Site Location Privacy Policy — Starling Technologies

Starling Technologies Ltd – Site Location Privacy Policy

We take your privacy very seriously. Please read this privacy policy carefully as it contains important information on who we are and how and why we collect, store, use and share your personal data. It also explains your rights in relation to your personal data and how to contact us or supervisory authorities in the event you have a complaint.

About Us

We are a UK-based tech company and aim to revolutionise pedestrian safety at pedestrian crossings by reducing the risk of accidents and near-misses. We want pedestrians, vehicles, and cyclists to safely and efficiently share the street and the road, making towns and cities safer and more attractive for all.

We prioritise the safety of pedestrians to make our towns and cities safer and more positive places. We aim to reduce the number of accidents and near misses by creating a more efficient traffic flow of cars and pedestrians. Use of our products and services provides the owners and operators of our cities and towns and their amenities with safer streets and public spaces.

We do not intentionally collect personal data about you, and all data that is collected via our products and services at any site location is immediately rendered anonymous so that no individual can be personally identified. However, as we take privacy matters seriously, this privacy policy covers our processing activities in the very unlikely event that the data collected at our site locations is deemed to be personal data:

Where our data is deemed to be personal data, when we collect and use certain personal data about you, we are responsible for it.

When we process personal data, we are subject to the UK General Data Protection Regulation (UK GDPR). We are also subject to the EU General Data Protection Regulation (EU GDPR) in relation to our wider operations in the European Economic Area (EEA).

Depending on the products and/or services to which our processing relates, we may act as a data controller for the purposes of the UK GDPR and the EU GDPR. We are a data controller when we are responsible for carrying out the processing of your personal data, and for making decisions about how we do so.

We may also be acting as a data processor or sub-processor for the purposes of the UK GDPR and the EU GDPR. This applies when our partners and clients or their customers use our products and services as a tool to help them achieve their goal of a safer and more efficient road and traffic environment, and we are processing personal data and supplying our products and services to them in accordance with their instructions.

Key terms

We thought it would be helpful to start by explaining some key terms used in this privacy policy:

We, us, our

Starling Technologies Ltd, a company registered in England and Wales at Companies House under Company registration number: 1252136, with our registered address at 93 Tabernacle Street, London, England, EC2A 4BA

Our data protection team

Andrew Caleya Chetty - info@starlingtech.co.uk

Personal data

Any information relating to an identified or identifiable individual. Please note that aggregated or statistical data from which we will not be able to identify a person individually is not considered to be personal data

Special category personal data (also known as sensitive data)

Personal data revealing racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs or trade union membership

Genetic and biometric data (when processed to uniquely identify an individual). Ex: height, gait, facial structure.

Data concerning health, sex life or sexual orientation

Data subject

The individual who the personal data relates to

Our Products and Services

Our products and services consist of:

Starling Intelligence - a real-time and playback road user analysis
Starling Detector - a smart kerbside detection with pedestrian data capture for signalised crossings
Starling Control - an AI powered dynamic signal controller, utilising real-time analysis, decisioning and actuation of traffic signalling systems

Our Reliance on Anonymous Data

Our products and services rely on CCTV and video footage that is obtained from the relevant site location.

Depending on the products/services provided by us as per the relevant contract we have with our partner/client, such footage is either provided to us by our partner/client in a blurred format so that no individual can be personally identified, none of their characteristics can be seen, and no vehicle registration numbers can be read.

We may also collect such footage directly via our own CCTV hardware (or via our partner/customer hardware) placed at the relevant site location (with the partner and/or client’s consent). All footage collected is rendered anonymous automatically by our enhanced blurring techniques. This occurs within 0.1 second of the footage being collected. Such anonymous footage is stored securely at the site location and is deleted after 30 days at which point it is transferred to our on-premise service which is located in the UK. Where the anonymous footage is supplied to us directly by our partners/clients, this is directly stored at our on-premise server. At this point, depending on the nature of the products/services performed, we then analyse the anonymous footage to gain insights based on aggregated and anonymous road user data which is then shared with our partners/clients as part of our product/services. This is done through our proprietary technology tracking ‘objects’ contained within the footage. We will also save such anonymous footage on our local web-server based in the UK for our own quality control, monitoring and de-bugging requirements. Such footage is then deleted after 30 days.

