Trust Centre
Fortify Intelligence operates at the intersection of technology, intelligence, and law. Our commitment to responsible data handling is foundational — not an afterthought. This Trust Centre sets out how we protect personal data, what legal frameworks govern our work, and how to exercise your rights.
ICO Registration
Fortify Intelligence Ltd is registered with the Information Commissioner's Office (ICO) as required under the Data Protection Act 2018. Any organisation that processes personal data must register unless an exemption applies.
How We Protect Your Data
Data protection is embedded in how we design and deliver our services. These are the core commitments that underpin our approach.
All personal data processing is conducted in accordance with the UK General Data Protection Regulation and the Data Protection Act 2018.
Fortify Intelligence Ltd is registered with the Information Commissioner's Office (ICO) as a data controller, as required by the Data Protection Act 2018.
We collect and retain only the personal data that is strictly necessary for the specific intelligence or investigation purpose, and delete it when no longer required.
We conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities, including our Facial Matching Engine and ANPR operations.
All staff handling personal data receive regular data protection training. Our analysts hold relevant professional experience from policing and security backgrounds.
We honour all data subject rights under UK GDPR, including subject access requests, rectification, and erasure, subject to applicable law enforcement exemptions.
Legal Basis for Processing
UK GDPR requires that every processing activity has a lawful basis. The table below sets out the basis on which we process personal data for each of our key services.
| Service | Lawful Basis | Data Category | Notes |
|---|---|---|---|
| Facial Matching Engine | Substantial Public Interest (DPA 2018, Sch. 1, Pt. 2) + Legal Claims (Art. 9(2)(f)) | Biometric processing for retrospective identification in business crime investigations. DPIA in place. | |
| ANPR Network | Legitimate Interests (Art. 6(1)(f)) | Vehicle registration data for the prevention and detection of business crime. LIA conducted. | |
| Prevention Intelligence Alerts | Legitimate Interests (Art. 6(1)(f)) | Intelligence shared with subscriber businesses to prevent known offenders from committing further offences. | |
| Civil Recovery Support | Legal Claims (Art. 9(2)(f)) / Legitimate Interests (Art. 6(1)(f)) | Data enrichment and background checks to support civil recovery proceedings . | |
| Investigation Services | Legitimate Interests (Art. 6(1)(f)) / Legal Obligation (Art. 6(1)(c)) | Processing to support client investigations and obligations to cooperate with law enforcement. | |
| Client Relationship Management | Contract (Art. 6(1)(b)) | Processing necessary to fulfil contractual obligations to business clients. |
Where we rely on legitimate interests, we have conducted a Legitimate Interests Assessment (LIA) to balance our interests against the rights of data subjects. Copies are available on request.
Responsible Use of Facial Matching
Our Facial Matching Engine processes biometric data — specifically facial images — to retrospectively identify individuals involved in business crime incidents. This is among the most sensitive processing we undertake, and we apply the highest standard of safeguards.
- DPIA completed and kept under review
- Processing used only for retrospective investigation, not real-time surveillance
- No automated decisions with legal effect — all matches reviewed by a qualified human analyst
- Data sourced from clients or lawfully obtained intelligence databases
- Images retained only for the duration of the active investigation
- Access restricted to authorised personnel with professional accountability
- Regular audits of matching accuracy and any potential bias
Biometric data constitutes special category data under Article 9 UK GDPR. We process it under Schedule 1, Part 2 of the Data Protection Act 2018 (substantial public interest — prevention of unlawful acts) and Article 9(2)(f) (legal claims). Our lawful processing condition is documented and available to data subjects and the ICO upon request.
Automatic Number Plate Recognition
Our ANPR network spans 5,000+ sites across the United Kingdom, including petrol forecourts, shopping centres, and retail car parks. Vehicle registration data is processed to support business crime prevention and investigations.
- Processing underpinned by a Legitimate Interests Assessment (LIA)
- Data shared only with subscribing clients in connection with specific incidents
- Standard retention period of up to 2 years unless linked to an active investigation
- Access controls in place to prevent misuse
- ANPR sites operate in compliance with applicable road traffic and surveillance legislation
Vehicle movements in publicly accessible car parks are processed under legitimate interests. Individuals can object to this processing by contacting us. We will assess any objection against the compelling legitimate grounds for processing.
Exercising Your Data Rights
Under UK GDPR you have specific rights regarding your personal data. We are committed to honouring these rights, subject to the exemptions that apply to crime prevention and detection.
Request a copy of the personal data we hold about you.
Response within 1 monthAsk us to correct inaccurate or incomplete personal data we hold about you.
Response within 1 monthRequest deletion of your personal data where it is no longer necessary or where you have withdrawn consent.
Response within 1 monthObject to processing based on legitimate interests. We will assess your objection against our compelling grounds.
Response within 1 monthAsk us to pause processing of your data in certain circumstances, for example while a dispute is being resolved.
Response within 1 monthRaise a complaint with us directly, or escalate to the ICO if you are not satisfied with our response.
ico.org.uk · 0303 123 1113To submit a data rights request or raise a concern, contact us at: info@fortifyintelligence.co.uk
Note: The Data Protection Act 2018 includes exemptions for personal data processed for the purposes of the prevention or detection of crime, the apprehension or prosecution of offenders, and the assessment or collection of a tax or duty. Where an exemption applies, we will explain this in our response to your request.
Our Policies
How we collect, use, retain, and protect personal data across all our services.
Read policyWhat cookies we use on this website, why we use them, and how to manage your preferences.
Read policyFull processing documentation for offender data — legal basis, DPIA, LIA, retention schedules, and Appropriate Policy Document.
Read policyHow we process personal data belonging to client contacts and subscribers, and their rights.
Read policyHow we process personal data about individuals involved in business crime incidents, and their rights.
Read policyData Protection Enquiries
If you have a question about how we handle your personal data, wish to exercise a right, or want to raise a concern, please contact us. We aim to respond to all data protection enquiries within five working days.