Privacy Policy
How Servelens collects, uses, and protects your personal information.
Last updated: February 2026 | Effective date: February 2026 | Governing Law: India (DPDPA 2023) | Jurisdiction: Gurgaon, Haryana, India
Servelens (“we”, “us”, or “our”) operates the website https://servelens.in/ and provides AI-powered CCTV monitoring, video intelligence, and related software services (collectively, the “Services”) to businesses and enterprises across India and internationally.
This Privacy Policy explains how we collect, use, store, share, and protect personal information — including video footage, biometric data, and movement analytics — when you visit our website or use our Services. It is drafted in compliance with the Digital Personal Data Protection Act, 2023 (DPDPA), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules), and, where applicable to international clients, the General Data Protection Regulation (GDPR).
Please read this Policy carefully. If you do not agree with its terms, please stop using our website and Services.
| Framework | Applies To | Key Obligation |
|---|---|---|
| DPDPA 2023 (India) | All Indian users & clients | Grievance Officer, consent, 72-hour breach notice |
| GDPR (EU/UK) | EU/UK clients or data subjects | SCCs, DPO, legal basis, erasure rights |
| IT Act 2000 & Rules | All India operations | Sensitive personal data protection |
| ISO 27001 alignment | Security practices | Encryption, access controls, audits |
1. Who We Are & How to Contact Us
Servelens is an AI-powered CCTV and video intelligence company registered in India. We provide the following Services to business and enterprise clients:
- AI-based CCTV monitoring and real-time video analytics
- Live and recorded video footage processing and cloud-based storage
- Facial recognition and biometric identification (where enabled by client)
- People counting, crowd management, and movement/behavioural analytics
- Anomaly detection, intruder alerts, and incident reporting
- Remote monitoring dashboards and mobile application access
- License plate recognition and vehicle detection (where deployed)
For all privacy-related matters, please contact our Grievance Officer (see Section 17).
2. Scope of This Policy
This Privacy Policy applies to:
- Visitors to our website servelens.in
- Business clients and organisations that subscribe to our CCTV AI Services
- Employees, contractors, or authorised representatives of our clients who access our platforms or dashboards
- Third parties (employees, visitors, members of the public) whose images, movements, or biometric data may be captured by CCTV cameras installed or managed under our Service Agreements
This Policy does not apply to third-party websites linked from our website. We are not responsible for the privacy practices of those websites (see Section 15).
Important: Servelens acts as a Data Processor for camera and video data collected by our clients. The client deploying the cameras is the Data Fiduciary / Data Controller and bears primary responsibility for lawful surveillance, individual notice, and consent at their premises.
3. Information We Collect
3.1 Information You Provide Directly
We collect information you voluntarily provide when you:
- Fill in a contact, demo-request, or inquiry form — name, email address, phone number, company name, job title, and message content.
- Register for or use our software platform — account credentials, billing details, and organisation information.
- Subscribe to newsletters or marketing communications — email address and preferences.
- Contact our support team — communication records and support ticket content.
3.2 Camera, Video & AI-Processed Data (Platform Clients)
As a core part of our Services, we process the following categories of surveillance data on behalf of our clients:
- Live video streams from IP cameras connected to the platform
- Recorded video footage stored on-premises (NVR/DVR) or on secure cloud servers
- Still images and snapshots extracted from video for incident reporting or analysis
- Metadata: timestamps, camera ID, location tags, and event trigger logs
Our AI systems may derive the following additional data from video footage:
- Facial recognition data and biometric identifiers — only where explicitly enabled and consented to by the client
- Body movement patterns and behavioural analytics
- People count, crowd density, and dwell time
- Vehicle detection and license plate data (where deployed)
- Anomaly and intrusion detection event logs
Processor Role: Servelens acts solely as a data processor for all camera and video data. We do not use this data for any purpose other than providing the contracted Services, unless explicitly agreed otherwise in writing.
3.3 Automatically Collected Website Data
When you visit our website, we and our service providers may automatically collect:
- Log data: IP address, browser type, operating system, referring URL, pages visited, and time/date of visits.
- Device information: Hardware model, unique device identifiers, and mobile network information.
- Usage data: Features used, configuration settings, and interaction patterns within our platform.
- Cookies and similar technologies: See Section 8 for full details.
