SmartALERT Privacy Notice

Who we are

We are IHL Tech Ltd, 57 Ashbourne Road, Derby, Derbyshire, DE22 3FS.

Company Registration Number: 09926970

We are registered as a data controller at the UK Information Commissioner’s Office under number ZA175849.

We are responsible for the processing of personal data that we have received in accordance with the UK General Data Protection Regulation (UK GDPR) and the DPA 2018.

What is SmartALERT?

SmartALERT is a real-time alerting application that allows the secure sharing of Incidents relating to Data Subjects (Subjects of Interest) who are suspected of committing offences or criminal behaviour within gambling or hospitality premises. In short, SmartALERT is used for the detection and prevention of crime and disorder.

Our Customers

We provide SmartALERT to Operators of Adult Gaming Centres and Licensed Bingo premises in Great Britain. These are referred to as our Customers.

We refer to our Customers’ premises as Venues.

Subjects of Interest (SOI’s)

We securely hold personal data of SOI’s (which may include Special Category Data in the form of a biometric or photographic image) for the purpose of detecting and preventing crime and disorder. We do not ask the SOI’s for, or otherwise seek, consent to process this data, as doing so would undermine the purpose for processing.


We maintain the SOI’s in Hotlists, and these Hotlists will also include information and the reason for an SOI being on the Hotlists.

Please Note

  • If you are providing us data for any other service we provide, please refer to our Privacy Notice Menu.
  • If you are visiting our website, please refer to our standard Privacy Policy.

Our responsibilities

  • Our responsibilities as a Data Processor
    • When a SmartALERT Incident is created by a Customer, we act as a ‘Data Processor’. This means that we are acting on the instruction of our Customers to support them in the collection of incident data to help prevent crime and disorder within venues.
  • Our responsibilities as a Data Controller
    • Once a SmartALERT Incident has been submitted, we act as a ‘Data Controller’ of the data. This means we determine why and how the Personal Data of SOI’s is processed and shared to enable us to provide the SmartALERT Service to our Customers to help prevent crime and disorder within Venues.

When we collect data

We will collect data from our Customers when:

  • An actual OR possible incident has occurred in Venue and the Customers are able to provide supporting evidence of the incident

Types of data we may collect

  • Incident Data
    • One of either
      • Photo OR
      • Name / Nickname
    • Optional Data
      • Gender
      • Physical Description
        • Age Estimation
        • Height Estimation
        • Hair Style
        • Hair Colour
        • Build Type

Types of data we DO NOT collect

  • Any data relating to racial or ethnic origin.

Purposes for which we process SOI data

We collect SOI data solely for the purpose of the detection and prevention of crime and fraud.

We will share SOI data with our Customers, to enable them to monitor for visits by SOI’s in Venues to ensure they are kept free from crime and disorder.

SOI data is shared proportionately within a radius subject to the type of incident records.

Data Sharing – Proportionately

We share SOI data on a radius that is proportionally based on the ‘threat level’ of an incident type. The data is shared on a tablet device that is managed in Venue by our Customers.

The ‘threat levels’ we currently support and their associated sharing radius are:

  • Low Level : 2km
    • Suspicious Activity
    • Barred Customers
  • Medium Level : 5km
    • Verbal Abuse
    • Venue Damage
    • Machine Damage
  • High Level : 10km
    • Machine Fraud
    • Physical Abuse
    • Theft
    • Violent
  • Critical Incident
    • Nationwide
  • Motorway Service Area (MSA) Incident
    • All MSA’s

How and why we use your data

Data protection law requires that we only use the SOI data for certain reasons and where we have a lawful basis to do so. Here are the reasons why we process the SOI data:

  • Processing of Alerts (as a Data Processor)
    • Processing of the SOI record to enable our Customers to submit information relating to possible or actual offences in order to keep venues free from crime and disorder
    • In this context, our lawful basis for processing the SOI Personal Data is our contract with our Customers AND the substantial public interest when a Photo containing a facial image of an SOI has been captured during the creation of a SmartALERT incident.
  • Providing Incident Alerts (as a Data Controller)
    • Processing of the SOI record to enable IHL to deliver, support and improve its SmartALERT System.
    • Sharing of the SOI Incident with our Customers to enable them to manage and monitor any visits to ensure Venues are kept free from crime and disorder.
    • In this context, our lawful basis for processing the SOI Personal Data is legitimate interests AND the substantial public interest when a Photo containing a facial image of an SOI has been captured during the creation of a SmartALERT incident. To support this lawful basis, we have conducted a Legitimate Interest Assessment.

