Effective Date: 17 April 2026

1. Purpose

VisitUs is committed to the responsible, lawful, and transparent use of artificial intelligence in connection with its products and services.

This policy explains how VisitUs approaches AI governance, risk management, privacy, security, human oversight, and third-party AI services. It is intended to support trustworthy use of AI in a way that is consistent with applicable law, including the EU AI Act where relevant.

2. Scope

At the date of this policy, VisitUs’s use of AI is limited to facial recognition functionality powered by Microsoft Azure Face Recognition, where that functionality is enabled in the relevant customer deployment.

VisitUs does not state or represent that it develops its own general-purpose AI model or broad autonomous decision-making system for customer-facing use.

This policy applies to:

  • VisitUs personnel involved in selecting, configuring, supporting, or governing AI-enabled functionality;
  • third-party AI services used within VisitUs products or services;
  • customer-facing use of AI-enabled functionality made available by VisitUs.

3. Our AI Use Principles

VisitUs applies the following principles to any AI-enabled functionality it makes available:

a. Lawfulness and compliance

We seek to use AI in a manner consistent with applicable legal, regulatory, privacy, and contractual obligations, including data protection requirements and, where relevant, the EU AI Act’s risk-based framework.

b. Clear purpose limitation

AI-enabled functionality must have a defined, legitimate business purpose connected to VisitUs services. It must not be used outside its intended purpose without review and approval.

c. Transparency

Where AI-enabled functionality is used, VisitUs aims to describe its role clearly, including what the feature does, what data it uses, and any material limitations.

d. Human accountability

VisitUs does not treat AI outputs as beyond review. Appropriate personnel remain accountable for decisions about deployment, customer enablement, incident handling, and risk treatment.

e. Privacy and data protection

Where biometric or other personal data is involved, VisitUs expects processing to be handled with heightened care and in accordance with applicable privacy laws and contractual commitments. The EU AI Act also operates alongside existing EU data protection rules for biometric data.

f. Security and resilience

AI-enabled features must be subject to appropriate technical and organisational safeguards, including access controls, monitoring, and incident response processes.

g. Proportionality

VisitUs seeks to limit AI use to what is reasonably necessary for the intended service outcome and to avoid unnecessary or excessive data use.

4. Current AI Capability

VisitUs’s current AI-related capability is limited to facial recognition functionality using Microsoft Azure Face Recognition.

Microsoft states that Face identification and verification capabilities are subject to limited access controls and are available only to approved managed customers and partners, reflecting Microsoft’s responsible AI controls for the service.

VisitUs will:

  • assess the intended use case before enabling facial recognition functionality;
  • consider whether the use is appropriate for the customer’s environment and legal context;
  • rely on third-party vendor documentation and controls where the AI capability is provided by that vendor;
  • maintain internal governance over how the feature is offered, configured, and supported.

5. Prohibited or Restricted Uses

VisitUs does not permit AI-enabled functionality made available by it to be used for unlawful, unfair, or unsafe purposes.

Without limiting applicable customer obligations, VisitUs does not support use of its AI-enabled functionality for:

  • unlawful discrimination;
  • social scoring or manipulative practices;
  • emotion inference in contexts where this would be prohibited or inappropriate;
  • biometric categorisation to infer sensitive traits such as race, religion, political views, or similar protected characteristics;
  • any use that would breach applicable privacy, employment, surveillance, or biometric laws;
  • any use prohibited under the EU AI Act or other applicable law.

The EU AI Act prohibits certain AI practices outright and imposes stricter obligations on some biometric and transparency-sensitive use cases.

6. Risk Classification and Review

VisitUs adopts a risk-based approach to AI.

Before enabling or materially changing AI-enabled functionality, VisitUs may assess:

  • the purpose of the feature;
  • the categories of data involved;
  • whether biometric data or other sensitive data is processed;
  • the degree of human oversight;
  • the likelihood and impact of error, bias, misuse, or security compromise;
  • the extent of dependence on a third-party AI provider;
  • whether additional customer disclosures, controls, or approvals are required.

