LEGAL DOCUMENT · canopyintel.ai · Effective: 1 June 2025

Data Privacy & Security Policy

AI-Powered Smart Camera Monitoring & Analytics Platform
Global Deployment · Reviewed: May 2025

GDPR · SOC 2 · CCPA · UAE PDPL · Privacy by Design · Zero PII Stored

Introduction

This Privacy Policy describes how our AI-powered smart camera monitoring and analytics platform (the "Platform", "we", "us") collects, processes, stores, and safeguards data across all deployment contexts. The Platform uses camera-based computer vision and AI capabilities — including occupancy monitoring, safety compliance detection, access management, crowd analytics, and operational intelligence — deployable across environments such as retail and commercial spaces, industrial facilities, logistics hubs, public venues, and smart city infrastructure.

This policy applies to all clients, authorised operators, and individuals who may be affected by Platform deployments in any jurisdiction in which the Platform is operated. We are committed to transparency, responsible data stewardship, and full compliance with all applicable privacy, data protection, and artificial intelligence regulations in each country of operation.

Core Privacy Commitment

We do not store raw footage or personally identifiable data. Canopy processes camera data in-stream, anonymising faces and plates at the device level before any frame ever leaves it. We deliver metrics and intelligence — not images of individuals. You retain full control of any footage on your own infrastructure.

1. Data We Collect & Process

The Platform is designed on a data-minimisation principle: only data that is operationally necessary for the specific use case configured by the client is collected. All data is captured exclusively through camera-based systems and processed locally within the client's deployment environment.

Categories of Data Collected

Camera Footage
Video streams captured by cameras installed within the monitored environment. Raw footage is processed in-stream by the AI pipeline and is not retained beyond the configured retention period unless required for evidence or audit purposes.
Detected Events & Classifications
AI-generated outputs derived from camera footage, such as object detections, occupancy counts, safety compliance flags (e.g. PPE status, restricted zone breaches), and behavioural indicators. Stored as structured records separate from raw footage.
Timestamps & Dwell Metrics
Entry, exit, and dwell-time records associated with detected events. For individual tracking (e.g. vehicle identification via ANPR), timestamps are linked to a unique identifier. For persons, only aggregate flow and occupancy counts are derived by default.
Unique Identifiers
Where applicable and permitted by the deployment configuration, unique identifiers — such as vehicle number plates captured via Automatic Number Plate Recognition (ANPR) — are extracted from camera footage to enable tracking within a defined zone.
Operational Metadata
System-generated data including camera health status, processing logs, and platform configuration records used for operational maintenance and internal audit purposes.
Aggregate Analytics
Anonymised summaries and statistical outputs derived from camera-captured data. Once aggregated and anonymised, this data no longer constitutes personal data under applicable law.

Deployment Contexts

Depending on the environment and modules configured by the client, the Platform's camera systems may be deployed for purposes including but not limited to:

  • Retail and commercial spaces: footfall analytics, queue management, zone occupancy, and customer flow intelligence
  • Industrial and construction sites: PPE compliance monitoring, restricted zone enforcement, and safety event detection
  • Logistics and warehousing: vehicle throughput, dock occupancy, and operational flow analytics
  • Public venues and smart city infrastructure: crowd density monitoring, people flow, and event management support
  • Commercial buildings and campuses: access zone monitoring, occupancy optimisation, and operational efficiency

Privacy by Design

The Platform is built on a privacy-by-design approach. Camera-based data collection is scoped to the minimum necessary for each specific use case. Capabilities such as demographic analysis or individual-level identification are enabled only with explicit client configuration, applicable regulatory approval, and — where required — appropriate data subject notifications.

2. Data Retention & Deletion

We retain data only for as long as is necessary to fulfil the operational purposes for which it was collected, or as required by applicable law. The following retention framework applies across all deployment contexts:

Default Retention Period: 30 days

Applies to all data — camera footage, detection records, timestamps, unique identifiers, and operational metadata.

Configurable Retention

Retention periods are fully configurable by the platform administrator to meet the client's operational, legal, or regulatory requirements.

Automated Deletion

Data is automatically purged via a scheduled deletion job upon expiry. Secure deletion practices ensure data is irrecoverable post-deletion.

On-Demand Deletion

Authorised administrators may trigger immediate, on-demand deletion of any data set at any time, prior to the scheduled automated purge.

Camera footage is processed in-stream and retained for the same default period for evidence and operational audit purposes. Beyond this window, footage is automatically purged unless extended retention has been explicitly configured by the client with documented legal justification.

3. Data Access & Governance

Access to all collected data is governed by a strict Role-Based Access Control (RBAC) model. Data is accessible only on a need-to-know basis, with full audit logging of all access events.

