The three things to know

  1. Device identifiers never leave the Collector. They are held only on the device, only for the duration of an aggregation window (up to 60 minutes), then discarded entirely. Not hashed, not stored, not transmitted.
  2. Only aggregate counts are sent. About 10 KB an hour per Collector. No identifier of any kind, raw or transformed, traverses the network.
  3. It's not personal data. The information that leaves a Collector cannot single out, link to, or infer about any individual. It aligns with the approach the ICO's 2016 Wi-Fi Location Analytics guidance describes as compliant.

What the Collector actually does

Six stages sit between a probe-request frame landing on the Collector and a count leaving it. The wire payload contains no identifier of any kind, by construction.

  1. Observe

    Probe-request frames captured passively from nearby Wi-Fi devices.

    MAC visible (transient)
  2. Filter

    Only locally-administered (random-MAC bit set) addresses retained; non-randomising legacy kit excluded by design.

    MAC visible
  3. Hashmap

    MAC inserted into a per-window hashmap for deduplication. Held in RAM only, never written to storage.

    MAC in RAM only
  4. Bracket

    RSSI binned into one of five distance bands: ≤3m, 3–8m, 8–15m, 15–25m, fringe.

    MAC in RAM only
  5. Aggregate

    At window close (1, 5, 15, 30, or 60 minutes), unique-MAC counts per bracket are summed.

    MAC in RAM only
  6. Discard

    MACs erased; the per-bracket counts emitted as the wire payload, ~10 KB per hour.

    No identifier remains

Five parallel windows run simultaneously: 1, 5, 15, 30, and 60 minutes. Each window has its own hashmap, and each hashmap is destroyed at window close.
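
A single aggregation window modelled in Python, as an added example (not Crowd-Sense firmware and not code from this page). The RSSI thresholds, the strongest-RSSI rule for a MAC seen more than once, binning at window close, and all names are assumptions; the sample frames are constructed.

```python
from collections import Counter

# Assumed RSSI floors in dBm: the page names the five bands but gives no thresholds.
BANDS = [(-50, "<=3m"), (-62, "3-8m"), (-72, "8-15m"), (-82, "15-25m")]
LABELS = [label for _, label in BANDS] + ["fringe"]

def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (0x02 of the first octet) is set, i.e. a randomised MAC."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def band_for(rssi: int) -> str:
    for floor, label in BANDS:
        if rssi >= floor:
            return label
    return "fringe"

class Window:
    def __init__(self):
        # In-memory only: MAC -> strongest RSSI seen this window (assumed rule).
        self._seen = {}

    def observe(self, mac: str, rssi: int) -> None:
        mac = mac.lower()
        if not is_locally_administered(mac):
            return  # stage 2: non-randomising devices are excluded
        if mac not in self._seen or rssi > self._seen[mac]:
            self._seen[mac] = rssi  # stage 3: one entry per MAC

    def close(self) -> dict:
        """Stages 4-6: bin, count unique MACs per band, empty the map, return counts."""
        counts = Counter(band_for(r) for r in self._seen.values())
        payload = {label: counts.get(label, 0) for label in LABELS}
        self._seen.clear()  # drops references only; it does not overwrite memory
        return payload

def payload_has_identifier(payload: dict, macs) -> bool:
    """Egress check: no observed MAC may appear in the serialised payload."""
    blob = repr(payload).lower()
    return any(m.lower() in blob for m in macs)

# Constructed sample frames (MAC, RSSI in dBm); not real captures.
SAMPLE = [("da:a1:19:00:00:01", -45), ("da:a1:19:00:00:01", -70),
          ("3c:22:fb:00:00:02", -40),  # globally administered: filtered out
          ("fe:10:20:00:00:03", -66), ("06:aa:bb:00:00:04", -90)]

def run_sample() -> dict:
    w = Window()
    for mac, rssi in SAMPLE:
        w.observe(mac, rssi)
    return w.close()
```

A reviewer auditing a deployment would run the same egress check against the real serialised payload, and confirm that the firmware zeroes the map's memory rather than only releasing it.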

What the ICO actually said

Remove identifiable elements by, for example, anonymising the MAC address so that individuals cannot be identified, where this would still enable a data controller to achieve the specified purpose of data collection (e.g. where the data controller's intention is to measure the number of visitors to a store, only).

Crowd-Sense goes one step further than the ICO's example: identifiers aren't anonymised by hashing, they're deleted. We hold this is the strongest defensible posture under UK GDPR.

How we're different from other vendors

Most Wi-Fi analytics products from the past decade hash MAC addresses and retain them in a back-end database. Mobile-SDK aggregators collect location data via consenting apps. Camera vendors do on-device inference but the camera is the issue. Crowd-Sense rejects all three patterns: no back-end identifier database, no SDK consent chain, no image, no audio.

The Subject Access Request answer: at the time of any request, the only personal data that ever existed about the requester (a probe-request MAC) was held briefly on the Collector, used to increment a bracket counter, and discarded at the next aggregation-window close (within 60 minutes of capture). There is nothing to disclose because there is nothing held.

For your DPO

We provide compliance-grade documentation for any deployment: DPO technical note, DPIA template, methodology disclosure, and venue signage artwork. The full architectural verification packet (including firmware source review) is available under NDA. Get in touch.