This Privacy Policy explains how Corsight processes personal data across its business activities. It applies to circumstances in which Corsight acts as a data controller and to those in which it acts as a data processor. It is designed for publication as Corsight’s external B2B privacy policy.

1. Corporate Identity and Scope

This Privacy Policy applies to the Corsight group of companies (“Corsight”, “we”, “us”, “our”).

• Corsight AI Ltd (Israel) – Headquarters and Research & Development.
• Corsight AI Ltd (United Kingdom).
• Corsight AI Inc (United States).

Each entity may act as a data controller or data processor depending on the context of processing, the contractual arrangements in place, and the jurisdiction concerned.

Where required, the relevant contracting entity will be identified in customer agreements. The relevant contracting entity is responsible for compliance with applicable legal obligations within its jurisdiction.

2. Introduction

Corsight is a business-to-business (B2B) provider of facial recognition and video analytics software solutions. We supply technology to government agencies, law enforcement authorities, and enterprise customers. We do not operate consumer platforms and do not provide direct-to-consumer facial recognition services.

This Policy explains how we process personal data when acting as controller and when acting as processor.

3. Our Role in Data Processing

Corsight develops and supplies facial recognition technology. Operational deployment decisions, including watchlist selection, activation, alert thresholds, and investigative actions, are determined solely by customers acting as independent data controllers.

When acting as a data processor, customers determine the purpose, legal basis, watchlists, system configuration, and retention periods. Corsight does not determine the operational purpose for which facial recognition technology is deployed by customers and does not control watchlist content, field-of-view configuration, or investigative use decisions.

We process personal data strictly in accordance with documented instructions and under Data Processing Agreements. Customers are responsible for providing any required operational privacy notices to data subjects in connection with deployment of Corsight technology.

When acting as a data controller, we determine the purposes and means of processing for corporate administration, human resources, supplier management, website operations, marketing communications, research and development, compliance, and security management.

4. Categories of Personal Data

Corsight processes personal data solely for legitimate business purposes including product development, system testing, customer support, compliance management, corporate administration, and contractual performance. Personal data is not processed for consumer profiling or unrelated commercial exploitation.

• Corporate contact data, including name, business email address, role, and company details.
• Website, mobile app, and technical data, including IP address, device information, operating system, browser type, application version, logs, login history, and usage data relating to our website, mobile applications, online services, demos, and other digital resources. Where enabled by device settings, user permissions, or service configuration, this may also include approximate location data, network information, and diagnostic data used for security, support, analytics, and service functionality.
• Employee and contractor data, including HR, payroll, and professional records.
• Product development and testing data where lawfully obtained, including facial images, biometric templates, and associated metadata. Biometric templates generated by our systems are algorithmic representations derived from image data. These templates are not human-readable and are not capable of being reconstructed into facial images. Raw image data is not retained within development or testing environments unless required for specific lawful purposes.

Corsight does not operate a publicly searchable biometric database and does not provide consumer identification services. Corsight does not aggregate biometric data for consumer profiling or public identification services. System configuration, watchlist management, and operational retention are controlled by customers acting as data controllers. Corsight does not collect biometric data directly from members of the public for commercial identification purposes. Biometric data processed within development or testing environments is obtained from lawfully sourced datasets and is not made publicly accessible.

We do not sell biometric data and do not use biometric data for advertising or marketing.

5. Special Category and Biometric Data

Where biometric data is processed, it is handled in accordance with the Israeli Protection of Privacy Law 5741-1981 (as amended), including Amendment 13, and other applicable data protection laws. Biometric data is treated as sensitive data under applicable Israeli law and is subject to enhanced security and governance controls. Security measures are implemented in accordance with the risk-based classification requirements under the Israeli Privacy Protection Regulations (Data Security) 2017.

Where processing falls within the scope of the EU GDPR or UK GDPR, such processing is conducted in accordance with Article 9 and other relevant provisions governing special category data.

Processing may rely on substantial public interest, legal claims, explicit consent where required, security purposes, or other lawful grounds.

Safeguards include encryption, strict access controls, environment separation, pseudonymisation where feasible, and audit logging.

6. Lawful Bases for Processing

• Performance of a contract.
• Compliance with legal obligations.
• Legitimate interests, including cybersecurity, service administration, and product improvement.
• Explicit consent where required by law.
• Substantial public interest where applicable.
• Establishment, exercise, or defence of legal claims.

7. AI Governance and Regulatory Alignment

Corsight maintains a structured AI governance and risk management framework designed to support compliance with applicable data protection, security, and emerging AI regulatory requirements.

