This public privacy statement explains how the Auror Crime Intelligence Platform (the Platform) helps retailers to gather, use, and share information about events and retail crime lawfully and respectfully. We take information privacy and security seriously, and we ensure that our Platform and our customers adhere with all relevant privacy legislation. We want to create a safe society and reduce the anonymity of offenders and crime groups. We believe that providing the right information to the right people at the right time will help to reduce crime.
The Platform is designed to protect retailers, their customers and the community from harm by giving retailers, organizations, law enforcement agencies, and their staff (our “Users”) a safe and secure way to gather and use personal information about incidents and risks. The Platform then enables Users to access and share their data in a controlled and responsible way.
If your personal information is on the Platform, it is because a User (a retailer or law enforcement agency) you have interacted with has chosen to upload your information.
The Platform stores and processes personal information on behalf of Users and according to the instructions of Users. Auror is a data processor, which means we do not use personal information uploaded by our Users for our own purposes.
We regularly undertake Privacy Impact Assessments, and so we may update this statement from time to time. These changes may reflect changes to privacy regulation or the Platform, so please check in again occasionally to see what might have changed. This statement was last updated in September 2019.
We’re data custodians
Auror helps retailers to collect personal information lawfully
Our Users upload information to the Platform using an online reporting form. Users may collect this information directly from an alleged offender, from a staff member or customer who has witnessed an alleged offence, or from CCTV footage they have captured. The event reporting form is designed to ensure that Users upload and share only personal information that is relevant, accurate and up to date.
Users, including law enforcement agencies, may also generate personal information within the Platform by editing or commenting on events, or by creating links between events and offenders.
Ensuring data collection is kept to a minimum
The Platform is designed to limit the personal information Users can upload, to ensure that they only retain and use relevant, accurate and necessary information that will actually assist with public safety and crime prevention.
The personal information a User may upload to the Platform about a person may include:
• Any available image and video
• Age, Height, Gender, Build
• Distinguishing features and behavioral characteristics
• Details of the event, including date, time, location, and any products involved
• Details of any vehicles involved in the event
The Platform enables Users to crop and obscure any images of innocent bystanders to ensure that they are not identifiable in the information captured and shared by the Users on the Platform.
Enabling lawful and respectful processing of personal information
Users rely on the Platform to collate information about retail crime and other similar events to provide them, and the other Users in their chosen community, with intelligence that assists with the prevention of crime and the protection of people and assets. The Platform is designed to control the use and sharing of personal information, reducing the reliance on ad hoc information sharing and questionable public shaming techniques.
To achieve this, the Platform allows its Users to process personal information to:
• Prevent any events that may present a risk to a User or to the public.
• Investigate an event or criminal offence.
• Prevent criminal offences.
• Identify repeat offenders and organized crime groups.
• Notify Police and Law Enforcement that an event has occurred.
• Provide real-time alerts to other Users.
• Prosecute or otherwise take legal action in respect of an event or criminal offence.
• Research crime patterns and behaviors.
Customers can determine which trusted third parties it wishes to share its information with (if any). The Platform limits the information a particular User can view on the basis of that User’s role, selected preferences, and the preferences of other Users in their community.
Where Auror receives a third-party request for personal information, we will always direct this request to the relevant User (unless we are prevented by law from doing so). Auror does not use or disclose the personal information uploaded by Users for its own purposes.
We prevent processing that isn’t respectful
Here are some specific things the Platform does not facilitate for Users:
• Racial profiling.
• On-selling personal information to third parties.
• Automated decision-making about people.
• Sharing information about minors with other Users (though such information may be used by law enforcement agencies to intervene and assist minors to stay out of trouble).
Auror has also developed a process to ensure that we always consider privacy when we innovate and improve the Platform.
We will always make sure a change enables our Users to:
1. use data for good.
2. collect and share only relevant and necessary personal information.
3. keep data safe and secure.
4. be transparent about data use and help customers embrace their privacy rights.
We securely and safely store personal information
The Platform is hosted by Microsoft Azure and our data is stored in data centers located in proximity to the User, including US (if a User is in North America), Australia (if a User is in New Zealand or Australia), or the UK (if a User is in the UK/EU). This means the personal information we hold is not generally transferred to, or accessed from, countries or regions outside the User’s location. We endeavor to store and process data only in countries that have strong privacy regulations in place.
We take all reasonable steps to keep all User data, including personal information, safe and secure.
We encrypt all information in transit to and from Auror using SSL 256-bit encryption. Transport Layer Security (TLS/SSL) is used to protect the transfer of information to our hosted servers. The Platform is also securely encrypted and Microsoft Azure complies with industry leading security policies and standards, including SOC 1/SSAE 16/ISAE 3402, SOC 2, and ISO 27001/27002. Microsoft sets out all its security features in detail here.
We also have policies, procedures, and contracts that ensure the people who use the Platform play their part in keeping data secure. All use of the Platform is logged and can be audited by Users to ensure that the personal information it contains is not misused.
We make sure Customers don’t hold on to personal information forever
The Platform is configured to help Users ensure that personal information is retained only for as long as they have a lawful purpose to use it. When a User no longer needs to retain personal information in an identifiable form, they can ask us to delete or anonymise and aggregate it, so it can be used for statistical and predictive analysis.
When a User terminates their agreement with Auror, we delete all personal information they uploaded to the Platform. We do not retain User personal information for our own purposes, though we may retain anonymised and aggregated data in order to continuously improve our Platform, products and services.
We help customers respect their customers’ privacy rights
You have important privacy rights with respect to the retailers that collect and use your personal information. While you can make requests directly to your retailers, we’re committed to making sure you can exercise your rights easily, and so we’ve created pathways for you to make requests to the Users that have uploaded personal information to the Platform. To exercise any of the rights set out below, please contact us by:
• emailing us at email@example.com
• using our contact form here
We’ll need your full name, date of birth and the time and location of the possible event in order to verify your identity or authority before responding to your request. Once we’ve verified who you are, we’ll notify the User which uploaded your information and help them process your request as soon possible, and no later than 20 working days (one calendar month) after it has been received. Please note that Auror cannot make a decision on your request, but we can help our Users to process requests.
You may have the right to:
• know if a User holds personal information about you on the Platform and get a copy of it if they do.
• correct personal information held on the Platform about you if it is wrong.
• object to the processing of your personal information on the Platform by the User (this right may not apply if the User has a lawful basis to use your information).
• Ask the User to delete the personal information they have uploaded to the Platform about you (this right may not apply if the User has a lawful basis to hold your information).
Complaining about a User’s use of the Platform
If you have any concerns about the way a User has collected or processed your personal information on the Platform, you should contact that User directly and let us know at firstname.lastname@example.org. If the User cannot resolve your concerns, you have the right to complain to the data protection authority in the country you live. Ask the User if you’re not sure which authority to contact, or ask us and we’ll try our best to point you in the right direction.