‍

This public privacy statement explains how Auror’s Crime Intelligence Software (the Software) helps retailers and law enforcement authorities to gather, use, and share information about events and retail crime lawfully and respectfully, and how we at Auror work with those retailers and law enforcement authorities to process personal information that is uploaded to the Software as a controller in some limited circumstances. It also sets out how we at Auror use personal information when you interact with us as a potential client and/or when you use our website (www.auror.co).  

References to “Auror”, “we”, “us”, or “our” in this Privacy Statement relate to Auror Europe Ltd and this Privacy Statement captures the processing of personal information by Auror Europe Ltd in Ireland. We take information privacy and security extremely seriously, and we take steps to ensure that we, our Software and our customers (where we act as joint controllers) adhere to all relevant privacy legislation. We want to create a safe society and enable retailers and law enforcement to protect themselves and their communities by bringing offenders and crime groups to justice. We believe that providing the right information to the right people at the right time will help to reduce crime.

The Software is designed to protect retailers, their customers and the community more broadly from harm by giving retailers, law enforcement agencies, and their staff (our “Users”) a safe and secure way to gather and use personal information about incidents and risks occurring in their premises. The Software then enables Users to access and share data in a controlled and responsible way.

If your personal information is on the Software, it is because you or a User (a retailer or law enforcement agency) you have interacted with has chosen to upload your information.

‍

1. Auror’s data protection role
2. Updates
3. Auror helps retailers to collect personal information responsibly: the use of the Software to report events (where Auror is a processor)
4. What personal information we may hold about you
5. Where we obtain your personal information
6. How we use your personal information 
7. Our lawful bases
8. Sharing your personal information 
9. International data transfers
10. Keeping your personal information safe 
11. Retaining your personal information 
12. Your rights‍
13. Contacting us or Complaining about the processing of your personal information

Auror’s data protection role

Under applicable data protection legislation, organisations can have different ‘roles’ (and therefore different responsibilities) from a data protection perspective. Under the GDPR and Irish data protection legislation, organisations can be ‘controllers’ or ‘processors’: 

• In providing the Software, Auror stores and processes certain personal information on behalf of Users and according to the instructions of those Users. Auror is a processor of this personal information to the extent that Users upload it to the Software for the purposes of logging and/or reporting events. 
• For certain other purposes of processing the personal information, Auror is a joint controller with the relevant User in each case: this means that for limited activities, Auror and the relevant User are jointly responsible under the applicable data protection legislation for processing the personal information. In particular, Auror and each relevant User will be joint controllers of personal information that is used for the following purposes:
• to create certain ‘Software Insights’: these are high-level, aggregated insights created using the personal information uploaded to the Software by different Users. Software Insights match data points across events to provide Users with an overall picture of offending behaviour (e.g. the total number of incidents attributed to an individual and the total value of those incidents), but in a way that avoids disclosing specific details of each and every event to every User. These Software Insights enable Users to better understand individuals’ offending behaviour in a holistic way, and to take actions to prevent further events or suspected criminal activity accordingly; 

• as part of our ‘Connect the Dots’ (“CTD”) Module. Where Users opt in to this module, Auror uses machine learning and artificial intelligence to process personal information uploaded by different Users relating to various events or suspected criminal activity, so that Users can have a fuller picture of individuals’ offending behaviour (in other words, to understand where an individual was potentially involved in different events). Although Auror uses machine learning and artificial intelligence as part of Connect the Dots, this technology only ‘suggests’ to Users where an individual may have been involved in more than one event: this suggestion must always be confirmed by a person (i.e. a human) at a User; 
• Auror is an independent controller in business-as-usual processing where we process the personal data of our actual or potential Users. We also act as an independent controller when we anonymise data provided by Users to understand anonymised global trends and statistics in relation to events recorded on the Software.

This privacy statement gives you detailed information on why and when personal information is collected as part of the Software, how we use your personal information when we act as a controller, how we keep it secure, and how you can let us know if you would like us to change how we manage it. 

Updates 

We regularly undertake Data Protection Impact Assessments, and so we may update this statement from time to time. These changes may reflect changes to privacy regulation or the Software, so we will inform you of any significant changes via our website where appropriate. This statement was last updated in June 2025.

Auror helps retailers to collect personal information responsibly: the use of the Software to report events (where Auror is a processor)

We wanted to take the opportunity in the first instance to provide some information about how the Software works where Users upload personal information to report and/or investigate events or suspected criminal activity. As noted above, Auror is a processor of personal information in this context, but we wanted to provide some information to you about how Users might make use of the Software and the steps that we have taken to ensure that personal information is used by Users lawfully and responsibly, even when we act as a processor. 

