Effective Date: 9 April 2026
Last Updated: 9 April 2026
Version: 1.0
01 Introduction
This Privacy Policy explains how Vanti Ltd (Company No. 00650255), trading as "Smart Core", with its registered office at 10 Bonhill St, London EC2A 4PE ("Vanti", "Smart Core", "we", "us", or "our"), collects, uses, stores, shares, and protects Personal Data in connection with our Smart Core platform and services.
Smart Core provides intelligent building management solutions, including the Smart Core Connect cloud platform and the SC-BOS (Smart Core Building Operating System). Our services involve the processing of data from building systems, IoT devices, sensors, and associated user accounts.
We are committed to protecting the privacy and security of Personal Data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).
1.1 Data Controller
For the purposes of this Privacy Policy:
§ Vanti as Controller: Vanti is the Data Controller in respect of Personal Data processed for its own purposes, including website visitors, prospective customers, account administration, billing, and service improvement.
§ Customer as Controller: Our enterprise customers ("Customers") are the Data Controllers in respect of Personal Data processed through the Smart Core platform on their behalf, including building occupant data, access control data, and IoT sensor data that may identify individuals. In these cases, Vanti acts as a Data Processor on behalf of the Customer, governed by our Data Processing Agreement(DPA).
1.2 Data Protection Officer
Our Data Protection Officer is:
Jason Brameld
Email: dpo@vanti.co.uk
Address: Vanti Ltd, 10 Bonhill St, London EC2A 4PE
02 Personal data we collect
We collect and process the following categories of Personal Data:
2.1 Account and Contact Data
Data provided when creating or managing a Smart Core account:
Data Type
Details
Data Source
Identity data
Full name, display name, username
Directly from user
Contact data
Email address, telephone number
Directly from user
Professional data
Job title, company/organisation name, department
Directly from user
Authentication data
Password hash (cryptographically hashed, not stored in plaintext), WebAuthn/passkey credentials, 2FA seed (encrypted at rest)
Generated during registration
Account metadata
Account creation date, last login, account type (user/service), role assignments
System-generated
Profile data
Profile picture, preferences, notification settings
Directly from user
2.2 Building Occupant and Visitor Data
Data processed through the Smart Core platform on behalf of our Customers (Vanti acts as Processor):
Data Type
Details
Data Source
Access control data
Name, email, company affiliation, badge/card ID, entry/exit times, door locations, access granted/denied decisions, entry codes, QR codes
Legitimate interests / Contract
Occupancy data
Zone/floor occupancy counts, entry/exit event counts with timestamps
Legitimate interests
Vehicle data (ANPR)
Vehicle registration plates, vehicle make, model, colour, year, country/area
Legitimate interests / Legal obligation
Actor/person data
Display name, email, company, vehicle registration, employee ID, external system IDs, profile picture
Contract / Legitimate interests
Security event data
Access denied events, incorrect PIN attempts, duress signals, door forced open, tamper detection, invalid logon attempts
Legitimate interests / Legal obligation
Visitor management data
Visitor name, company, host, purpose of visit, check-in/check-out times
Legitimate interests / Contract
2.3 IoT and Building Telemetry Data
Environmental and operational data from building systems (typically not Personal Data, but may become so when combined with other data):
Data Type
Details
Environmental data
Temperature, humidity, air quality (CO2, particulates), sound levels, pressure
Energy data
Electrical demand, meter readings, water/gas consumption
Device data
Device status, health, firmware versions, connectivity status
Lighting data
Light levels, emergency light status, lighting test results
HVAC data
Heating/cooling setpoints, fan speeds, valve positions
Space utilisation
Meeting room booking vs actual occupancy, desk utilisation
Waste management
Waste bin fill levels
2.4 Technical and Usage Data
Data generated through use of the Smart Core platform:
Data Type
Details
Device information
Browser type, operating system, device type, screen resolution
Network data
IP address, connection type
Usage data
Pages visited, features used, clicks, time on page
Log data
API requests, error logs, performance metrics
Session data
Session identifiers, authentication tokens (JWT)
Mobile app data
Device model, OS version, push notification tokens, app version
2.5 Communication Data
Data Type
Details
Support communications
Support tickets, emails, chat transcripts
Notifications
Alert notifications, system emails, in-app messages
Feedback
Survey responses, product feedback, feature requests
2.6 Payment and Billing Data
Data Type
Details
Billing information
Company name, billing address, VAT number
Transaction records
Invoice amounts, payment dates, payment method type
Note: We do not store full payment card numbers. Payment processing is handled by third-party payment processors.
03 How we collect personal data
We collect Personal Data through:
§ Direct provision: When you create an account, contact us, or submit information through our platform.