Where a use case may trigger heightened legal or regulatory obligations, including under the EU AI Act or privacy law, VisitUs may require additional review, controls, or restrictions before deployment.

7. Human Oversight

VisitUs aims to ensure that AI-enabled functionality is subject to meaningful human oversight appropriate to the context.

That includes, where relevant:

  • clear internal ownership for the feature;
  • support and escalation paths for suspected errors or issues;
  • review of incidents, complaints, or anomalies;
  • ability to suspend, limit, or disable the feature where risk is identified.

For higher-risk AI contexts, the EU AI Act emphasises human oversight, transparency, accuracy, and risk controls.

8. Data Governance

VisitUs expects AI-enabled functionality to be supported by appropriate data governance practices, including:

  • documented understanding of what data is used by the feature;
  • controls over access to relevant systems and data;
  • minimisation of unnecessary data collection or retention where practicable;
  • alignment with applicable privacy notices, contractual commitments, and customer instructions;
  • appropriate treatment of biometric and other sensitive personal data.

Where third-party AI services are used, VisitUs may rely in part on the provider’s technical and organisational safeguards, but remains responsible for its own governance, vendor due diligence, and lawful deployment decisions.

9. Third-Party AI Providers

Where VisitUs uses third-party AI services, VisitUs may assess:

  • the provider’s documented capabilities and limitations;
  • applicable security, privacy, and compliance commitments;
  • access restrictions or service conditions imposed by the provider;
  • whether the provider’s service is appropriate for the intended use case;
  • whether contractual, technical, or operational safeguards are required.

For Microsoft Azure Face, VisitUs expects use to remain subject to Microsoft’s service terms, responsible AI controls, and access restrictions applicable to Face identification and verification features.

10. Accuracy, Testing, and Monitoring

VisitUs seeks to ensure that AI-enabled functionality is appropriately tested, monitored, and reviewed for the intended use case.

This may include:

  • pre-release or pre-enable testing;
  • review of known limitations and expected error conditions;
  • monitoring for incidents, complaints, or unusual outcomes;
  • periodic review when there is a material change to the feature, provider, use case, or legal environment.

VisitUs does not guarantee that AI-enabled functionality will be error-free in all scenarios. Customers should not rely on any AI-enabled feature as the sole basis for decisions where independent verification, human judgment, or legal review is required.

11. Transparency to Customers and Users

VisitUs aims to provide clear information to customers about AI-enabled functionality, including:

  • that the functionality uses AI;
  • the provider of the AI capability, where relevant;
  • the purpose of the feature;
  • any material operational limitations known to VisitUs;
  • any important customer responsibilities regarding lawful use, notices, consents, and configuration.

Where customer use of the feature may involve additional legal obligations, including under privacy or employment law, customers remain responsible for assessing and meeting those obligations in their own environment.

12. Incident Management and Complaints

VisitUs will treat material issues involving AI-enabled functionality seriously.

This may include:

  • triage and investigation of reported incidents;
  • review of data, system behaviour, and vendor information where relevant;
  • corrective action, including configuration changes, temporary suspension, or disabling of the feature;
  • internal escalation where legal, privacy, security, or customer impact is significant.

13. Training and Internal Accountability

VisitUs may provide internal guidance or training to relevant personnel on:

  • the scope of AI-enabled functionality made available by VisitUs;
  • appropriate customer-facing descriptions of the feature;
  • privacy, security, and compliance considerations;
  • escalation paths for risks, incidents, and complaints.

Responsibility for AI governance sits with VisitUs management and relevant operational, product, technical, legal, and privacy stakeholders as applicable.

14. Review of This Policy

VisitUs may review and update this policy from time to time to reflect:

  • changes to VisitUs products or services;
  • changes to third-party AI services used by VisitUs;
  • legal or regulatory developments, including developments under the EU AI Act;
  • lessons learned from monitoring, incidents, customer feedback, or internal review.

15. Contact

Questions about this policy or VisitUs’s use of AI can be directed to:

VisitUs
[email protected]