3.4 Information from Third Parties
We may receive information about you from business partners, analytics providers, or publicly available sources, which we may combine with other information we hold. We will handle such information in accordance with this Policy.
4. How We Use Your Information
4.1 Service Delivery
- Installation, configuration, and operation of CCTV AI systems at client premises
- Real-time video monitoring, alert generation, and incident response
- Cloud storage and retrieval of video footage per agreed retention periods
- Providing access to live and recorded footage via dashboard and mobile applications
- AI analytics, reporting, and insights as contracted
4.2 Business Operations
- Processing and responding to demo requests, inquiries, and support tickets
- Creating and managing user accounts, processing billing, and fulfilling contractual obligations
- Sending transactional communications: account alerts, invoices, and service notices
- Sending marketing communications where you have provided consent or we have a legitimate interest — you may opt out at any time
4.3 Security & Fraud Prevention
- Supporting clients’ security operations and investigation of incidents
- Detecting and preventing fraud, abuse, and unauthorised access
- Assisting law enforcement or regulatory authorities when lawfully required
4.4 Product Improvement (Anonymised Only)
- Improving AI model accuracy using anonymised and aggregated data only
- Analysing usage trends and developing new features
Important: We will never use identifiable video footage or biometric data for model training or product improvement without explicit written consent from the Client.
5. Legal Basis for Processing
5.1 Under India’s DPDPA 2023
For processing personal data of individuals in India, we rely on:
- Consent: Where individuals have given free, specific, informed, and unambiguous consent — particularly for biometric data and sensitive personal information.
- Legitimate Uses: Processing necessary for a lawful purpose including contractual obligations, employment, legal compliance, and safety.
- Legal Obligation: Processing required to comply with Indian law or court orders.
5.2 Under GDPR (for EU/UK Clients or Data Subjects)
Where GDPR applies, we rely on:
- Contract Performance: Processing necessary to fulfil a contract with you or take pre-contractual steps at your request.
- Legitimate Interests: Processing for fraud prevention, improving Services, and direct marketing to existing customers — provided those interests are not overridden by your rights.
- Consent: Where you have given clear, specific consent (e.g., subscribing to newsletters or accepting non-essential cookies).
- Legal Obligation: Processing necessary to comply with EU/UK legal requirements.
5.3 Client Responsibility
Clients deploying our surveillance Services are independently responsible for identifying and maintaining a valid legal basis for monitoring individuals at their premises. This includes, where required, conducting Data Protection Impact Assessments (DPIAs) and obtaining individual consent.
6. Data Sharing & Disclosure
We do not sell, rent, or trade your personal data or video footage. We may share data only in the following limited circumstances:
6.1 With Client Authorised Users
Video footage and analytics are shared only with the Client’s designated authorised users as configured in the access control settings of the dashboard.
6.2 With Service Providers / Subcontractors
We share data with trusted third-party vendors who assist us in delivering our Services, including cloud hosting providers, payment processors, email delivery platforms, analytics providers, and customer-support tools. All such providers are bound by contractual obligations to use data only as instructed by us and to maintain appropriate security standards.
6.3 With Law Enforcement & Regulatory Bodies
We may disclose footage or personal data to law enforcement, courts, or regulatory authorities when required by law, court order, or in response to a valid governmental request. Where legally permitted, we will notify the affected Client prior to such disclosure.
6.4 Business Transfers
If Servelens is involved in a merger, acquisition, or sale of business assets, Client data may be transferred as part of that transaction. We will notify Clients before their data becomes subject to a different privacy policy.
6.5 Protection of Rights
We may disclose information where necessary to investigate, prevent, or take action regarding potential violations of our policies, suspected fraud, threats to the safety of any person, or illegal activities.
6.6 With Your Consent
We may share your data with third parties for any other purpose with your explicit prior written consent.
7. Data Retention
We retain personal data for as long as necessary to fulfil the purposes described in this Policy, unless a longer retention period is required by law.
7.1 Video & Surveillance Data
- Live video feed: Real-time access only; not archived unless an event trigger activates recording.
- Standard recorded footage: 30-day rolling retention by default, unless extended by Client in Service Order.
- Event-triggered recordings (alerts, intrusions, incidents): 90 days, or as specified in the Service Order.
- AI analytics logs and event metadata: 12 months.
- Facial recognition / biometric data: Retained only for the duration of active deployment; deleted within 30 days of service termination or client instruction.