§ Automated collection: Through cookies, analytics tools, and server logs when you interact with our services.
§ Building systems: Through IoT devices, sensors, access control systems, and other building infrastructure connected to the Smart Core platform.
§ Third-party sources: From identity providers (SSO/OIDC), Microsoft Graph (where authorised by Customer), and publicly available business contact information.
§ Customer provision: When enterprise customers upload or integrate data into the platform.
04 Legal bases for processing
We process Personal Data under the following legal bases (Article 6, UK GDPR):
4.1 Where Vanti is the Data Controller
Data Type
Legal Basis
Detail
Account creation and management
Contract (Art. 6(1)(b))
Necessary to provide the requested services
Billing and invoicing
Contract (Art. 6(1)(b))
Necessary to perform the contract
Customer support
Contract (Art. 6(1)(b))
Necessary to provide support services
Service improvement and analytics
Legitimate Interests (Art. 6(1)(f))
See Legitimate Interests Assessment below (Section 4.3)
Security monitoring
Legitimate Interests (Art. 6(1)(f))
See Legitimate Interests Assessment below (Section 4.3)
Marketing communications
Consent (Art. 6(1)(a))
Only with explicit opt-in consent
Legal compliance
Legal Obligation (Art. 6(1)(c))
Compliance with UK laws and regulations
Aggregated analytics and benchmarking
Legitimate Interests (Art. 6(1)(f))
Creating anonymised, aggregated insights
4.3 Legitimate Interests Assessment
Where we rely on legitimate interests as a legal basis, we have conducted a balancing test for each processing activity:
Service Improvement and Product Analytics
§ Legitimate interest: Improving the reliability, performance, and usability of the Smart Core platform for all customers. This includes analysing feature adoption patterns, monitoring error rates and API performance, reviewing user journey flows, and conducting session-level product analysis to identify UX issues.
§ Necessity: Product analytics are necessary to identify bugs, optimise performance, and prioritise feature development. Without this data, improvements would rely on anecdotal feedback alone, resulting in a poorer service for all customers.
§ Less intrusive alternatives considered: (i) Opt-in only analytics rejected because low adoption rates would produce unrepresentative data; (ii) Sampling rather than full collection: adopted where feasible for high-volume telemetry data; (iii) Fully anonymised analytics: adopted for aggregate reporting, but session-level analysis requires pseudonymised data to trace user journeys.
§ Balancing test: The data processed is limited to platform interaction data (pages visited, features used, performance metrics). No building occupant data, access control records, or sensor data is used for product analytics. Data is pseudonymised and access is restricted to the product and engineering teams. Data subjects (platform users) would reasonably expect that a SaaS provider monitors how its platform is used. The impact on privacy is minimal and proportionate to the benefit of a better product.
§ Safeguards: Data minimisation (only interaction data collected); pseudonymisation; access restricted to authorised personnel; retention limited to 6 months for raw data; aggregated for longer-term trends.
Security Monitoring
§ Legitimate interest: Protecting the Smart Core platform, Customer Data, and building systems from unauthorised access, cyber attacks, and security threats. This includes monitoring authentication events (failed logins, brute force detection), API abuse and rate limit violations, network anomaly detection, privilege escalation attempts, and maintaining audit trails for forensic investigation.
§ Necessity: As a platform managing physical building security (access control, ANPR, occupancy), the consequences of a security breach extend beyond data loss to physical safety. Comprehensive security monitoring is essential and cannot be achieved through less intrusive means.
§ Less intrusive alternatives considered: (i) Reactive-only security (investigate after incidents): rejected as inadequate given the physical safety implications; (ii) Reduced logging scope: rejected because partial logs are insufficient for forensic investigation; (iii) Shorter retention of security logs: adopted where the data type permits (system logs at 6 months), but security events retained for 36 months to support regulatory investigation timelines.
§ Balancing test: Security monitoring processes technical data (IP addresses, authentication events, API patterns) rather than content data. Platform users have a strong interest in the security of a system that manages their building access and physical safety. The privacy impact is low relative to the significant security benefits, and monitoring does not extend to the substance of Customer Data or individual user behaviour.
§ Safeguards: Monitoring is system-level (performance, authentication, network) not content-level; access to security logs restricted to security team; data minimisation applied; retention periods proportionate to risk.
4.4 Where Vanti is the Data Processor
Where we process Personal Data on behalf of our Customers (e.g., building occupant data, access control records, ANPR data), our Customers are responsible for identifying and documenting the applicable legal basis. Our processing is governed by the Data Processing Agreement executed with each Customer.
