Privacy Policy
Version 1 · last updated 2026-06-10. This policy explains what personal information MugShotter processes, our role, the lawful basis, how long we keep it, where it is hosted, and how to exercise your rights.
1. Who we are
MugShotter (the "Platform") provides a cross-firm, post-detention incident-lookup service for licensed and regulated private-security firms and accredited neighbourhood-watch organisations. The Platform is hosted by MugShotter, with application data on secure Hetzner cloud infrastructure located in Germany.
The Platform acts as an Operator under POPIA, a Processor under the EU-GDPR and UK-GDPR, and a Service Provider under the California CCPA / CPRA - and the equivalent processor role under any other applicable data-protection framework. We process personal information on behalf of each member organisation. The member organisation is the Responsible Party / Controller / Business: it initiates the collection and is responsible for the lawfulness and legitimacy of the data it contributes under the law of its own jurisdiction.
2. What we process
- Biometric data: face embeddings (numeric vectors derived from a face photograph) of individuals detained on a client site by a member organisation. Biometric data is "special personal information" under POPIA s.26 and a "special category" under GDPR / UK-GDPR Article 9 (and "sensitive personal information" under CCPA / CPRA).
- Photographs: the original capture photograph and any annotations.
- Incident records: date/time, site name, charges, items recovered, law-enforcement case reference (if any), officer identifier, contributing organisation.
- Account information: organisation details (name, licensing/accreditation number, contact info), user accounts (email, name, role), officer registrations (display name, Telegram identifier), and Terms-acceptance records (version, timestamp, IP).
- Operational logs: every read and write event - who accessed what, when, and from where (IP, user-agent). Append-only and tamper-evident.
3. Lawful basis
Each member organisation is responsible for the lawful basis applicable in its own jurisdiction. In South Africa, member organisations process under POPIA s.33(1)(b) (processing in accordance with a law - the Trespass Act 6 of 1959 and common-law arrest powers) and s.27(1)(b) (necessary for the establishment, exercise or defence of a right or obligation in law); biometric "special personal information" engages s.26-s.27; and processing of alleged criminal conduct on behalf of third parties engages the s.57 prior-authorisation requirement. In other jurisdictions, equivalent provisions apply (for example, GDPR / UK-GDPR Articles 6, 9 and 10; CCPA / CPRA service-provider arrangements). Capture is post-detention only: no scan-before-detention, no mass surveillance, no consumer/citizen use.
4. Retention
Default retention is 730 days from incident date. Where a law-enforcement case reference is on record, retention may extend in line with the investigation. Records with no case or internal reference are retained for a short window only and the contributor is warned at capture. Retention is enforced nightly by an automated process that redacts notes, deletes face embeddings and photographs, and writes a retention-purge audit row. Financial records are retained as required by tax law.
5. Sharing model
On a face-match query, member organisations see incident summaries from other organisations (date, charges, contributing organisation). Internal notes, site addresses, items-recovered details and reporter identity are not shared cross-firm without an additional written request. We never sell personal information or share it with marketing third parties.
6. Cross-border processing
Personal information captured via MugShotter is securely transmitted to and hosted on cloud infrastructure located in Germany (Hetzner Online, Falkenstein). Germany is subject to the European Union's General Data Protection Regulation (GDPR). For South African members, we rely on the resulting level of data protection under POPIA s.72; for UK and EU members, the transfer takes place between two GDPR-aligned jurisdictions (Chapter V mechanisms apply where relevant); for members in other jurisdictions (including California), members must satisfy their own cross-border transfer rules. This is disclosed on every capture-point notice posted at client sites.
7. Subject rights
You have the right to confirm whether we hold your personal information, request a record of it, request correction or deletion, and object to processing where permitted by your applicable law (POPIA s.23-25 in South Africa; GDPR / UK-GDPR Articles 15-22 in the EU and UK; CCPA / CPRA in California; equivalents elsewhere). Lodge a Subject Access Request at /popia/sar; we respond within 30 days and verify identity before releasing any records. As an Operator/Processor we will route requests about contributed incident data to the relevant Responsible-Party / Controller organisation where appropriate.
8. Subject access requests
For subject access requests, corrections, deletions, complaints, or data-protection-authority correspondence, please lodge a request at /popia/sar. The Information Officer designated under POPIA s.55 will handle your request.
9. Security
- Role-based access control.
- An audit log entry on every read and write.
- Hash-chained audit log (HMAC-SHA256) for tamper evidence.
- Encryption in transit (TLS) and at rest.
- Rate limiting and brute-force protection on login and signup.
- A separate database role with an INSERT-only grant on the audit log, so existing audit rows cannot be updated or deleted through the application.
- Signed-URL photo serving with 60-second tokens.
- Nightly encrypted backups.
10. Complaints
If you believe your data-protection rights have been violated and we have not resolved the matter to your satisfaction, you may complain to your jurisdiction's data-protection authority - for example, the South African Information Regulator at inforegulator.org.za, the UK ICO at ico.org.uk, your EU member-state data-protection authority, or the California Privacy Protection Agency at cppa.ca.gov.
11. Aegis RF-Shield & DiskWatch app purchases
Our two paid Android apps - Aegis RF-Shield and DiskWatch - are sold directly to individual buyers on a monthly subscription. For these purchases MugShotter is the Responsible Party / Controller (not an Operator): you contract with us directly, with no member organisation in between. This is separate from the cross-firm incident-lookup service described above, and these apps do not collect or transmit biometric data - Aegis reads radio signals and DiskWatch scans licence discs, both entirely on your device; scan results never leave your phone.
What we process for app purchases: your PayPal email address (received from PayPal to identify your subscription and for support), a device identifier and device label (your handset model - used to bind your licence to one phone at a time), your subscription and licence status (active / cancelled / lapsed, and the paid-through date), and payment references (the PayPal subscription and payment IDs). We do not receive or store your card number - PayPal handles the payment. Our audit logs record only a non-reversible hash of your device label, never the clear value.
Payment processor (Operator / sub-processor): payments are processed by PayPal, which acts as our payment Operator and processes your information under its own privacy statement and user agreement. PayPal processes data in the United States and other countries; for South African buyers this is a cross-border transfer for which we rely on POPIA s.72 (PayPal is bound by a comparable level of protection under its binding terms and applicable law). PayPal South Africa settles in USD.
Retention & your rights: we keep this information while your subscription is active and for a limited period afterwards for tax, accounting and dispute-resolution purposes. You can erase the personal information we hold - without losing your licence - at any time using the “Erase my data” option on the Aegis RF-Shield or DiskWatch page (prove ownership with your licence key and the PayPal email you paid with), or by contacting our Information Officer. Erasing clears your PayPal email and device details; your licence key keeps working and you simply re-enter it in the app. If your subscription is still active, your PayPal email may be re-collected on the next renewal to keep managing billing, so cancel in PayPal first for permanent erasure.
12. Changes
We publish material changes here and update the date above. For material Terms changes we also increment the Terms version, and registered organisation owners are notified and asked to re-accept; continued use after an update constitutes acceptance where permitted by your applicable law.