Privacy Policy Pools
Lynxight – Privacy Policy for the Training and Optimization of the System
Every year, a large number of people find themselves in distress situations in swimming pools. Pool visitors rely on lifeguards, and lifeguards can be supported with state-of-the-art technology to increase safety for swimmers.
The Lynxight drowning alert system (the "System"), is an intelligent technology aiding and supporting the lifeguard staff. The System's goal is to recognize and alert the on-duty lifeguards of imminent dangers for swimmers in the swimming pool.
Regarding operational use at the swimming pool, the pool operator is the controller under the General Data Protection Regulation (“GDPR”). For information on this specific processing of your data, please refer to the respective privacy policy of the swimming pool operator.
In a second step, Lynxight Ltd. receives a small subset of the footage from the pool operator and uses it for the training and optimizing of the System. This serves to improve the System for the benefit of all. This Privacy Policy provides information about this processing by Lynxight for the purpose of training and optimizing the System.
- Identity and contact details of the controller
The controller within the meaning of the General Data Protection Regulation (GDPR) and other data protection regulations is:
Lynxight Ltd.,
1 Ha-Tsmikha St, Yokne’am Illit,
2066733,
Israel
+972 (0)4 3730331
- Contact details of the Data Protection Officer
You can contact Lynxight Ltd.’s data protection officer (DPO) directly at [email protected].
- Purpose and Legal Basis of Processing
The purpose of the processing is to constantly improve the System's ability to detect potential safety incidents across all swimming pools where the System is used. The System trains on real-world example footage so that the System's Artificial Intelligence model learns what a drowning incident looks like. The data is also used for regression testing, which verifies the performance of new models in detecting drowning events.
The legal basis for Lynxight Ltd's processing in that regard is the legitimate interest pursuant to Art. 6 (1)(f) GDPR. The training serves the purpose of creating, maintaining and improving the functionality of the System. First, the training of the software serves Lynxight’s own commercial interests. Second, and in particular, it serves to protect the critical interests of a large number of pool visitors and pool operators. People in swimming pools where the System is used are better protected from drowning or other dangerous events, thereby safeguarding the life and health of all visitors to swimming pools where the System is used. The interests of all pool operators where the System is used are also served, who are obliged to protect their visitors.
- Categories of Data Processed
The System uses cameras that monitor the pool area and analyze the movements of swimmers. If the System detects that a swimmer is in distress, it will alert the on-duty person, of the swimmer’s location. Video clips of all safety events causing an alert by the System, or videos of safety events that do not trigger an alert are collected. About thirty percent of these clips are selected for manual inspection by Lynxight personnel to verify the quality of System detection and for tracking the false alerts rate. Of this 30%, 0.1% are used for System training and testing. The System only needs to be able to visually distinguish the contours of one person from another and observe their movement. The person's name, face image or other identifier are not required and not used for the System's analysis. In many cases, the quality (resolution) of the footage is insufficient to allow identification of the data subject. The footage presents the silhouette of a person, but not any identifiable features of the face or body. In a minority of cases, the resolution of the footage would potentially allow identification of the data subject when viewed in combination with other information.
The personal data processed here are therefore short video recordings (so-called alert clips), i.e. soundless video footage of the pool area. These clips capture the appearance and movements of swimmers in the pool as well as of bystanders and pool staff in the immediate proximity of the pool. The footage is dated and timed.
This is what a typical visual excerpt from one of the clips looks like:

- Data Sources
We receive your data from the respective swimming pool operator, who uses our system as a controller and transmits the data to us for the purpose of optimizing the system.
- Recipients of the Personal Data
We use Amazon Web Services EMEA SARL, 38, avenue John F. Kennedy, L-1855 Luxembourg as a Hosting services provider.
Some of the footage may also be accessed from our facilities in Israel. For Israel, there is an adequacy decision by the EU Commission pursuant to Art. 45 GDPR, which establishes an adequate level of data protection for data transfers from the EU.
- Retention Period
The video clips of alerts, i.e. false-alarm and true-alarm incidents as well as safety incidents that did not trigger an alert, which are used for continuous system improvement, are retained for 5 years.
This retention period is necessary for continuous System improvement in safety-event detection accuracy. A shorter retention period would mean that a smaller learning repository is available to train the AI-based detection algorithm, resulting in poorer performance. We would also not be able to properly test new versions of the model for their performance in detecting incidents.
- Rights of Data Subjects
In most cases, the quality (resolution) of the footage is insufficient to allow the identification of a specific, individual person. In that case we do not process any personal data of yours. In a minority of cases, the resolution of the footage is sufficient to allow the identification of individuals. In this case, your personal data is processed and you are a data subject within the meaning of the GDPR. Then, you have the following rights:
You have the right of access under Article 15 GDPR, the right to rectification under Article 16 GDPR, the right to erasure under Article 17 GDPR, the right to restriction of processing under Article 18 GDPR and the right to data portability under Article 20 GDPR. If we process your personal data on the basis of your consent, you can revoke this consent at any time. There are no formal requirements relating to how consent is revoked.
- Your Right to Object pursuant to Article 21 and your Right to lodge a complaint pursuant to Article 77 GDPR
If your personal data is processed for the purpose of our legitimate interests in accordance with Article 6(1) (f) GDPR, you can object to this processing in accordance with the legal requirements in Article 21 GDPR. Where you object to the processing, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or unless the data is being processed for the establishment, exercise or defence of legal claims.
You also have the right to lodge a complaint with a data protection supervisory authority in accordance with Article 77 GDPR if you believe that your personal data is being processed unlawfully. The right to lodge a complaint exists without prejudice to any other administrative or judicial remedy. You may complain to the supervisory authority, in the EU Member State of your residence or place of alleged infringement of the GDPR. If you are in the U.K. you may You may complain to the supervisory authority, UK's information Commisioner's Officer (ICO)
- Automated individual decision-making
The System does not make any automated decisions within the meaning of Art. 22 GDPR.