05 How we use personal data
5.1 Service Delivery
§ Providing, maintaining, and improving the Smart Core platform
§ Authenticating users and managing access permissions
§ Processing and displaying building data, alerts, and analytics
§ Enabling IoT device integration and automation
§ Delivering notifications and alerts
§ Providing technical support
5.2 Security and Fraud Prevention
§ Monitoring for unauthorised access or suspicious activity
§ Detecting and preventing security threats
§ Enforcing our Terms of Service and Acceptable Use Policy
§ Maintaining audit logs for security investigations
5.3 Product Development
§ Analysing usage patterns to improve features (using aggregated/anonymised data)
§ Testing new features and functionality
§ Identifying and fixing bugs
5.4 Communications
§ Sending service-related notices (maintenance, security alerts, account updates)
§ Responding to support enquiries
§ Marketing communications (with consent only)
5.5 Legal and Compliance
§ Complying with legal obligations
§ Responding to lawful requests from authorities
§ Establishing, exercising, or defending legal claims
06 Data sharing and recipients
6.1 Sub Processors
A full and current list of our sub-processors is maintained as a separate Sub-Processor Register and is available upon request from your account manager or our Data Protection Officer. The authoritative and up-to-date register is set out in the Data Processing Agreement (DPA) executed with each Customer. Where a Customer's DPA specifies a different or more detailed sub-processor list, that list takes precedence.
6.2 No Sale of Personal Data
We do not sell Personal Data to third parties. We do not share Personal Data with third parties for their own marketing purposes.
07 International transfers
7.1 UK Data Residency
Our primary hosting infrastructure is located in the United Kingdom (Microsoft Azure UK South and UK West regions). We process and store the majority of Personal Data within the UK.
7.2 Transfers Outside the UK
Certain sub-processors may process Personal Data outside the UK. Where this occurs, we ensure that appropriate safeguards are in place, including:
§ UK Adequacy Decisions: Transfers to countries recognised by the UK Secretary of State as providing adequate data protection.
§ UK International Data Transfer Agreement (UK IDTA): Standard contractual clauses approved by the ICO.
§ UK Addendum to EU SCCs: Where applicable, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses.
7.3 Transfer Impact Assessment
We conduct Transfer Impact Assessments for transfers to countries without an adequacy decision, considering the legal framework and enforcement practices of the recipient country.
08 Data retention
8.1 Retention Periods
Retention periods for all categories of Personal Data are set out in full in the Data Processing Agreement (DPA) executed with each Customer. The DPA contains the authoritative retention schedule and takes precedence over any indicative periods published elsewhere. Customers who have not yet executed a DPA should contact their account manager for the applicable default retention schedule.
Retention periods for all categories of Personal Data are set out in full in the Data Processing Agreement (DPA) executed with each Customer. The DPA contains the authoritative retention schedule and takes precedence over any indicative periods published elsewhere. Customers who have not yet executed a DPA should contact their account manager for the applicable default retention schedule.
8.2 Customer-Specific Retention
Enterprise customers may negotiate specific retention periods in their Data Processing Agreement. Customer-specified retention periods take precedence over the defaults above.
8.3 Deletion
When the retention period expires, or upon Customer request (subject to legal obligations), Personal Data is securely deleted or irreversibly anonymised. Our deletion processes comply with NIST SP 800-88 guidelines for media sanitisation.
09 Data security
9.1 Technical Measures
§ We implement appropriate technical and organisational security measures to protect Personal Data against unauthorised access, loss, or disclosure. The full description of our technical and organisational measures (TOMs) — including encryption standards, access controls, authentication mechanisms, and incident response procedures — is set out in the Data Processing Agreement (DPA) executed with each Customer. The DPA contains the authoritative and most detailed version of our security controls; in the event of any inconsistency between this Policy and the DPA, the DPA takes precedence.
9.2 Organisational Measures
§ Our organisational measures — including staff training, access management, incident response, and vendor due diligence — are documented in full in the Data Processing Agreement (DPA). Customers may request a copy of our current security summary from their account manager.
