Privacy Policy and Data Processing

Last updated: June 22, 2026

1. Who we are and scope

INTELLIUM Security ("INTELLIUM", "we") provides an AI-powered video surveillance SaaS platform —detection of people, vehicles and objects, license plate recognition (LPR), personal protective equipment (PPE) and, optionally, facial recognition— deployable in the cloud, on customer-owned storage (BYOS) or on-premise. This policy explains what data we process, on what basis, for how long, and what rights apply.

2. Roles: Controller vs. Processor

In most cases, the customer (the company operating the cameras) is the Data Controller and decides what is captured, for what purpose, and who is monitored. INTELLIUM acts as the Data Processor, processing data on behalf of and under the instructions of the customer. With respect to the customer's account data (billing, contact, telemetry), INTELLIUM acts as Controller.

Customer obligation. In accordance with Dominican Republic Law 172-13 and industry practice (Hikvision, Dahua), the customer must obtain express, written consent from individuals where applicable, visibly post signage in monitored areas, and, where facial recognition is used, disclose it explicitly at the point of entry. INTELLIUM provides the tools; the legal basis toward data subjects is the customer's responsibility.

3. Data we process

  • Account data: name, email, company, and contact and billing details of registered users.
  • Detection metadata: timestamps, object classifications (person, vehicle, etc.), sub-labels, zones, line-crossing and PPE events.
  • Images and video: snapshots and clips associated with events, retained according to the customer's configuration.
  • License plates (LPR): plate text and the associated crop.
  • Facial biometric data (optional, opt-in module): when the customer enables Facial Forensic Analysis, faces are immediately converted into irreversible mathematical vectors (embeddings). We do not use the raw photograph as the primary identity method, and it is technologically infeasible to reconstruct a face from the vector. Biometric data is treated as a sensitive category.
  • Operational and technical data: IP addresses, edge-node telemetry, logs and versions, for availability and security.
  • Cookies and analytics: only if configured (Google Analytics 4 uses cookies; Plausible is cookieless).

4. Purposes and permitted uses

Intrusion prevention and physical access control; post-incident forensic analysis; early alerts (SIA DC-09 and push notifications); technical support and compliance with legal obligations. Where the customer enables it and solely with data from their own accounts, curated data is used to improve and retrain our AI models.

5. Prohibited uses

INTELLIUM prohibits using the platform for commercial profiling, social scoring, or the unjustified tracking of individuals. We do not sell or rent biometric or operational data. We do not use one customer's data to train models benefiting another without a legal basis and authorization.

6. Facial recognition: specific safeguards

  • It is optional and can be disabled; processing occurs preferentially at the edge.
  • Faces are only compared against watchlists / persons of interest defined by the customer.
  • INTELLIUM may restrict or disable facial recognition where local law limits it, following industry practice in jurisdictions with biometric-type regulations (e.g. BIPA).
  • We apply measures to mitigate demographic bias in model performance through testing and continuous improvement; we do not claim the complete absence of bias.

7. Retention and destruction

  • Volatile data: events that do not trigger an alert or match a watchlist are automatically overwritten according to the customer's node (typically 24 hours to 7 days).
  • Plan-based retention: other data is kept for the duration of the contracted plan and then deleted.
  • Cryptographic erasure: when an identity is deleted or the service ends, the associated vectors and metadata are destroyed irrecoverably.

8. Infrastructure security

Encryption in transit via TLS 1.3; at rest, AES-256-GCM with an independent key per customer (HKDF derivation) under a zero-knowledge architecture: INTELLIUM staff cannot view images unless the customer grants explicit support permission. Software updates are signed, and edge nodes do not expose video streams (RTSP).

9. Deployment models and sub-processors

  • Cloud: hosted with infrastructure providers (sub-processors) under confidentiality agreements.
  • BYOS (customer-owned storage): media is stored in the customer's own storage.
  • On-premise: data remains on the customer's premises.

We maintain and provide, upon request, the list of sub-processors.

10. International transfers

If the cloud deployment involves processing data outside the customer's country, we apply safeguards (consent where applicable, contractual clauses and technical measures), as required by the GDPR and equivalent industry practices.

11. Data subject rights (Access/Rectification/Erasure / Habeas Data / GDPR)

Requests for access, rectification, cancellation/erasure and objection must be directed to the Controller customer operating the cameras. INTELLIUM provides them with tools in the Forensic Manager to locate, export or destroy an individual's information. In the Dominican Republic, the Habeas Data remedy applies (Law 172-13).

12. Minors, breaches and changes

We do not direct our services to minors. In the event of a security breach, we will notify the affected customer without undue delay so they can meet their notification obligations. We may update this policy; significant changes will be announced via the panel or by email.

13. Contact / Privacy Officer

For legal inquiries, security audits or questions about our ethical AI, write to legal@intelliumsecurity.com.

Reference legal framework: Dominican Republic Law 172-13 (and the Habeas Data remedy); GDPR principles; jurisdictions with BIPA-type biometric regulations. This document is informational and does not constitute legal advice.