Who this is for
Organisation owners and managers setting up Merlin Cloud in the UK or EEA
Data protection officers and compliance leads
Store and IT teams who need a quick overview
Key principles we follow
Data minimisation: we collect only what is needed for analytics and operations.
No identification: camera analytics are session-based and do not track unique people.
Privacy by design: derived metrics are used for reporting, not raw identity data.
Security in transit: HTTPS with TLS 1.2 or 1.3.
Transparent controls: role-based access and audit logs in the dashboard.
Roles under GDPR
You (the client organisation): Data Controller for your end-customer and staff data.
Merlin Cloud: Data Processor for analytics and device data processed on your behalf.
A Data Processing Addendum can be provided on request.
What data we process
Cameras
Derived analytics: People now, Total People, entries and exits, zone totals, busiest hour.
Heatmaps: computed overlays, position coordinates, density values.
Privacy posture: no facial recognition, full-body blur, and detection processed on the server, then anonymised immediately after the detection script runs.
Frames: where frame storage is enabled for validation or security, frames are deleted after 6 months.
Kiosks and in-store devices
Interaction events: page views, clicks, dwell timers, sessions, conversions, error logs, timestamps.
Offline queue: events stored in localStorage and uploaded once online. Items are deleted only after successful insertion into the database.
No sensitive payloads: sensitive inputs are redacted. At-rest encryption for local caches is available for enterprise clients.
Account and operational data
User accounts, roles, and audit logs of who changed what and when.
Device metadata needed to operate deployments.
Lawful basis and DPIA
Most clients rely on legitimate interests for aggregated, non-identifying analytics.
Run a DPIA if you operate in regulated environments or enable optional features such as staff identification for enterprise.
Provide a store notice describing analytics in use. See sample wording below.
Sample notice text
“Video analytics in use for footfall and layout insights. No facial recognition. Data is anonymised and used in aggregate. Contact the store team for details.”
Data subject rights
We support requests from your data subjects that you route to us:
Access, rectification, deletion, restriction, portability, objection
Since analytics are not tied to identities, these rights usually apply to account users rather than shoppers.
Submit requests through the Help Centre or your Merlin Cloud representative. We will assist as Processor.
Retention and deletion
Camera frames: deleted after 6 months where frame storage is enabled.
Derived analytics: retained per contract. Custom retention can be set for enterprise.
Kiosk offline cache: removed on device only after confirmed server insertion.
Exports: CSV files you download are under your control.
Security measures
Transport: HTTPS with TLS 1.2 or 1.3.
At rest: options for encryption and device-level lockdown for enterprise clients.
Access control: Admin, Manager, Viewer roles.
Audit trail: logs of content edits, schedule changes, publishes, rollbacks.
Sub-processors and infrastructure
Asset delivery uses AWS S3 and CloudFront.
Additional sub-processors and data locations are listed in the DPA or available on request.
International transfers
Where data moves outside the UK or EEA, we use appropriate safeguards such as SCCs or equivalent transfer mechanisms. Details are covered in the DPA.
Your responsibilities checklist
Add a privacy notice at store entrances.
Complete a DPIA where appropriate.
Configure roles and least-privilege access.
Set retention that meets your policy.
Train staff on no recording and no re-identification practices.
Frequently asked questions
Do you identify staff or loyal customers?
No. By default, counts are session-based. Enterprise clients can request staff identification options. These require a DPIA and an appropriate lawful basis.
Can shoppers opt out?
Since analytics are not tied to identities, opt-out typically applies to account users and marketing programmes, not in-store footfall. Follow local guidance when in doubt.
Can we get a copy of our data?
Yes. Use CSV exports for analytics and request additional exports through support if needed.
What happens if a device or camera is offline?
Kiosks queue analytics and upload later. Cameras do not backfill by default.
