We take our responsibility for effective data handling and privacy seriously.
This public privacy statement explains how Auror’s Crime Intelligence Software (the Software) helps retailers and other organisations to gather, use, and share information about events and retail crime lawfully and respectfully, and how we at Auror might work with those retailers and organisations to use personal information that is uploaded to the Software in some, limited circumstances. It also sets out how we at Auror might use personal information when you interact with us as a potential customer and/or when you use our website (www.auror.co).
References to “Auror”, “we”, “us”, or “our” in this Privacy Statement relate to Auror Europe Ltd and, where relevant, its related bodies corporate. This Privacy Statement captures the processing of personal information by Auror in the UK. We take information privacy and security seriously, and we take steps to ensure that we, our Software, and our customers adhere to all relevant privacy legislation. Our goal is to create a safer society and enable retailers and law enforcement to protect themselves and their communities by detecting, addressing and therefore reducing criminal activity in retail environments. We believe that providing the right information to the right people at the right time will help to reduce crime.
The Software is designed to protect retailers, their customers and the community more broadly from harm by giving retailers, organisations, law enforcement agencies, and their staff (our “Users”) a safe and secure way to collect and use information about incidents and risks that occur within retail environments. The Software then enables Users to access and share data in a controlled and responsible way.
If your personal information is on the Software, it is because a retailer you have interacted with, or a law enforcement agency, has chosen to upload your information.
Under certain pieces of legislation, organisations can have different ‘roles’ (and therefore different responsibilities) from a data protection perspective. For example, under the UK data protection legislation, organisations can be ‘controllers’, ‘processors’, and in some cases ‘joint controllers’:
This privacy statement gives you detailed information on why and when personal information is collected as part of the Software, how we use your personal information, how we keep it secure, and how you can let us know if you would like us to change how we manage it.
We regularly undertake Data Protection Impact Assessments, and so we may update this statement from time to time. These changes may reflect changes to privacy regulation or the Software, so we will inform you of any significant changes via our website where appropriate. This statement was last updated in April 2025.
We want to take the opportunity in the first instance to provide some information about how the Software works when Users upload personal information to report and/or investigate events. As noted above, although Auror is a processor of personal information in this context, we want to provide further information to you about how Users might make use of the Software and the steps that we have taken to ensure that personal information is used by Users lawfully and responsibly.
Our Users upload information to the Software using an online reporting form. Users may collect this information directly from an alleged offender, from a staff member or customer who has witnessed an alleged offence, or from CCTV footage they have captured using their own cameras. The event reporting form is designed to ensure that Users upload and share only personal information that is relevant, accurate and up to date. Users rely on the Software to collate information about retail crime and other similar events to provide them, and the other Users in their chosen community, with intelligence that assists with the prevention of crime and the protection of people and assets. The Software is designed to control the use and sharing of personal information, reducing the reliance on ad hoc and insecure information sharing and questionable public shaming techniques.
Users, including law enforcement agencies, may also generate personal information within the Software by commenting on events, or by identifying links between events and offenders. To the extent that we process personal information as a processor on behalf of our Users, the Software allows its Users to process personal information to:
We also provide Users with an ANPR Module on an opt-in basis, which allows Users to use the Software to store and process personal information collected by that User’s existing automatic number plate recognition (“ANPR”) cameras, so that Users can review footage, receive alerts when specific ‘vehicles of interest’ enter their premises and act accordingly (including by notifying the police where required). NB Auror does not operate any ANPR cameras: it simply processes the data collected by its customers’ existing cameras. We would encourage you to read the signage and/or notices provided by retailers relating to their use of ANPR cameras.
We encourage our customers and Users to be open with the public about the personal information they may upload and share with their chosen community as part of the Software (including Auror’s role in that process). They may do this by displaying signage on their premises and/or within their own privacy statements (or equivalent documents). We encourage you to read such statements and/or signage carefully. Our Terms of Use also require our Users to ensure that they have evidence of an alleged offence or event before uploading details about it to the Software.
We have also built safeguards into the Software that control the way information can be processed by our Users. All our Users must agree to Terms of Use that limit access to the Software and the ways in which they can use the Software.
Here are some specific things the Software does not facilitate for Users:
Auror has also developed a process to ensure that we always consider privacy when we innovate and improve the Software.
In particular, we will always do our best to make sure a change enables our Users to:
Personal information is any information that relates to an individual. It does not include information where the identity of the individual has been fully and effectively removed (anonymised data). The Software is designed to limit the personal information Users can upload, to ensure that they only retain and use relevant, accurate and necessary information that will assist with public safety and crime prevention. The Software also enables Users to obscure any images of innocent bystanders (either via cropping or redacting) to ensure that they are not identifiable in the information captured and shared by the Users on the Software.
