CRIMR PRIVACY POLICY

Last updated: November 24th, 2025

This Privacy Policy explains how Detective Analytics, doing business as CRIMR (“CRIMR,” “we,” or “us”), collects, uses, discloses, and safeguards personal information in connection with the CRIMR platform and related services (the “Service”).

This Privacy Policy is separate from, and in addition to, the CRIMR Terms of Service available at https://crimr.com/terms.

By using the Service, or by having your information submitted into the Service by a participating organization, you acknowledge that your information will be handled as described in this Privacy Policy.

Important: Many types of data in CRIMR are entered by organizations (such as retailers or agencies) about other people (for example, employees, customers, suspects, or witnesses). In most cases, those organizations are the “controller” of that data, and CRIMR processes it on their behalf as a “processor” or “service provider.” Your rights may depend on your relationship with that organization and applicable law.

1. SCOPE AND ROLES

This Privacy Policy applies to:

  • Organizations using CRIMR (our “Customers”) and their authorized users (e.g., admins, loss-prevention staff, security personnel, police users).

  • Individuals whose information is entered into CRIMR, including but not limited to:

    • employees and internal subjects in Internal Incidents;

    • external subjects, customers, or other persons in External Incidents (Customer / Public Incidents);

    • witnesses, victims, and other involved persons.

1.1 Controller vs. Processor

  • For most incident-related data, CRIMR acts as a processor/service provider to the Customer that collected and entered the data. That Customer is generally responsible for:

    • determining the legal basis for processing;

    • providing any required notices; and

    • handling data subject rights requests.

  • For account data, billing, analytics, security monitoring, and CRIMR’s own marketing, CRIMR usually acts as an independent controller, determining the purposes and means of processing for those activities.

If you have questions or requests about incident information entered about you by a specific organization, you may need to contact that organization directly.

2. INFORMATION WE COLLECT

We may collect the following categories of information.

2.1 Account and Organization Information

From Customers and their authorized users:

  • Name, email address, phone number.

  • Organization name, location(s), and contact details.

  • Role or job title and permissions within the Service.

  • Authentication and security credentials (e.g., SSO identifiers, login logs).

2.2 Incident and Case Information

From Customers and their users, we process information related to incidents and cases, which may include:

  • Incident metadata:

    • date, time, and location of the incident;

    • incident type and category (e.g., External Incident / Customer / Public Incident, Internal Incident, accident);

    • incident severity and status;

    • values related to loss, theft, damage, or recovery.

  • Individuals involved:

    • names, aliases, or other identifiers;

    • contact details such as address, phone number, email (where provided);

    • descriptions such as physical descriptions or behavioral notes;

    • employee IDs and internal identifiers (for employees and internal subjects);

    • relationships to the incident (e.g., suspect, subject, employee, witness, victim).

  • Narratives and notes:

    • free-text descriptions and narratives entered by users;

    • manager notes and acknowledgement notes for internal incidents.

  • Media and files:

    • photos, video stills, CCTV screenshots, and other uploaded images or files;

    • documents attached to incidents (for example, police reports or internal reports).

  • External Incidents (Customer / Public Incidents):

    • information intended to be shared with other organizations and law-enforcement Agencies (as described below), which may include subject and vehicle descriptions, images, incident details, and related metadata.

2.3 Device and Usage Data

When users interact with the Service, we may automatically collect:

  • IP address and approximate location.

  • Device and browser information.

  • Log data (e.g., pages viewed, actions taken, timestamps).

  • Session information, cookies, and similar technologies used for authentication, security, and usage analytics.

2.4 Information from Third Parties

We may receive information about users or incidents from:

  • Customers importing data from prior systems or other tools.

  • Integrated services (such as identity providers, HR systems, or other case management tools).

  • Law-enforcement Agencies that use the Service and share additional data.

3. HOW WE USE INFORMATION

We use information for the following purposes:

3.1 To Provide and Operate the Service

  • Creating and managing Customer accounts and user profiles.

  • Allowing users to create, view, update, and manage incidents and cases.

  • Enabling workflows, approvals, notifications, and exports.

  • Providing support and troubleshooting.

3.2 External Incident Network Sharing

For External Incidents (Customer / Public Incidents), we use incident information to:

  • power the Network Sharing Features, which allow participating organizations to share External Incident information and identify repeat offenders and patterns;

  • connect potentially related incidents across locations or organizations;

  • support community safety and loss-prevention collaboration.

The specific fields shared may depend on the configuration selected by CRIMR or the Customer.

3.3 Law-Enforcement Access

We use incident data to provide Law-Enforcement Access Features, enabling authorized Agencies to:

  • access External Incidents relevant to the locations or jurisdictions they serve;

  • review incident details, narratives, media, and descriptors necessary to support investigations and public safety activities;

  • receive supporting information submitted by participating organizations.

3.4 Security, Fraud Prevention, and Integrity

  • Securing the Service, monitoring for suspicious or unauthorized activity, and preventing misuse.

  • Detecting and preventing fraud, abuse, or violations of our Terms of Service.

  • Investigating potential incidents involving safety or security.

3.5 Analytics and Product Improvement

  • Understanding how the Service is used to improve features and performance.

  • Creating aggregated and anonymized statistics (for example, trends, volumes, and patterns) that do not identify individuals or Customers.

  • Developing new features and offerings.

3.6 Communications

  • Sending service-related communications (e.g., security alerts, system updates, feature announcements) to Customer admins and users.

  • Responding to support inquiries and requests.

  • Where permitted by law, sending marketing or promotional communications about CRIMR to Customer admins or prospective customers (with the ability to opt out).

3.7 Legal, Compliance, and Safety

  • Complying with legal obligations and responding to lawful requests.

