Data Processing — Retellect

This page summarises how Retellect processes personal data on behalf of its retail customers when the checkout vision platform is deployed in their stores. The binding commercial terms live in the Data Processing Addendum (DPA) signed alongside the Master Services Agreement. This page is a transparent summary — it does not replace the signed DPA.

1. Roles

The retailer running the stores is the data controller. Retellect, SIA is the data processor, acting only on the retailer's documented instructions.

2. Subject matter and duration

Processing of camera and transaction data captured at the retailer's self-checkout and assisted checkout lanes, for the duration of the Services agreement plus any post-termination period agreed in the DPA.

3. Nature and purpose of the processing

Real-time recognition of items at the checkout lane (camera frames analysed on-device).
Generation of recognition events and loss-prevention alerts forwarded to the retailer's systems.
Logging of confirmed transactions used to continuously improve the recognition model.
Operational analytics and dashboards for the retailer's loss-prevention and operations teams.

4. Categories of personal data

Camera frames of the checkout lane, which may incidentally capture shoppers' hands, clothing, and brief moments of presence within the camera's field of view.
Transaction metadata (item codes, weights, timestamps, lane identifiers).
Operator and store-staff identifiers when supplied by the retailer for audit purposes.

Retellect does not perform facial recognition or biometric identification of shoppers. Cameras are positioned to view the scanning area, not customers' faces.

5. Categories of data subjects

Shoppers at the retailer's self-checkout and assisted checkout lanes.
Store staff handling the lane.

6. Sub-processors

Retellect uses a small set of vetted sub-processors to operate the service. The current list:

Sub-processor	Service	Location	Transfer mechanism
Amazon Web Services EMEA SARL	Cloud infrastructure for Retellect Cloud (model management, dashboards, central services)	EU (Frankfurt and Ireland regions)	EU — no transfer; AWS DPA + EU SCCs available
Google LLC (Google Workspace)	Business email, document collaboration, video meetings	EU and US	EU Standard Contractual Clauses + supplementary measures
StrongPoint AS	Self-checkout platform integration on joint retailer deployments	EU (Norway, EEA)	EU/EEA — no transfer

We notify retailer customers in advance of any addition or replacement of sub-processors and provide a reasonable period to object, as set out in the DPA.

7. International transfers

Where a sub-processor processes personal data outside the European Economic Area, transfers are covered by the European Commission's Standard Contractual Clauses (Module 3 — processor to sub-processor) or by an adequacy decision under GDPR Art. 45.

8. Security measures

Access control — role-based access, MFA on all administrative accounts, principle of least privilege.
Encryption — TLS 1.2+ in transit; at-rest encryption on cloud-stored data.
Edge processing — recognition runs on the lane itself; raw camera frames are not streamed to the cloud unless explicitly enabled for a specific purpose agreed with the retailer.
Logging and audit — production access is logged and reviewed.
Personnel — confidentiality undertakings for all staff and contractors with access to systems handling customer data.
Incident response — documented procedures; the retailer is notified without undue delay (and within 72 hours where required by Art. 33 GDPR).

9. Audits

Retellect makes available the information necessary to demonstrate compliance with Art. 28 GDPR and supports reasonable audits, including third-party audit reports where available. Audit scope and frequency are agreed in the DPA.

10. Data return and deletion

On termination of the Services, Retellect returns or deletes personal data processed on behalf of the retailer in accordance with the retailer's instructions and the DPA, subject to any retention required by applicable law.

11. Contact

For questions about Retellect's data processing or to request the current DPA template, write to info@retellect.com.

This page is a public-facing summary. The legally binding obligations between Retellect and a retailer customer are set out in the signed Data Processing Addendum, which prevails in case of any inconsistency.