Privacy Policy

Effective Date: March 19, 2026  ·  Supersedes: All prior versions

1. Key Definitions

The following terms are used throughout this Policy, derived from GDPR Article 4, CCPA, and other authoritative sources:

• Personal Data - any information relating to an identified or identifiable natural person, including name, identification number, location data, online identifier, or factors specific to physical, physiological, genetic, mental, economic, cultural, or social identity.
• Sensitive Personal Information - data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for identification, health data, or data concerning sexual orientation.
• Processing - any operation performed on personal data, such as collection, recording, organization, storage, adaptation, retrieval, use, disclosure, combination, restriction, erasure, or destruction.
• Data Controller - the natural or legal person that determines the purposes and means of personal data processing.
• Data Processor - the natural or legal person that processes personal data on behalf of the Data Controller.
• Subprocessor - a third party engaged by a Data Processor to process personal data on behalf of the original Data Controller.
• Data Subject - an identified or identifiable natural person whose personal data is processed.
• Consent - freely given, specific, informed, and unambiguous indication of a data subject's agreement to the processing of their personal data.
• Data Breach - a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

2. Parties and Roles

2.1 IncoreSoft's Role

Depending on the context, IncoreSoft may act in different capacities under applicable data protection laws:

• Data Controller - when we determine the purposes and means of processing personal data (e.g., when you visit our website, create an account, register for events, or apply for employment).
• Data Processor - when we process personal data on behalf of our customers in connection with our AI video analytics products and services, strictly in accordance with their instructions and written agreements.
• Subprocessor - when we process personal data on behalf of a processor (such as a partner or reseller) acting on behalf of an original Data Controller. In such cases, data subject rights may be governed by the original Data Controller's privacy policy.

Our customers who deploy IncoreSoft products are typically the Data Controllers for any video data and personal data processed through our systems. Each customer is independently responsible for ensuring the lawfulness of their data processing activities, including conducting Data Protection Impact Assessments (DPIAs) where required.

2.2 Data Controller Responsibilities

When acting as Data Controller, IncoreSoft is responsible for:

• Ensuring personal data is processed lawfully, fairly, and transparently
• Collecting only necessary personal data and maintaining its accuracy
• Retaining personal data only as long as necessary for the specified purpose
• Implementing appropriate technical and organizational safeguards
• Facilitating data subject rights as described in Section 8

2.3 Data Processors and Subprocessors

When acting as Processor or Subprocessor, IncoreSoft:

• Processes personal data only per documented Data Controller instructions
• Ensures authorized personnel are bound by confidentiality obligations
• Implements appropriate technical and organizational safeguards
• Engages sub-processors only with prior Data Controller authorization
• Assists Data Controllers in fulfilling obligations regarding security, breach notification, and data subject rights
• Notifies Data Controllers without undue delay upon discovering personal data breaches

2.4 Categories of Data Processors Engaged by IncoreSoft

We may engage third-party service providers to assist with personal data processing, including:

• Cloud Storage and Infrastructure Providers
• Email Service Providers
• Payment Processors
• Analytics Providers
• Customer Support Platforms

A current list of specific data processors and subprocessors is available upon request at privacy@incoresoft.com.

2.5 Partner and Reseller Responsibilities

Partners and resellers who market, implement, or support our Services may act as Data Controllers or Data Processors depending on the service model. They are contractually required to:

• Fulfill all legal obligations applicable to their designated role under data protection law
• Limit personal data access to what is necessary and ensure personnel are trained and confidentiality-bound
• Promptly notify IncoreSoft of incidents, data breaches, or supervisory authority requests
• Cooperate with IncoreSoft and customers to facilitate data subject requests and regulatory investigations

2.6 Data Protection Officer (DPO)

IncoreSoft has designated a Data Protection Officer responsible for overseeing our data protection strategy and ensuring compliance with applicable data protection laws. For privacy inquiries or to exercise your rights, contact the DPO at privacy@incoresoft.com.

