PRIVACY POLICY
Internal CRM Application
Effective Date: 3/16/2026
1. Introduction
This Privacy Policy governs the collection, use, and protection of personal and sensitive information within our internal Customer Relationship Management (CRM) application. This application is proprietary software designed exclusively for internal use by authorized employees. It is not a public-facing application, and access is restricted to designated personnel with valid organizational credentials.
By accessing this application, you acknowledge that you have read, understood, and agree to comply with this Privacy Policy and all applicable data protection regulations.
2. Definitions
Personal Data
Any information relating to an identified or identifiable individual, including but not limited to names, contact information, employee IDs, and behavioral patterns.
Biometric Data
Information derived from the user’s physical characteristics, specifically facial features captured through the camera-based authentication system and fingerprint/thumb recognition data used for login verification.
Notification Data
Information contained within in-app notifications and thumb notifications (push notifications), including message content, timestamps, and delivery logs.
3. Data Collection
3.1 Camera-Based Login
Our application uses camera-based facial recognition technology for secure authentication. When you log in:
- Your device’s camera is activated to capture facial images for identity verification
- Facial images are processed locally on your device and converted into encrypted biometric templates
- Raw camera footage is NOT stored or transmitted to servers unless explicitly authorized by the user
- Biometric templates are transmitted securely only for authentication verification
- Login attempts are logged with timestamps for security audit purposes
3.2 Thumb Notifications (Push Notifications)
Thumb notifications are time-sensitive alerts delivered to your device. Data collected includes:
- Notification content and subject matter
- Timestamps of notification delivery and user interaction
- Device information and notification status (delivered, opened, dismissed)
- User engagement metrics related to notifications
3.3 Usage Data
We automatically collect information about how you use the application, including but not limited to: pages accessed, features used, duration of sessions, timestamps, IP addresses (when applicable), and device identifiers.
4. Purposes of Data Processing
We collect and process data for the following purposes:
- Authentication and Access Control – To verify user identity and grant appropriate access to application features
- Security – To maintain system security, detect unauthorized access, and prevent fraud
- Operational Management – To deliver notifications, maintain system functionality, and provide technical support
- Compliance – To meet legal, regulatory, and organizational requirements
- System Improvement – To optimize application performance and user experience
- Audit and Monitoring – To maintain activity logs and security audits
5. Data Retention
Data retention periods are determined by the type of information and operational necessity:
Biometric Data (Facial Recognition)
- Encrypted templates are retained for the duration of the user’s employment or for as long as the account remains active
Login Records and Audit Logs
- Maintained for a minimum of 12 months for security and compliance purposes
Notification Data
- Retained for 6 months unless required longer by organizational policy
Usage Analytics
- Aggregate data retained indefinitely; personally identifiable data anonymized after 12 months
6. Data Security
We implement industry-standard security measures to protect your data:
- End-to-end encryption for biometric data transmission
- Encrypted storage of sensitive information using AES-256 or equivalent
- Secure authentication protocols and multi-factor verification
- Regular security audits and penetration testing
- Access controls limiting data access to authorized personnel only
- Monitoring for unauthorized access attempts and suspicious activity
7. Access and User Rights
7.1 Right to Access
Authorized employees may request to access their personal data held within the CRM system. Requests should be submitted to the Data Protection Officer or designated administrator.
7.2 Right to Correction
You have the right to request correction of inaccurate or incomplete personal data within the system.
7.3 Right to Deletion
Upon termination of employment or account closure, you may request deletion of your personal data, subject to legal retention requirements.
7.4 Right to Opt-Out
You may opt out of receiving thumb notifications through application settings, though certain system-critical notifications may still be sent.
8. Sharing and Disclosure
Data within this internal CRM is not sold, shared, or disclosed to third parties, except in the following circumstances:
- With authorized internal departments for legitimate business purposes
- To law enforcement or regulatory authorities when required by law
- To trusted service providers (vendors) who perform services on our behalf under strict confidentiality agreements
- With system administrators for maintenance, troubleshooting, and security purposes
9. Camera Permissions and Control
Camera usage for facial recognition authentication is governed by the following:
- Camera activation is only initiated when you explicitly attempt to log in
- You maintain control over camera access through your device settings and can revoke permissions at any time
- If camera permissions are denied, alternative authentication methods may be available
- We do not access the camera for any purpose other than authentication
- Camera footage is not recorded, stored, or transmitted beyond the local device processing required for biometric conversion
10. Notification Management
Thumb notifications can be managed through the following methods:
- Toggle notification categories on/off in application settings
- Set quiet hours to reduce disruption
- Configure notification frequency and delivery preferences
- System-critical security and compliance notifications cannot be disabled
11. Third-Party Integrations
This application may integrate with third-party services for specific functionality. Any data shared with third-party providers is governed by their respective privacy policies and data processing agreements. We are responsible for ensuring such providers maintain adequate security and confidentiality standards.
12. Data Breach Notification
In the event of a confirmed data breach involving personal or biometric information, we will:
- Notify affected users immediately upon discovery of the breach
- Provide details about the nature of the breach and the information affected
- Recommend immediate actions to mitigate risk
- Notify regulatory authorities as required by applicable law
13. Compliance with Data Protection Regulations
This Privacy Policy complies with applicable data protection regulations, including but not limited to:
- General Data Protection Regulation (GDPR) – for EU residents
- California Consumer Privacy Act (CCPA) – for California residents
- UK Data Protection Act 2018
- Biometric Information Privacy Act (BIPA) – applicable local biometric regulations
- Other applicable local and national data protection laws
14. Data Processing Agreements
For users covered by GDPR or similar regulations, a formal Data Processing Agreement (DPA) is available upon request. This document outlines specific obligations regarding data processing, security measures, and compliance.
15. Updates to This Privacy Policy
We reserve the right to update this Privacy Policy at any time. Changes will be communicated to users through:
- In-application notifications
- Email notification to registered email addresses
- Updated version displayed within the application
Continued use of the application following notification of changes constitutes acceptance of the updated Privacy Policy.
16. Contact Information
For questions, concerns, or requests regarding this Privacy Policy or your data, please contact:
Email: [email protected]
Address: 144 Charles St, Leicester LE1 1LB, United Kingdom
17. User Acknowledgment
By logging into and using this CRM application, you acknowledge that:
- You have read and understood this Privacy Policy
- You consent to the collection and processing of your data as described herein
- You understand that biometric data (facial recognition) will be used for authentication
- You accept receipt of thumb notifications as part of the application functionality
- You are responsible for maintaining the confidentiality of your login credentials
This document is confidential and for internal use only.
Last Updated: 3/16/2026