Internal Platform Team
  Access Level: Authorised administrators and deployment engineers only
  Conditions & Safeguards: Strictly need-to-know; NDAs signed by all personnel; all access events logged and audited

Client Operations Staff
  Access Level: Dashboards and aggregated analytics only
  Conditions & Safeguards: No access to raw footage or event records; access scoped to operational views relevant to their role

Client Senior Administrators
  Access Level: Full access including raw footage logs and identifiers
  Conditions & Safeguards: Role-restricted; subject to full audit logging; client governs internal access and user management

Third-Party Subcontractors
  Access Level: No access to personal data by default
  Conditions & Safeguards: Data Processing Agreements (DPAs) mandatory; access limited in scope and duration and fully audited

Government / Law Enforcement
  Access Level: No proactive disclosure
  Conditions & Safeguards: Data disclosed only on receipt of a lawful formal request under applicable law; all disclosures documented through a formal internal review process

Audit logs of all data access events are maintained and available for client review upon request. No data is sold, rented, or transferred to any third party for commercial purposes under any circumstances.

4. Data Residency & Security Measures

By default, all data processed and stored by the Platform is held within the geographic region of the client's deployment. The Platform is designed for on-premise or in-country cloud infrastructure deployment, and no cross-border data transfer occurs without explicit written client approval and documented legal justification. Where a specific jurisdiction imposes data residency requirements, the Platform is configured to comply with those requirements as part of the deployment agreement.

Technical Security Measures

  • End-to-end encryption of data in transit using TLS 1.2 / 1.3
  • Encryption of data at rest using AES-256
  • Network segmentation and firewall policies restricting access to the camera processing environment
  • Role-based access control (RBAC) with comprehensive audit logging of all data access events
  • Regular vulnerability assessments and penetration testing
  • Anonymisation of aggregate and non-identifiable outputs where individual identification is not required

Organisational Security Measures

  • Documented data handling policies and staff access controls
  • Non-disclosure agreements (NDAs) for all personnel with access to data or platform systems
  • Formal incident response plan covering breach detection, containment, client notification, and remediation
  • Regular internal security reviews and staff data-handling training
  • Data Processing Agreements (DPAs) executed with all subcontractors prior to any data access

Breach Notification

In the event of a confirmed data breach, our incident response plan provides for prompt client notification in accordance with the applicable regulatory requirements of the jurisdiction in which the breach occurs. Containment, investigation, and remediation are initiated immediately upon detection. The nature, scope, and resolution of any incident are fully documented.

5. Regulatory Compliance & Certifications

Our development, deployment, and operational practices are aligned with internationally recognised regulatory frameworks and ethical standards for AI and data protection. Where the Platform is deployed in a specific jurisdiction, the applicable local legal framework governs.

AI Ethics Principles

Developed in adherence to internationally recognised AI ethics principles — fairness, transparency, accountability, human oversight, and privacy by design. Aligned with national AI ethics guidelines wherever deployed.

Data Protection Law Compliance

Operations comply with the applicable data protection and privacy legislation of each country in which the Platform is deployed. Our framework accommodates major international standards including GDPR and equivalent national laws.

Governance Standards

Built to meet enterprise and government-grade governance requirements. Where client deployments involve regulated sectors or government infrastructure, supplementary governance agreements and controls are implemented as required.

Documentation & Audits

Compliance documentation, certifications, and recent audit reports are available upon formal request and in accordance with applicable disclosure protocols and confidentiality obligations.

SOC 2 · GDPR · CCPA · UAE PDPL · ISO 27001 Aligned

We maintain an ongoing compliance programme encompassing regular internal reviews, staff training, and external audits where applicable. Clients operating within regulated sectors — including retail, healthcare, industrial, hospitality, or government — may request sector-specific or jurisdiction-specific compliance documentation or supplementary data protection impact assessments.

6. Rights of Individuals

To the extent that personally identifiable data is captured through the Platform's camera systems — for example, vehicle number plates via ANPR, or individual-level detection records where configured by the client — individuals may exercise the following rights in accordance with the applicable data protection law of the jurisdiction in which the Platform is deployed:

Right of Access

Request confirmation of whether your personal data is held by the Platform and obtain a copy of such data.

Right to Deletion

Request erasure of your personal data where retention is no longer necessary or lawful, subject to any overriding legal or contractual obligations.

Right to Correction

Request correction of inaccurate or incomplete personal data held within the Platform.

Right to Object

Object to the processing of your personal data in circumstances where you have grounds to do so under the applicable data protection law of the relevant jurisdiction.

To exercise any of these rights, please contact our data protection point of contact using the details provided in Section 7. All verified requests will be acknowledged promptly and responded to within a reasonable timeframe in accordance with our legal obligations.

Aggregate & Anonymised Data

Where data has been fully anonymised and aggregated — for example, occupancy counts, flow statistics, or compliance summary reports — it no longer constitutes personal data under applicable law. Individual rights of access or deletion do not apply to such anonymised data sets.

7. Contact & Data Protection Enquiries

If you have any questions regarding this Privacy Policy, wish to exercise your individual data rights, or wish to report a data protection concern, please contact us using the details below. All enquiries are treated in strict confidence.

Canopy Intel
Company: Canopy Intel
Location: UAE (Global Deployments)
Subject Line: Data Privacy Enquiry – [Your Name / Reference]
This Policy may be updated periodically to reflect changes in our practices, technology, deployment contexts, or applicable legal requirements. The effective date at the top of this document reflects the most recent revision. Clients and users will be notified of material changes through appropriate communication channels.