2.7 Children's Data

We do not knowingly collect personal data from children under the age of 16 (or the applicable minimum age in your jurisdiction). If we become aware that we have collected data from a child without appropriate parental consent, we will take steps to delete such information promptly. Parents or guardians who believe their child has provided personal data to IncoreSoft may contact us to request its removal.

3. Legal Basis for Processing

We process personal data only when we have a lawful basis to do so, including:

• Consent - you have given clear, informed consent for a specific purpose (e.g., subscribing to newsletters or enabling optional features). You may withdraw consent at any time without affecting the lawfulness of prior processing.
• Contract Performance - processing is necessary to fulfill a contract with you or to take pre-contractual steps at your request.
• Legal Obligation - processing is required to comply with applicable laws and regulations.
• Legitimate Interests - processing is necessary for our legitimate business interests (e.g., improving our products, ensuring security, preventing fraud, business analytics), provided these interests do not override your fundamental rights and freedoms.
• Vital Interests - processing is necessary to protect someone's life or physical safety.
• Public Interest - processing is necessary for a task carried out in the public interest or in the exercise of official authority, where applicable.

4. Categories of Personal Data We Collect

We may collect and process the following categories of personal data:

4.1 Information You Provide Voluntarily

• Name, job title, and company/organization details
• Email address, phone number, and mailing address
• Account credentials and preferences (language, notification settings)
• Billing and payment information (e.g., masked credit-card data, billing address, transaction history)
• Support requests and correspondence
• Event registration details
• Feedback, survey responses, and testimonials
• Employment and recruitment information (CV/résumé, qualifications, references, interview notes)

4.2 Information Collected Automatically

• IP address and approximate geolocation
• Browser type, operating system, and device information
• Pages visited, time spent, and navigation paths on our website
• Cookies and similar tracking technologies (see our Cookie Policy)
• Referral source and search terms

4.3 Information Related to Our Products

• System usage data, license information, and product telemetry
• Error logs and crash reports for product improvement
• Feature usage statistics (anonymized where possible)

We do not intentionally collect special categories of personal data (as defined in Article 9 of the GDPR) through our website or marketing activities. We do not sell sensitive personal information as defined under CCPA. We do not access or track precise geo-location data unless you expressly consent to such collection.

5. How We Use Your Data

We use personal data for the following purposes:

• Service Delivery & Account Management - to provide, maintain, and improve our products and services, and to manage user accounts and contractual obligations
• Communication & Support - to respond to inquiries, provide technical support, manage incidents, and send service-related notifications
• Marketing - to send newsletters, product updates, and promotional materials (only with your consent, with opt-out available at any time)
• Analytics & Product Improvement - to analyze usage and feedback, improve user experience, and develop new features
• Security & Fraud Prevention - to detect, prevent, and address fraud, abuse, and security incidents
• Legal Compliance - to comply with applicable laws, regulations, legal processes, and regulatory obligations
• Business Operations - to manage contracts, billing, business relationships, audits, and quality assurance
• Recruitment & Employment - to assess and manage job applications, interviews, onboarding, and employment administration
• Event Management - to manage registrations, attendance, and program participation

If we wish to use your data for purposes not described in this Policy, we will provide notice or obtain your consent before doing so.

6. How We Share Your Data

We may share personal data with the following categories of recipients:

• Partners and Distributors - when you request information about our products, we may redirect your inquiry to authorized partners or distributors. Information about our partner network is available at incoresoft.com/partners.
• Service Providers - third-party vendors who assist us with hosting, analytics, email delivery, customer support, and other operational functions. These providers are contractually bound to protect your data and process it only for specified purposes.
• Legal Authorities - when required by law, court order, or governmental request.
• Business Transfers - in the event of a merger, acquisition, reorganization, or sale of assets, your data may be transferred to the successor entity.

