Privacy Policy
Version 1.0 · Effective date: 21 June 2026
This Privacy Policy explains how Rodella UK Ltd, trading as "Pariah" ("Pariah", "we"), handles personal data for which we are the controller — namely data about visitors to our website, people who enquire about or use our Platform, and our customers' account and billing contacts.
Important — two different roles. When our customers use the Platform to process facial images and biometric templates of individuals at their premises, the customer is the data controller and Pariah acts as a processor on their behalf. That processing is governed by our Data Processing Agreement (/legal/dpa), not this Policy. If you have been recorded by a venue using Pariah, please contact that venue to exercise your rights; we will support them as processor.
1. Who we are
Controller: Rodella UK Ltd, trading as "Pariah", company no. 14860294, registered office 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom. ICO registration: ZC171346 (registered with the Information Commissioner's Office; renews annually). Company contact: mail@rodella.xyz. Data protection contact: dpo@pariah.dev (or privacy@pariah.dev).
2. What we collect (as controller)
- Account data — name, work email, username, role, organisation, company number/verification status.
- Billing data — plan, transaction records, card metadata (brand/last four). Full card details are handled by Stripe; we do not store full card numbers.
- Usage and technical data — log data, device/app information, IP address, and diagnostics needed to run and secure the service.
- Communications — enquiries, support requests, and marketing preferences.
- Website/cookies — see our Cookie Policy (/legal/cookies).
We do not act as controller of the end‑subject facial/biometric data processed through the Platform on our customers' behalf.
3. Why we use it and our lawful basis (UK GDPR Article 6)
| Purpose | Lawful basis |
|---|---|
| Providing and securing the Platform; managing your account | Performance of a contract |
| Billing, fraud prevention, company verification | Contract; legitimate interests; legal obligation |
| Service emails (verification, security, billing) | Contract / legitimate interests |
| Product analytics and improvement | Legitimate interests |
| Marketing to business contacts | Legitimate interests or consent (you may opt out anytime) |
| Meeting legal/regulatory and accounting duties | Legal obligation |
Where we rely on legitimate interests, we have balanced those against your rights and will provide our assessment on request.
4. Who we share it with
We use vetted sub‑processors to run the service, including:
- Amazon Web Services — cloud facial‑search (AWS Rekognition), invoked only for manual mobile searches.
- Cloudflare — content delivery, tunnels, and object storage (R2).
- Hetzner — server hosting.
- Stripe — payment processing.
- Postmark — transactional email.
- Sentry — error monitoring and diagnostics (technical/log data only).
A current list with locations and roles is maintained in the DPA sub‑processor schedule (/legal/dpa). We may also disclose data where required by law or to protect our rights.
5. Mobile applications
Our iOS and Android apps are used by our customers' Authorised Users. In addition to the account and usage data above:
- Camera and photo access — used only when an Authorised User performs a manual facial search. Images submitted for search are processed on the customer's behalf as processor (see the DPA) and are sent to AWS Rekognition for matching; they are not used for any other purpose, including training.
- Device biometric unlock (Face ID / fingerprint) — handled entirely on‑device by the operating system to unlock the app session. We never receive, store, or transmit your device biometric data.
- Authentication tokens — stored in the device's secure storage (Keychain / Keystore).
- Push notifications — device push tokens are processed to deliver security alerts you have enabled.
6. International transfers
Some providers may process data outside the UK. Where they do, we rely on appropriate safeguards — UK adequacy regulations, the UK International Data Transfer Agreement/Addendum, or Standard Contractual Clauses. Note that continuous NVR detection runs locally on‑premises (no cloud transfer of those biometric templates); cloud facial search via AWS is limited to manual mobile lookups and runs in the AWS eu-west-2 (London) region, so that data does not leave the UK.
7. Retention
We keep account and billing data for the life of your account and as required for legal, tax, and accounting purposes. Following subscription suspension, Customer Data is retained for 90 days before deletion (see DPA). Marketing data is kept until you opt out.
8. Your rights
Subject to UK GDPR, you may request access, rectification, erasure, restriction, portability, and object to certain processing, and withdraw consent. To exercise these (for data we control), contact dpo@pariah.dev. You may complain to the Information Commissioner's Office (ico.org.uk), though we'd appreciate the chance to help first.
9. Security
We apply technical and organisational measures appropriate to the risk, including encryption in transit and at rest, role‑based access control, and audit logging. See the DPA security annex for detail.
10. Changes
We will update this Policy as needed and post the revised version with a new effective date.
Privacy queries: dpo@pariah.dev