As noted above, we will be a processor of personal information on behalf of Users to the extent that those Users upload, share or otherwise use that information to report and/or investigate a particular event. We will be joint controllers with each User of the personal information to the extent that we use it to provide certain features of the Software to Users, including: (i) Software Insights, and (ii) CTD.
We may collect the following “Event Information” from our Users as part of the Software:
We may also collect the following “Business-as-usual Information” as part of our general, day-to-day interactions with you when you use the Software as an employee of a retailer or law enforcement agency that has subscribed to (or is considering subscribing to) the Software:
Sensitive Personal Information
The nature of the Software means that Users may upload personal information that is considered more ‘sensitive’ including data relating to actual or alleged criminal offences (often referred to as ‘criminal offence data’) and some forms of special category data that may be incidental information to a reported event (Auror does not enable Users to collect information concerning health, skin colour or ethnicity). .
As noted above. we may collect personal information about you from different sources, including from:
Software Insights
We may use your personal information as joint controllers with each relevant User to aggregate and/or anonymise that information and create Software Insights, and to provide those insights to Users so that we and they can take steps to understand trends, research crime patterns and behaviours:
Connect the Dots (“CTD”)
We may use your personal information as joint controllers with each relevant User in the context of CTD. CTD allows retailer Users (who have opted in to use CTD) to ‘merge’ profiles where an individual was potentially involved in more than one Event (which in turn allows a retailer to have a fuller picture of an individuals’ offending behaviour), in three ways:
For the avoidance of doubt, neither CTD nor any other parts of the Software use solely automated decision-making: any use of artificial intelligence or machine learning must always be verified by an appropriate person at the relevant User.
Business-as-usual Information
If you are an employee of a User, we might also use your personal information to:
When you access the Software or our website, we also collect “Technical Information” about your computer, including, where available, your IP address, operating system, and browser type. We do this for system administration purposes, including to analyse trends and gather broad demographic information for aggregate use so that we can improve the site, and deliver customised, personalised content.
To the extent that we collect or use personal information as a joint controller with a relevant User, we will only do so when the law allows us to (i.e., where we have a ‘lawful basis’). Most commonly, we will use your personal information in the following circumstances:
Names
Creation of Software Insights (including to enable Users to understand individuals’ offending behaviour, and to enable Auror to anonymise data to improve the Software).Processing as part of CTD to surface possible ‘merges’ to retailer Users.
Legitimate Interests – in particular legitimate interests of (i) Auror to provide and improve its services, (ii) Users to detect, report, investigate and prevent crime, and (iii) the broader public in ensuring that retail crime is appropriately reported and investigated so that communities are kept safe (per Article 6(1)(f) UK GDPR).
NB If a User is a Law Enforcement authority, they will rely on the basis that the processing is necessary for the performance of a task carried out for law enforcement purposes (per section 35(2)(b) Data Protection Act 2018).
Age, Height, Gender, Build
Creation of Software Insights (including to enable Users to understand individuals’ offending behaviour, and to enable Auror to anonymise data to improve the Software).
Processing as part of CTD to surface possible ‘merges’ to retailer Users (though NB information relating to gender is not used for this purpose).
Legitimate Interests – in particular legitimate interests of (i) Auror to provide and improve its services, (ii) Users to detect, report, investigate and prevent crime, and (iii) the broader public in ensuring that retail crime is appropriately reported and investigated so that communities are kept safe (per Article 6(1)(f) UK GDPR).
NB If a User is a Law Enforcement authority, they will rely on the basis that the processing is necessary for the performance of a task carried out for law enforcement purposes (per section 35(2)(b) Data Protection Act 2018).
Distinguishing features and behavioural characteristics
Creation of Software Insights (including to enable Users to understand individuals’ offending behaviour, and to enable Auror to anonymise data to improve the Software).
Legitimate Interests – in particular legitimate interests of (i) Auror to provide and improve its services, (ii) Users to detect, report, investigate and prevent crime, and (iii) the broader public in ensuring that retail crime is appropriately reported and investigated so that communities are kept safe (per Article 6(1)(f) UK GDPR).
To the extent that this personal information constitutes criminal offence data or special category data, Auror and the User rely on the condition that the processing is necessary for the prevention or detection of crime (per paragraph 10 Schedule 1 Data Protection Act 2018).
NB If a User is a Law Enforcement authority, they will rely on the basis that the processing is necessary for the performance of a task carried out for law enforcement purposes (per section 35(2)(b) Data Protection Act 2018).
To the extent that a Law Enforcement authority carries out sensitive processing, it will rely on the conditions that processing is necessary: (i) for the exercise of a function conferred on a person by an enactment or rule of law and for reasons of substantial public interest (per paragraph 1 Schedule 8 Data Protection Act 2018) or (ii) for the administration of justice (per paragraph 2 Schedule 8 Data Protection Act 2018).
