IP & ID Collection Policy

This page explains how SecurePoint USA collects and uses network IP addresses and government ID images to operate a compliant Visitor Management System. Our goals are security, fraud prevention, sanctions geofencing, and immutable auditability. We apply strict purpose limitation, retention controls, and tenant isolation.

What we collect

• IP address & user agent on key actions (host pre-registration, visitor registration completion, screening, check-in). Stored in organization-scoped audit logs.
• Visitor ID image (if provided by the visitor) stored in a private storage bucket with signed URL access only.

Why we collect it

• Security & abuse mitigation (rate limiting, anomaly detection).
• Sanctions geofence signals and compliance investigations.
• Immutable audit trails for regulated environments.

How we protect it

• Row Level Security (RLS) — data is scoped by organization_id.
• Encryption at rest and in transit; signed URLs for access to ID images.
• Access is least-privilege and audited.

Retention

• IP addresses: raw IPs are retained for up to 180 days, then replaced by a salted hash used for trend/audit. A nightly job enforces this rotation.
• ID images: retained for legitimate compliance and security purposes and accessible only via signed URLs. Tenants may request deletion/export subject to regulatory obligations.

Your choices

• Organizations can request exports for regulators or incident response.
• Visitors may request information via the organization’s privacy contact.

For details on our general privacy practices, see Privacy.