Privacy Policy

Last updated — 1st October 2018

1. Introduction

We are Cortexica Vision Systems Limited. You can find further details about us and how to contact us in section 10. In this notice, “we”, “us” and “our” refer to Cortexica Vision Systems Limited.

This notice explains how we process the personal data we obtain about our website visitors, customers and customers’ end users. For the purposes of EU data protection law, we are the ‘controller’ of this personal data (meaning that we determine why and how it is processed).

Please note that this notice does not explain how we handle personal data as a processor on behalf of our customers. This processing is instead set out in and governed by the contract between us and the customer.

2. How we use your personal data

Types of personal data we process

The types of personal data we process in the normal course of our business are:

  • Website usage data: data about website visitors’ use of our public website (https://www.cortexica.com/), such as IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths. This data is collected automatically by our analytics tracking system (Google Analytics). Some of the data collection is carried out using cookies – see section on ‘Our use of cookies’ below for more information on this.
  • Customer service usage data: data about our customers’ use of our services via our web platform site (https://clients.cortexica.com/) such as IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths. This data is collected automatically by our analytics tracking system (Google Analytics). Some of the data collection is carried out using cookies – see section on ‘Our use of cookies’ below for more information on this.
  • End user usage data: data about our customers’ application end users (such as a shopper in one of our customer’s retail premises) that is collected when an end user submits a query using one of our customers’ applications. This data will include the end user’s IP address, device ID and any data they send in their query. This data is collected automatically by our analytics tracking system. Some of the data collection is carried out using cookies – see section on ‘Our use of cookies’ below for more information on this.
  • Contract data: data relating to our customers and our customers’ personnel and representatives collected in connection with entering into contracts with us, such as names, business email addresses, postal addresses and telephone numbers and job titles. This data might be provided by you directly and/or by other personnel or representatives of your organisation.
  • Account data: data collected in connection with setting up customer accounts to enable access to our services, such as names, usernames and email addresses. This might be provided by you directly and/or by other personnel or representatives of your organisation.
  • Correspondence data: information contained in or relating to any communications between us, including any personal data contained in the communication content, address and contact details and any metadata associated with the communication. When you use our website contact form, we will collect the details we ask you to provide in the form and our website will generate metadata associated with your communication. When you use our chat widget, we collect your IP address along with the details we ask you to provide.
  • Demo application data: when you use a demo application on our website we collect your IP address and device ID, along with any personal data contained in any content that you upload to the demo application.
  • Marketing data: information collected in connection with any marketing subscription or opt-out request, such as email addresses and marketing preferences, and business contact details relating to representatives of potential customers that we obtain from third party or publicly available sources as part of our business development activities.
  • AI & Machine Learning training data: video footage of individuals wearing particular objects (for example personal protective equipment) or performing particular actions that we obtain when individuals choose to participate in such filming activities, for example at a trade fair.

Core processing purposes

The purposes for which we use personal data in the normal course of our business, the types of personal data we use for those purposes and our legal bases for doing so are set out in the table below. An explanation of what the different legal bases mean can be viewed here.

| Purposes of processing | Types of personal data | Legal basis |
| --- | --- | --- |
| Analysing website visitors’ use of our public website | Website usage data | Our legitimate interests in monitoring, improving and protecting our website, network, systems and data |
| Analysing our customers’ use of our services via our web platform site | Customer service usage data; End user usage data | Our legitimate interests in monitoring, improving and protecting our website, network, systems and data |
| Entering into contracts and communicating with customers and their personnel or representatives in connection with performing contracts | Contract data | The legitimate interests of us and our customers in entering into and performing contracts for providing and receiving requested services |
| Enabling and controlling online access to our services via our web platform site | Account data; Customer service usage data | Our legitimate interests in enabling our customers to access and use our services and ensuring the security of our website, network, systems and data |
| Monitoring customers’ use of our services via our web platform site for billing purposes | Account data; Customer service usage data; End user usage data | Our legitimate interests in billing customers for use of our services based upon their usage |
| Billing customers for use of our services | Contract data | Our legitimate interests in billing customers for use of our services based upon their usage |
| Communicating with you, for example in response to an enquiry or complaint | Correspondence data | Our legitimate interests in administering our business, services and website and communicating with customers, potential customers and users of our website and services |
| Demonstrating our products to website users and potential customers | Demo application data | Our legitimate interests in administering our business, services and website and promoting our products to drive sales and sustain and grow our business |
| Providing (non-marketing) service information relevant to our customers generally, such as any maintenance work or problems affecting access to or use of our services | Contract data; Account data | Our legitimate interests in administering our business, services and website and communicating important service information to customers and service users |
| Sending marketing communications (see more on this in the ‘Using personal data for marketing purposes’ section below) | Marketing data; Contract data | Our legitimate interests in promoting our business, products and services to drive sales and sustain and grow our business |
| Training our AI deep learning systems to recognise moving images of people and objects | AI & Machine Learning training data | Our legitimate interests in developing software products and growing our business |

Using personal data for marketing purposes

We may use email addresses comprised in marketing data and relevant contract data for the purposes of sending marketing communications in the following circumstances:

  • if you are a customer, or a representative or member of personnel of a customer, that has bought products and services from us
  • if you have indicated that you want to receive marketing communications from us, for example by clicking on a subscribe option or newsletter opt-in made available on our website

You can opt out of receiving these communications at any time by replying to the email or using the unsubscribe links made available in every email and account dashboard made available via MailChimp or by emailing dataprotection@cortexica.com.

We may also carry out direct marketing to business contacts using marketing data we obtain as part of our business development activities. We may do this using LinkedIn’s advertising and emailing services and by cold-calling and conducting telemarketing campaigns. You can object to us using your personal data for these purposes at any time by emailing dataprotection@cortexica.com.

Other processing purposes

In addition to the core processing activities set out above, we may also process personal data if and to the extent necessary for the following purposes:

| Purpose | Legal basis |
| --- | --- |
| Establishing, exercising or defending legal claims | Our legitimate interests in defending legal claims brought against us, enforcing claims against others and protecting and asserting our legal rights and the legal rights of you and others |
| Obtaining or maintaining insurance coverage, managing risks or obtaining professional advice | Our legitimate interests in protecting our business against risks |
| Compliance with a legal obligation such as a statutory or regulatory obligation or an order of a court, government body or regulator | Compliance with a legal obligation |
| In order to protect your vital interests or the vital interests of another natural person | Protection of vital interests |

Explanation of legal bases

It is only lawful to process personal data if there is a legal basis for doing it. Below is an explanation of the legal bases referred to in this notice.

  • Legitimate interests: processing of personal data is necessary for the purposes of the legitimate interests of us or a third party, except where such interests are overridden by your interests or fundamental rights and freedoms.
  • Protection of vital interests: processing is necessary in order to protect the vital interests of you or another individual.
  • Performance of a contract: processing of personal data is necessary for the performance of a contract with an individual or in order to take steps at the request of an individual prior to entering into a contract.

3. Recipients of personal data

We may share the personal data described in this notice with the following categories of recipients, where and to the extent necessary for the purposes described in this notice:

  • Insurers
  • Professional advisers: such as lawyers, accountants, consultants
  • Service providers: see below for detail of our current service providers
  • Organisations or individuals engaged by us in the course of providing our services: such as individual consultants or their personal service companies
  • Prospective buyer: if we propose to sell or do sell any business or assets

Our service providers

| Service provider name | Product | Purpose |
| --- | --- | --- |
| Google LLC | G Suite | Email, calendar, video conferencing, document repository |
| Google LLC | Google Analytics | Analytics (website) |
| Dropbox, Inc. | Dropbox | Document repository |
| Intercom R&D Unlimited Company | Intercom | Website chat |
| MongoDB, Inc. | Mongo | Search request metadata |
| Rapid 7 Ireland Ltd | LogEntries | System logs |
| Amazon Web Services, Inc. | Amazon Web Services | Cloud hosting |
| Atlassian, Inc | Confluence | Project planning |
| Salesforce.com EMEA Limited | Salesforce | Client management |
| Zendesk, Inc. | Zendesk | Customer service |
| The Rocket Science Group LLC d/b/a MailChimp | MailChimp | Email marketing |
| Xero Ltd | Xero | Financial accounting |

There may also be circumstances in which we need to share personal data with other organisations or individuals, such as where disclosure is necessary for the purposes set out in the ‘Other processing purposes’ section above.

In all cases, we will only share personal data with such recipients where and to the extent reasonably necessary for the relevant processing purpose and in accordance with applicable data protection law.

4. International transfers of personal data

The personal data described in this notice is hosted in Dublin, Ireland using an AWS datacentre and processed by Cortexica staff within the European Economic Area (including the UK).

However, we use a number of service providers that provide various products and services that we use in our business, as set out above. Some of these service providers or their group companies or service providers are based outside the EEA, and any data processing by those companies in the course of providing those products and services to us may involve a transfer of personal data outside the EEA. Our use of Xero may involve transfers to countries that the European Commission has deemed to provide adequate protection for personal data (like New Zealand), or to a third party where Xero has approved transfer mechanisms in place such as Standard Contractual Clauses or EU-U.S. Privacy Shield certification (for transfers to US-based third parties). Our other service providers (or their U.S. group companies) self-certify to the EU-U.S. Privacy Shield. The relevant service providers and links to their Privacy Shield Registrations are set out below:

In addition to the known transfers described above, it may become necessary to transfer personal data described in this notice to organisations based outside the European Economic Area in connection with the purposes described in the ‘Other processing purposes’ section above. If this happens, we would ensure that such a transfer complies with the conditions for transfers stipulated by applicable data protection law.

Explanation of terms:

5. Retention and deletion of personal data

We will only retain the personal data described in this notice for as long as necessary to fulfil the processing purposes described in this notice.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of the personal data, the purposes for which we process it and whether we can achieve those purposes through other means, and applicable legal requirements.

We will apply the following general retention periods and/or retention criteria to the personal data described in this notice:

  • Website usage data: this is retained for 2 years via our Google Analytics account, in a form that does not enable us to identify individual users.
  • Customer service usage data: this is retained for 2 years via our Google Analytics account, in a form that does not enable us to identify individual users.
  • End user usage data: this is retained in a form that can identify individual users for a period of 30 days. After that period the data is anonymised and both we and our customers have access to that anonymised data for as long as the customer uses our services.
  • Contract data: 10 years after the relevant customer contract has terminated
  • Account data: 12 months after the relevant customer contract has terminated
  • Correspondence data: data collected using our chat widget is kept for 12 months. Correspondence data collected using our website contact form or by any other means of communication with us is kept for 12 months, unless you or your organisation become a customer of ours, in which case we will keep this data for 10 years after the relevant customer contract has terminated.
  • Demo application data: we keep this data for 30 days.
  • Marketing data and contract data used for marketing: we will continue to use this data until we receive an opt-out request or objection to our marketing, after which time we will retain the relevant email address and/or other contact details and marketing preference information to ensure that we do not use those contact details for marketing purposes.
  • AI & Machine Learning training data: we will continue to use this data for as long as it remains useful for training our AI deep learning systems to recognise moving images of people and objects.

These retention periods are subject to any longer retention periods that may be necessary for compliance with a legal obligation or in order to protect your vital interests or the vital interests of another natural person.

Upon expiry of the relevant retention period we will securely destroy the personal data in accordance with applicable laws and regulations.

6. Security of personal data

We will take appropriate technical and organisational precautions to secure the personal data we process and prevent accidental or unlawful destruction, loss or alteration and unauthorised disclosure of, or access to, that personal data.

We recognise the need for a comprehensive approach to detecting and preventing potential cyber-criminal attacks: these include independent verification and testing of our information security defences.

Our cyber security policies, standards, processes and procedures are formed using a tripartite approach: using guidance from the National Cyber Security Centre (NCSC), ISO27001 Information Security Management System (ISMS) and CIS Critical Security Controls.

This interwoven approach assists us in helping sustain our regulatory, legislative, contractual and corporate commitments to enforce the continued security of our data in addition to that of our clients, partners and customers.

If you have an account to access our services via our website, you must ensure that your password is not susceptible to being guessed, whether by a person or a computer program. You are responsible for keeping your password confidential. We will not ask you for your password (except when you log in to our website).

We will notify you and any applicable regulator of any personal data breach where we are legally required to do so.

7. Your rights

You have a number of different rights you might be able to exercise against us in relation to personal data about you that we process. These are rights to:

  • access, obtain rectification or erasure, restrict processing and object to processing of your personal data
  • have your personal data ‘ported’ to you or another organisation
  • complain to a supervisory authority about our processing of your personal data
  • withdraw consent to our processing of your personal data (where you have given consent)

The availability of these rights varies depending on the legal basis that we rely on for processing the relevant personal data. Below we have summarised these rights and explained how you can request to exercise them.

  • Access: You have the right to confirmation as to whether or not we process your personal data and, where we do, access to the personal data, together with certain additional information. That additional information includes details of the purposes of the processing, the categories of personal data concerned and the recipients of the personal data. Providing that the rights and freedoms of others are not affected, we will supply to you a copy of your personal data. The first copy will be provided free of charge, but additional copies may be subject to a reasonable fee.
  • Rectification: You have the right to have any inaccurate personal data about you corrected and, taking into account the purposes of the processing, to have any incomplete personal data about you completed. We may need to verify the accuracy of the new data you provide to us.
  • Erasure: You have the right to the erasure of your personal data without undue delay where the personal data are no longer necessary in relation to the purposes for which we collected or otherwise processed them, you successfully object to our processing, you object to our use of your personal data for direct marketing purposes, we have processed your personal data unlawfully, or an applicable law requires the relevant personal data to be erased. However, there are exclusions to the right to erasure, including where we have overriding legitimate grounds to continue processing the relevant personal data or are required to do so by applicable law or where we need it to establish, exercise or defend a legal claim.
  • Restriction: You have the right to restrict our processing of your personal data where you contest the accuracy of the personal data, our processing is unlawful, we no longer need the personal data for our purposes but you require it to establish, exercise or defend a legal claim, or you have objected to processing, pending the verification of that objection. Where processing has been restricted on this basis, we may continue to store your personal data. However, we will only otherwise process it to establish, exercise or defend a legal claim, to protect the rights of another natural or legal person or for reasons of important public interest or with your consent.
  • Object: You have the right to object to our processing of your personal data where we rely on legitimate interests as the legal basis for the processing. If you make such an objection, we will cease to process the personal information unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.
  • Object to processing for direct marketing purposes: You have the right to object to our processing of your personal data for direct marketing purposes (including profiling for direct marketing purposes).
  • Data portability: where our processing of your personal data is based on performance of a contract and is carried out by automated means, you have the right to receive your personal data from us in a structured, commonly used and machine-readable format. However, this right does not apply where it would adversely affect the rights and freedoms of others.
  • Complain to a supervisory authority: If you consider that our processing of your personal data infringes data protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection. You may do so in the EU member state of your habitual residence, your place of work or the place of the alleged infringement.
  • Withdraw consent: where any of our processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal.
  • How to exercise these rights against us: You can exercise any of your rights in relation to your personal data that require any action by us by emailing your request to dataprotection@cortexica.com, in addition to any other methods specified in this policy.
  • How to complain to a supervisory authority: To make a complaint to a supervisory authority, you may contact the supervisory authority of your choice using contact details made available by that supervisory authority. Relevant contact details for the UK supervisory authority, the ICO, can be found here: https://ico.org.uk/concerns/.

8. Updating your personal data

Please let us know if any of the personal data that we hold about you needs to be corrected or updated.

9. Our use of cookies

What is a cookie?

A cookie is a file containing an identifier (a string of letters and numbers) that is sent by our web server to your web browser when you visit our website and is stored by your browser. The identifier is then sent back to our server each time your browser requests a page from our server.

Cookies are either “persistent” cookies or “session” cookies: a persistent cookie will be stored by your web browser and remain valid until its set expiry date, unless deleted by you before the expiry date; a session cookie, on the other hand, will expire when you close your web browser.

Cookies can be ‘first party’ cookies, meaning they are placed by the website with the domain name you are visiting, or ‘third party’ cookies, meaning they are placed by a website with a different domain from the website you are visiting.

Cookies do not typically contain any information that personally identifies a website user, but we might theoretically be able to identify individuals by linking any personal data we already have with information stored in and obtained from cookies.

Cookies that we use on our website:
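
| Category | Purpose | Relevant cookies | Expiry | Cookie type |
| --- | --- | --- | --- | --- |
| webchat | to identify you when you use our web chatbot | intercom-id-l7gkzj3b | 9 months | third party (Intercom) |
| analysis* | to help us to analyse the use and performance of our website and services | _ga | 2 years | third party (Google Analytics) |
| analysis* | to help us to analyse the use and performance of our website and services | _gid | 24 hours | third party (Google Analytics) |
| analysis* | to help us to analyse the use and performance of our website and services | _gat_gtag_[ID] | 1 minute | third party (Google Analytics) |
| cookie consent | to remember your preference when you accept our cookies policy | gatAccCookies | 30 days | first party (Cortexica) |
| login status | to remember your preference when you log in to our services | clients_session | 1 hour | first party (Cortexica) |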

* We use Google Analytics to analyse the use of our public website (https://www.cortexica.com/) by visitors and our web platform site (https://clients.cortexica.com/) by our customers. Google Analytics gathers information about website use by means of cookies. The information gathered relating to our website is used to create reports about the use of our website. Google’s privacy policy is available at: https://www.google.com/policies/privacy/.

Managing cookies

Most browsers allow you to refuse to accept cookies and to delete cookies. The methods for doing so vary from browser to browser, and from version to version. You can however obtain up-to-date information about blocking and deleting cookies via these links:

You may also be able to find information about managing cookies using the “help” function within your browser or by visiting www.aboutcookies.org, which contains comprehensive information on cookies on a wide variety of browsers.

Blocking all cookies will have a negative impact upon the usability of many websites, and if you block cookies, you will not be able to use all the features on our website.

10. Our details

This website is owned and operated by Cortexica Vision Systems Ltd. We are registered in England and Wales under registration number 06657602, and our registered office is at 6th Floor, WeWork South Bank Central, 30 Stamford Street, London, England, SE1 9LQ.

You can contact us with any enquiries relating to this notice:

11. Data protection registration

We are registered as a data controller with the UK Information Commissioner’s Office. Our data protection registration number is Z2069126.

12. Changes to this notice

We may update this notice from time to time by publishing a new version on our website and, where any changes materially affect you, we will also make reasonable efforts to notify you.