Privacy Policy

1. Who we are

Unlock Retail Limited ("Unlock Retail", "we", "us") is the data controller for personal data described in this policy.

• Registered office: 1 Marylebone High Street, London, W1U 4LZ, United Kingdom
• Privacy contact: privacy@unlockretail.com
• General contact: see our contact page

Unlock Retail provides software and hardware analytics for venues such as retail parks, theme parks and other commercial sites. Our platform helps site operators understand visitor flow, occupancy, zone activity and aggregated audience trends through privacy-conscious analytics. We sell directly to business customers and provide access to a secure web dashboard for approved customer users only.

2. Personal data we collect

From website visitors

• Name, email address, role and organisation when you submit a demo or contact form on unlockretail.com.
• Email address (and your explicit consent record) when you sign up to our newsletter.
• Standard server logs (IP address, browser, pages visited) used for security and aggregated usage measurement.
• Strictly necessary cookies required for session handling and CSRF protection (see §11).

From dashboard / customer users

• Account details (name, work email, role, employer/customer organisation) created when an authorised user is invited by their organisation, signs up, or is added by an existing customer.
• Authentication data (hashed passwords, session tokens).
• Activity logs tied to your account for security and audit.

From the analytics platform

The Unlock Retail platform processes camera-derived signals to produce aggregated visitor counts and demographic trends (e.g. estimated age band, gender, mood). We do not store identifiable images of individuals, and we do not link aggregated analytics to named individuals.

3. Lawful basis for processing

Under UK GDPR Article 6, every processing activity must rely on a lawful basis. We rely on the following:

• Consent — newsletter subscriptions, optional analytics cookies. You can withdraw consent at any time.
• Contract — operating a customer's dashboard account, sending account-related transactional emails, providing the contracted Platform.
• Legitimate interest — responding to demo and contact-form enquiries, server logging for security and abuse prevention, fraud and platform-integrity monitoring. We have assessed that these uses are necessary, proportionate and within reasonable expectation.
• Legal obligation — meeting tax, accounting, fraud-prevention and other statutory record-keeping requirements.

4. How we use personal data

• To respond to demo and contact requests.
• To create, manage and secure customer dashboard accounts.
• To send transactional emails (see §6).
• To provide, support, monitor and improve the Unlock Retail service.
• To meet legal, accounting and security obligations.

5. How accounts are created

Customer dashboard accounts are created in one of three ways:

• An authorised contact at a customer organisation invites a colleague.
• A user submits a demo request and is later set up by Unlock Retail with their employer's permission.
• Unlock Retail support adds a billing or technical contact at the request of an existing customer.

Every account is linked to a specific customer organisation and a defined role.

6. Email communications

Unlock Retail sends transactional emails to users and business contacts where necessary to provide our service. These may include account invitations, email verification, password resets, demo request confirmations, contact form replies, security notifications, billing notices and service-related updates.

We do not use purchased, rented or scraped email lists. We do not send unsolicited bulk email through our transactional email provider. Marketing or newsletter emails are sent on one of the following bases:

• Explicit consent — you ticked the consent box on our newsletter sign-up form.
• Soft opt-in (UK PECR Reg 22(3)) — you submitted a demo or contact request, in which case we may send occasional related product updates. We disclose this at the point of submission and you can unsubscribe at any time.

Every marketing email includes a one-click unsubscribe link. Once you unsubscribe we suppress the address from future marketing for at least 24 months so we don't accidentally re-add you.

7. Recipients and processors

We do not sell personal data. We share personal data only with vetted third-party processors that help us run the service, under written processing agreements. Processor categories include:

• Cloud hosting and infrastructure — provides the servers and managed databases that run our website and Platform.
• Transactional email — delivers account, demo, security and other service emails to your inbox.
• Error monitoring and observability — captures application errors and performance metrics so we can identify and fix issues.
• Payment processing — handles billing for paying customers (where applicable).

We will also disclose personal data where required by law, regulation, valid court order or to protect the rights, property or safety of Unlock Retail, our customers or others.

8. International transfers

Our primary cloud hosting is located in the United Kingdom (London). Where a sub-processor (for example, our transactional email provider) hosts personal data outside the UK or European Economic Area, any such international transfer is protected by appropriate safeguards — typically the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or an adequacy decision recognised by the UK Information Commissioner's Office.

9. Retention

We keep personal data only as long as we need it for the purpose it was collected, plus any period required by law. Specific retention periods include:

• Demo and contact-form enquiries — retained for 24 months from submission, then deleted or anonymised, unless they convert into an active customer relationship.
• Customer dashboard accounts — retained while the account is active and for 12 months after closure for audit, billing and dispute purposes.
• Newsletter subscriptions — retained until you unsubscribe, plus 24 months of suppression-list retention so we can honour your unsubscribe request.
• Server and security logs — retained for 90 days, except where a longer period is required for an active investigation.
• Transactional email delivery records — retained for 12 months for deliverability diagnostics and abuse handling.
• Camera-derived analytics — only aggregated outputs are stored; raw signals are not retained.

10. Security

We apply technical and organisational safeguards described on the security page, including encryption in transit, encryption at rest, role-based access control, hashed passwords and CSRF protections. No system is perfectly secure, but we work to meet industry standards.

11. Cookies and similar technologies

We use a small, minimal set of cookies. We do not use cross-site advertising trackers on our website. The cookies we currently set are:

• XSRF-TOKEN — strictly necessary. Carries the CSRF token used to protect form submissions on our website. Expires at the end of the browser session.
• unlockretail_session — strictly necessary. Identifies your browser session on our website and dashboard. Expires after 2 hours of inactivity, or sooner when you close the browser.
• cc_cookie — strictly necessary. Stores your cookie-consent preferences so we don't have to ask you again on every visit. Expires after 6 months.

If we add optional cookies in the future (for example, web analytics), they will be loaded only after you opt in via our cookie banner. You can review or change your cookie choices at any time via the Manage cookies link in our footer.

12. Your rights

Under UK GDPR you have the following rights in respect of your personal data:

• Access — request a copy of the personal data we hold about you.
• Rectification — ask us to correct inaccurate or incomplete data.
• Erasure — ask us to delete your data where we no longer have a lawful basis to keep it.
• Restriction — ask us to pause processing of your data while a question is resolved.
• Portability — receive certain data in a portable format.
• Objection — object to processing carried out on the basis of legitimate interest.
• Withdraw consent — at any time, where consent is the lawful basis (e.g. newsletter, optional cookies).

To exercise any of these rights, email privacy@unlockretail.com. We will respond within one month of receiving a verifiable request, in line with UK GDPR.

You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) — see ico.org.uk. We would, however, appreciate the chance to address your concern first.

13. Changes to this policy

We may update this policy from time to time. The "last updated" date at the top of this page reflects the most recent change. Material changes will be highlighted on this page or notified to dashboard users where appropriate.

14. Contact

For privacy questions, data requests or complaints, email privacy@unlockretail.com, or write to Unlock Retail Limited, 1 Marylebone High Street, London, W1U 4LZ, United Kingdom.