• Contact details
• User account activity and audit logs
• IP address
• Approximate location derived from mobile application (used solely for security and fraud-prevention purposes)

Data collected via third-party identity providers
Where users sign in using a third-party identity provider (such as Google or Microsoft), we receive only:

• Name
• Email address

We do not access any other data.

We process user personal data in order to:

• Authenticate and manage access to the Facewatch web application
• Maintain system security and integrity
• Attribute actions within the system to individual authorised users
• Investigate misuse

Our legitimate interests are ensuring the secure operation of the Facewatch platform, preventing misuse, and maintaining accountability and auditability of system access. These interests are balanced against users' rights through strict access controls, limited data collection, and clear retention rules.

User contact details (such as name and email address) are used solely for:

• Account creation and management
• Authentication and access control
• Security monitoring and audit purposes

We do not use user data for:

• Advertising
• Profiling
• Marketing
• Any purpose unrelated to operation and security of the Facewatch service

User personal data is not shared with third parties except:

• Where required by law, or
• Where necessary to maintain the security and integrity of the system (e.g. incident investigation)

We do not sell personal data.

User data is stored on servers located in the United Kingdom.

We protect personal data using appropriate technical and organisational measures, including:

• Encryption in transit (TLS) and at rest
• Role-based access controls
• Regular vulnerability and penetration testing
• Mandatory data protection training for staff
• An ISO 27001-aligned Information Security Management System

We retain user personal data for as long as the user account remains active.

If an account is closed, personal data is securely deleted within 90 days.

Under the UK GDPR, you have the right to:

• Access your personal data
• Rectify inaccurate or incomplete data
• Request erasure of your data in certain circumstances
• Restrict processing in certain circumstances
• Object to processing based on legitimate interests

You also have the right to raise a concern with us and, if necessary, to complain to the Information Commissioner's Office.