Privacy Policy

Last updated: March 22, 2026

1. Introduction

Redlyst ("we," "us," or "our") operates a facial recognition security platform for banks and financial institutions. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our cloud platform, edge devices, and related services (collectively, the "Service").

2. Information We Collect

Account Information

When an administrator creates your account, we collect your name and email address and assign you a role-based access level. Passwords are hashed using bcrypt and never stored in plain text.

Biometric Data

Face photos uploaded to the watchlist are processed by InsightFace to generate 512-dimensional facial embeddings (mathematical representations). These embeddings are stored in our database for matching purposes. Raw facial recognition processing occurs entirely on your on-premises edge device — biometric video data is never transmitted to our cloud servers.

Camera and Match Data

When a facial match is detected, a snapshot image is captured from the camera feed and stored securely in AWS S3. Match events include the confidence score, camera identifier, timestamp, and associated person record. Camera RTSP URLs and configuration are stored to facilitate connectivity.

Phone Numbers

If you opt in to SMS alerts, we collect your mobile phone number for the sole purpose of delivering security alert messages via Twilio.

3. SMS Messaging Policy

SMS Alert Service

Redlyst offers an optional SMS alert service to notify authorized security personnel when a facial recognition match is detected at one of their monitored sites. By opting in, you agree to the following terms:

  • Consent: You must explicitly opt in to receive SMS messages by checking the consent checkbox in your alert settings and providing your mobile phone number. We will never send SMS messages without your prior express consent.
  • Message Content: SMS messages contain facial recognition match alerts including the matched person's name, risk level, camera location, and confidence score, along with a link to acknowledge the alert.
  • Message Frequency: Message frequency varies based on alert activity at your monitored sites. You may receive multiple messages per day during active periods, or none during quiet periods. Quiet hours can be configured in your alert settings.
  • Costs: Message and data rates may apply depending on your mobile carrier and plan. Redlyst does not charge for SMS messages, but standard carrier rates apply.
  • Opt Out: You can opt out of SMS messages at any time by replying STOP to any message, or by unchecking the SMS consent checkbox in your alert settings. You will receive a confirmation message upon opting out.
  • Help: For assistance with SMS messages, reply HELP to any message, or contact us at support@redlyst.io.
  • Carriers: Compatible with all major US carriers including AT&T, T-Mobile, Verizon, and Sprint. Carrier participation may vary.
  • No Sharing: Your phone number will never be sold, rented, or shared with third parties for marketing purposes. Phone numbers are used exclusively for delivering Redlyst security alerts via Twilio's messaging platform.

4. How We Use Your Information

We use collected information to:

  • Authenticate and authorize access to the platform
  • Process facial recognition matches against your watchlist
  • Deliver security alerts via dashboard, email, SMS, and webhooks
  • Display camera snapshots and match comparison images
  • Maintain audit trails of platform actions
  • Provide site-level analytics and reporting

5. Data Storage and Security

On-Premises Processing

All facial recognition processing occurs on your on-premises edge device. Raw camera video feeds are never transmitted to or stored on our cloud servers. Only match alert data (snapshot image, confidence score, and metadata) is sent to the cloud.

Cloud Storage

Account data and match events are stored in MongoDB Atlas with encryption at rest. Match snapshot images and face photos are stored in AWS S3 with server-side encryption. All data transmission uses TLS encryption.

Multi-Tenant Isolation

Data is isolated at the site level. Users can only access data from sites they are explicitly authorized to view. Role-based access control is enforced at both the API and middleware levels.

6. Third-Party Services

We use the following third-party services to operate the platform:

  • MongoDB Atlas — database hosting (encrypted at rest)
  • AWS S3 — image storage (server-side encryption)
  • AWS IoT Core — secure edge device communication
  • Twilio — SMS alert delivery
  • SendGrid — email alert delivery
  • Vercel — web application hosting

Each third-party service processes data only as necessary to provide its respective function and is subject to its own privacy policy.

7. Data Retention

Match events and snapshot images are retained indefinitely unless manually deleted by an administrator. Account data is retained for the duration of the account. Deactivated user accounts are soft-deleted and can be permanently removed upon request. SMS opt-in consent timestamps are retained for compliance purposes.

8. Your Rights

You have the right to:

  • Access your personal data held by the platform
  • Request correction of inaccurate data
  • Request deletion of your account and associated data
  • Opt out of SMS messages at any time
  • Modify your alert preferences and notification channels

To exercise these rights, contact your platform administrator or email us at privacy@redlyst.io.

9. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

Redlyst

Email: privacy@redlyst.io

SMS Support: support@redlyst.io