Details of the event, including date, time, location, and any products involved (including event value)
Creation of Software Insights (including to enable Users to understand individuals’ offending behaviour, and to enable Auror to anonymise data to improve the Software).
Processing as part of CTD to surface possible ‘merges’ to retailer Users.
Legitimate Interests – in particular legitimate interests of (i) Auror to provide and improve its services, (ii) Users to detect, report, investigate and prevent crime, and (iii) the broader public in ensuring that retail crime is appropriately reported and investigated so that communities are kept safe (per Article 6(1)(f) UK GDPR).
To the extent that this personal information constitutes criminal offence data or special category data, Auror and the User rely on the condition that the processing is necessary for the prevention or detection of crime (per paragraph 10 Schedule 1 Data Protection Act 2018).
NB If a User is a Law Enforcement authority, they will rely on the basis that the processing is necessary for the performance of a task carried out for law enforcement purposes (per section 35(2)(b) Data Protection Act 2018).
To the extent that a Law Enforcement authority carries out sensitive processing, it will rely on the conditions that processing is necessary: (i) for the exercise of a function conferred on a person by an enactment or rule of law and for reasons of substantial public interest (paragraph 1 Schedule 8 Data Protection Act 2018) or (ii) for the administration of justice (paragraph 2 Schedule 8 Data Protection Act 2018).
Details of any vehicles involved in the event
Creation of Software Insights (including to enable Users to understand individuals’ offending behaviour, and to enable Auror to anonymise data to improve the Software).
Processing as part of ANPR to alert retailers about presence of vehicles of interest (and in turn allow retailers to notify law enforcement, review footage and/or take other appropriate steps).
Processing as part of CTD to surface possible ‘merges’ to retailer Users.
Legitimate Interests – in particular legitimate interests of (i) Auror to provide and improve its services, (ii) Users to detect, report, investigate and prevent crime, and (iii) the broader public in ensuring that retail crime is appropriately reported and investigated so that communities are kept safe (per Article 6(1)(f) UK GDPR).
To the extent that this personal information constitutes criminal offence data or special category data, Auror and the User rely on the condition that the processing is necessary for the prevention or detection of crime (per paragraph 10 Schedule 1 Data Protection Act 2018).
NB If a User is a Law Enforcement authority, they will rely on the basis that that the processing is necessary for the performance of a task carried out for law enforcement purposes (per section 35(2)(b) Data Protection Act 2018).
To the extent that a Law Enforcement authority carries out sensitive processing, it will rely on the conditions that processing is necessary: (i) for the exercise of a function conferred on a person by an enactment or rule of law and for reasons of substantial public interest (paragraph 1 Schedule 8 Data Protection Act 2018) or (ii) for the administration of justice (paragraph 2 Schedule 8 Data Protection Act 2018).
Facial biometric information generated using images captured from a User’s existing CCTV cameras located within retail premises
Processing as part of CTD to surface possible ‘merges’ to retailer Users.
Legitimate Interests – in particular legitimate interests of (i) Auror to provide and improve its services, (ii) Users to detect, report, investigate and prevent crime, and (iii) the broader public in ensuring that retail crime is appropriately reported and investigated so that communities are kept safe (per Article 6(1)(f) UK GDPR).
To the extent that this personal information constitutes criminal offence data or special category data, Auror and the User rely on the condition that the processing is necessary for the prevention or detection of crime (per paragraph 10 Schedule 1 Data Protection Act 2018).
NB If a User is a Law Enforcement authority, they will rely on the basis that the processing is necessary for the performance of a task carried out for law enforcement purposes (per section 35(2)(b) Data Protection Act 2018).
To the extent that a Law Enforcement authority carries out sensitive processing, it will rely on the conditions that processing is necessary: (i) for the exercise of a function conferred on a person by an enactment or rule of law and for reasons of substantial public interest (paragraph 1 Schedule 8 Data Protection Act 2018) or (ii) for the administration of justice (paragraph 2 Schedule 8 Data Protection Act 2018).
Names
Enable User (and relevant staff) to make use of the Software.
Legitimate Interests, including the legitimate interests of Auror to provide its services and User staff to make use of those services.
Contact Details
Enable User (and relevant staff) to make use of the Software.
Legitimate Interests, including the legitimate interests of Auror to provide its services and User staff to make use of those services.
Job titles
Enable User (and relevant staff) to make use of the Software.
Legitimate Interests, including the legitimate interests of Auror to provide its services and User staff to make use of those services.
We may also process personal information where this is necessary to comply with a legal obligation on us (for example, reporting to regulators or other government bodies).
We will not typically rely on consent to process personal information, but where we do so, you can withdraw your consent at any time by emailing us at privacy@auror.co.
