1. Introduction
This policy is published by Visage Technologies d.o.o. (OIB: 11883765066, Ivana Lučića 2a, 10 000 Zagreb).
We develop computer vision technology across a broad range of applications, from automotive perception which enhances vehicle safety and autonomy to AI solutions that power personalized and interactive experiences for cosmetic brands. .
Our work involves training machine learning models to interpret and analyze visual data from nature in various ways, depending on the requirements of individual projects.
This policy explains what data we use, why, what rights you have in relation to it and when.
2. Purpose of This Policy
We see responsible AI development as one of the core values of our company and our mission. This requires AI systems and models to be accurate, unbiased, and fair across populations. We accomplish this by using quality data that is selected for relevance, representativeness, accuracy, completeness and sufficient volume.
Where personal data is used for AI model training, this policy also aims to meet our transparency obligations under Articles 13 and 14 GDPR, in particular, the obligation to inform data subjects to the extent reasonably possible.
Meeting our obligations at once inherently requires data: collected lawfully, used narrowly, and subject to meaningful individual control.
This policy describes how we achieve this goal.
3. Data We Use
Data we use for training consists of various imagery of objects, environments, vehicles, and other non-personal visual content.
Where a certain project or product requires so, we may use facial photographs for training certain computer vision models.
The data comes from two sources:
Our own datasets
We maintain collections of images and video frames relevant to the project objective compiled over time for commercial research and development purposes across various project types.
These datasets were built under research conditions.
Where the model training requires facial photographs, our own datasets are assembled by collecting images directly from individuals, under a written agreement with each participant. That agreement minimally sets out: (i) the purpose of the collection (AI model training) and the retention period; (i) what data is collected and how it is stored; (i) the participant’s right to withdraw and have their images deleted at any time; and (i) contact details for exercising subject’s rights.
No images containing personal data are collected from individuals by us without this process being completed first.
Licensed datasets
We use datasets licensed by third-party providers under commercial or research licensing agreements.
Before licensing any dataset that contains facial images, we review the provider's documentation and insist on appropriate contractual mechanisms, controls, and representations to meet GDPR requirements, for example:
- representation that the data subjects have voluntarily provided their images for the purpose of commercial AI model training,
- communication on exercise of data subject’s rights.
What we do not use
We do not collect facial images from website visitors.
We do not use data from customers or end users.
As a rule of thumb, we do not scrape social media or public websites to build training datasets containing facial images without it being transparently disclosed under this policy and:
- we limit our collection to websites which do not prohibit scraping in their terms of service or directives;
- we collect only what is strictly necessary for the training objective;
- we apply the same legal basis, retention, and individual rights framework described in this policy;
- we update this section to explicitly disclose the sources used.
We restrict our datasets to adult subjects and do not knowingly include images of children.
4. Classification of Data
A large portion of data points used for AI model training, such as images or videos of roads, surroundings, environment and similar, are not personal data and do not fall under the scope of GDPR.
Photographs of people are personal data under GDPR.
Photographs are not automatically classified as biometric data or special category data under Article 9 GDPR.
Under Recital 51 and Article 4(14) GDPR, photographs become biometric data only when processed through specific technical means with the purpose of uniquely identifying a natural person. We do not do this.
Our processing of AI model training data, including the facial images is limited to model training, teaching algorithms to detect features and estimate attributes. Our processing context is directed exclusively towards training algorithms in a way that meets our AI act and ethical obligations, with a technical goal to detect and analyze visual features in images.
Where photographs are used, the context of our processing does not involve any operation that extracts, derives, or directly infers any information about any sensitive characteristics of the individuals depicted. In such cases, we also:
do not extract identity templates, we do not perform identification, and we do not know or record the identity of the individuals in our training data.
do not build identity profiles.
do not sell, lease, or in any other similar way commercially exploit training data contrary to this policy.
do not link images to named individuals, and the output of our processing is a generalized model capability, not data about any specific person.
5. Transparency and Information
We are normally required to inform people directly when we process their personal data. For the images in our datasets, this is not possible. We do not know who the people shown are (see more details below in 6), and we hold no names or contact details that would allow us to reach them.
