Privacy Policy
This draft was generated by the platform team. Have your counsel review and adjust the legal-basis, jurisdiction, and contact sections before going live. The technical claims about retention, storage, and rights match what the platform actually does today.
1. Who we are
Securicom Central (the "Service") is operated by Securicom ("Securicom", "we", "us", or "our"). The Service is a multi-tenant operations portal used by property management companies to run service calls, equipment lifecycles, access topology, resident communications, and related workflows for the buildings they manage.
This Privacy Policy explains what personal information we collect when you use the Service, why we collect it, who we share it with, how long we keep it, and the rights you can exercise over it.
2. Roles
For most data we hold, our role depends on who you are:
- If you are a representative of a property management company that uses the Service (an "Organization"), Securicom acts as a data processor on behalf of that Organization. The Organization is the data controller of the data its members, residents, and vendors submit.
- If you are a resident, on-site staff member, or service vendor working with an Organization through the Service, your data is controlled by that Organization. Direct questions about your data to the Organization first; we will help them respond.
- For information you provide directly to us outside of any Organization — for example, contacting us from this website — Securicom is the controller.
3. Information we collect
We collect only what is necessary to operate the Service.
3.1 Account information
When you accept an invitation to join an Organization we collect the name, email address, and (optionally) phone number you provide. We also record whether you have verified your email address and which Organization(s) you belong to.
3.2 Authentication credentials
If you sign in with a password, we store a salted, hashed version of that password — never the plain text. If you enroll in multi-factor authentication (MFA), we store the TOTP secret that your authenticator app uses and salted hashes of the one-time recovery codes we issue to you.
If you sign in via Single Sign-On (OIDC) — for example through your employer's Google Workspace or Microsoft Entra ID tenant — we store the identifier returned by the identity provider and a short-lived state token used to complete the sign-in handshake.
3.3 Operational data
When you use the Service, the Organization you belong to controls operational data including:
- Properties, units, and unit occupancies the Organization manages.
- Service requests you submit or work on, including titles, descriptions, photos, attachments, comments, and status history.
- Work orders, vendor quotes, and completion notes.
- Equipment records — cameras, controllers, doors, readers, alarm panels, mechanical systems — along with their service history, warranties, contracts, spare-parts inventory, and access topology.
- Emergency contact lists.
- Security blog posts published inside the portal.
- AI Expert conversations: the questions you ask the AI Security Expert, the answers it returns, the sources it cited, and any feedback you give on those answers.
3.4 Communications
We record each notification we attempt to deliver to you (email or in-app), including the recipient address, channel, event type, subject line, a preview of the body, and the delivery outcome. This lets you and your Organization debug missing notifications and prove what was sent for compliance purposes.
3.5 Audit log
We record a security-relevant event for every login, MFA change, role change, permission grant, organization change, data export, and request closure. Each event captures the actor, organization, event type, summary, request ID, IP address, and user-agent.
The audit table is append-only at the database level: the role the application connects with holds no UPDATE or DELETE privilege on it, so even an attacker with full application access cannot rewrite or delete an entry.
3.6 Technical data
Each request to the Service is logged with a request ID, IP address, and user-agent header. We use these for security monitoring, debugging, and audit. JSON Web Tokens (JWTs) and short-lived refresh tokens are stored to keep your session signed in across page loads.
4. How we use your information
We use the information above to:
- Provide the Service to you and your Organization.
- Authenticate you, enforce permission boundaries, and detect abuse.
- Send you notifications you have opted into and operational messages that you cannot opt out of (for example, password resets and security alerts).
- Surface answers in the AI Security Expert that are grounded in your Organization's own data.
- Respond to your requests, including data subject rights.
- Comply with our legal obligations and respond to lawful requests from authorities.
5. Legal bases (UK / EU users)
Where the General Data Protection Regulation (or the UK GDPR) applies, we rely on the following legal bases:
- Performance of a contract — to provide the Service to you.
- Legitimate interests — security monitoring, fraud prevention, product analytics in aggregate.
- Legal obligation — when we must process your data to comply with the law.
- Consent — when we ask you to accept this policy on first sign-in and when a new version is published.
6. AI Security Expert
The AI Security Expert retrieves answers from data your Organization stores in the Service. It uses a technique called Retrieval Augmented Generation (RAG): your text is converted into vector embeddings that live in your Organization's tenant in our Postgres database and are never shared across tenants.
Where an answer is generated by a large language model (LLM) operated by a third party, we send the LLM only the question and the retrieved context — not your account details, MFA secrets, or unrelated data. We do not allow LLM providers to use your data to train their models.
Every answer cites the sources it drew from so you can verify it.
7. Who we share your information with
We share information only when necessary:
- Within the Service. Your data is visible to members of your Organization based on the permissions the Organization grants. Tenant isolation is enforced at both the application and database row level so different Organizations never see each other's data.
- Service providers. We use vetted subprocessors for hosting, email delivery, error monitoring, and the LLM provider that powers the AI Security Expert. Each is bound by a data processing agreement that limits how they may use your data.
- Legal disclosure. We may disclose information if compelled by lawful process or to protect the rights, property, or safety of Securicom, our customers, or others.
- Business transfers. If Securicom is involved in a merger, acquisition, or asset sale, your data may be transferred — we will give notice before any such change becomes effective.
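The row-level part of the tenant isolation mentioned above can be expressed with PostgreSQL row-level security. The following is an added illustration, not Securicom's schema: the table, the `app.org_id` session setting, and the policy name are assumptions. The application sets the caller's Organization once per transaction and every query on the table is then filtered and checked against it, so a query that forgets a `WHERE org_id = ...` clause still cannot cross tenants.

```sql
-- Added example (not Securicom's schema): row-level tenant isolation in PostgreSQL.
-- Table, setting and policy names are assumptions.
CREATE TABLE service_requests (
    id      bigserial PRIMARY KEY,
    org_id  bigint NOT NULL,
    title   text   NOT NULL,
    status  text   NOT NULL DEFAULT 'open'
);

ALTER TABLE service_requests ENABLE ROW LEVEL SECURITY;
-- FORCE makes the policy apply to the table owner as well, not only to other roles.
ALTER TABLE service_requests FORCE ROW LEVEL SECURITY;

-- The application sets app.org_id per transaction. A missing or empty setting
-- becomes NULL, which matches no row, so an unset context reads nothing.
CREATE POLICY tenant_isolation ON service_requests
    USING      (org_id = NULLIF(current_setting('app.org_id', true), '')::bigint)
    WITH CHECK (org_id = NULLIF(current_setting('app.org_id', true), '')::bigint);

-- Constructed sample data for two Organizations.
INSERT INTO service_requests (org_id, title) VALUES
    (7, 'Lobby camera offline'),
    (8, 'Garage door reader failing');

-- Session as the application role (a non-superuser without BYPASSRLS):
--   BEGIN;
--   SET LOCAL app.org_id = '7';
--   SELECT id, title FROM service_requests;                        -- returns only org 7's row
--   INSERT INTO service_requests (org_id, title) VALUES (8, 'x');  -- rejected by WITH CHECK
--   COMMIT;
```

Superusers and roles with the BYPASSRLS attribute are not subject to policies, so the role the application connects with must have neither; the policy then holds regardless of how the query was built in application code.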
We do not sell your personal information.
8. How long we keep your data
We retain personal data only as long as we need it. Current retention windows are:
- Notification delivery records — 365 days.
- Unconfirmed MFA enrollments — 7 days.
- Expired blacklisted refresh tokens — 30 days after expiry.
- Idempotency keys — until their natural 24-hour expiration.
- Audit log events — retained for the lifetime of the Organization to support security and compliance investigations.
- Operational data (requests, equipment, comments) — for as long as your Organization keeps using the Service, or until your Organization or you delete the record.
When you delete your account, we anonymise your user row in place (the email becomes a one-shot tombstone, your name and phone are wiped, your password is invalidated, MFA secrets and recovery codes are deleted, and all outstanding refresh tokens are revoked). Historical references in maintenance requests and audit events remain so the Organization's historical record stays intact, but they no longer point to your personal data.
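The in-place anonymisation described above, written out as a single PostgreSQL transaction. This is an added example, not Securicom's code: the table and column names, the user id 42 and the tombstone address format are assumptions, and `gen_random_uuid()` is assumed to be available (built in from PostgreSQL 13). The point of doing it in one transaction is that no concurrent reader can observe a half-wiped row, and the foreign keys from requests and audit events are deliberately left in place.

```sql
-- Added example (not Securicom's code): anonymise a user row in place.
-- Table/column names and the user id are assumptions.
BEGIN;

-- Swap the email for a unique tombstone so a UNIQUE(email) constraint still
-- holds while the value no longer identifies anyone; wipe the other PII.
UPDATE users
SET email          = 'deleted+' || gen_random_uuid()::text || '@tombstone.invalid',
    name           = NULL,
    phone          = NULL,
    password_hash  = NULL,      -- with no stored hash, no password can ever verify
    email_verified = false,
    deleted_at     = now()
WHERE id = 42;                  -- constructed example user id

-- Remove MFA material outright instead of leaving it orphaned.
DELETE FROM mfa_totp_secrets   WHERE user_id = 42;
DELETE FROM mfa_recovery_codes WHERE user_id = 42;

-- Revoke every outstanding refresh token so open sessions cannot be renewed.
UPDATE refresh_tokens
SET revoked_at = now()
WHERE user_id = 42 AND revoked_at IS NULL;

-- Rows in maintenance requests and audit events that reference user 42 are
-- left untouched: they keep the Organization's history intact but now point
-- at a row carrying no personal data.
COMMIT;
```

If `users.email` has a UNIQUE constraint, the random tombstone is what makes the update safe to repeat for many deleted accounts; a fixed placeholder such as `deleted@example` would collide on the second deletion.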
9. Your rights
Depending on where you live, you may have one or more of the following rights:
- Right of access — see what we hold about you.
- Right to portability — receive a machine-readable copy of your data. You can exercise this right at any time by visiting Settings → Privacy → Export your data.
- Right to erasure — delete your account. You can exercise this right at any time by visiting Settings → Privacy → Delete your account.
- Right to rectification — correct inaccurate data. Update your profile in Settings → Profile or ask the Organization that controls your data.
- Right to restrict or object — ask us to limit how we use your data, or object to specific uses based on legitimate interests.
- Right to withdraw consent — withdraw consent you previously gave. You will be asked to re-consent the next time we publish a material update to this policy.
To exercise any right outside of the in-product controls above, contact us at the address in Section 14. We respond to verified requests within 30 days.
10. Security
The Service is built with security as a default, not an add-on:
- Tenant isolation enforced at the API layer and at row level in the database.
- MFA available to every account and optionally required org-wide.
- SSO via OIDC with PKCE, signed state, and ID-token signature verification.
- Immutable audit log (database-level REVOKE of UPDATE and DELETE).
- Daily encrypted backups with monthly restore drills.
- Continuous dependency, container, and secrets scanning in CI/CD.
- Rate limiting on authentication and AI endpoints.
- Idle-session timeout that signs you out client-side after a configurable period of inactivity.
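The immutable audit log from the list above and from Section 3.5 (append-only at the database level, with UPDATE and DELETE revoked) looks like the following in PostgreSQL. This is an added example and not Securicom's schema: the table columns follow the fields named in Section 3.5, while the role name `securicom_app` and the trigger are assumptions. The trigger is added beyond what the page states because REVOKE alone does not bind the table owner, so a second, privilege-independent guard is what a reviewer would ask for.

```sql
-- Added example (not Securicom's schema): an append-only audit table.
-- Role, function and trigger names are assumptions.
CREATE TABLE audit_events (
    id          bigserial   PRIMARY KEY,
    occurred_at timestamptz NOT NULL DEFAULT now(),
    actor_id    bigint,
    org_id      bigint      NOT NULL,
    event_type  text        NOT NULL,
    summary     text        NOT NULL,
    request_id  text,
    ip_address  inet,
    user_agent  text
);

-- The application connects as a dedicated role that may only append and read.
CREATE ROLE securicom_app LOGIN;       -- credentials set out of band
GRANT INSERT, SELECT ON audit_events TO securicom_app;
GRANT USAGE, SELECT ON SEQUENCE audit_events_id_seq TO securicom_app;
REVOKE UPDATE, DELETE, TRUNCATE ON audit_events FROM securicom_app;

-- Defence in depth: REVOKE does not restrict the table owner, so a trigger
-- rejects rewrites no matter which role issues them.
CREATE OR REPLACE FUNCTION audit_events_immutable() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_events is append-only (% rejected)', TG_OP;
END;
$$;

CREATE TRIGGER audit_events_no_rewrite
    BEFORE UPDATE OR DELETE ON audit_events
    FOR EACH ROW EXECUTE FUNCTION audit_events_immutable();

CREATE TRIGGER audit_events_no_truncate
    BEFORE TRUNCATE ON audit_events
    FOR EACH STATEMENT EXECUTE FUNCTION audit_events_immutable();

-- Checking the guarantee (constructed values):
--   SET ROLE securicom_app;
--   INSERT INTO audit_events (actor_id, org_id, event_type, summary, request_id, ip_address, user_agent)
--   VALUES (42, 7, 'login', 'Login succeeded', 'req-constructed-0001', '203.0.113.10', 'Mozilla/5.0');
--   DELETE FROM audit_events WHERE id = 1;   -- ERROR: permission denied for table audit_events
--   RESET ROLE;
--   DELETE FROM audit_events WHERE id = 1;   -- ERROR: audit_events is append-only (DELETE rejected)
```

A superuser can still disable the trigger or drop the table, so the remaining control is keeping superuser access out of the application's reach entirely and watching for ALTER TABLE and DROP statements on this table in the database logs.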
No security measure is perfect. If you become aware of a vulnerability in the Service, please contact us at the address in Section 14.
11. International transfers
We process data primarily in the region where your Organization is hosted. Where data must cross borders — for example to reach a subprocessor in another country — we rely on Standard Contractual Clauses and equivalent safeguards approved by the relevant data protection authorities.
12. Children
The Service is intended for use by people aged 18 or older acting in a professional capacity, or as a resident of a managed property. We do not knowingly collect personal information from children under 16. If you believe a child has provided us personal information, contact us at the address in Section 14 and we will delete it.
13. Changes to this policy
We may update this policy from time to time. When we make a material change, we will:
- Publish the new version under a new version tag.
- Show you a notice the next time you sign in.
- Block continued use of the Service until you accept the new version, unless the law allows otherwise.
Older versions remain available on request, and the consent record on your account shows exactly which version you accepted and when.
14. Contact
For privacy questions or to exercise any right described above, contact us at:
- Email — privacy@securicom.example
- Postal — Securicom Privacy Team, c/o Securicom (replace with the registered business address).
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.