  • Enforcing our Terms of Service and other policies.

  • Protecting the rights, property, or safety of CRIMR, Customers, users, and the public.

4. HOW WE SHARE INFORMATION

We may share personal information as follows:

4.1 With Other Organizations via Network Sharing

For External Incidents (Customer / Public Incidents):

  • We share certain incident information with other participating organizations through the Network Sharing Features as a core function of the Service.

  • This may include incident metadata, narratives, subject and vehicle descriptions, and associated media or files, depending on the configuration and product capabilities.

Customers choose whether to use External Incident features and are responsible for entering only information they are legally permitted to share.

4.2 With Law-Enforcement Agencies

We provide authorized Agencies using CRIMR with access to relevant External Incidents within their jurisdiction, including incident details and supporting information, to support public safety and investigations.

We may also disclose information directly to law enforcement or other authorities when required by law or in response to lawful requests.

4.3 With Service Providers

We use third-party service providers to support the Service, such as:

  • cloud hosting providers, data storage, and content delivery networks;

  • authentication, identity, and access management services;

  • analytics and error monitoring;

  • communication tools (e.g., email, SMS providers);

  • payment processors and billing systems.

These service providers are contractually obligated to handle personal information only in accordance with our instructions and applicable data protection laws.

4.4 Business Transfers

If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of our business, personal information may be transferred as part of that transaction, in accordance with applicable law.

4.5 Legal and Safety Disclosures

We may disclose information when we believe in good faith that doing so is:

  • required by law, regulation, or legal process;

  • necessary to respond to lawful requests by public authorities;

  • necessary to protect the rights, property, or safety of CRIMR, our Customers, users, or the public; or

  • necessary to detect, prevent, or address fraud, security, or technical issues.

4.6 With Your Consent

We may share information with third parties for other purposes with your consent or at your direction (for example, when a Customer requests a specific integration).

5. COOKIES AND SIMILAR TECHNOLOGIES

We and our service providers may use cookies, local storage, and similar technologies to:

  • keep you signed in and maintain session security;

  • remember your preferences;

  • understand how the Service is used and improve performance.

You can control cookies through your browser settings, but disabling certain cookies may affect the functionality of the Service.

6. DATA RETENTION

We retain personal information:

  • for as long as necessary to provide the Service and fulfill the purposes described in this Policy;

  • as required by our agreements with Customers; and

  • as required or permitted by law (for example, record-keeping, security, and legal compliance purposes).

Retention periods may differ depending on the type of data and the Customer’s configuration and policies. When we no longer need personal information, we will take steps to delete, anonymize, or aggregate it.

7. INTERNATIONAL TRANSFERS

CRIMR may process and store information in countries other than the country where it was collected, including the United States. These countries may have data protection laws that differ from those in your jurisdiction.

Where required by law, we implement appropriate safeguards (such as standard contractual clauses or equivalent mechanisms) to protect personal information when it is transferred internationally.

8. YOUR RIGHTS AND CHOICES

Your rights regarding personal information may depend on:

  • your location and applicable data protection laws; and

  • whether CRIMR is acting as a controller or a processor for the relevant data.

8.1 If You Are a Direct User of CRIMR

If you have an account with CRIMR as a Customer admin or user, you may:

  • access and update certain account information via the Service;

  • request deletion of your account subject to our contractual obligations to your organization;

  • opt out of marketing emails by using the unsubscribe link in those emails.

Where required by law, you may also have rights to request:

  • access to personal information we hold about you;

  • correction of inaccurate information;

  • deletion or restriction of processing;

  • portability of certain information; and

  • objection to certain processing activities.

To exercise these rights, you can contact us at [privacy@crimr.com] or using the contact details below. We may need to verify your identity before responding.

8.2 If Your Information Is Entered by a Customer (Incident Subjects, Employees, etc.)

If your information has been entered into CRIMR by a Customer (for example, as an employee subject, suspect, witness, or other involved person), the Customer is typically the controller of that data.

In that case:

  • You should direct your request (access, correction, deletion, etc.) to the organization that collected your information (for example, your employer, the store, or the agency).

  • We will support the Customer in responding to valid requests in accordance with our contractual obligations and applicable law.

Where applicable law allows you to contact us directly, we may refer your request to the relevant Customer or work with them to fulfill it.

9. MINOR’S PRIVACY

The Service is not designed for use by minors under the age of 18 in a personal or consumer context. However, incident information about minors may be entered into CRIMR by Customers (for example, as witnesses, victims, or subjects) in the course of law-enforcement, safety, or loss-prevention activities.

If you believe we have collected personal information directly from a child in violation of applicable law, please contact us so we can investigate and take appropriate action.

10. SECURITY

We implement technical and organizational measures designed to protect personal information from unauthorized access, use, alteration, and destruction. These measures may include:

  • encryption in transit;

  • access controls and authentication;

  • logging and monitoring;

  • backups and disaster recovery procedures.

No system can be completely secure, and we cannot guarantee absolute security. Customers also play an important role in protecting data by maintaining strong access controls, managing user accounts, and following security best practices.

11. THIRD-PARTY LINKS AND SERVICES

The Service may include links to third-party websites or integrations with third-party services. This Privacy Policy does not apply to those third parties, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party sites or services you use.

12. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • update the “Last updated” date; and

  • provide notice through the Service, by email, or both, where appropriate.

Your continued use of the Service after an updated Privacy Policy becomes effective indicates that you have read and understood the changes.

13. CONTACT US

If you have questions or concerns about this Privacy Policy or our privacy practices, you can contact us at:

  • Email: dainfo@crimr.com

  • Or via the contact information listed on our website: https://crimr.com