Please note that the footage we have in our possession does not allow us or any other third party to identify individuals personally. Our enhanced blurring technique and technical measures render it impossible for a third party to reserve-engineer our footage to ever reveal the individuals or vehicles in such footage.

Please note therefore that anonymous, aggregated or statistical data from which we will not be able to identify a person individually is not considered to be personal data, and that such data is therefore outside the scope of the UK GDPR, the EU GDPR and this privacy policy.

As the data that we process through our products and services is indeed anonymous, aggregated or statistical data, such data is not subject to the UK GDPR or the EU GDPR.

However, as we take privacy matters seriously, we have prepared this privacy policy as a safeguard for individual privacy rights and freedoms in the very unlikely event that the data that we process is indeed deemed to constitute personal data. Such unlikely circumstances in which our anonymous footage could be deemed to be personal data (i.e. where individuals can be personally identified) may result from a change in legislation such as the UK or EU GDPR, or from the very unlikely event that our technical measures to anonymise data are not correctly applied to the footage. Even if this is very unlikely to occur given the high standard of technical processes and measures in place, our commitment to protecting the privacy of individuals leads us to thoroughly consider all possible circumstances, even those which are unlikely to occur.

Machine Learning for Improvement of our Products and Services

Whether we are acting as a data controller, processor or sub-processor, when the anonymous footage reaches our on-premise server in the UK, we may take a copy of the anonymous footage and store it on a separate, secure server which is based in the EEA.

When we do this, it is to allow us to carry out machine learning and AI training of our product and services. We do this so that we can always obtain the most accurate results, as is the case for the development and improvement of any AI-based technologies.

When we retain anonymous and aggregated data for our own machine learning purposes, we then become a data controller of such data when this data is transferred to our machine learning database.

Site locations

As stated above, our products and services rely on CCTV footage and video data which can be obtained from various sites by our partners/clients, and which is shared with us. Also, as noted above, we can also obtain such footage ourselves from CCTV and street cameras placed at various site locations. As noted above, the data we collect is anonymous, meaning no person recorded can be identified from the footage.

This privacy policy therefore applies to any data collected at various site locations (or when it is provided to us by our partners/clients) – and only to the extent that the anonymous data we process is indeed deemed to be personal data under the UK or EU GDPR.

Where required, our partners/clients, or ourselves, ensure that all relevant approvals and authorisations are in place for the placement of CCTV and our products/services at each site location.

For any queries about site location and the relevant data processing activities at that site location, please contact the site owner or manager – i.e., our partner or client (such as the relevant city council, local authority or service provider as indicated on the relevant signage at the location where you scanned the QR Code/obtained the URL link to bring you to this web page).

A list of our site locations is available on request.

Personal data we collect

As stated, we do not intentionally collect personal data, and all data that is collected via our products and services at any site location or supplied to us by our partners/clients is immediately rendered anonymous so that no individual can be personally identified.

However, as we take privacy matters seriously, we have defined the list below of personal data which may potentially be concerned by our processing activities in the very unlikely event that the anonymous data collected were to be deemed personal data:

Gender
Age
Health
Ethnicity
Vehicle registration numbers
Location data (i.e., at the site location where our products and services are in deployment)

How your personal data is collected

We collect most of our data either from our partners/clients when they supply such data sets to us, or directly from video footage obtained via CCTV cameras that are placed at our site locations (either by us directly, or by our partners/customers depending on the product or service implemented). Where required, our partners/clients, or ourselves, ensure that all relevant approvals and authorisations are in place for the placement of CCTV and our products/services at each site location.

How and why we use your personal data

Legitimate Interests

Under data protection law, we can only process personal data if we have a proper reason, e.g., for our legitimate interests or those of a third party.

A legitimate interest is when we have a business or commercial reason to use personal data, so long as this is not overridden by a data subject’s own rights and interests. Despite the fact that the data we process is anonymous and aggregated data, as a precaution, we have carried out an assessment when relying on legitimate interests, to balance our interests against those of any affected data subjects in the event any data we process is ever deemed to be personal data.

