What is business crime intelligence?

Business crime intelligence is the collection, analysis, and sharing of data about criminal activity targeting commercial organisations — including retail theft, fraud, organised crime groups (OCGs), and internal theft. Unlike generic security, it combines live offender databases, technology such as facial matching and ANPR networks, and expert analyst interpretation to deliver actionable intelligence that enables businesses to detect, prevent, and prosecute offenders across the UK.

How does facial matching technology work for retail crime investigation?

Fortify Intelligence's Facial Matching Engine allows businesses to submit CCTV images of suspects for retrospective matching against a database of thousands of the UK's most prolific and persistent business crime offenders. Using AI-powered analysis, the system identifies potential matches, providing investigators with name leads, offending histories, and intelligence context — dramatically accelerating identification timelines.

What is civil recovery and how can it benefit my business?

Civil recovery is a legal process that allows businesses to reclaim losses from shoplifters and fraudsters through civil litigation, independent of the criminal justice system. Fortify Intelligence enhances civil recovery rates by cleansing offender data before submission to a recovery agency — conducting thorough background checks to verify identities, confirm addresses, and enrich records. This significantly increases the proportion of successful recoveries and maximises financial returns.

How does the ANPR network help prevent business crime?

Automatic Number Plate Recognition (ANPR) surveillance tracks vehicle movements across 5,000+ sites nationwide — including petrol forecourts, shopping centres, retail parks, hotels, and motorway laybys. When a vehicle linked to known offenders enters the network, businesses receive real-time alerts enabling proactive prevention.

What are organised crime groups (OCGs) and how does Fortify Intelligence tackle them?

Organised crime groups (OCGs) are structured criminal networks responsible for a disproportionate share of retail and freight crime in the UK. Fortify Intelligence provides deep-dive OCG analysis: mapping group structures, identifying members, tracing stolen goods disposal routes, and briefing your team in-person or virtually.

Why work with ex-police professionals for business crime intelligence?

Ex-police and security professionals bring a fundamentally different capability to business crime intelligence. They understand how criminal investigations work, know what evidence is needed to secure prosecutions, have established police liaison relationships, and are trained in intelligence analysis techniques developed in law enforcement. Every Fortify Intelligence analyst and investigator is ex-police or security.

Do your business crime intelligence services cover the whole of the UK?

Yes. Fortify Intelligence operates a UK-wide service. Our ANPR network spans 5,000+ sites across England, Scotland, Wales, and Northern Ireland. Our offender database covers prolific offenders from across the UK, and our intelligence team operates nationally.

How quickly can your team respond to an active crime incident?

Clients on the Managed Service benefit from a dedicated analyst working exclusively for them — providing rapid intelligence support during and after incidents, including immediate ANPR checks, facial matching submission, and police liaison. For general enquiries and new client onboarding, our team aims to respond within one business day.

Privacy Notice for Offenders | Fortify Intelligence

1. Contact Details

OrganisationFortify Intelligence Ltd

Emailinfo@fortifyintelligence.co.uk

ICO RegistrationZC158080

Fortify Intelligence Ltd is registered with the Information Commissioner's Office (ICO) as a Data Controller. Any data protection queries should be directed to the email address above.

2. About Fortify Intelligence

Fortify Intelligence Ltd is a business crime intelligence company that delivers intelligence, investigation, and prevention services to businesses across the United Kingdom. Our Clients include retailers, shopping centres, hospitality venues, petrol forecourts, and other businesses that suffer from crime and anti-social behaviour.

Our services include a nationwide intelligence-sharing platform, a Facial Matching Engine for retrospective identification, a network of ANPR (Automatic Number Plate Recognition) cameras, and civil recovery services delivered through civil litigation.

Our Clients have a right — a recognised legitimate interest — to protect their property, staff and customers from crime and anti-social behaviour. This Privacy Notice explains how we exercise that right responsibly and in compliance with UK data protection law.