Here is what each “lawful basis” means:

  • Contract
    • Our contract with our Customers to support their legal obligations to operate the Venue in accordance with their gambling licence.
  • Legitimate Interests
    • The processing of the Personal Data of SOI’s is necessary for the purposes of our legitimate interests in detecting and preventing crime and disorder.
  • Substantial Public Interest
    • We are able to demonstrate that the processing of the Personal Data of SOI’s is in the Substantial Public Interest.

Your privacy choices and rights

Your rights

SOI’s can exercise their rights by sending us an email at

  • SOI’s have the right to access information we hold about them
    • This includes the right to ask us for supplementary information about:
      • the categories of data we’re processing.
      • the purposes of data processing.
      • the categories of third parties to whom the data may be disclosed.
      • how long the data will be stored (or the criteria used to determine that period).
      • their other rights regarding our use of their data.

We will provide the SOI with the information within one month of their request, unless doing so would adversely affect the rights and freedoms of others (e.g. another person’s confidentiality or intellectual property rights).

We will tell an SOI if we can’t meet their request for that reason.

  • SOI’s have the right to be ‘forgotten’ by us
    • SOI’s can do this by asking us to erase any personal data we hold about them if it is no longer necessary for us to hold the data for the purpose for which it was collected UNLESS we have a legal obligation to retain the SOI’s personal data.
  • SOI’s have the right to lodge a complaint regarding our use of their data
    • SOI’s can tell us first, so we have a chance to address their concerns. If we cannot address those concerns, SOI’s can address any complaint to the UK Information Commissioner’s Office, either by calling their helpline or as directed on their website at

How secure is the data we collect?

We have physical, technical and organisational procedures in place to appropriately safeguard and secure the data we collect.

  • All data is stored in a secure ISO 27001 facility by AWS (Ireland).
  • All data traffic is encrypted with SHA-256 RSA Encryption.
  • We have Always-On Network Flow Monitoring.
  • We have DDoS protection services provided by AWS, including Automated Mitigation, and all APIs are protected using a Throttling middleware.
  • We have implemented IP Attack Prevention in the form of Rack Attack.

If you believe your privacy has been breached, please contact us immediately on

Where do we store the data?

The data we collect is processed in our Data Centre hosted in Ireland, in our offices in Northampton (UK), Nottingham (UK) and Withernsea (UK) and also in any data processing facilities operated by the third parties identified below.

If we transfer or store your information outside the EEA, we will take steps to ensure that your privacy rights continue to be protected as outlined in this Privacy Notice.

How long do we store the data?

  • Data Shared on the Venue Tablet
    • Data that is shared on the Venue Tablets is visible for the duration relevant to the ‘threat level’ of the incident, after which the data is removed from the Tablet Device.
      • The ‘threat levels’ we currently support and their associated Tablet visibility durations are:
        • Low Level : 24 Hours
        • Medium Level : 24 Hours
        • High Level : 48 Hours
        • Critical Incident : 120 Hours
        • MSA’s : 48 Hours
  • Data Shared in our Cloud-based application SmartHub
    • We will stop actively processing any personal/identifiable data 2 years after the last recorded incident against the SOI, after which the SOI data will be deleted. Your data is kept for this maximum period of 2 years to allow our Customers to evidence an incident in Venue in the event of an investigation by law enforcement.

If we obtain information about the SOI, and it is deemed there is no evidence of crime or fraud, the SOI’s Personal Data will be removed with immediate effect.

Other Third parties who process your data (Non-Partners)

Businesses often use third parties to help them host their application, communicate with customers, power their emails etc. We contract with third parties who we believe are the best in their field at what they do.

When we do this, sometimes it is necessary for us to share your data with them in order to get these services to work well.

Your data is shared only when strictly necessary and according to the safeguards and good practices detailed in this Privacy Notice.

If third party providers (processors) are established outside of the EU/EEA, we shall ensure that we contract only with third-party providers that are located in countries that ensure adequate levels of protection based on the European Commission’s adequacy decision or that IHL Tech Ltd has entered into agreements with corresponding Standard Contractual Clauses that ensure adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals.

Here are the details of our main third-party service providers, and what data they collect or we share with them, where they store the data and why they need it:

  • Amazon Web Services, Ireland
    • We host our SmartALERT System (part of SmartHub) on AWS Data Centres in Ireland.


We do not use cookies in the collection of SmartALERT Data.

Revision Date 23/06/22