The legitimate interests of all parties are likely to be aligned and given the blurring techniques and data anonymisation which is key to our processing activities, the aligned legitimate interests of the parties involved are not likely to outweigh individual privacy rights. Indeed, enhancing pedestrian and cyclist safety management is a key goal for any public space. Road safety is also an important topic for road and street users at large, and with our interests in deploying our proprietary technology (and where applicable, that of our partners), alongside our clients and other partners, we have a legitimate interest to use such technology to achieve these aligned goals.

Machine Learning – Scientific Research

When we carry out machine learning or AI training on the anonymous footage we retain (as set out above), we do so for scientific research purposes. Data protection law says that scientific research should be interpreted in a broad manner including for example technological development and privately funded research.

We do not carry out any automated decision making or profiling about individuals that produces legal effects concerning you or similarly significantly affects data subjects.

The table below explains what we use personal data for and why.

What we use your personal data for:

Our reasons - Providing our products and services

For our legitimate interests or those of a third party, i.e. to make sure we can deliver our service and products pursuant to applicable contractual obligations with our partners and clients, with the overall aim of improving road safety and efficiency

Our reasons - Preventing and detecting fraud against you or us

For our legitimate interests or those of a third party, i.e. to minimise fraud that could be damaging for you and/or us

Our reasons - Ensuring business policies are adhered to, e.g. policies covering security, archive and back-up

For our legitimate interests or those of a third party, i.e. to make sure we are following our own internal procedures so we can deliver the best and most secure service and products

Our reasons - Operational reasons, such as improving efficiency, training and quality control

For our legitimate interests or those of a third party, i.e. to be as efficient as we can so we can deliver the best service and products

Our reasons - Statistical analysis and machine learning to help us manage and improve our business, e.g. in relation our product and services quality and range

For our legitimate interests or those of a third party, i.e. to be as efficient as we can so we can deliver the best service and products; and to carry out processing on the basis of the scientific research exception set out above

Our reasons - Preventing unauthorised access and modifications to systems

For our legitimate interests or those of a third party, i.e. to prevent and detect criminal activity that could be damaging for us

Our reasons - Ensuring safe road use and practices

For our legitimate interests or those of a third party, e.g. to make sure we are furthering the aligned goals of road safety and efficiency, as further described above

Our reasons - External audits and quality checks, e.g. for ISO or accreditations

For our legitimate interests or a those of a third party, ie to obtain or maintain our accreditations so we can demonstrate we operate at the highest standards

Special Category Personal Data (also known as Sensitive Data)

As noted above, we do not intentionally collect personal or sensitive data, and all data that is collected via our products and services at any site location or supplied to us by our partners/clients is immediately rendered anonymous so that no individual can be personally identified.

However, as we take privacy matters seriously, in the very unlikely event that the anonymous data collected were to be deemed sensitive, we will also ensure we are permitted to process such special category personal data under applicable data protection laws. This includes where we are entitled to process sensitive data, where we have a data subject’s explicit consent, where the processing is necessary to protect a data subject’s vital interests, where the data subject is physically or legally incapable of giving consent or where processing is necessary to establish, exercise or defend legal claims.

For the purposes of our machine learning and AI training activities, we rely on the scientific research rule as described above. This means that we are able to process sensitive data without consent of the data subjects for our machine learning and AI training purposes.

When we are processing data on behalf of our partners/clients, as such partners are usually local authorities or city councils, the processing of sensitive data is necessary for reasons of substantial public interest to ensure public road safety, reduce accidents and issues, and improve efficiency and congestion issues, and also for our partners/clients’ scientific research and statistical purposes carried out in the public interest. For more information on our client/partner’s basis for processing sensitive data, please contact them using the relevant details on the signage available at the relevant site location.

Marketing

We do not carry out any marketing activities using personal data processed pursuant to our site location processing activities. We will always treat your personal data with the utmost respect and never sell it with other organisations outside Starling Technologies Ltd for marketing purposes.

