Corsight Group of Companies
This Privacy Policy explains how Corsight processes personal data across its business activities. It applies
to circumstances in which Corsight acts as a data controller and to those in which it acts as a data
processor. It is designed for publication as Corsight's external B2B privacy policy.
This Privacy Policy applies to the Corsight group of companies ("Corsight", "we", "us", "our").
• Corsight AI Ltd (Israel) – Headquarters and Research & Development.
• Corsight AI Ltd (United Kingdom).
• Corsight AI Inc (United States).
Each entity may act as a data controller or data processor depending on the context of processing, the
contractual arrangements in place, and the jurisdiction concerned.
Where required, the relevant contracting entity will be identified in customer agreements. The relevant
contracting entity is responsible for compliance with applicable legal obligations within its jurisdiction.
Corsight is a business-to-business (B2B) provider of facial recognition and video analytics software
solutions. We supply technology to government agencies, law enforcement authorities, and enterprise
customers. We do not operate consumer platforms and do not provide direct-to-consumer facial
recognition services.
This Policy explains how we process personal data when acting as controller and when acting as
processor.
Corsight develops and supplies facial recognition technology. Operational deployment decisions,
including watchlist selection, activation, alert thresholds, and investigative actions, are determined
solely by customers acting as independent data controllers.
When Corsight acts as a data processor, customers determine the purpose, legal basis, watchlists, system
configuration, and retention periods. Corsight does not determine the operational purpose for which
facial recognition technology is deployed by customers and does not control watchlist content,
field-of-view configuration, or investigative use decisions.
We process personal data strictly in accordance with documented instructions and under Data
Processing Agreements. Customers are responsible for providing any required operational privacy
notices to data subjects in connection with deployment of Corsight technology.
When acting as a data controller, we determine the purposes and means of processing for corporate
administration, human resources, supplier management, website operations, marketing
communications, research and development, compliance, and security management.
Corsight processes personal data solely for legitimate business purposes including product
development, system testing, customer support, compliance management, corporate administration,
and contractual performance. Personal data is not processed for consumer profiling or unrelated
commercial exploitation.
• Corporate contact data, including name, business email address, role, and company details.
• Website, mobile app, and technical data, including IP address, device information, operating system,
browser type, application version, logs, login history, and usage data relating to our website, mobile
applications, online services, demos, and other digital resources. Where enabled by device settings,
user permissions, or service configuration, this may also include approximate location data, network
information, and diagnostic data used for security, support, analytics, and service functionality.
• Employee and contractor data, including HR, payroll, and professional records.
• Product development and testing data where lawfully obtained, including facial images, biometric
templates, and associated metadata. Biometric templates generated by our systems are algorithmic
representations derived from image data. These templates are not human-readable and are not
capable of being reconstructed into facial images. Raw image data is not retained within
development or testing environments unless required for specific lawful purposes.
Corsight does not operate a publicly searchable biometric database and does not provide consumer
identification services. Corsight does not aggregate biometric data for consumer profiling or public
identification services. System configuration, watchlist management, and operational retention are
controlled by customers acting as data controllers. Corsight does not collect biometric data directly from
members of the public for commercial identification purposes. Biometric data processed within
development or testing environments is obtained from lawfully sourced datasets and is not made
publicly accessible.
We do not sell biometric data and do not use biometric data for advertising or marketing.
Where biometric data is processed, it is handled in accordance with the Israeli Protection of Privacy
Law 5741-1981 (as amended), including Amendment 13, and other applicable data protection laws.
Biometric data is treated as sensitive data under applicable Israeli law and is subject to enhanced
security and governance controls. Security measures are implemented in accordance with the
risk-based classification requirements under the Israeli Privacy Protection Regulations (Data Security) 2017.
Where processing falls within the scope of the EU GDPR or UK GDPR, such processing is conducted in
accordance with Article 9 and other relevant provisions governing special category data.
Processing may rely on substantial public interest, legal claims, explicit consent where required,
security purposes, or other lawful grounds.
Safeguards include encryption, strict access controls, environment separation, pseudonymisation where
feasible, and audit logging.
• Performance of a contract.
• Compliance with legal obligations.
• Legitimate interests, including cybersecurity, service administration, and product improvement.
• Explicit consent where required by law.
• Substantial public interest where applicable.
• Establishment, exercise, or defence of legal claims.
Corsight maintains a structured AI governance and risk management framework designed to support
compliance with applicable data protection, security, and emerging AI regulatory requirements.