Our Users upload information to the Software using an online reporting form. Users may collect this information directly from an alleged offender/person involved in an incident/event, from a staff member or customer who has witnessed an alleged offence/incident, or from CCTV footage they have captured. The event reporting form is designed to ensure that Users upload and share only personal information that is relevant, accurate and up to date.  Users rely on the Software to collate information about alleged retail crime and other similar events to provide them, and the other Users in their chosen community, with intelligence that assists with the prevention of alleged crime/incidents and the protection of people and assets. The Software is designed to control the use and sharing of personal information, reducing the reliance on ad hoc and insecure information sharing.

Users, including law enforcement agencies, may also generate personal information within the Software by editing or commenting on events, or by creating links between events and alleged offenders. To the extent that we process personal information as a processor on behalf of our Users, the Software allows its Users to process personal information to:

• Record information about alleged crime and security incidents that have occurred in store.
• Take action to prevent any events (including the commission of alleged criminal offences) occurring in their premises that may present a risk to a User, the User’s staff, or to the public.
• Investigate an event or alleged criminal offence.
• Identify repeat offenders and organised crime groups.
• Notify Police and Law Enforcement that an event or suspected criminal offence has occurred.
• Provide real-time alerts to other Users.
• Prosecute or otherwise take legal action in respect of an event or alleged criminal offence.

We require our Users to be open with the public about the personal information they may upload and share with their chosen community as part of the Software (including Auror’s role in that process). They do this by displaying signage on their premises and within their own privacy statements (or equivalent documents). We encourage you to read such statements and/or signage carefully. Our Terms of Use also require our Users to ensure that they have evidence of an alleged offence or event before uploading details about it to the Software. 

We have also built safeguards into the Software that apply to the way information is processed by our Users. All our Users must agree to Terms of Use that limit access to the Software and the ways in which they can use the Software.

Here are some specific things the Software does not facilitate for Users:

• Racial profiling
• Predictive profiling or analytics
• Solely automated decision-making about people
• Biometric categorisation, behavioural detection or emotional recognition
• On-selling personal information to third parties.

Auror has also developed a process to ensure that we always consider privacy when we innovate and improve the Software.

In particular, we will always do our best to make sure a change enables our Users to:

1. use data for good.
2. collect and share only relevant and necessary personal information.
3. keep data safe and secure.
4. be transparent about data use and help data subjects embrace their privacy rights.

What personal information we may hold about you 

Personal information is any information that relates to an individual. It does not include information where the identity of the individual has been fully and effectively removed (anonymised data). The Software is designed to limit the personal information Users can upload, to ensure that they only retain and use relevant, accurate and necessary information that will actually assist with public safety and crime prevention. The Software also enables Users to crop and obscure any images of innocent bystanders to ensure that they are not identifiable in the information captured and shared by the Users on the Software.

As noted above, we will be a processor of personal information on behalf of Users to the extent that those Users upload, share or otherwise use that information to report and/or investigate a particular event or suspected criminal offence. 

We will be joint controllers with each User of the personal information to the extent that we use it to provide certain features of the Software to Users, including: (i) Software Insights, and (ii) CTD.  

We may collect (as processor) the following “Event Information” from our Users as part of the Software: 

• Any available image and video (NB we would encourage you to read any notices and signage provided by retailers in relation to the use of image/video surveillance technology, including CCTV)

• Names
• Age, Height, Gender, Build
• Distinguishing features and behavioural characteristics
• Details of the event, including date, time, location, and any products involved.

We may also collect the following “Business-as-usual Information” as part of our general, day-to-day interactions with you when you use the Software as an employee of a retailer or law enforcement agency that has subscribed to (or is considering subscribing to) the Software: 

• Names, 
• Contact Details (including email address and phone number); 
• Job title.

Sensitive Personal Information 

Under data protection legislation, certain personal information is considered more ‘sensitive’, including data relating to actual or alleged criminal offences (sometimes known as ‘criminal offence data’). The nature of the Software means that Users are likely to upload criminal offence data.

Where we obtain your personal information

As noted above. we may collect personal information about you from different sources, including from: 

• You directly, if you: 

• provide information about an event that you have witnessed via the Software, or you are providing your details as part of signing up to use the Software as an employee of a User; 
• contact us via email, phone, in person or by post; and/or 

• Users (whether retailers or law enforcement) when they report an event, or provide a comment about an event that you were involved in via the Software. 