Who we share your personal data with

We routinely share data with:

our partners and clients pursuant to the contractual relationship we have with them;
third parties we use to help deliver our services and products, such as cloud storage providers, developers, and technical specialists; and
other third parties we use to help us run our business, e.g. our lawyers and partners (where we provide our products and services in combination with those provided by another party).

We only allow our service providers, partners and clients to handle any data we share with them if we are satisfied that they take appropriate measures to protect such data. We also impose contractual obligations on service providers to ensure they can only use such data to provide services to us.

We may also need to:

share such data with external auditors, such as for any ISO certifications we may obtain;
disclose and exchange information with law enforcement agencies and regulatory bodies to comply with our legal and regulatory obligations;
share data with other parties, such as potential buyers of some or all of our business or during a restructuring—usually, information will be anonymised but in the even that this is not possible, the recipient of the information will be bound by confidentiality obligations.

If you would like more information about who we share our data with and why, please contact us (see ‘How to contact us’ below).

Where your personal data is held

All data processed or arising out of or in connection with our products and services may be held at our offices and those of our clients, partners, service providers, representatives and agents as described above. In the very unlikely event that our anonymous data is indeed deemed to be personal data, we are subject to various restrictions when sharing personal data with third parties, and we will always ensure relevant safeguards are in place (see above: ‘Who we share your personal data with’).

Some of these third parties may be based outside the UK/EEA. For more information, including on how we safeguard data (including where any anonymous data is deemed to be personal data) when this happens, see below: ‘Transferring your personal data out of the UK and EEA’.

How long your personal data will be kept

We will keep all data for as long as is necessary to achieve our overall purpose but not beyond that point. In the unlikely event our anonymous data is deemed to contain personal data, we will keep such personal data for as long as is necessary:

to respond to any questions, complaints or claims made by a data subject or on their behalf;
to show that we treated data subjects fairly;
to keep records required by law; and
to provide our product/services to our partners/clients.

We will not keep any personal data for longer than necessary. As noted above, most data we obtain is deleted 30 days after being collected at an on-site location and 30 days thereafter once it has been transferred to our on-premise solution.

When we are acting as data controller of the anonymous footage that we retain on a separate EEA-based server for our machine learning and AI training activities (on the basis of the scientific research rule), even if such anonymous data were ever to be deemed to be personal data, we are entitled to retain such data for as long as is necessary to achieve our machine learning and AI training purpose, and do not have to delete such data if doing so would render this activity impossible, or would seriously impair it.

Transferring your personal data out of the UK and EEA

All of our data is stored within the UK/EEA. However, to provide our products and services, it is sometimes necessary for us to share our data outside the UK/EEA, e.g.:

with our partners, clients and other companies located outside the UK/EEA;
with our service providers located outside the UK/EEA; or
if site locations or data subjects are based outside the UK/EEA.

In the very unlikely event that the anonymous data collected were to be deemed personal data, data protection laws state that can only transfer personal data to a country or international organisation outside the UK/EEA where:

the UK government or, where the EU GDPR applies, the European Commission has decided the particular country or international organisation ensures an adequate level of protection of personal data (known as an ‘adequacy decision’);
there are appropriate safeguards in place, together with enforceable rights and effective legal remedies for data subjects; or
a specific exception applies under data protection law

These are explained below.

Adequacy decision

We may transfer personal data to certain countries, on the basis of an adequacy decision. These include:

all European Union countries, plus Iceland, Liechtenstein and Norway (collectively known as the ‘EEA’);
Gibraltar; and
Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay.

The list of countries that benefit from adequacy decisions will change from time to time. We will always seek to rely on an adequacy decision, where one exists.

Other countries to which we may transfer personal data do not have the benefit of an adequacy decision. This does not necessarily mean they provide poor protection for personal data, but we must look at alternative grounds for transferring the personal data, such as ensuring appropriate safeguards are in place or relying on an exception, as explained below.

Transfers with appropriate safeguards

Where there is no adequacy decision, we may transfer personal data to another country if we are satisfied the transfer complies with data protection law, appropriate safeguards are in place, and enforceable rights and effective legal remedies are available for data subjects. The safeguards will usually include using legally-approved standard data protection contract clauses.