Our governance framework is anchored in:
• The Israeli Protection of Privacy Law, 5741-1981 (as amended), including Amendment 13.
• The Privacy Protection Regulations (Data Security) 2017.
• Applicable constitutional privacy protections under Israeli law.
• The EU General Data Protection Regulation (GDPR) and UK GDPR where applicable.
• The EU Artificial Intelligence Act obligations applicable to providers of high-risk AI systems, where our
systems fall within scope.
• Relevant U.S. federal and state regulatory requirements applicable to biometric and surveillance
technologies.
Corsight's AI governance framework incorporates:
• Risk identification and mitigation processes across the AI lifecycle.
• Dataset sourcing due diligence and validation controls.
• Dataset documentation and traceability measures.
• Data minimisation and purpose limitation principles.
• Secure development lifecycle practices.
• Human oversight and system configuration controls.
• Bias monitoring and performance evaluation processes.
• Technical documentation and audit readiness controls.
• Security-by-design and privacy-by-design principles.
Where required by law or contract, we support customers in conducting impact assessments and
compliance evaluations relevant to their deployment environments.
Corsight continuously reviews its governance framework to reflect evolving regulatory requirements and
best practices in AI accountability and biometric data protection. Corsight maintains internal
accountability documentation and records.
Personal data is retained only for as long as necessary for contractual, regulatory, security, audit, or
legitimate business purposes. Retention of operational deployment data is determined by the customer
acting as controller.
As a global organisation operating from Israel, the United Kingdom, and the United States, personal
data may be transferred internationally.
Safeguards may include Standard Contractual Clauses, the UK International Data Transfer Addendum,
adequacy decisions, and appropriate technical and organisational protections. Where required under
applicable data protection law, Corsight implements appropriate transfer safeguards, including the
European Commission's Standard Contractual Clauses and, where applicable, the UK International
Data Transfer Addendum.
Such safeguards are incorporated into contractual arrangements with customers, partners, and affiliates
where personal data is transferred outside the originating jurisdiction without the benefit of an adequacy
decision.
Security measures are implemented in accordance with the risk-based classification requirements
under the Israeli Privacy Protection Regulations (Data Security) 2017.
• Encryption in transit and at rest.
• Role-based access controls and multi-factor authentication.
• Network segmentation and secure development practices.
• Penetration testing, vulnerability management, and incident response procedures.
Where location data or mobile application data is processed, such data is collected only where relevant
to the functionality, security, support, or administration of the relevant service, and subject to applicable
device permissions and legal requirements.
Where Corsight acts as controller, individuals may exercise rights of access, rectification, erasure,
restriction, objection, and portability where applicable. Where required by applicable law, including
Israeli data protection law, Corsight notifies relevant authorities and affected parties of data security
incidents. Where Corsight processes personal data for direct marketing purposes, including B2B
communications, individuals have the right to object at any time to such processing.
Individuals may opt out of marketing communications by using the unsubscribe mechanism included in
communications or by contacting [email protected].
Where Corsight acts as processor, requests must be directed to the relevant controller.
Identity verification is conducted before responding to requests. Requests must include sufficient
information to verify identity and enable the location of relevant records.
Corsight provides biometric matching technology but does not independently make legal or similarly
significant decisions about individuals. Corsight's technology is designed with human-in-the-loop
architecture. It is not designed or structured for fully automated decision-making.
Corsight does not initiate identification actions, issue alerts, or take enforcement decisions regarding
individuals. Deployment decisions remain under customer control and may include human review
mechanisms.
Concerns regarding data processing may be directed to [email protected]. Individuals may lodge
complaints with relevant supervisory authorities including the UK Information Commissioner's Office,
EU supervisory authorities, the Israeli Privacy Protection Authority, or relevant U.S. regulators.
• Corsight AI Ltd (Israel) – Tuval 40, Floor 28, Ramat Gan, 5252247.
• Corsight AI Ltd (United Kingdom) – 30 Old Bailey, London, United Kingdom, EC4M 7AU.
• Corsight AI Inc (United States) – 3 Germay Dr., Unit 4 #2808, Wilmington, DE 19804.
• Email: [email protected].
• Data Protection Officer: Tony Porter OBE QPM LLB.
This Policy may be updated periodically to reflect legal, regulatory, or operational changes. The most
recent version will be published on our website.
Document Control
Version 0.1
Date: 3 March 2026
Document Owner: Corsight Privacy Team
Approved By: Chief Executive Officer
Next Review Date: 28 May 2026