How we use your personal information 

We use your personal information as joint controllers with each relevant User to aggregate and/or anonymise that information and create Software Insights, and to provide those insights to Users so that we and they can take steps to understand trends, research suspected crime patterns and behaviours: 

• Users use aggregated information (e.g. the total number of events and total loss attributed to an individual), to understand the full picture of individuals’ alleged offending behaviour and take actions to prevent further suspected criminal activity accordingly, e.g. through investigations, data informed store policy, worker safety, product protection, and deploying guarding resources. 

Connect the Dots (“CTD”)

If a retailer has opted in to use our CTD functionality, we use your personal information as joint controllers with each relevant User in this context. CTD allows retailer Users (who have opted in to use CTD) to ‘merge’ profiles where an individual was potentially involved in more than one Event (which in turn allows a retailer to have a fuller picture of an individuals’ suspected offending behaviour), in two key ways: 

• ‘User-suggested merges’ – Users can ‘suggest’ merges to other Users through the use of comments. These comments indicate to the relevant User that an individual which a User has included on the Software as part of an event may also have been involved in a different event: CTD will flag that suggestion to the User who is then asked to approve or reject the merge. 

• Machine learning model, using profile details (“ML Suggestions”) – CTD uses a machine learning model which finds high probability matches across different events and/or potential perpetrators of those events, based on the information provided about the individual and/or events by different Users (including e.g. the individual’s name, age, build, Event time and location, Event value and associated vehicles). The model suggests merges to a retailer User, but again such a merge must be approved or rejected by a person at the retailer User. 

For the avoidance of doubt, neither CTD nor any other parts of the Software use solely automated decision-making: any use of artificial intelligence or machine learning must always be verified by an appropriate person at a User.

Business-as-usual Information

If you are an employee of a User, we might also use your personal information to: 

• enable you to make use of the Software
• learn from your experience and feedback to develop our work and the Software
• contact you with important information relating to your use of the Software or your account. 

When you access the Software or our website, we also collect “Technical Information” about your computer, including, where available, your IP address, operating system, and browser type. We do this for system administration purposes, including to analyse trends and gather broad demographic information for aggregate use so that we can improve the site, and deliver customised, personalised content.

We are an independent controller when anonymising personal information for the purpose of generating high-level statistics and understanding global trends relating to retail crime.

Our lawful bases

To the extent that we collect or use personal information as a joint controller with a relevant User, we will only do so when the law allows us to (i.e., where we have a ‘lawful basis’). Most commonly, we will use your personal information in the following circumstances: 

Event information

Business-as-usual Information

‍

We may also process personal information where this is necessary to comply with a legal obligation on us (for example, reporting to regulators or other government bodies). 

Where we process your personal data on the basis of legitimate interests, you have the right to object to, or seek restriction of, that processing. Please see the “Your Rights” section below for further information.

We will not typically rely on consent to process personal information, but where we do so, you can withdraw your consent at any time by emailing us at privacy@auror.co.

Please note that the table above only captures the processing of personal information for which we act as a controller (whether independently or jointly): to the extent that a User processes your personal information as an independent controller, please see the relevant privacy statement (or equivalent) of that User for the details of any lawful bases that the User relies on.

Sharing your personal information

Where we process your personal information as a controller (whether jointly or independently), we may share your personal information with third parties. Including: 

• With a User or other third parties that the User (whether retailers or Law Enforcement) wishes to share data with as part of the Software. A User can determine which trusted third parties it wishes to share its information with (if any). 
• With contractors or other third parties that provide services on our behalf as a processor – note that the only processor we currently use is Microsoft Azure, which hosts the Software; 
• Pursuant to a subpoena, court order or other legal process or as otherwise required or requested by law or regulation, or to protect our rights or the rights or safety of third parties; 
• In the event of a business reorganisation, merger, sale, or other corporate transaction;
• With your consent or as otherwise disclosed to you at the time of data collection or sharing. 

International data transfers

As noted, the Software is hosted by Microsoft Azure and our data is stored in data centres located in proximity to the User, including US (if a User is in North America), Australia (if a User is in New Zealand or Australia), or the UK (if a User is in the UK or Ireland). This means that if you are in Ireland, the personal information we hold, as described in this privacy statement, is transferred outside of the EEA to the UK. We rely on the European Commission’s adequacy decision in respect of these transfers. A copy of the adequacy decision is available here.  