We do not sell, rent, or trade your personal information to third parties for their independent marketing purposes. We do not sell or share personal information as defined under the CCPA, including for cross-context behavioral advertising. We do not offer financial incentives in exchange for the collection, sale, or retention of personal data.

7. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this Policy, unless a longer retention period is required or permitted by law. Specific retention periods include:

• Account data - retained for the duration of the business relationship and up to 12 months after account closure or contract termination
• Marketing data - retained for 6 months after you cease to be a potential consumer of our products and services, or until you withdraw consent
• Website analytics data - retained in anonymized form for up to 26 months
• Support correspondence - retained for up to 3 years after resolution
• Recruitment data - retained for up to 12 months after application decision, unless you consent to longer retention
• Legal and compliance data - retained as required by applicable law

When personal data is no longer needed, we securely delete or anonymize it.

8. Your Rights

Under applicable data protection laws (including the GDPR), you have the following rights regarding your personal data:

• Right to Be Informed - receive clear information about how your personal data is collected and used, as provided in this Privacy Policy
• Right of Access - request a copy of the personal data we hold about you
• Right to Rectification - request correction of inaccurate or incomplete data
• Right to Erasure ("Right to Be Forgotten") - request deletion of your personal data, subject to legal obligations
• Right to Restriction of Processing - request that we limit how we use your data
• Right to Data Portability - receive your data in a structured, commonly used, machine-readable format and transmit it to another controller
• Right to Object - object to processing based on legitimate interests or for direct marketing purposes
• Right to Withdraw Consent - withdraw consent at any time without affecting the lawfulness of prior processing
• Right Not to Be Subject to Automated Decision-Making - not be subject to decisions based solely on automated processing that produce legal or similarly significant effects
• Right to Lodge a Complaint - file a complaint with your local data protection supervisory authority

To exercise any of these rights, please contact us at privacy@incoresoft.com. We may require identity verification before processing your request. We will respond within 30 days, as required by law.

Please Note: Where IncoreSoft acts as Data Processor or Subprocessor on behalf of a Data Controller (such as a customer, partner, or reseller), data subject rights requests must be submitted to the relevant Data Controller. We will promptly notify and assist the Data Controller in responding to your request. If you are unsure who the Data Controller is for your personal data, contact us and we will make reasonable efforts to direct your inquiry to the appropriate Controller.

9. Consent

9.1 Obtaining Consent

Where personal data processing is consent-based, we obtain explicit consent prior to collecting or processing your personal data for those specific purposes. You may be asked to provide consent when subscribing to marketing communications, participating in surveys, or enabling optional product features.

9.2 Withdrawal of Consent

You have the right to withdraw your consent at any time. Withdrawing consent does not affect the lawfulness of processing carried out prior to withdrawal. To withdraw consent, contact us at privacy@incoresoft.com, or use any opt-out mechanisms provided within relevant communications or Services.

9.3 Consequences of Withdrawing Consent

Withdrawing consent may affect the availability or quality of certain Services or features that rely on such consent. We will inform you of any impact at the time of your request.

9.4 Marketing Communications

We only use personal data for direct marketing where you have provided consent or where legally permitted. You may opt out of marketing communications at any time by following the unsubscribe instructions in any communication, adjusting your account settings, or contacting us.

10. California Residents - CCPA/CPRA Rights

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

• Right to Know - request disclosure of the categories and specific pieces of personal information we have collected
• Right to Delete - request deletion of your personal information
• Right to Correct - request correction of inaccurate personal information
• Right to Opt-Out - opt out of the sale or sharing of your personal information
• Right to Limit Use of Sensitive Personal Information - request that we limit the use and disclosure of sensitive personal information to only what is necessary
• Right to Non-Discrimination - not be discriminated against for exercising your privacy rights

IncoreSoft does not sell or share personal information for cross-context behavioral advertising. We do not use or disclose sensitive personal information for any purpose other than those permitted by the CCPA (such as providing services, ensuring security, or legal compliance). We do not offer financial incentives in exchange for the collection of personal data.

