Security & privacy
AI Insights & People processes biometric data — face imagery and the mathematical face references derived from it — alongside member personal data. This page explains what is stored, where, who can see it, how long it lives, how it is deleted, and what you as the operator remain responsible for.
This page covers the people/AI layer; video security (encryption in transit, storage regions, camera isolation, sharing) is covered in CCTV Security & privacy.
What data this feature holds
| Category | Contents |
|---|---|
| Face references | Mathematical face templates in three isolated per-facility collections: identified members, unidentified visitors (shadow profiles), and the blacklist |
| Face imagery | Detection crops, profile photos, and shadow photos, stored under your facility's own storage prefix |
| Detection metadata | Who was seen, when, on which camera — the records behind the timeline and reports |
| Member profile data | Synced from your member management system: identity fields always; optional contact fields (email, mobile phone, address) only when you enable them |
| AI-estimated attributes | Estimated age range, gender, ethnicity, eyewear, and emotion/demeanor per person |
Storage, isolation, and regions
- Per-facility isolation. Each facility has its own face collections — identified, unidentified, and blacklist. Recognition never crosses facilities: a face reference from one site cannot match at another, even within the same brand.
- Regional storage. Face images and AI metadata live in the storage region configured for your facility's CCTV storage — data-residency choices apply to people data the same way they apply to footage.
- Processing split. Cameras and video ingest stay on the Edge Processor at your site; face matching and analysis run in the cloud against your facility's private collections (How it works → What runs where).
Who can access people data
- Roles. People and AI features are available to facility management roles — club manager and administrator level — through the same role/module grants as the CCTV module. Staff without CCTV module access see nothing.
- Feature gating. Every people API additionally checks that the People feature is enabled for the facility; calls otherwise return "People feature is not enabled for this facility".
- Guests are excluded by design. CCTV guest share links can expose cameras, recordings, and playback — but people data and face-detection timelines are explicitly not available to guest tokens. Sharing footage never shares identities.
- MCP. The
insights_*tools enforce the same two layers — the caller needs CCTV module access and the facility needs the People feature — see Integrations & MCP.
AI-estimated attributes: what they are and aren't
Profiles and reports show estimated age, gender, ethnicity, eyewear, and emotion-derived demeanor. Understand their nature:
- They are statistical estimates from imagery, not facts, and not data from your member system. The UI is explicit that AI-tracked information "may not match the data in your member management system."
- They exist for aggregate analytics (demographics in reports, sentiment by zone) and soft per-person context (demeanor). They are never used to grant or deny anything — access-zone rules match membership plans, types, and tags, not estimated attributes.
- Sentiment and demeanor are derived from facial-expression classification, weighted by your Sentiment Scoring context. Treat them as directional signals, not assessments of individuals.
Retention
| Data | Retention |
|---|---|
| AI metadata (face detections, timeline blocks, detection imagery) | The AI Metadata retention category in CCTV Storage & retention — default 24 months, configurable per facility. Expired records and imagery are purged by an automatic cleanup |
| Shadow photos | Kept while the profile exists (they're the person's live recognition reference, not historical footage) — removed when the person is deleted |
| Member profile data | Follows your member sync; disabling an optional field removes its stored values |
| Video footage | Governed separately by CCTV recording retention |
Set AI-metadata retention to match your privacy policy and local law — 24 months is a default, not advice.
Deleting a person's data
Deletion is available at three levels:
- Unidentified people — "Delete this person" (timeline or profile menu) permanently removes the shadow profile: its face references, detection records, and imagery. "This action cannot be undone."
- Members — the profile panel's Advanced accordion: "Permanently remove this member and all associated data from the system. This action cannot be undone." Note that if the member still exists in your member management system, a future sync can recreate the profile — for a genuine right-to-be-forgotten request, remove them from the source system too, then delete here.
- Time-based — the AI-metadata retention cleanup handles the long tail automatically.
The Person Data settings section (Settings → People → Person Data) is the administrative home for these controls. Blacklist entries are removed separately via Settings → Face Recognition → Blacklist Faces.
Operator obligations
Biometric processing is regulated in many jurisdictions (e.g. GDPR in Europe, BIPA in Illinois, the Privacy Act and APPs in Australia). Performance Hub gives you the controls; lawful operation is your responsibility as the operator. In practice:
- Tell people. Signage disclosing camera surveillance and facial-recognition/analytics use; a privacy policy describing what is collected, why, and for how long.
- Have a lawful basis — typically consent gathered at membership sign-up for members. Consider your obligations for non-members (guests, trials) who appear as unidentified profiles.
- Minimise. Only enable optional profile fields you need; only enable People Tracking on cameras where people intelligence has a purpose; never place cameras in privacy-sensitive areas (bathrooms, change rooms).
- Honour deletion requests using the flows above, including the source member system.
- Restrict access — people data follows CCTV module access; grant that role deliberately.
- Review the blacklist and Self Learning queue periodically — both are places where biometric decisions accumulate and deserve human oversight.
Where facial recognition itself isn't appropriate for your jurisdiction or clientele, note that the People feature degrades gracefully: without member photos, people appear as unidentified visitors and the aggregate analytics (zone activity, sentiment, demographics) still function.
Related pages
- CCTV Security & privacy — the video layer
- Storage & retention — regions and the AI Metadata category
- Settings → Person Data — the deletion controls