This Privacy Policy explains how VIDEAR Ltd collects, uses, and protects your personal data when you use the CPAS — Common Position Awareness System — mobile application and associated services.
VIDEAR Ltd is a United Kingdom registered company and the developer of CPAS — the Common Position Awareness System. CPAS is a safety tracking platform that makes leisure users (kayakers, SUP boarders, paramotor pilots, sailors, hill walkers, and other outdoor activity participants) visible to rescue services and nominated token holders in real time using only a smartphone.
Registered company: VIDEAR Ltd, United Kingdom
Contact: contact@videar.tech
Patent: GB2629638B — Granted July 2025
For the purposes of UK data protection law, VIDEAR Ltd is the Data Controller for personal data processed through the CPAS application.
We collect the following categories of personal data when you register for and use CPAS:
| Category | Data Collected | Purpose |
|---|---|---|
| Identity | First name, last name, profile photograph | User identification in the CPAS system and C-ID card displayed to rescue services |
| Contact | Mobile phone number, email address | Session activation SMS, overdue alerts, token holder notifications |
| Activity Profile | Activity type (kayak, SUP, sailing, paramotor, hill walking etc.), club membership, equipment details | Activity-appropriate tracking display and SAR identity card |
| Location | GPS latitude, longitude, altitude, heading, speed — transmitted at regular intervals during active sessions | Real-time safety tracking; last known position in overdue events; rescue datum |
| Session Data | Session ID, departure point, planned return time, route waypoints, session status | Session management, overdue detection, SAR handover |
| Token Holders | Names and mobile numbers of nominated token holders (up to 3 per user) | Emergency escalation SMS; overdue alerts sent to token holders on user's behalf |
| Device | Device type, operating system version, app version | Technical diagnostics, compatibility, session quality |
Free-Forever Commitment: CPAS is free to all dark target users for the duration of the feasibility study. We do not sell your personal data. We do not use your data for advertising. Your data exists solely to keep you safe.
The CPAS application requests the following device permissions. Each permission is requested only when functionally necessary and you will be asked to grant it explicitly on your device.
| Permission | Why It Is Required | Can Be Denied? |
|---|---|---|
| Precise Location | Core function of CPAS — transmits your GPS position to rescue services and token holders during active sessions | No — CPAS cannot function without location access |
| Background Location | Continues transmitting your position when the app is not in the foreground — essential during outdoor activity when the screen is off or locked | No — tracking stops if background location is denied |
| Camera | Used during registration to capture your profile photograph for your CPAS C-ID card, which is displayed to RNLI and rescue coordinators in an emergency | Yes — you may upload a photo from your gallery instead |
| Photo Library / Storage | Allows you to select an existing photograph from your device for your profile instead of using the camera | Yes — you may use the camera option instead |
| SMS | Opens your native SMS application pre-filled with your session activation message to token holders. CPAS does not send SMS directly — your device's messaging app sends the message with your explicit tap | Yes — you can copy and send the message manually |
| Notifications | Delivers in-app status updates, session heartbeat confirmations, and overdue warnings | Yes — you will miss in-app alerts but core tracking continues |
| Internet Access | Transmits location pings to CPAS infrastructure via MQTT over cellular data | No — CPAS requires a data connection to transmit position |
CPAS requests access to your device camera and photo library solely for the purpose of creating your CPAS identity profile photograph. This photograph is used to generate your C-ID card — a verified identity card displayed to RNLI coordinators, coastguard operators, and search and rescue personnel in the event of an emergency or overdue alert.
We will never: Access your camera without your explicit action. Take photographs automatically or in the background. Access, store, or transmit any photograph other than your designated profile image. Use your photograph for advertising, training data, facial recognition, or any purpose other than SAR identity display.
Your profile photograph is stored securely on VIDEAR's AWS infrastructure (eu-west-2, London region) and is accessible only to:
— RNLI and coastguard coordinators viewing an active or overdue session in the CPAS Situational Awareness Interface
— Your nominated token holders, who receive a link to your C-ID card when a session becomes overdue
— VIDEAR Ltd operational staff for technical support purposes only
You may update or delete your profile photograph at any time from within the CPAS app. Deletion of your photograph removes it from all CPAS systems within 30 days.