To exercise your CCPA/CPRA rights, contact us at privacy@incoresoft.com. Authorized agent requests may require written authorization.

11. International Data Transfers

IncoreSoft operates globally and may transfer your personal data to countries outside the European Economic Area (EEA), the United Kingdom, Switzerland, or your country of residence. When we transfer data internationally, we implement appropriate safeguards including:

• Standard Contractual Clauses (SCCs) - approved by the European Commission or other competent authority
• Adequacy Decisions - transfers to countries recognized as providing adequate data protection
• Binding Corporate Rules (BCRs) - where applicable
• Contractual Protections - binding agreements with partners and service providers requiring equivalent data protection standards

For SCC-based transfers, we regularly review supplementary measures and conduct transfer impact assessments to ensure ongoing adequacy and compliance with EEA, UK, and Swiss requirements.

IncoreSoft complies with the EU General Data Protection Regulation (GDPR) 2016/679 and ensures that all international data transfers meet the standards set forth by applicable regulations.

Upon request, we will provide further information regarding the international transfer mechanisms used and, where possible, make relevant safeguard copies available.

12. Video Data and AI Analytics

As a provider of AI-powered video analytics solutions, IncoreSoft processes video data exclusively in our capacity as a Data Processor on behalf of our customers (Data Controllers). Key principles:

• Video streams from surveillance cameras that enable automatic recognition of individuals are considered personal data under the GDPR.
• Each customer must independently assess the legal basis for deploying video surveillance, including conducting Data Protection Impact Assessments (DPIAs) for each camera installation.
• IncoreSoft processes video data strictly in accordance with written customer agreements and applicable data protection laws.
• We are responsible for ensuring the security and integrity of video data processing, and we implement all reasonable measures to guarantee maximum confidentiality and cyber protection.
• IncoreSoft does not have independent access to customer data repositories and does not retain video data beyond the scope of our processing agreements.
• Customers must independently evaluate and balance the impact of video surveillance on privacy rights against the legitimate purposes of their deployment (e.g., security, crime prevention, safety).

We do not use automated decision-making or profiling that produces legal or similarly significant effects on individuals, unless specifically disclosed with the required safeguards in place.

13. Cookies and Tracking Technologies

Our website uses cookies and similar technologies to analyze traffic, remember preferences, and improve your browsing experience. For detailed information about the cookies we use and how to manage them, please refer to our Cookie Policy.

We do not identify users solely by their IP address. However, we may combine automatically collected data with information you provide voluntarily to personalize your experience.

You can control cookie preferences through your browser settings. Please note that disabling certain cookies may affect the functionality of our website.

Do-Not-Track Signals

Some browsers offer "Do Not Track" (DNT) features. Our Services currently do not respond to DNT signals, as there is no uniform industry interpretation standard.

Social Media Features

Our Services may allow you to interact via third-party social networks. Social plugins (such as "Like" or "Share" buttons) may transmit data to the respective network when activated. We encourage you to review your social network's privacy controls for more information.

14. Participation in Events

By participating in IncoreSoft events, you acknowledge that:

• IncoreSoft may take photographs and record audio/video during events held in public or semi-public venues.
• Your image and voice may be captured in such recordings.
• These materials may be used in presentations, marketing materials, social media, publications, and educational content.

For individuals who are interviewed, speak at events, or otherwise actively contribute, we request explicit consent for the use of personal data. Consent is confirmed upon event registration.

If you do not wish your personal data to be used in this manner, you have the right to withdraw consent at any time by contacting us at privacy@incoresoft.com.

