Privacy Policy

Vioo SAS ("Vioo", "we", "us") operates an AI-powered retail intelligence platform that helps businesses understand customer behaviour through computer vision analytics. This Privacy Policy explains how we collect, process, and protect personal data in connection with our platform and website (vioo.ai).

We are committed to full compliance with the General Data Protection Regulation (GDPR – EU 2016/679) and Morocco's Law 09-08 on the Protection of Individuals with Regard to Processing of Personal Data, as overseen by the Commission Nationale de contrôle de la Protection des Données à caractère personnel (CNDP).

Data Controller (for website visitors and prospective clients):

Data Processor (for our B2B clients): When our clients deploy Vioo cameras in their retail premises, our clients are the data controllers for in-store visitor data. Vioo acts as a data processor under a written Data Processing Agreement (DPA). We only process such data on documented instructions from our clients.

Vioo was built with privacy as a foundational principle, not an afterthought:

• No facial recognition. We do not identify, profile, or re-identify any individual by face.
• Anonymisation at source. All camera footage is processed locally. The output is anonymous movement trajectories and statistical aggregates — not video recordings sent to the cloud.
• Data minimisation. We collect only what is strictly necessary for the analytics service.
• Purpose limitation. Data collected for footfall analysis is never used for any other purpose.

4.1 Website & Demo Request Form

When you submit a demo request on vioo.ai, we collect:

• First name, last name, email address, phone number
• Job title, country
• Message content
• IP address and browser metadata (standard server logs)

Legal basis: Legitimate interest (responding to a business enquiry) and, where applicable, performance of a pre-contractual step (Art. 6(1)(b) GDPR / Art. 4 Law 09-08).

4.2 Platform Users (Authenticated Accounts)

For users with a Vioo account (retail operators, security staff), we process:

• Name, email address, role, and organisational affiliation
• Login timestamps and session activity
• Alert review actions and decisions (audit trail)

Legal basis: Performance of a contract (Art. 6(1)(b) GDPR).

4.3 In-Store Analytics Data (Processed on Behalf of Clients)

Our platform processes anonymised movement data captured by cameras installed in client premises. This data consists of:

• Anonymous trajectory vectors and dwell time statistics
• Zone entry/exit counts
• Behavioural event classifications (e.g. queue alerts)

No biometric data is processed. The data controller for this processing is the deploying retail client.

We do not sell, rent, or trade personal data. We may share data with:

• Sub-processors: Cloud infrastructure (Microsoft Azure), email delivery (Resend), and monitoring tools — all bound by GDPR-compliant DPAs.
• Professional advisors: Legal, financial, or audit firms under confidentiality obligations.
• Authorities: Only where required by applicable law or court order.

A current list of sub-processors is available on request at privacy@vioo.ai.

Our infrastructure is hosted in the France Central Region. Where data is transferred outside the EEA, we rely on the EU Standard Contractual Clauses (SCCs) as the legal transfer mechanism. For Morocco-based data subjects, transfers are governed by CNDP-approved safeguards under Law 09-08.

• Demo request data: 24 months from last interaction.
• Platform account data: Duration of the contract + 12 months.
• Audit logs: 36 months (security and compliance).
• In-store analytics data: As defined in the client DPA (typically 90 days for raw aggregates).

After the applicable retention period, data is securely deleted or anonymised.

Under GDPR and CNDP Law 09-08, you have the right to:

• Access — obtain a copy of your personal data
• Rectification — correct inaccurate data
• Erasure — request deletion ("right to be forgotten")
• Restriction — limit processing in certain circumstances
• Portability — receive your data in a structured, machine-readable format
• Objection — object to processing based on legitimate interest
• Withdraw consent — at any time, without affecting prior processing

To exercise any right, email privacy@vioo.ai. We respond within 30 days.

You may also lodge a complaint with your supervisory authority: the CNIL (France), your local EU DPA, or the CNDP (Morocco, www.cndp.ma).

We implement appropriate technical and organisational measures including:

• TLS 1.3 encryption in transit; AES-256 encryption at rest
• Role-based access control (RBAC) with tenant isolation
• Audit logging of all data access and alert review actions
• Regular security assessments and penetration testing

Our website uses strictly necessary cookies for session management and authentication. We do not use advertising or third-party tracking cookies. You can manage cookies through your browser settings.

We may update this policy to reflect changes in law or our practices. We will notify registered users by email and update the "Last updated" date above. Continued use of the platform after changes constitutes acceptance.