7.2 Client & Account Data
- Account and contract data: Duration of contract plus 7 years for legal and accounting compliance (as required under Indian financial regulations).
- Support communications: 3 years from closure of ticket.
- Marketing data: Until you withdraw consent or opt out, or until we determine the data is no longer current.
- Website analytics data: Anonymised and aggregated within 26 months.
When retention periods expire, we securely delete or irreversibly anonymise the data. Clients may request earlier deletion or extended retention in writing, subject to legal obligations.
8. Cookies & Tracking Technologies
8.1 What We Use
Our website uses cookies and similar technologies (pixels, local storage) to distinguish you from other users, remember your preferences, analyse traffic, and improve your experience.
8.2 Types of Cookies
- Strictly Necessary: Essential for website functionality (session management, security tokens). These cannot be disabled.
- Analytics: Help us understand how visitors interact with our website (e.g. Google Analytics). We use anonymised or aggregated data only.
- Functional: Enable enhanced functionality such as remembering language or region preferences.
- Marketing: Used to deliver relevant advertisements and track marketing campaign effectiveness. Set only with your explicit consent.
8.3 Your Choices
When you first visit our website, a cookie consent banner allows you to accept or decline non-essential cookies. You can update your preferences at any time via the cookie settings link in our website footer. Most browsers also allow you to refuse or delete cookies through their settings; however, disabling essential cookies may affect website functionality.
9. Data Security
We implement industry-standard technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access:
- Encryption in transit: TLS 1.2 / 1.3 for all video streams and data communications.
- Encryption at rest: AES-256 for all data stored in cloud infrastructure.
- Role-based access controls (RBAC) and multi-factor authentication (MFA) for all platform access.
- Regular vulnerability assessments and penetration testing.
- Intrusion detection systems and network monitoring.
- Physical access controls for server rooms and data centres.
- Employee training on data privacy, security best practices, and incident handling.
- Formal incident response procedures and breach notification processes.
Despite our efforts, no security system is completely impenetrable. In the event of a data breach that is likely to result in significant harm to individuals, we will:
- Notify the affected Client within 72 hours of becoming aware of the breach.
- Notify the relevant regulatory authority (Data Protection Board of India, or relevant EU/UK supervisory authority) as required by applicable law.
- Provide full details of the breach, data affected, likely consequences, and remediation measures taken.
If you believe your data has been compromised, please contact us immediately using the details in Section 17.
10. International Data Transfers
Servelens’ primary data processing and storage infrastructure is located within India. In cases where cloud infrastructure, disaster recovery, or subcontractor arrangements involve data centres outside India:
- We ensure that appropriate contractual safeguards are in place — including Standard Contractual Clauses (SCCs) approved by the European Commission for EU/UK data transfers.
- We rely on adequacy decisions, binding corporate rules, or other legally recognised transfer mechanisms where applicable.
- Clients will be notified of any cross-border transfer arrangements that apply to their data.
You may request a copy of the relevant transfer safeguards by contacting us using the details in Section 17.
11. Your Rights
Depending on your location and applicable law, you may have the following rights regarding your personal data:
11.1 Rights Under India’s DPDPA 2023
- Right to Access: Request a summary of personal data being processed and the purposes of processing.
- Right to Correction & Erasure: Request correction of inaccurate data or erasure of data no longer required.
- Right to Grievance Redressal: Lodge a complaint with Servelens’ Grievance Officer (Section 17) or the Data Protection Board of India.
- Right to Nominate: Nominate another individual to exercise rights on your behalf in the event of death or incapacity.
11.2 Additional Rights Under GDPR (EU/UK Clients)
- Right to Restriction: Request that we limit how we use your data in certain circumstances.
- Right to Portability: Receive your data in a structured, machine-readable format and have it transferred to another controller.
- Right to Object: Object to processing based on legitimate interests or for direct-marketing purposes.
- Right to Withdraw Consent: Withdraw consent at any time without affecting the lawfulness of prior processing.
- Right Against Automated Decisions: Not be subject to solely automated decisions producing significant legal effects, unless permitted by law or consented to.
- Right to Lodge a Complaint: With your local supervisory authority — e.g., the ICO (UK) or relevant EU data protection authority.
11.3 How to Exercise Your Rights
To exercise any of these rights, please contact our Grievance Officer using the details in Section 17. We will respond within 30 days (or within any shorter period required by applicable law). We may need to verify your identity before processing certain requests.