15. Data Protection Measures

IncoreSoft employs comprehensive security measures to protect your personal data:

Technical Measures

• Data encryption at rest and in transit (SSL/TLS)
• Access controls, role-based permissions, and identity management
• Multi-factor authentication for critical systems
• Firewalls and intrusion detection/prevention systems
• Data anonymization or pseudonymization, where appropriate
• Regular vulnerability assessments, penetration testing, and security patch management

Administrative Measures

• Formal information security and privacy policies, subject to regular review
• Ongoing security awareness and privacy training for employees and contractors
• Clearly defined roles and responsibilities for data protection and incident response
• Incident response and data breach notification procedures
• Vendor and third-party risk management, including due diligence and contractual obligations
• Data Protection Impact Assessments (DPIAs) conducted for high-risk processing activities

Physical Measures

• Secure data center facilities with environmental controls (fire suppression, power redundancy, climate control)
• Restricted physical access to servers and infrastructure
• Secure disposal of hardware and media containing personal data

The effectiveness of these measures is subject to ongoing monitoring, testing, and continuous improvement to address emerging threats and vulnerabilities. While we strive to protect your personal data, no method of transmission over the Internet or electronic storage is 100% secure.

16. User Security Considerations

Security is a shared responsibility. While IncoreSoft implements robust security measures, your actions also play a critical role in protecting personal data.

User Responsibilities

• Maintain the confidentiality and security of your account credentials, including passwords and authentication tokens
• Promptly update passwords if you suspect unauthorized access or compromise
• Immediately notify IncoreSoft of any actual or suspected unauthorized access or security incidents
• Use Services only in accordance with applicable laws and any instructions provided by your organization

Security Best Practices

• Use strong, unique passwords for your account and change them regularly
• Enable multi-factor authentication (MFA) wherever available
• Keep your software, operating systems, and applications up-to-date
• Be vigilant against phishing attacks - do not click unknown or suspicious links
• Review account activity and monitor for unauthorized access

For security concerns or incident reporting, contact us at privacy@incoresoft.com.

17. Third-Party Links and Services

Our website and products may contain links to third-party websites, applications, and services not owned or controlled by IncoreSoft. We are not responsible for the privacy practices, data protection measures, or content of these third parties. We encourage you to review the privacy policies of any third-party services before providing personal information.

Links to third-party resources do not constitute endorsement of their content or practices. To the maximum extent permitted by law, IncoreSoft disclaims responsibility for any loss or damage arising from the use of third-party links, integrations, or services.

18. Regulatory Compliance

IncoreSoft is committed to compliance with applicable data protection regulations and recognized industry standards, including:

• GDPR - EU General Data Protection Regulation (2016/679)
• UK GDPR - UK General Data Protection Regulation and Data Protection Act 2018
• CCPA/CPRA - California Consumer Privacy Act and California Privacy Rights Act
• PIPEDA - Personal Information Protection and Electronic Documents Act (Canada)
• Ukrainian Data Protection Law - Law of Ukraine "On Protection of Personal Data"
• OECD Guidelines - on the Protection of Privacy and Transborder Flows of Personal Data
• ISO/IEC 27001:2022 - Information Security Management controls and practices
• ISO/IEC 27701:2019 - Privacy Information Management System (PIMS) framework

Where local laws impose stricter requirements, we comply with the higher standard. Our practices are regularly reviewed and updated to align with evolving legal requirements and best practices.

For additional information about our compliance efforts, contact us at privacy@incoresoft.com.

19. Privacy Policy Updates

We may update this Privacy Policy periodically to reflect changes in our practices, technologies, or legal requirements. When we make significant changes, we will:

• Post a prominent notice on our website or within our Services
• Update the "Effective Date" at the top of this page
• Send email notification to registered users where appropriate
• Provide a summary of material changes

We encourage you to review this Policy regularly. Your continued use of our website and services after changes are posted constitutes your acceptance of the updated Policy. If you disagree with any changes, you may discontinue use of our Services and request account deactivation by contacting us.

20. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

Privacy & DPO Inquiries:privacy@incoresoft.com
General Inquiries:incoresoft.com/contacts

For GDPR-related concerns, you also have the right to lodge a complaint with your local data protection supervisory authority in your habitual residence, place of work, or place of the alleged infringement.