Location data is the core function of CPAS. When you activate a session, your device transmits GPS position data (latitude, longitude, altitude, heading, and speed) at regular intervals to VIDEAR's secure infrastructure. This data is:
— Transmitted via encrypted MQTT over your device's cellular data connection
— Stored in AWS DynamoDB (eu-west-2, London) for the duration of your active session
— Displayed in real time to your nominated token holders via a secure tracking URL
— Available to RNLI and coastguard coordinators in the CPAS Situational Awareness Interface
— Retained for up to 90 days after session completion for safety audit purposes
— Permanently deleted after 90 days unless you request earlier deletion
Background tracking: CPAS continues to transmit your location when the app is in the background or the screen is locked. This is essential for outdoor safety tracking. You are informed of this when granting background location permission. You can end background tracking at any time by deactivating your session within the app or via the SOS screen.
Your location data is never sold to third parties, used for advertising, shared with commercial organisations, or used to build behavioural profiles.
We process your personal data under the following lawful bases under UK GDPR:
| Processing Purpose | Lawful Basis |
|---|---|
| Providing real-time safety tracking during active sessions | Performance of contract (you use CPAS for this purpose) |
| Sending overdue alerts to token holders and rescue services | Vital interests (safety of life) |
| Displaying your C-ID card to rescue coordinators | Vital interests (safety of life) |
| Sending session activation and return SMS messages | Legitimate interests / consent |
| Improving the CPAS platform and feasibility study analysis | Legitimate interests (anonymised/aggregated data only) |
| Responding to support and account enquiries | Legitimate interests |
We share your personal data only in the following circumstances:
Token Holders: Your nominated token holders receive your real-time tracking URL, session status, and C-ID card link during active sessions and in overdue events. You explicitly choose and consent to this when nominating them.
RNLI / HM Coastguard / Rescue Services: In an active emergency or overdue event, your position data, last known position, session data, and C-ID card are made available to responding rescue services via the CPAS Situational Awareness Interface.
Infrastructure Providers: VIDEAR uses Amazon Web Services (AWS, eu-west-2 London) for data storage and processing. AWS acts as a data processor under a Data Processing Agreement. Your data does not leave the United Kingdom.
Legal Obligation: We may disclose data where required by UK law, court order, or to protect the safety of persons.
We do not share your data with advertisers, data brokers, social media platforms, or any third party for commercial purposes.
| Data Type | Retention Period |
|---|---|
| Active session location pings | 90 days from session end, then permanently deleted |
| Profile data (name, photo, activity type) | For the duration of your account; deleted within 30 days of account closure |
| Token holder contact details | For the duration of your account; deleted within 30 days of account closure |
| Session metadata (session IDs, timestamps) | 12 months for safety audit purposes, then deleted |
| Anonymised/aggregated feasibility study data | Indefinitely (contains no personally identifiable information) |
Under UK GDPR, you have the following rights in relation to your personal data:
Right of Access: Request a copy of all personal data we hold about you.
Right to Rectification: Request correction of inaccurate data.
Right to Erasure: Request deletion of your data ("right to be forgotten"). Note: we may retain minimal data for safety audit purposes for up to 12 months.
Right to Restrict Processing: Ask us to pause processing of your data in certain circumstances.
Right to Data Portability: Receive your data in a machine-readable format.
Right to Object: Object to processing based on legitimate interests.
Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time by deactivating your account.
To exercise any of these rights, contact us at contact@videar.tech. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
VIDEAR takes the security of your personal data seriously. The following measures are in place:
— All location data is transmitted over encrypted TLS/SSL connections (MQTT over port 8883)
— Data is stored on AWS infrastructure in the London (eu-west-2) region
— Access to CPAS infrastructure is restricted to authorised VIDEAR personnel only
— The CPAS Situational Awareness Interface is role-scoped: each rescue coordinator sees only the corridor and users they are authorised to view
— No payment data is processed or stored by VIDEAR — CPAS is free to use
In the event of a data breach that is likely to result in risk to your rights and freedoms, we will notify the ICO within 72 hours and affected users without undue delay.
CPAS is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. Users aged 13–17 should have parental or guardian consent before registering. If you believe a child under 13 has registered without consent, please contact us at contact@videar.tech and we will delete their account promptly.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you via the CPAS app and update the effective date at the top of this page. Your continued use of CPAS after notification of changes constitutes acceptance of the updated policy.
The current version of this policy is always available at videar.tech/privacy.
If you have any questions, concerns, or requests regarding this Privacy Policy or the handling of your personal data, please contact VIDEAR Ltd:
Email: contact@videar.tech
Subject line: Privacy — CPAS
Response time: Within 5 business days
For data protection enquiries, you may also contact the UK Information Commissioner's Office:
ico.org.uk · 0303 123 1113
We'll respond to all data and privacy enquiries within 5 business days.