PRIVACY POLICY (RACK Reporting)
Last Updated: June 2026
This Privacy Policy explains how our incident recording application (“the Application”, “we”, “us”, or “our”) collects, uses, shares, and retains personal data. This policy applies to businesses using our platform (Retailers), individuals reporting incidents, and individuals identified as subjects or suspects in relation to an incident.
1. Information We Collect
We collect information necessary to record, investigate, and process retail incidents (such as theft, abuse, or property damage). This may include:
Retailer & Reporter Data: Name, business contact details, role, and log-in credentials.
Incident Details: Time, date, location, and description of the event.
Subject / Suspect Data: Names, physical descriptions, identifiers, and visual evidence (such as CCTV stills or video footage) submitted by the Retailer.
2. How We Use and Share Your Data (Police Reporting)
Our primary purpose is to help retailers log and manage workplace incidents. However, we also support public safety and crime prevention.
Law Enforcement Threshold: Data submitted to the Application will be assessed against a specific severity and evidentiary threshold. Where an incident meets this threshold, the relevant data will be securely shared with the UK Police for the prevention and detection of crime.
Retailer Opt-Out
Retailers retain control over their reporting preferences. You can opt out of automated or platform-facilitated police reporting at any time through your account settings or by contacting our support team. If you opt out, your logged incidents will remain strictly within your private dashboard unless we are legally compelled to disclose them.
3. Lawful Bases for Processing
Under the UK GDPR, we rely on the following legal grounds to process this data:
Legitimate Interests: To enable retailers to protect their staff, assets, and business premises, and to facilitate the establishment or defense of legal claims.
Substantial Public Interest: Where we process “criminal offence data” (information about suspected offenses), we do so under the lawful basis of preventing and detecting unlawful acts (Data Protection Act 2018, Schedule 1).
4. Data Retention and Automated Reviews
We do not hold onto data indefinitely. We maintain a strict review cycle to ensure data minimized:
Annual Review: We review all stored incident and personal data every 12 months. If there is no longer a valid legal or business reason to keep the information, it will be securely and permanently deleted.
Maximum Retention: Data that no longer serves a live investigative or legal purpose will be purged during these annual cycles.
5. Your Rights (Subjects and Suspects)
If you are an individual who has been identified as a subject or suspect in an incident report, you have specific rights under UK data protection law, including the right to request the deletion of your data (the “Right to Erasure”).
Deletion Requests
How to Apply: You can submit a deletion request directly to our Data Protection Officer.
The Legitimate Interest Test: Upon receiving a request, we will evaluate whether we have an overriding legitimate business or legal interest to retain the data (for example, if the data is actively being used by a retailer for a legal dispute, or if it is part of an active police investigation).
21-Day Turnaround: If no overriding legitimate interest exists, we will completely fulfill your deletion request within 21 days of receiving it. We will notify you once the deletion is complete.
6. Security
We implement robust technical and organizational measures to protect your data, including end-to-end encryption for data in transit, secure access controls for retailers, and encrypted storage protocols.
7. Contact Us
If you have any questions about this Privacy Policy, or if you wish to exercise your data rights, please contact our Data Protection Team at:
Email: legal@rackreporting.com
