Privacy Policy

1. Who we are

Custody Lens Limited is the organization responsible for personal data described in this Privacy Policy where we act as a controller (for example, when you visit our website or contact us directly).

Controller contact:

• Custody Lens Limited
• Whitehall Place, 47 The Terrace, Gravesend, England, DA12 2DL
• Email: contact@geoevident.com

2. Scope: what this Privacy Policy covers

This Privacy Policy covers personal data processed in the following contexts:

1. Website visitors and business contacts — People who visit our website, request a demo, download security materials, or communicate with us (e.g., by email).
2. Customer onboarding (KYB / contracting) — Authorized representatives of prospective customers, for verification and contracting.
3. GeoEvident customers and authorized users — Individuals acting on behalf of our customers (B2B/B2G users with provisioned accounts).
4. GeoEvident customer content and case data — Photos, video frames, case notes, and outputs submitted to/processed by GeoEvident (which may include personal data depending on content).

3. Controller vs Processor roles

Depending on the context, Custody Lens may act as either:

3.1 We act as Controller when:

• You browse our website;
• You contact us, request a demo, or receive marketing/security materials;
• We conduct KYB and contracting checks on a prospective customer.

3.2 We act as Processor when:

• We process customer-submitted content and case data within GeoEvident on our customer's instructions.

In those cases, the customer is typically the controller of the content and determines the lawful basis for processing, retention periods, and who the data relates to. If you have questions about case content processed by GeoEvident on behalf of a customer, you should first contact the customer organization (the controller).

4. Personal data we collect and process

4.1 Website and communications data

We may process:

• Contact details (name, work email, organization, job title, phone number);
• Your message content and inquiry details (e.g., use case, deployment requirements);
• Website technical data (IP address, device/browser information, pages visited, timestamps) collected via server logs and similar technologies. For details on cookies and similar technologies, see our Cookies Policy.

4.2 Customer onboarding (KYB / contracting)

Because GeoEvident is available only to verified organizations, we may process:

• Company details (legal name, registration identifiers, business address, VAT/tax IDs where relevant);
• Information about authorized signatories/representatives;
• Identification or verification information required to complete KYB and contractual due diligence (e.g., corporate ownership/beneficial ownership confirmations, where applicable and proportionate).

4.3 Account and access management (authorized users)

For GeoEvident users provisioned by a customer, we may process:

• Work email, name, organization, and role/permissions (RBAC);
• Authentication and security data (login events, access attempts, session metadata);
• Where enabled on certain cloud plans, SSO attributes provided by your organization's identity provider (e.g., identifiers and group/role mappings).

4.4 GeoEvident service data (customer content and case workflow)

Depending on the customer's use, GeoEvident may process:

• Uploaded photos and/or extracted video frames;
• Case metadata (case name/ID, timestamps, analyst notes added by users);
• System-generated outputs (ranked candidates presented as Hotel / Apartment / Street View, supporting visual matches);
• Audit logs (e.g., who accessed a case, who uploaded content, what actions were performed).

5. How we use personal data (purposes)

5.1 Website and communications

We use personal data to:

• Respond to demo requests and inquiries;
• Provide requested materials (e.g., a Security Pack);
• Manage sales and account relationships with organizations;
• Improve our website and communications;
• Maintain the security of our website and systems.

5.2 KYB / contracting and compliance

We use data to:

• Verify organizations and authorized representatives;
• Conduct contractual due diligence and onboarding;
• Prevent fraud and misuse (especially given the investigative nature of the product);
• Maintain records necessary for compliance and business operations.

5.3 Providing GeoEvident (service delivery)

We use data to:

• Provide, maintain, and secure the GeoEvident service;
• Enforce RBAC, monitor for suspicious activity, and maintain auditability;
• Provide customer support and troubleshooting;
• Operate cloud deployment features (where applicable) and support on-prem deployments (including offline update procedures where agreed).