3. Why We Process Your Personal Data

If you have been reported to Fortify Intelligence in connection with an incident involving one of our Clients, we may process your personal data for the following purposes:

Prevention and detection of crime — to enable our Clients to identify individuals who have been involved in incidents at their premises, and to prevent further offending
Intelligence management — to manage intelligence on behalf of our Clients and to inform them of an individual's modus operandi and any patterns of offending behaviour
Exclusion scheme administration — where a Client issues an exclusion notice, to manage that exclusion across participating businesses
Intelligence collation — to collate intelligence on criminal activity patterns across the UK, including identifying organised crime group activity
Civil recovery — to support the recovery of losses suffered by Clients through civil proceedings, conducted through civil litigation
Legal proceedings — to contribute to legal proceedings against individuals where appropriate, including police investigations and prosecutions
Facial matching — to retrospectively identify individuals from CCTV images in connection with specific incident investigations, using our biometric matching capability
ANPR vehicle movement intelligence — to identify vehicles associated with offending behaviour and provide movement intelligence in support of investigations

4. Types of Processing

Fortify Intelligence undertakes the following types of processing of personal data about individuals:

Data collection — receiving incident reports and intelligence from Clients and partners
Data storage — holding your data in a facility independently certified as secure to the Cyber Essentials standard
Data retention — keeping data for the periods described in section 9 below
Data collation — associating an individual with multiple incidents, with co-offenders, or with organised crime groups
Data sharing — sharing relevant data with Clients and other authorised parties as described in section 8 below
Data deletion — irrevocably deleting data at the end of the applicable retention period
Data analysis — analysing de-personalised data for historical comparison, trend analysis, and service improvement
Biometric processing — facial matching of images against our database for the purpose of retrospective identification in investigations

Fortify Intelligence does not make solely automated decisions about individuals. All biometric matching outputs and intelligence are reviewed by a qualified human analyst before any action is taken.

5. Lawful Basis of Processing

Our Clients' legitimate interests provide the lawful basis on which Fortify Intelligence may process specific items of your personal data for specific purposes without your consent (Article 6(1)(f) UK GDPR — the "crime condition" in Article 6(1)(ea) also applies).

Fortify Intelligence has assessed the impact of its processing on your rights and freedoms, has balanced these against our Clients' own rights, and has concluded that our Clients' rights prevail in this specific matter. This means that for the purposes of preventing and detecting business crime and managing intelligence on behalf of our Clients, we can process your personal data without requiring your consent.

Where we process biometric data (facial images for the purpose of unique identification), this constitutes special category data under Article 9 UK GDPR. We process such data under:

DPA 2018, Schedule 1, Part 2, paragraph 10(a) — preventing or detecting unlawful acts, where seeking consent would prejudice the purpose of processing
Article 9(2)(f) — processing necessary for the establishment, exercise or defence of legal claims

Where we process criminal offence data, we do so under Article 10 UK GDPR and DPA 2018 Schedule 1, Part 2, paragraph 10(a), as processing is authorised for the purpose of preventing or detecting unlawful acts.

Where we process data for civil recovery purposes, the legal basis is Article 9(2)(f) (legal claims) and Article 6(1)(f) (legitimate interests).

ImportantProcessing decisions are based entirely on behaviour — the commission or alleged commission of criminal or anti-social acts. They are never based on protected characteristics such as race, gender, sexual orientation, religion or disability.

6. What Personal Data We Hold

Depending on the nature of your involvement in an incident and the services requested by our Client, Fortify Intelligence may hold the following categories of personal data about you:

Identification Data

Your name — to identify you in our system and enable reports to be submitted about you by Clients
Date of birth — to correctly identify you, particularly in high-volume environments
Facial image (still photograph) — from CCTV footage or photographs provided by Clients. We will not process AI-altered or reconstructed facial images. Where biometric matching is conducted, the image is processed through our Facial Matching Engine; the output is reviewed by a human analyst
Video footage — where relevant to an investigation; not shared with Clients

Contact Details

Postal address, email address, and telephone number(s) — held so that Fortify Intelligence can communicate with you where required (e.g. to issue exclusion notice confirmation, send warning letters, or comply with Article 13 UK GDPR)
Contact details are not shared with Clients except for the purpose of civil recovery proceedings

Incident Information

Details of reported incidents in which you have been involved
A brief summary descriptor of the nature of offending (e.g. "theft", "fraud", "violence") — this is shared with Clients
Full incident details are held in a restricted database accessible only to authorised Fortify Intelligence analysts. They are not shared with Clients but may be shared with police and for civil recovery

Vehicle Data

Vehicle registration mark(s) associated with you — processed via our ANPR network where relevant to an investigation

Intelligence Links

Associations between you and co-offenders, organised crime groups, or patterns of offending behaviour, where identified by our analysts

Data We Do Not Process

Fortify Intelligence does not process the following categories of data:

Race or ethnic origin
Political opinions
Religious or philosophical beliefs
Trade union membership
Genetic data
Health data (except in exceptional circumstances where it directly affects public safety of Clients' staff)
Data concerning sex life or sexual orientation

