Book A Demo
This Privacy Policy applies to the Corsight group of companies (“Corsight”, “we”, “us”, “our”).
The entities covered by this Policy include:
Each entity may act as a data controller or data processor depending on the context of processing, contractual arrangements, and jurisdiction.
Where required, the relevant contracting entity will be identified in customer agreements.
The relevant contracting entity is responsible for compliance with applicable legal obligations within its jurisdiction.
Corsight is a business-to-business (B2B) provider of facial recognition and video analytics software solutions.
We supply technology to government agencies, law enforcement authorities, and enterprise customers.
We do not operate consumer platforms and do not provide direct-to-consumer facial recognition services.
This Policy explains how we process personal data when acting as controller and when acting as processor.
Corsight develops and supplies facial recognition technology. Operational deployment decisions, including watchlist selection, activation, alert thresholds, and investigative actions, are determined solely by customers acting as independent data controllers
When acting as Data Processor, customers determine the purpose, legal basis, watchlists, system configuration, and retention periods. Corsight does not determine the operational purpose for which facial recognition technology is deployed by customers and does not control watchlist content, field-of-view configuration, or investigative use decisions.
We process personal data strictly in accordance with documented instructions and under Data Processing Agreements. Customers are responsible for providing any required operational privacy notices to data subjects in connection with deployment of Corsight technology
When acting as Data Controller, we determine purposes and means for corporate administration, HR, supplier management, website operations, marketing communications, R&D, compliance and security management.
Corsight processes personal data solely for legitimate business purposes including product development, system testing, customer support, compliance management, corporate administration, and contractual performance. Personal data is not processed for consumer profiling or unrelated commercial exploitation.
Corporate Contact Data (name, business email, role, company details).
Website and Technical Data (IP address, device information, logs).
Employee and Contractor Data (HR, payroll, professional records).
Product Development and Testing Data where lawfully obtained (facial images, biometric templates, associated metadata). Biometric templates generated by our systems are algorithmic representations derived from image data. These templates are not human-readable and are not capable of being reconstructed into facial images. Raw image data is not retained within development or testing environments unless required for specific lawful purposes
Corsight does not operate a publicly searchable biometric database and does not provide consumer identification services. Corsight does not aggregate biometric data for consumer profiling or public identification services. System configuration, watchlist management, and operational retention are controlled by customers acting as data controllers. Corsight does not collect biometric data directly from members of the public for commercial identification purposes. Biometric data processed within development or testing environments is obtained from lawfully sourced datasets and is not made publicly accessible.
We do not sell biometric data and do not use biometric data for advertising or marketing.
Where biometric data is processed, it is handled in accordance with the Israeli Protection of Privacy Law 5741-1981 (as amended), including Amendment 13, and other applicable data protection laws. Biometric data is treated as sensitive data under applicable Israeli law and is subject to enhanced security and governance controlsSecurity measures are implemented in accordance with the risk-based classification requirements under the Israeli Privacy Protection Regulations (Data Security) 2017.
Where processing falls within the scope of the EU GDPR or UK GDPR, such processing is conducted in accordance with Article 9 and other relevant provisions governing special category data
Processing may rely on substantial public interest, legal claims, explicit consent where required, security purposes, or other lawful grounds.
Safeguards include encryption, strict access controls, environment separation, pseudonymisation where feasible, and audit logging.
Performance of a contract.
Compliance with legal obligations.
Legitimate interests including cybersecurity and product improvement.
Explicit consent where required by law.
Substantial public interest where applicable.
Establishment, exercise or defence of legal claims.
Corsight maintains a structured AI governance and risk management framework designed to support compliance with applicable data protection, security, and emerging AI regulatory requirements.
Our governance framework is anchored in:
Corsight’s AI governance framework incorporates:
Where required by law or contract, we support customers in conducting impact assessments and compliance evaluations relevant to their deployment environments.
Corsight continuously reviews its governance framework to reflect evolving regulatory requirements and best practices in AI accountability and biometric data protection.
Corsight maintains internal accountability documentation and records.
Personal data is retained only for as long as necessary for contractual, regulatory, security, audit, or legitimate business purposes.
Retention of operational deployment data is determined by the customer acting as controller.
As a global organisation operating from Israel, the UK and the United States, personal data may be transferred internationally.
Safeguards may include Standard Contractual Clauses, UK International Data Transfer Addendum, adequacy decisions, and technical and organisational protections. Where required under applicable data protection law, Corsight implements appropriate transfer safeguards, including the European Commission’s Standard Contractual Clauses (SCCs) and, where applicable, the UK International Data Transfer Addendum.
Such safeguards are incorporated into contractual arrangements with customers, partners, and affiliates where personal data is transferred outside the originating jurisdiction without the benefit of an adequacy decision
Security measures are implemented in accordance with the risk-based classification requirements under the Israeli Privacy Protection Regulations (Data Security) 2017.
Encryption in transit and at rest.
Role-based access controls and multi-factor authentication.
Network segmentation and secure development practices.
Penetration testing, vulnerability management, and incident response procedures.
Where Corsight acts as controller, individuals may exercise rights of access, rectification, erasure, restriction, objection, and portability where applicable. Where required by applicable law, including Israeli data protection law, Corsight notifies relevant authorities and affected parties of data security incidents. Where Corsight processes personal data for direct marketing purposes (including B2B communications), individuals have the right to object at any time to such processing.
Individuals may opt out of marketing communications by using the unsubscribe mechanism included in communications or by contacting [email protected]
Where Corsight acts as processor, requests must be directed to the relevant controller.
Identity verification is conducted before responding to requests. Requests must include sufficient information to verify identity and enable location of records.
Corsight provides biometric matching technology but does not independently make legal or similarly significant decisions about individuals. Corsight’s technology is designed with human in the loop architecture. It is not designed nor structured for automated decision making.
Corsight does not initiate identification actions, issue alerts, or take enforcement decisions regarding individuals. Deployment decisions remain under customer control and may include human review mechanisms
Concerns regarding data processing may be directed to [email protected].
Individuals may lodge complaints with relevant supervisory authorities including the UK ICO, EU supervisory authorities, the Israeli Privacy Protection Authority, or relevant U.S. regulators.
Corsight AI Ltd (Israel) – Tuval 40, Floor 28, Ramat Gan, 5252247
Corsight AI Ltd (United Kingdom) – 30 Old Bailey, London, United Kingdom, EC4M 7AU
Corsight AI Inc (United States) – 3 Germay Dr., Unit 4 #2808, Wilmington, DE 19804
Email: [email protected]
Data Protection Officer: Tony Porter OBE QPM LLB
This Policy may be updated periodically to reflect legal, regulatory, or operational changes.
The most recent version will be published on our website.
Version Updates
Version 0.1
Date: 03/03/2026
Description: Version 1
Author: Tony Porter
Approver: Tony Porter
Last Updated: 3 March 2026
Document Owner: Corsight Privacy Team
Approved By: Chief Executive Officer
Next Review Date: 28 May 2026