9.3 SC-BOS On-Premises Security
For SC-BOS deployments on Customer premises:
§ Customer is responsible for the physical security of the hosting environment
§ Vanti provides secure-by-default configurations with TLS enabled
§ PKI certificate enrollment for node authentication
§ Open Policy Agent (OPA) policy engine for granular access control
§ Audit logging of all authentication and authorisation decisions
010 Your rights
10.1 Data Subject Rights
Under the UK GDPR, you have the following rights in relation to your Personal Data:
Right of access (Art. 15)
Request a copy of your Personal Data and information about how it is processed
Right to rectification (Art. 16)
Request correction of inaccurate or incomplete Personal Data
Right to erasure (Art. 17)
Request deletion of your Personal Data (subject to legal obligations)
Right to restriction (Art. 18)
Request restriction of processing in certain circumstances
Right to data portability (Art. 20)
Receive your Personal Data in a structured, machine-readable format
Right to object (Art. 21)
Object to processing based on legitimate interests or for direct marketing
Rights related to automated decision-making (Art. 22)
Not be subject to decisions based solely on automated processing with legal or significant effects
Right to withdraw consent
Withdraw consent at any time (where processing is based on consent)
10.2 Building Occupants and Visitors
If you are a building occupant, visitor, or other individual whose Personal Data is processed through the Smart Core platform on behalf of a Customer, you should direct your data subject rights requests to the relevant Customer (as the Data Controller). We will assist our Customers in responding to such requests in accordance with our Data Processing Agreement.
10.3 How to Exercise Your Rights
To exercise any of your rights where Vanti is the Data Controller, please contact Vanti’s Data Protection Officer :
Email: dpo@vanti.co.uk
Address: Vanti Ltd, 10 Bonhill St, London EC2A 4PE
We will respond to your request within one (1) month. This period may be extended by a further two (2) months where requests are complex or numerous, in which case we will inform you of the extension within the initial one-month period.
We will ask you to verify your identity before processing your request.
10.4 Right to Complain
If we have not complied with our obligations, and you have attempted to resolve these without success, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: https://ico.org.uk/make-a-complaint/
ICO Registration Number: ZA068925
011 Automated decision-making
11.1 Smart Core Platform
The Smart Core platform includes automated processing capabilities, such as:
§ Automated alerts: System-generated alerts based on sensor thresholds, device failures, or security events
§ Access control decisions: Automated grant/deny decisions based on configured access policies
§ Automation rules: Customer-configured rules for HVAC, lighting, and other building systems
These automated processes are configured and controlled by the Customer (as Data Controller). Vanti provides the platform capability but does not make independent automated decisions about individuals.
11.2 No Profiling
We do not use Personal Data for automated profiling that produces legal effects or similarly significant effects on individuals.
012 Guidance for building occupants
12.1 Building Occupant Privacy Notices
Vanti recognises that the most sensitive data subjects — building occupants, visitors, and other individuals whose movements and access are tracked — typically do not have a direct relationship with Vanti. These individuals interact with the Smart Core platform indirectly, through the buildings they occupy or visit.
Our Customers (as Data Controllers) are responsible for informing these individuals about the processing of their personal data. To support our Customers, Vanti provides:
a) a template Building Privacy Notice that Customers can customise and display in their buildings, covering the specific data types processed by Smart Core (access control, occupancy monitoring, ANPR where applicable);
b) guidance on signage requirements, particularly for ANPR cameras and occupancy sensors;
c) information about data subject rights and how building occupants can exercise them through the Customer;
d) support in responding to data subject access requests relating to building data.
e) Customers may request these materials from their account manager.
12.2 Opt-Out and Data Minimisation for Building Occupants
The availability of opt-out mechanisms for building occupants depends on the Customer's configuration of the Smart Core platform:
§ Core access control: Logging of entry/exit events is inherent to the security function and cannot typically be opted out of while maintaining building access.
§ Occupancy monitoring: Customers may configure occupancy sensors to collect aggregate counts only (not linked to individuals), reducing the privacy impact.
§ ANPR: Where deployed, ANPR processing applies to all vehicles entering the monitored area. Customers should ensure appropriate signage is displayed.
§ Optional features: Some features (e.g., desk booking, personalised environmental preferences) are optional and can be declined by individual occupants.
Customers are encouraged to adopt a data minimisation approach and only enable the processing activities necessary for their specific building management requirements.
013 Children's data
The Smart Core platform is an enterprise B2B service not directed at children. We do not knowingly collect Personal Data from children under the age of 18. If we become aware that we have collected Personal Data from a child, we will take steps to delete it promptly.
014 Cookies and similar technologies
For detailed information about the cookies and similar technologies we use, please see our separate Cookie Policy].
015 Changes to this policy
15.1 Updates
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:
§ Posting the updated policy on our website with a new "Last Updated" date
§ Sending an email notification to registered account holders.
§ Providing in-app notification.
15.2 Review
We review this Privacy Policy at least annually to ensure it remains accurate and up to date.
016 Contact us
If you have any questions about this Privacy Policy or our data protection practices, please contact Vanti’s Data Protection Officer:
Email: dpo@vanti.co.uk[JB10]
Vanti Ltd (trading as Smart Core)
10 Bonhill St
London EC2A 4PE
United Kingdom
This Privacy Policy was prepared on 9 April 2026 and should be reviewed by qualified legal counsel before publication.