To obtain a copy of the standard data protection contract clauses and further information about relevant safeguards, please contact us (see ‘How to contact us’ below).

Transfers under an exception

In the absence of an adequacy decision or appropriate safeguards, we may transfer personal data to a third country or international organisation where an exception applies under relevant data protection law, e.g.:

the transfer is necessary for a contract in the data subject’s interests, between us and another person/party; or
the transfer is necessary to establish, exercise or defend legal claims

We may also transfer information for the purpose of our compelling legitimate interests, so long as those interests are not overridden by your interests, rights and freedoms. Specific conditions apply to such transfers and we will provide relevant information if and when we seek to transfer personal data on this ground.

Further information

If you would like further information about data transferred outside the UK/EEA, please contact us (see ‘How to contact us’ below).

Your rights

If you are usually resident in the UK or in the EEA, you have the following rights in respect of your personal data, which you can exercise free of charge:

Access The right to be provided with a copy of your personal data

Rectification The right to require us to correct any mistakes in your personal data

Erasure (also known as the right to be forgotten) The right to require us to delete your personal data—in certain situations

Restriction of processing The right to require us to restrict processing of your personal data in certain circumstances, eg if you contest the

accuracy of the data

Data portability The right to receive the personal data you provided to us, in a structured, commonly used and machine-readable format

and/or transmit that data to a third party—in certain situations

To object The right to object:

—at any time to your personal data being processed for direct marketing (including profiling);

—in certain other situations to our continued processing of your personal data, e.g. processing carried out for the

purpose of our legitimate interests.

Not to be subject to automated individual The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal decision making effects concerning you or similarly significantly affects you

For further information on each of those rights, including the circumstances in which they apply, please contact us (see ‘How to contact us’ below) or see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights.

If you would like to exercise any of those rights, please:

email, call or write to us—see below: ‘How to contact us’; and
provide enough information to identify yourself and any additional identity information we may reasonably request from you (due to the anonymisation techniques as due to the fact we cannot identify you, we might require various details such as which site location you have visited, and the time/date/period of your visit/length of time at the site location);
let us know what right you want to exercise and the information to which your request relates.

Please note that we may not be able to comply with your request where doing so requires us to send you any underlying footage which may include personally identifiable data subjects other than yourself, as we need to protect their privacy. If this is the case, we will inform you in writing of this fact.

Keeping your personal data secure

We have appropriate security measures to prevent data (including to the extent such data contains information that may be deemed to be personal data) from being accidentally lost, used or accessed unlawfully. We limit access to such data to those who have a genuine business need to access it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

We also have procedures in place to deal with any suspected data security breach. We will notify data subjects and any applicable regulator of a suspected data security breach where we are legally required to do so.

How to complain

Please contact us if you have any query or concern about our use of your information (see below ‘How to contact us’). We hope we will be able to resolve any issues you may have.

You also have the right to lodge a complaint with the Information Commissioner or if you are usually resident in the EEA, with any relevant European data protection supervisory authority. The Information Commissioner may be contacted at https://ico.org.uk/make-a-complaint or telephone: 0303 123 1113.

Changes to this privacy policy

This privacy notice was first published on 16th August 2021 and last updated on16th August 2021.

We may change this privacy notice from time to time—when we do so, we will inform you via this webpage.

How to contact us

Individuals in the UK

You can contact us and/or our Data Protection Team by post, e-mail or telephone if you have any questions about this privacy policy or the information we hold about you, to exercise a right under data protection law or to make a complaint.

Our contact details are shown below:

Our contact details Our Data Protection Team’s's contact details

Starling Technologies Ltd - 93 Tabernacle Street, London, England, EC2A 4BA Email address: info@starlingtech.co.uk

Andrew Caleya Chetty

Individuals in the EEA

We have appointed Andrew Caleya Chetty to be our data protection representative within the EEA. Their contact details are info@starlingtech.co.uk.

Individuals within the EEA can contact us direct (see above) or contact our European representative.