6. Legal bases (where Custody Lens is the controller)

We rely on lawful bases consistent with Article 6 GDPR / UK GDPR when acting as a controller. Common bases include:

• Contract / steps prior to contract: to respond to procurement inquiries, prepare a demo or proposal, onboard a customer, and deliver contracted services.
• Legitimate interests: to market and grow our business in a B2B context, maintain security, prevent abuse, and improve our services — balanced against your rights.
• Legal obligation: to comply with applicable laws (e.g., recordkeeping obligations).

Where we act as a processor for customer content, our legal basis is determined by the customer as controller, and our processing is governed by contract and documented instructions.

7. Sharing and disclosure of personal data

We may share personal data with:

• Service providers (subprocessors) that help us operate our website and services (e.g., hosting, email delivery, security monitoring, analytics, customer support tooling), under contractual confidentiality and data protection obligations.
• Professional advisers (legal, accounting, audit) where necessary.
• Authorities where disclosure is required by law or necessary to protect rights, safety, or investigate wrongdoing.

For on-premise deployments, customer service data can be designed to remain within the customer's environment, depending on the agreed architecture and operational model.

A list of current subprocessors (where applicable) can be provided to customers upon request, typically under NDA.

8. International transfers

If personal data is transferred outside the UK/EEA, we use appropriate transfer mechanisms, such as:

• Transfers to jurisdictions covered by an adequacy decision (where applicable); or
• Standard Contractual Clauses (SCCs) and supplementary measures as needed.

9. Security measures

We implement technical and organizational measures designed to protect personal data, including (as applicable to deployment model):

9.1 Cloud deployments

• Role-based access control (RBAC);
• Full audit logging for user and case actions;
• Encryption in transit (e.g., TLS) and protective security controls around infrastructure;
• SSO on select plans (where enabled by customer).

9.2 On-premise deployments

• RBAC and audit logging;
• Support for network isolation including fully offline/air-gapped operation (where required);
• Offline update workflows using controlled update packages (subject to customer environment policies and agreed procedures).

No security measure is perfect, but we design controls to be appropriate for investigative and regulated environments.

10. Data retention

We retain personal data only as long as necessary for the purposes described above, unless a longer period is required by law or contract.

Typical retention logic:

• Website inquiries: retained to manage the commercial relationship and maintain reasonable business records.
• KYB and contracting: retained for the life of the relationship and for a reasonable period thereafter to meet legal/accounting needs.
• GeoEvident service data: retention is governed by customer contract and configuration, and differs by Cloud vs On-Prem deployment.

Where we act as a processor, retention terms are normally defined by the customer controller, subject to agreed service constraints.

11. Your rights

Individuals have rights under applicable data protection law, including (subject to conditions and exemptions):

• Right to be informed;
• Right of access;
• Right to rectification;
• Right to erasure;
• Right to restrict processing;
• Right to data portability;
• Right to object; and
• Rights related to automated decision-making (where applicable).

How to exercise rights: Email us at contact@geoevident.com with sufficient information for us to verify identity and locate relevant data.

Processor scenario: If your data is contained in GeoEvident cases processed on behalf of a customer (controller), we may refer your request to the relevant customer or support them in responding, depending on contractual roles and legal requirements.

12. Complaints

If you believe your data protection rights have been infringed, you can:

1. Contact us first so we can try to resolve the issue; and/or
2. Lodge a complaint with the relevant supervisory authority.

For the UK, you can contact the Information Commissioner's Office (ICO).

13. Children

GeoEvident is intended for organizational use only. We do not knowingly solicit personal data from children through our website for consumer purposes.

14. Third-party links

Our website may contain links to third-party websites. We are not responsible for their privacy practices. Please review their privacy policies independently.

15. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. We will post the updated version on our website and update the "Effective date" above. Material changes may also be communicated through contractual channels for customers.

16. Contact

For privacy inquiries, rights requests, or security/privacy documentation requests:

• contact@geoevident.com