12. Biometric & Sensitive Personal Data
Biometric data (including facial recognition, fingerprint, or other physical identifiers) and certain categories of surveillance data constitute sensitive personal data under the SPDI Rules 2011 and attract heightened protection under the DPDPA 2023.
Where our Services involve the collection or processing of biometric data, Servelens will:
- Only process biometric data where the Client has obtained explicit, written, informed consent from the individuals concerned.
- Ensure biometric data is encrypted at rest and in transit at all times.
- Not share biometric data with any third party except as strictly necessary for Service delivery and with appropriate contractual protections.
- Delete all biometric data within 30 days of service termination or upon written instruction from the Client.
- Maintain a record of all biometric processing activities and make it available to the Client on request.
Client Obligation: Clients who enable facial recognition or biometric identification features must independently comply with all applicable consent, notice, and registration requirements under Indian law and any other applicable jurisdiction. Servelens provides the technology platform but does not assume legal responsibility for the client’s use of biometric features.
13. CCTV Surveillance — Client Obligations
Clients who deploy Servelens’ CCTV AI systems at their premises are the Data Fiduciary / Data Controller for all individuals captured on camera. As such, Clients are solely responsible for:
- Displaying clearly visible CCTV warning signage at all monitored entry points and areas, as required by applicable law.
- Providing adequate notice to employees, visitors, and any individuals who may be monitored.
- Obtaining any consents required by applicable law for monitoring, recording, or biometric processing.
- Conducting Data Protection Impact Assessments (DPIAs) where required.
- Ensuring surveillance does not extend to private areas (e.g. restrooms, changing rooms) where prohibited by law.
- Handling individual access requests and erasure requests in respect of footage captured at their premises.
- Complying with all applicable surveillance, workplace, and data protection legislation in their jurisdiction.
Servelens will provide reasonable technical assistance to Clients in fulfilling these obligations as part of our service relationship.
14. Children’s Privacy
Our Services are not directed to children under the age of 18 (as defined under the DPDPA 2023). We do not knowingly collect personal data directly from children under 18. If you believe we have inadvertently collected personal information from a child, please contact our Grievance Officer immediately and we will take prompt steps to delete the data.
Where CCTV systems are deployed at premises that may capture images of children (such as schools, childcare facilities, playgrounds, or residential communities), Clients must implement additional safeguards, consents, and notices as required by applicable law. Servelens recommends that Clients seek specific legal advice for such deployments.
15. Third-Party Links
Our website may contain links to third-party websites, plug-ins, and applications. Clicking on those links may allow third parties to collect or share data about you. We do not control those websites and are not responsible for their privacy practices. We encourage you to read the privacy notice of every website you visit.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our Services, technology, or legal requirements. When we make material changes, we will:
- Post the updated Policy on servelens.in with a revised “Last Updated” date.
- Notify existing clients via email or dashboard notification at least 30 days prior to material changes taking effect.
- Give notification as soon as reasonably practicable for changes required by law.
Your continued use of our website or Services after the effective date of any updated Policy constitutes your acceptance of the revised terms.
17. Grievance Officer & Complaints
In accordance with the Digital Personal Data Protection Act, 2023 and the IT (SPDI) Rules 2011, Servelens has appointed a Grievance Officer to address privacy concerns and data protection complaints.
Grievance Officer — Servelens
Name: [Grievance Officer Name — to be updated]
Designation: Grievance Officer / Data Protection Contact
Email: privacy@servelens.in
Website: https://servelens.in/
Address: India
Business Hours: Monday – Saturday, 10:00 AM – 6:00 PM IST
We aim to acknowledge all privacy-related requests within 48 hours and respond fully within 30 days. For complex requests, we will notify you of the extended timeline.
If you are dissatisfied with our response, you have the right to escalate your complaint to:
- Data Protection Board of India (once constituted under DPDPA 2023) — for Indian residents
- The Information Commissioner’s Office (ICO) — for UK residents
- The relevant EU data protection supervisory authority — for EU residents
⚠ Acknowledgement: By using Servelens’ website or Services, you acknowledge that you have read and understood this Privacy Policy. Clients are independently responsible for ensuring lawful deployment of CCTV and AI surveillance systems on their premises, including appropriate notice to all individuals being monitored.