01 // WHO WE ARE
Sandford Digital Limited ("Sandford Digital", "we", "us", "our") is a company registered in England and Wales. We are the controller of personal data processed through our websites and the Sandford Site Scan spatial triage SDK.
We can be contacted at:
02 // THE SHORT VERSION
Sandford Site Scan is designed to inspect assets, not people. Our system is built to process the condition of physical infrastructure — train carriages, fleet vehicles, facilities — not to identify, track, or profile individuals. Privacy protection is enforced in our capture pipeline before any image reaches an AI model. This is not a policy position. It is an architectural constraint.
- People detected in captured frames are automatically filtered before AI processing
- We do not store raw video or images beyond the active session window unless explicitly configured by the operator
- We do not sell personal data to third parties under any circumstances
- Aggregate trend intelligence is anonymised at regional level — operator identity is never included
- You have the right to access, correct, and erase any personal data we hold about you
03 // WHAT DATA WE COLLECT AND WHY
A. SANDFORD SITE SCAN — MOBILE APPLICATION
The Sandford Site Scan app is an enterprise tool deployed by operators to their staff. When the app is in use, the following data is processed:
| DATA TYPE | PURPOSE | LEGAL BASIS | RETENTION |
|---|---|---|---|
| Camera frames (Base64) | Asset condition assessment via AI vision | Legitimate interests of the operator | Transient — processed and discarded within session unless operator configures retention |
| Spatial anchor metadata | Mapping frame to position on asset | Legitimate interests | Retained as part of session audit trail |
| Session ID and timestamp | Audit trail and dispute resolution | Legitimate interests / legal obligation | 90 days by default. Configurable per operator. |
| AI assessment output | Damage finding and severity scoring | Legitimate interests | 90 days by default. Configurable per operator. |
| License plate (Fleet regime) | Vehicle identification at handover | Legitimate interests of the operator | As per session audit trail |
Person filtering: Prior to any frame being submitted to the AI assessment pipeline, a pre-filter is applied to detect and exclude human subjects. Faces and identifiable personal characteristics are not processed by our AI models. No biometric data is collected, stored, or inferred.
B. CLIENT PORTAL — portal.sandford.digital
Operator and manager accounts on the client portal require the following personal data:
- Name and email address — for account authentication and communications
- Organisation name and role — for access control and audit purposes
- Login timestamps and activity logs — for security and compliance
C. INSIGHTS DASHBOARD — insights.sandford.digital
The Insights platform presents anonymised regional aggregate data only. No personal data about individuals or identifiable operators is presented to third-party subscribers. Account data (name, email, organisation) is collected for authentication purposes only.
D. WEBSITE — sandford.digital
- Contact form submissions — name, email, message — retained for 12 months
- Demo request submissions — retained until the request is fulfilled or declined
- Analytics data — anonymised page view data only. We do not use third-party tracking cookies.
04 // HOW WE USE AI VISION
Sandford Site Scan uses Claude, an AI model developed by Anthropic, to assess asset condition from camera frames. Frames are submitted to Anthropic's API over an encrypted connection. Anthropic's data processing terms apply to this transfer.
We instruct the AI model to:
- Assess the physical condition of the asset surface visible in the frame
- Identify damage, wear, or anomalies against a known baseline condition
- Return a structured JSON assessment — severity, findings, confidence, recommendation
- Ignore and not report on any human subjects, personal belongings, or non-asset objects
The AI model does not make autonomous decisions that have legal or significant effects on individuals. All assessments are reviewed by a human operator before any action is taken. Our use of AI is assistive, not determinative.
05 // OFFLINE PROCESSING
Sandford Site Scan is designed for deployment in signal-dead environments including rail depots and underground facilities. When network connectivity is unavailable:
- Captured frames and metadata are stored locally on the device in an encrypted queue
- No data is transmitted until a confirmed network connection is established
- The local queue is automatically cleared once data has been confirmed as received by our backend
- Locally stored data is protected by the device's native encryption and access controls
06 // WHO WE SHARE DATA WITH
| RECIPIENT | PURPOSE | LOCATION |
|---|---|---|
| Anthropic, Inc. | AI vision processing via Claude API | USA — Standard Contractual Clauses apply |
| Operator clients | Session results and audit trail for their own assets | UK / EU |
| Cloud infrastructure provider | Hosting and data storage | UK / EU only |
| Third-party intelligence subscribers | Anonymised regional aggregate data only — no personal data | UK / EU |
We do not sell, rent, or trade personal data. We do not share personal data with advertisers or data brokers.
07 // HOW LONG WE KEEP DATA
- Session audit trails — 90 days by default, configurable per operator contract
- AI assessment outputs — 90 days by default, configurable per operator contract
- Raw frame data — transient, not retained beyond active processing unless explicitly configured
- Portal account data — duration of contract plus 12 months
- Contact and demo request data — 12 months
- Anonymised aggregate data — indefinitely (no personal data present)
08 // YOUR RIGHTS
Under UK GDPR and the Data Protection Act 2018, you have the following rights:
- Access — request a copy of personal data we hold about you
- Rectification — request correction of inaccurate personal data
- Erasure — request deletion of your personal data where there is no legitimate reason for continued processing
- Restriction — request that we restrict processing of your personal data in certain circumstances
- Portability — request transfer of your personal data to another controller in a structured, machine-readable format
- Objection — object to processing based on legitimate interests
- Automated decisions — you have the right not to be subject to solely automated decisions that have legal or significant effects on you
To exercise any of these rights, contact us at privacy@sandford.digital. We will respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
09 // SECURITY
- All data in transit is encrypted using TLS 1.2 or higher
- Local device storage is encrypted using native device encryption
- API keys and credentials are never stored in client-side code or transmitted in plain text
- Access to client data is restricted to authorised personnel only
- We conduct regular security reviews of our infrastructure and codebase
10 // COOKIES
sandford.digital uses no third-party tracking cookies. We use a single session cookie for authentication on the client portal. This cookie is strictly necessary for the portal to function and does not require consent under PECR.
The Sandford Site Scan mobile application does not use cookies.
11 // CHANGES TO THIS POLICY
We will update this policy as our products and legal obligations evolve. Material changes will be communicated to active clients by email with 30 days' notice before taking effect. The version number and last updated date at the top of this page will always reflect the current version.
12 // CONTACT US
DATA PROTECTION ENQUIRIES
Sandford Digital Limited
Email: privacy@sandford.digital
For general enquiries: hello@sandford.digital