Processing commitments for customer-controlled visitor data.

Customer as controller

For visitor access management records entered by an estate, school, office, or institution, the customer normally decides why and how the data is processed.

AccessLynk as processor

AccessLynk processes customer-controlled data to provide the service, support users, secure the platform, maintain records, send service emails, and comply with lawful instructions.

AccessLynk as controller

AccessLynk may act as controller for its own website, consultation, onboarding, billing, security, and business administration data.

We process customer-controlled data according to the customer agreement, the customer organization's documented configuration and usage of the platform, applicable law, and instructions reasonably necessary to provide AccessLynk.

• Customer administrators, security officers, hosts, residents, staff, and manager viewers.
• Visitors, parents, vendors, contractors, guests, delivery personnel, and other people whose visit is recorded by a customer organization.
• People listed in customer-managed watchlist or safety records where the customer has a lawful basis to maintain those records.
• Prospects, customer contacts, support contacts, and consultation attendees.

• Identity and contact data such as name, email, phone number, role, organization, department, job title, and privacy alias.
• Visitor operation data such as visit purpose, vehicle number, destination, host, gate, visit code, QR payload, timestamps, approval status, notes, alerts, and audit history.
• Security and technical data such as IP address where available, user agent, login and action timestamps, push subscription data, rate-limit metadata, and system health data.
• Support and communication data such as emails, booking information, meeting details, and service messages.

• Process customer-controlled personal data only for the service, lawful customer instructions, security, support, legal compliance, and agreed operational purposes.
• Use reasonable technical and organizational safeguards appropriate to the nature of visitor management and security operations.
• Limit internal access to people who need it for service operation, support, security, compliance, or administration.
• Use subprocessors only where needed to provide hosting, storage, email, scheduling, notifications, support, security, or infrastructure services.
• Assist customers, where reasonably possible, with data subject requests, deletion, export, security inquiries, and compliance questions.
• Notify affected customers of confirmed security incidents where required by law or customer agreement.

• Maintain a lawful basis for collecting and using visitor, resident, staff, and security data.
• Provide appropriate notices at gates, receptions, estates, schools, offices, and digital entry points.
• Configure roles, gates, destinations, users, watchlist records, and retention expectations responsibly.
• Avoid uploading unnecessary sensitive data and remove users who should no longer have access.
• Use exports, reports, and audit logs only for lawful security, operational, compliance, or administrative purposes.

On offboarding or valid request, we can support export, deletion, or restriction of customer-controlled data subject to the customer agreement, legal holds, security needs, backup cycles, and system integrity.

For a customer-specific data processing agreement or due diligence review, contact lnykbridgetechnologies@gmail.com.