Trying to identify them just to send them a notice would defeat the purpose. It would mean deliberately identifying people who are currently unknown to us, which would create the very privacy risk we work to avoid.
Data protection law (see opinion WP260) recognises this situation and allows us to inform people publicly instead. That is what this policy does: it explains what images we process, why, how we protect them, and what rights you have.
If you believe you may appear in one of our datasets, contact us as described under point 11 and 12 below . We will treat your request in line with the rights described in this policy.
6. Identity of the data subjects
The images in licensed datasets show people whose identity is unknown to us.
We do not collect names or any other identifying details alongside the images, and we do not attempt to link any image to a specific person.
Identifying the people shown would require significant technical effort and cost. We have no interest in doing so, and no part of our processing is aimed at identification. The likelihood that persons depicted could be identified by us is therefore very low.
All images are stored securely, under strict access controls.
Even so, we do not rely on this to lower our standards. We treat every image as personal data under the GDPR and protect it with the full set of technical and organisational safeguards described in this policy.
7. Legal basis for own datasets & consent
For data we collect directly from individuals, our legal basis is consent.
Participants enter into a written agreement before any images are taken.
That agreement constitutes informed consent: it identifies the controller, explains the purpose of collection, describes what data is taken and how it is stored, specifies the retention period, and sets out the right to withdraw at any time.
Withdrawal of consent is possible at any time without giving a reason and without consequences. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
8. Licensed datasets & legitimate interests
For licensed third-party datasets, we are not the original collector and do not hold consent relationships with the individuals depicted.
Our processing of this data rests on legitimate interests and in accordance with the terms of WP260 rev.01 Guidelines on transparency under Regulation 2016/679 . Our assessment in key terms:
The need for diverse, representative training data is not solely a technical preference. Article 10 of the EU AI Act imposes explicit obligations on AI model developers to implement data governance practices that ensure training data is sufficiently representative and free from biases that could lead to discriminatory outputs. Collecting or licensing data across a wide range of demographic profiles, imaging conditions, and population characteristics is a direct compliance requirement under that framework, not merely a design choice.
Our interest: developing computer vision models that perform reliably across diverse populations, lighting conditions, and image quality levels require training on real-world facial image data that we cannot fully replicate through direct collection alone.
Necessity: synthetic or anonymized data cannot fully substitute for real-world image diversity for the training objectives we pursue. Additionally, the representativeness requirement under Art. 10 AI Act cannot be met without access to varied, real-world data of diverse populations and conditions.
Balancing: we do not identify, profile, or track the individuals in licensed datasets. Images are used exclusively within our development environment and are not shared externally. The impact on individuals is assessed as low given the absence of identification processing and separate keeping of the data.
Selection of datasets: we do not use randomly assembled or scraped image datasets, but purpose-built collections where participants were informed of the research or technical development context at the time of collection, and our own datasets are collected exclusively under written agreement.
Opt-out: individuals whose images appear in our datasets can withdraw from future training use at any time through the process described in this policy, which materially reduces the residual impact of the processing on any individual who becomes aware of it and objects.
A Legitimate Interests Assessment and DPIA are maintained internally.
We note that restricting access to sufficiently diverse training data does not eliminate bias from AI models, but it entrenches it.
A model trained on a narrow or homogeneous dataset will perform less accurately for the populations underrepresented in that data. The individuals most affected are typically those whom data protection law is specifically designed to protect. We consider this an important context for any assessment of our data practices.
9. Retention
The datasets are retained until the earliest of:
- the expiry of the justified post-project retention period of five years (only if necessary due to a specific and documented continuing purpose, such as contractual maintenance, validation, defect remediation, security testing or the establishment or defence of legal claims, etc);
- an absolute maximum period from the date of collection or receipt which is ten years;
- the expiry or termination of the applicable licence;
- the point at which the data is no longer necessary for the documented purpose; or
- a withdrawal, erasure or other request requiring deletion.
We review our dataset inventory annually and retire datasets that are no longer necessary. Retired datasets are deleted or placed in restricted archive storage and are not used in further training without a fresh review.
