Service Privacy Policy

How we handle your data when you use the scOS security service

Last updated: 6 July 2026

Overview

This Service Privacy Policy explains how Smart City Operating System Limited (“scOS”, “we”, “us”) collects, uses and protects personal information when you use the scOS Home Intelligence Service, our home and property security service for residential properties in the United Kingdom — including the Intelligence Hub, your connected cameras, our cloud detection service, and the smart-home and automation features of the service.

It sits alongside our Website Privacy Policy (which covers your use of scos.co.uk) and our App Privacy Policy (which covers the scOS mobile app). Where those policies and this one overlap, this policy governs the security service. For the purposes of UK data-protection law, scOS is the controller of the personal data described here (for customers we serve directly). This policy and our processing are governed by the law of England and Wales, the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Who We Are

Smart City Operating System Limited is a company registered in England and Wales (company number 13569571), with its registered office at 71 Manor Road, Luton, LU1 4EE, United Kingdom. We are registered with the Information Commissioner’s Office (ICO) under registration number ZB346678.

If you have any question about this policy, or wish to exercise your rights, please contact us via our contact page.

Information We Process

To provide the service, we process the following categories of personal data:

  • Account & identity: your name, email, phone number, address, login credentials and multi-factor authentication settings.
  • Billing: your billing address and the Direct Debit mandate and subscription details held with our payment provider (we do not store your full bank details on our own systems).
  • Camera footage & images: video and still images from cameras you connect to the service, which may include other people who come into view.
  • Detection outputs: the alerts and short descriptions our system generates about activity it detects.
  • Device & telemetry: information about your Hub and connected devices — status, health, configuration and diagnostic data.
  • Smart-home & automation: where you use these features, information about your connected devices and any routines or preferences you set.
  • Communications: alerts, notifications and messages we send you, and your interactions with in-app assistance.
  • Support: the content of your support requests and feedback.

Your Cameras and Footage

Real-time behavioural detection — no facial recognition.Our system assesses what is happening in view of your camera at the time — behaviour and context — in much the same way a person watching their own property would. Our detection focuses on activity happening on, or directly affecting, your property — for example, someone interfering with your property from an adjoining one — rather than general monitoring of neighbours or the wider street. We do not use facial recognition, and we do not try to identify who individuals are. We do not build facial profiles or match people against any database.

How your footage is stored. Recorded clips are encrypted and stored locally on your Intelligence Hub, not in our cloud. They are kept on a rolling basis — older recordings are automatically overwritten by newer ones — and are securely erased when your device or account is removed. Only limited alert snapshots are held in our cloud, for up to 30 days, to show your recent alert history. Live viewing is streamed to you and is not retained.

Encryption and staff access. Your recordings are encrypted with a key unique to your account that is held on your Hub and is not used to decrypt your footage in our cloud. Our staff cannot access or view your camera live streams or recordings. This is enforced at the infrastructure level: recorded footage stays on your Hub, and the way it is stored and encrypted means it cannot be viewed by scOS.

Improving Our Detection (Model Training)

To keep our detection accurate and reduce false alerts, we may — with your agreement — use footage from your cameras to develop, test and improve our detection. This is done through a per-camera setting called Training Contributions: when enabled, data is submitted to us automatically only in the moments when our models are uncertain about a prediction. Training Contributions are disabled by default, are chosen separately for each camera, and can be changed at any time by editing the camera in device settings in CaelusView or the scOS mobile app.

We keep footage used for this purpose only for as long as it is needed to develop and maintain accurate detection; we review this regularly and delete or anonymise it when it is no longer needed. Our assessment is based on behaviour and context, and we do not use it to identify individuals.

Other People Captured by Your Cameras

Your cameras may capture other people, such as visitors, delivery drivers or passers-by. Their images are processed to provide your security service, relying on the legitimate interest in protecting property and preventing crime, and are not used to identify who they are.

Important — how recorded footage works. Recorded footage is stored only on your Hub, like a home CCTV recorder (NVR). scOS does not have access to it and cannot search, view or retrieve it. If a person believes they were recorded at a property and asks scOS to provide or delete that footage, we have no technical means to find or erase recordings we cannot access; such requests should be directed to the person who operates the cameras at that property (our customer), who controls their own footage. scOS can, however, act on the limited data it does hold in its own systems (such as cloud alert snapshots) where the requester provides enough information for us to identify it.