Please note that the table above only captures the processing of personal information for which we are a joint controller or independent controller: to the extent that a User processes your personal information as an independent controller, please see the relevant privacy statement (or equivalent) of that User for the details of any lawful bases that the User relies on.
Where we process your personal information as a joint controller with a User, we may share your personal information with third parties. This includes:
As noted, the Software is hosted by Microsoft Azure and our data is stored in data centres located in proximity to the User, including US (if a User is in North America or Canada), Australia (if a User is in New Zealand or Australia), or the UK (if a User is in the UK). This means the personal information we hold is not generally transferred to, or accessed from, countries or regions outside the User’s location. We endeavour to store and process data only in countries that have strong privacy regulations in place.
If we do intend to transfer your personal information outside of the UK, we will take steps to ensure that your personal information is protected in accordance with applicable laws and appropriate safeguards. For example, if a User is located in the UK and we intend to transfer personal information out of that jurisdiction (especially where the recipient country is not considered to be adequate under UK law, as applicable), we will rely on the appropriate safeguards under data protection legislation, such as standard contractual clauses approved by the European Commission, together with the UK addendum to those clauses (as applicable) to protect your personal information.
We take all reasonable steps to keep all data uploaded by Users, including personal information, safe and secure.
We encrypt all information in transit to and from Auror using SSL 256-bit encryption. Transport Layer Security (TLS/SSL) is used to protect the transfer of information to our hosted servers. The Software is also securely encrypted and is SOC 2 Type II compliant, and Microsoft Azure complies with industry leading security policies and standards, including SOC 1/SSAE 16/ISAE 3402, SOC 2, and ISO 27001/27002. Microsoft sets out all its security features in detail on its website.
We also have policies, procedures, and contracts that ensure the people who use the Software play their part in keeping data secure. The Software limits the information a particular User can view on the basis of that User’s role, selected preferences, and the preferences of other Users in their community. All use of the Software is logged and can be audited by Users to ensure that the personal information it contains is not misused.
While we seek to use appropriate organisational, technical and administrative measures to protect personal information within our organisation, unfortunately no data transmission or storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure, please immediately notify us in accordance with the “Contact us” section below.
The Software is configured to help Users ensure that personal information is retained only for as long as they have a lawful purpose to use it. When a User no longer needs to retain personal information in an identifiable form, they can either delete it (manually or via automated deletion when a preconfigured retention period expires) or ask us to anonymise it so that it can be used for statistical analysis. Please see the privacy statements (or similar) of our relevant Users to understand their retention periods.
Where personal information is used to create Software Insights, those insights are updated automatically as and when the underlying personal information is deleted or updated by the relevant User, and Auror does not retain any historical insights.
Similarly, when a User has opted into the use of CTD or ANPR modules and then deletes their data from the Software, that data will no longer be part of CTD or ANPR (in other words, the personal information will not be processed, by Auror or otherwise, after the User has deleted it).
When a User terminates their agreement with Auror, we delete all personal information they uploaded to the Software upon their instruction. We do not retain User personal information for our own purposes, though, as noted, we may retain anonymised and aggregated data in order to continuously improve our Software, products and services.
Notwithstanding the above, we have our own retention periods in relation to CTD and ANPR (meaning that we may delete the personal information used for these modules even when relevant Users haven’t told us to):
You have important privacy rights with respect to your personal information. We have entered into an agreement with each User to make clear that the User should be your contact point for any rights requests you make (and you can find those contact details in the privacy statement or equivalent of the relevant User). However, we’re committed to making sure you can exercise your rights easily, and so we’ve created pathways for you to make requests to the Users that have uploaded personal information to the Software. To exercise any of the rights set out below, please contact us by:
We’ll need your full name, date of birth and the time and location of the possible event in order to verify your identity or authority before responding to your request. Once we’ve verified who you are, we’ll notify the User which uploaded your information and help them process your request as soon as possible, and no later than one calendar month after it has been received, unless we need to extend the deadline for responding to your request and are permitted to do so under applicable data protection laws (for example if your request is sufficiently complex).
You have the right to:
Please be aware that we may be unable to comply with your request in certain circumstances, for example if we or the User are legally prevented from doing so or an exemption applies.
Please note that if you make a request where we are a processor of your personal information, Auror cannot make a decision on your request, but we can help our Users to process requests made in that context.
If you have any concerns about the way we or a User have collected or processed your personal information on the Software, you have the right to complain to the UK Information Commissioner’s Office (“ICO”). We would always appreciate the opportunity to resolve your concerns directly, so would suggest that you contact the relevant User and/or us (at privacy@auror.co) directly in the first instance before contacting the ICO.
If you do decide to issue a complaint to the ICO, you can do so here.
If you have any questions about this Privacy Statement, you can contact us by email at: privacy@auror.co. If you are based in the UK, you can also contact us via post at: 49 Greek Street, London, United Kingdom, W1D 4EG.