Our governance framework is anchored in:

• The Israeli Protection of Privacy Law, 5741-1981 (as amended), including Amendment 13.
• The Privacy Protection Regulations (Data Security) 2017.
• Applicable constitutional privacy protections under Israeli law.
• The EU General Data Protection Regulation (GDPR) and UK GDPR where applicable.
• The EU Artificial Intelligence Act obligations applicable to providers of high-risk AI systems, where our systems fall within scope.
• Relevant U.S. federal and state regulatory requirements applicable to biometric and surveillance technologies.

Corsight’s AI governance framework incorporates:

• Risk identification and mitigation processes across the AI lifecycle.
• Dataset sourcing due diligence and validation controls.
• Dataset documentation and traceability measures.
• Data minimisation and purpose limitation principles.
• Secure development lifecycle practices.
• Human oversight and system configuration controls.
• Bias monitoring and performance evaluation processes.
• Technical documentation and audit readiness controls.
• Security-by-design and privacy-by-design principles.

Where required by law or contract, we support customers in conducting impact assessments and compliance evaluations relevant to their deployment environments.

Corsight continuously reviews its governance framework to reflect evolving regulatory requirements and best practices in AI accountability and biometric data protection. Corsight maintains internal accountability documentation and records.

8. Data Retention

Personal data is retained only for as long as necessary for contractual, regulatory, security, audit, or legitimate business purposes. Retention of operational deployment data is determined by the customer acting as controller.

9. International Data Transfers

As a global organisation operating from Israel, the United Kingdom, and the United States, personal data may be transferred internationally.

Safeguards may include Standard Contractual Clauses, the UK International Data Transfer Addendum, adequacy decisions, and appropriate technical and organisational protections. Where required under applicable data protection law, Corsight implements appropriate transfer safeguards, including the European Commission’s Standard Contractual Clauses and, where applicable, the UK International Data Transfer Addendum.

Such safeguards are incorporated into contractual arrangements with customers, partners, and affiliates where personal data is transferred outside the originating jurisdiction without the benefit of an adequacy decision.

10. Data Security

Security measures are implemented in accordance with the risk-based classification requirements under the Israeli Privacy Protection Regulations (Data Security) 2017.

• Encryption in transit and at rest.
• Role-based access controls and multi-factor authentication.
• Network segmentation and secure development practices.
• Penetration testing, vulnerability management, and incident response procedures.

Where location data or mobile application data is processed, such data is collected only where relevant to the functionality, security, support, or administration of the relevant service, and subject to applicable device permissions and legal requirements.

11. Data Subject Rights

Where Corsight acts as controller, individuals may exercise rights of access, rectification, erasure, restriction, objection, and portability where applicable. Where required by applicable law, including Israeli data protection law, Corsight notifies relevant authorities and affected parties of data security incidents. Where Corsight processes personal data for direct marketing purposes, including B2B communications, individuals have the right to object at any time to such processing.

Individuals may opt out of marketing communications by using the unsubscribe mechanism included in communications or by contacting [email protected].

Where Corsight acts as processor, requests must be directed to the relevant controller.

Identity verification is conducted before responding to requests. Requests must include sufficient information to verify identity and enable the location of relevant records.

12. Automated Decision-Making

Corsight provides biometric matching technology but does not independently make legal or similarly significant decisions about individuals. Corsight’s technology is designed with human-in-the-loop architecture. It is not designed or structured for fully automated decision-making.

Corsight does not initiate identification actions, issue alerts, or take enforcement decisions regarding individuals. Deployment decisions remain under customer control and may include human review mechanisms.

13. Complaints

Concerns regarding data processing may be directed to [email protected]. Individuals may lodge complaints with relevant supervisory authorities including the UK Information Commissioner’s Office, EU supervisory authorities, the Israeli Privacy Protection Authority, or relevant U.S. regulators.

14. Contact Details

• Corsight AI Ltd (Israel) – Tuval 40, Floor 28, Ramat Gan, 5252247.
• Corsight AI Ltd (United Kingdom) – 30 Old Bailey, London, United Kingdom, EC4M 7AU.
• Corsight AI Inc (United States) – 3 Germay Dr., Unit 4 #2808, Wilmington, DE 19804.
• Email: [email protected].
• Data Protection Officer: Tony Porter OBE QPM LLB.

15. Policy Updates

This Policy may be updated periodically to reflect legal, regulatory, or operational changes. The most recent version will be published on our website.