We do not retain training data indefinitely as a hedge against future needs. Continued retention requires current justification.
10. Your Rights
Any questions about this policy with respect to the processing of personal data can be directed to our Data Protection Officer at [email protected].
As a data subject whose photograph may be included in one of our training datasets, you have rights under GDPR. Below we explain each right and how it applies in practice given the nature of our datasets.
Right of access
You can request information about whether we hold images of you in our training data.
How we respond depends on the data set. For data collected directly from you: we hold an identity-linked participant record and can respond directly.
For licensed datasets: we do not hold identity records, so a meaningful search requires you to submit a reference photograph, for more details see Section 11 (How to exercise your rights).
Right to erasure
You can request deletion of your images from our training datasets, and we will honor these requests. For more details see Section 11 (How to exercise your rights)
It does not retroactively alter model weights that were derived from training runs already completed before your request. This is a technical constraint inherent to how machine learning models work, and it applies across the industry.
The training process does not embed or preserve individual images within the model, but what results is a set of generalized parameters from which no individual image can be extracted or reconstructed.
Right to object
Where we rely on legitimate interests as our legal basis, specifically for licensed datasets, you have the right to object to processing on grounds relating to your particular situation.
We will stop using your data unless we can demonstrate compelling legitimate grounds that override your interests.
For data collected from you directly under consent, the relevant mechanism is withdrawal of consent, not objection.
Right to restriction
You can request that we restrict processing of your data, for example, while an objection or erasure request is being assessed.
Right to file a complaint with the data protection authority
You can for instance file a complaint with the Croatian data protection authority, by post at Agencija za zaštitu osobnih podataka, Ulica Metela Ožegovića 16, HR – 10 000 Zagreb, Croatia or by e-mail: [email protected].
11. How to exercise your rights
You can contact our DPO directly.
12. Opt-Out
You can withdraw consent or opt out of having your images used in our AI training at any time, without giving a reason and without consequences. The process depends on the dataset your images are in.
Upon receipt of an opt-out or withdrawal request, we will:
if your data is from our own collection: locate your participant record and delete your images directly
If you believe that your personal data may be included in a licensed dataset, we can use a reference photograph provided by you to search for visually matching images and remove any corresponding records.
Please note that this process requires additional processing of your personal data and may involve the processing of biometric data for the purpose of identifying potential matches. However, this process does not allow us to verify your identity. It is used solely to identify and remove images that are highly likely to depict you based on visual similarity.
To proceed, you will need to provide additional information and give your explicit consent to this type of processing.
flag removed records so they are not reintroduced in future training runs
confirm the outcome.
We handle rights requests free of charge.
In exceptional cases involving manifestly unfounded or abusive requests which we interpret narrowly: bad faith or clear abuse of process, not volume alone, we may charge a reasonable fee or decline to act, in accordance with Article 12(5) GDPR. Any such decision will be communicated to you in writing with reasons.
We respond within one month of receipt.
Where a request is exceptionally complex, or where we receive an unusually high volume of simultaneous requests, we may extend this by a further two months under Article 12(3) GDPR. If we extend, we will notify you in writing within the first month, with an explanation
13. International Transfers
Our training data is processed within the EEA.
Our development infrastructure is in Croatia.
Where we use third-party tools or infrastructure that involve transfers outside the EEA, we ensure appropriate safeguards, typically Standard Contractual Clauses under Commission Decision 2021/914 with an appropriate transfer impact assessment.
We do not routinely transfer training datasets to third countries.
14. Security
Training datasets are held under access controls limiting access to engineers and researchers assigned to the relevant project.
We continuously update our security framework with a clear vision to enhance and upgrade security with time, appropriate to the risk levels applicable to us.
15. Updates
We will update this policy when our training practices materially change.
We will not make changes that will reduce your rights.
The version number and effective date at the top reflect the current version.
Questions or rights requests
Contact our Data Protection Officer
For questions about this policy, access requests, erasure requests, objections, restrictions, withdrawals, or opt-out requests, email [email protected].