If we transfer your personal information to another third country outside of the EEA, we will take steps to ensure that your personal information is protected in accordance with applicable laws and appropriate safeguards. For example, where available we will rely on a decision of the European Commission that the third country offers an adequate level of protection. A list of adequacy decisions is available on the European Commission website. In the absence of an adequacy decision, we will rely on the appropriate safeguards under data protection legislation, such as standard contractual clauses approved by the European Commission to protect your personal information.

Keeping your personal information safe 

We take all reasonable steps to keep all data uploaded by Users, including personal information, safe and secure.

We encrypt all information in transit to and from Auror using SSL 256-bit encryption. Transport Layer Security (TLS/SSL) is used to protect the transfer of information to our hosted servers. The Software is also securely encrypted and Microsoft Azure complies with industry leading security policies and standards, including SOC 1/SSAE 16/ISAE 3402, SOC 2, and ISO 27001/27002. Microsoft sets out all its security features in detail on its website.

We also have policies, procedures, and contracts that ensure the people who use the Software play their part in keeping data secure. The Software limits the information a particular User can view on the basis of that User’s role, selected preferences, and the preferences of other Users in their community; All use of the Software is logged and can be audited by Users to ensure that the personal information it contains is not misused.

While we seek to use appropriate organisational, technical and administrative measures to protect personal information within our organisation, unfortunately no data transmission or storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure, please immediately notify us in accordance with the “Contact us” section below.

Retaining your personal information

The Software is configured to help Users ensure that personal information is retained only for as long as they have a lawful purpose to use it. When a User no longer needs to retain personal information in an identifiable form, they can ask us to delete or anonymise it, so it can be used for statistical and predictive analysis. Please see the privacy statements (or similar) of our relevant Users to understand their retention periods. 

Where personal information is used to create Software Insights, those insights are updated automatically as and when the underlying personal information is deleted or updated by the relevant User, and Auror does not retain any historical insights. 

Similarly, when a User has opted into the use of CTD and then deletes their data from the Software, that data will no longer be part of CTD (in other words, the personal information will not be processed, by Auror or otherwise, after the User has deleted it). 

When a User terminates their agreement with Auror, we delete all personal information they uploaded to the Software. We do not retain User personal information for our own purposes, though, as noted, we may retain anonymised data in order to continuously improve our Software, products and services.

Your rights

You have important privacy rights with respect to your personal information.

You have the right to:

• Request access to the personal information about you on the Software;
• Request that your personal information held on the Software is corrected about you if it is wrong;
• Request that your personal information is restricted, in certain circumstances;
• Object to the processing of your personal information on the Software in certain circumstances;
• Request that your personal information is deleted;
• Receive certain of your information which you provided in a structured, commonly used and machine-readable format and to transmit such information to another controller.  

Please be aware that we may be unable to comply with your request in certain circumstances, for example if we are legally prevented from doing so or can rely on applicable exemptions.

Please note that if you make a request where we are a processor of your personal information, Auror cannot make a decision on your request, but we can help our Users to process requests made in that context.

If you are in the Republic of Ireland you have the right to lodge a complaint against Auror with the Data Protection Commission. For more information please see the following section on Contacting us or Complaining about the processing of your personal information.

If you believe your personal information has been uploaded to the Software by a User: We have entered into an agreement with each User to make clear that the User should be your primary contact point for any rights requests you make (and you can find those contact details in the privacy statement or equivalent of the relevant User). However, we’re committed to making sure you can exercise your rights easily, and so we’ve created pathways for you to make requests to the Users that have uploaded personal information to the Software. To exercise any of the rights set out above, please contact us by:

• emailing us at privacy@auror.co
• using our contact form here 

We’ll need your full name and the time and location of the possible event in order to verify your identity or authority before responding to your request. In certain cases we may need to ask for additional information if there is a reasonable doubt as to your identity. Once we’ve verified who you are, we’ll notify the User which uploaded your information and help them process your request as soon as possible, and no later than one calendar month after it has been received, unless we need to extend the deadline for responding to your request and are permitted to do so under applicable data protection laws (for example if your request is sufficiently complex).

Contacting us or Complaining about the processing of your personal information

If you have any concerns about the way we or a User have collected or processed your personal information on the Software, you have the right to complain to the Data Protection Commission (DPC). We would always appreciate the opportunity to resolve your concerns directly, so would be grateful if you could contact the relevant User and/or us (at privacy@auror.co) directly before complaining to the DPC. 

If you do decide to issue a complaint to the DPC, you can do so here.

If you have any questions about this Privacy Statement, you can contact us by email at: privacy@auror.co. If you are based in the UK, you can also contact us via post at: 49 Greek Street, London, United Kingdom, W1D 4EG.

‍

‍