As the person operating cameras at your property, you have your own responsibilities under data-protection law for the areas your cameras cover. The Information Commissioner’s Office (ICO) publishes helpful guidance on using domestic CCTV responsibly.

Our Lawful Bases for Processing

We rely on the following lawful bases under Article 6 of the UK GDPR:

  • Performance of a contract — to deliver the security service you have signed up for (account, devices, alerts, billing).
  • Legitimate interests — to keep the service secure and effective, to detect and prevent crime (including processing footage of third parties in view), and to improve our detection. You can ask us about, or object to, this processing.
  • Legal obligation — to keep certain records (for example, billing records for tax and accounting).
  • Consent — for optional features such as contributing your footage to model training, which you can withdraw at any time.

How Long We Keep Your Data

  • Camera recordings: stored only on your Hub on a rolling basis (older recordings overwritten by newer ones); no central copy; securely erased on device/account removal.
  • Alert snapshots (cloud): up to 30 days, then automatically deleted; short-lived processing images within 1 day.
  • Account information: for the duration of your account plus up to 2 years after closure.
  • Billing records: 7 years, to comply with UK tax and accounting requirements.
  • Detection model training data (where you opt in): only as long as needed to maintain accurate detection, reviewed regularly, then deleted or anonymised.
  • Device & telemetry data: retained only as long as needed to operate, support and secure the service.
  • Support & communications: for as long as needed to resolve your query plus a reasonable period.

Who We Share Your Data With

We do not sell your personal data. We share it only with service providers who process it on our behalf under contract, and only as needed to run the service:

  • Cloud hosting & infrastructure (Amazon Web Services), for secure hosting, storage and processing.
  • Payment / Direct Debit provider, to set up and collect your subscription.
  • Messaging & notification providers, to deliver alerts and push notifications to your devices.
  • Specialist cloud compute providers, used to run parts of our detection — these process only the limited data that leaves your Hub (such as alert snapshots and the model-uncertainty submissions you opt in to), never your stored recordings, which stay on your Hub.

We may also disclose personal data where required by law, or to establish, exercise or defend legal claims. Where the service is provided through a distribution partner, we will tell you and set out the respective responsibilities.

Where Your Data Is Processed

We process personal data in the United Kingdom and the European Economic Area (for example, secure hosting in AWS’s Ireland region, which the UK recognises as providing an adequate level of protection). Where any processing takes place outside the UK or EEA, we put appropriate safeguards in place — such as the UK International Data Transfer Agreement (or the UK Addendum to the EU Standard Contractual Clauses) — as required by UK GDPR.

How We Protect Your Data

  • Encryption of data in transit and at rest, including per-account encryption of your recordings.
  • Access controls, authentication and multi-factor authentication for staff and administrative access.
  • Secure, isolated handling of each customer’s data.
  • Ongoing security testing and improvement.

No security measures are perfect. If you believe your account or a device has been compromised, please contact us immediately.

Your Rights

Under UK data-protection law you have the right to access, correct, delete or receive a copy of your personal data, and to restrict or object to certain processing. You can also withdraw consent where we rely on it. We will respond within one calendar month. Some data may need to be retained where the law requires it (for example, billing records).

To exercise any of these rights, contact us via our contact page. If you are not satisfied with our response, you have the right to complain to the Information Commissioner’s Office (ICO) at ico.org.uk.

Children

Our account holders must be adults (18 or over) responsible for a property; the service is not directed to children and we do not knowingly create accounts for anyone under 18. Children may nonetheless be captured incidentally by a customer’s cameras, as described in “Other People Captured by Your Cameras” above; we treat any personal data relating to children with particular care, recognising the additional protection given to children’s data under UK data-protection law. If you believe we hold a child’s personal data that we should not, please contact us and we will take appropriate steps.

Changes to This Policy

We may update this policy from time to time. When we do, we will update the “Last updated” date above and, where changes are significant, tell you through the service.

Contact Us

For any question about this policy or your personal data, please get in touch.

Contact Us

Smart City Operating System Limited

4th Floor, Silverstream House

45 Fitzroy Street

London, W1T 6EB

United Kingdom