7. Where We Get Your Personal Data

Your personal data may be provided to Fortify Intelligence from:

Our Clients — who submit incident reports, provide CCTV footage, and share intelligence about incidents on their premises
Police and public agencies — under formal Data Sharing Agreements (DSAs), for the purposes of preventing and detecting crime
Partner Business Crime Reduction Partnerships (BCRPs) — under DSAs, where there is evidence that you have been involved in offending in multiple areas
You yourself — if you voluntarily provide information about yourself in correspondence with us
Publicly accessible sources — social media content that is publicly accessible without privacy controls
Our ANPR network — vehicle movement data from our network of cameras across the UK

8. Who We Share Your Data With

The following categories of persons may have access to data we hold about you:

Fortify Intelligence Clients — businesses that subscribe to our services and share a legitimate interest in preventing crime on their premises. Clients receive limited data only: your name, image, and a brief description of the offence type. Full incident details are not shared with Clients.
Police and law enforcement — under formal Data Sharing Agreements or where required by law. Their lawful basis for further processing is their public task.
Civil recovery legal partner — data shared is solely for the purpose of civil recovery proceedings. They act as an independent Data Controller for the purpose of any legal proceedings.
Partner BCRPs — where you have been involved in, or are likely to be involved in, offending in areas outside the immediate Client's area of operation. Sharing is subject to an extant Data Sharing Agreement.
Fortify Intelligence authorised analysts — who process your data in the course of their duties, subject to confidentiality obligations and access controls.

Fortify Intelligence will not transfer your personal data outside the United Kingdom.

9. How Long We Keep Your Data

Data is retained under a tiered retention framework based on the nature and frequency of reported incidents:

First report — no further incidents: your name, date of birth, and facial image will be shared with Clients for 3 months from the date of the report. If no further report is received in that period, your data will be withdrawn from Clients. It will be retained in our restricted database (accessible only to authorised Fortify Intelligence personnel) for a further 12 months, after which it will be irrevocably deleted if no further incidents are reported.
Second report within the 3-month period: your data will be shared with Clients for a further 12 months from the date of the second report. You may also be excluded from all Client premises for 12 months. If no further reports are received, your data will be withdrawn from Clients at the end of that period and retained in our restricted database for a further 12 months, after which it will be irrevocably deleted.
Prolific or ongoing offending (3 or more reports): data is retained and shared with Clients for as long as active offending continues. Retention is subject to an annual review. Data will be deleted when continued retention is no longer justified.
Civil recovery proceedings: data shared for civil recovery will be retained for the duration of proceedings and for 6 years thereafter, in accordance with the Limitation Act 1980.
ANPR vehicle data not linked to an investigation: retained for up to 2 years on a rolling basis.
Facial matching source images: deleted on conclusion of the investigation unless required for ongoing legal proceedings.

All retention periods are reviewed annually. Data will not be retained beyond these periods unless there is a specific legal obligation or ongoing legal proceedings requiring it. When no longer required, data is irrevocably and securely deleted.

10. Your Rights

You have the following rights under UK GDPR in relation to the personal data Fortify Intelligence holds about you. Please note that some of these rights are subject to exemptions — in particular, the DPA 2018 contains exemptions where processing is for the prevention or detection of crime. Where an exemption applies, we will explain this in our response.

Right of access (Subject Access Request) — you have the right to obtain a copy of the personal data we hold about you. To make a request, contact us at the details below. You may be asked to provide proof of identity. We will respond within one calendar month.
Right to rectification — if you consider any personal data we hold about you to be inaccurate, unnecessary or disproportionate, you can ask us to correct it. Note that you do not have the right to require us to delete correct, necessary, and proportionate data about your offending behaviour.
Right to restrict processing — in certain circumstances, you may ask us to restrict how we use your data while a dispute is being resolved.
Right to object — you have the right to object to processing based on legitimate interests. We will consider your objection against our compelling legitimate grounds for processing.
Right not to be subject to solely automated decisions — Fortify Intelligence does not make solely automated decisions with legal effect. All intelligence outputs are reviewed by a qualified human analyst.

Contact for Rightsinfo@fortifyintelligence.co.uk

Response TimeWithin one calendar month of receipt of a valid request

You also have the right to complain about our processing to the Information Commissioner's Office (ICO). You can submit a complaint at ico.org.uk/concerns/handling or by calling 0303 123 1113.

We will provide you with full documentation to demonstrate our compliance with data protection law in response to any valid request.

Privacy NoticeFor Individuals (Offenders)