.png?width=248&height=150&name=placeHolder%20(4).png)
GDPR Statement and Policy
We take security & data privacy very seriously and we continuously ensure all data is secured safely and in line with regulations.
What is GDPR?
The General Data Protection Regulation (GDPR) has come into effect as of the 25th of May 2018, this act replaces the EU Data Protection Directive of 1995. The act aims to provide more protection of natural person’s data and how it is used by Data Controllers and Data Processors. This statement and policy aims to address the protection of data and user privacy according to the new rules and regulations of GDPR.
The protection of personal data is of the utmost importance to Pointr. According to GDPR, any information relating to an identified or identifiable individual is personal data. If any information on its own or with another set of information can identify an individual, it is personal data. Personal data can include: name, email, phone number, social security number, etc as well as IP address, physical address, behavioral data, location data, biometric data, financial information, and much more.
IP and MAC addresses can be classified as Identifiable data, provided this can be used to determine a natural person’s identity. A device ID (MAC/IP) is not sufficient by itself to make such a connection. A device ID can identify a natural person if the data is reviewed in conjunction with some other form of data not held by Pointr such as CCTV or records of purchases in a specific area.
Data Collected & Security Measures
The table below highlights Pointr’s products and identifies the types of data collected by each as well as how this data is secured/protected.
Component |
Data |
Security Measures |
Pointr SDK |
|
|
Analytics |
|
|
Pointr Cloud |
No personally identifiable data used of end users are collected or processed – only one-way encrypted data is analyzed, stored and processed. |
|
Website maps/ Kiosk |
No personal data used – only record general usage stats |
Secured https communication (read-only) |
GDPR
Mobile SDK (Maps, Search, Indoor Navigation)
Device Identifier
When a phone runs an app containing our SDK (software library), it creates a random unique identifier for this device ("device identifier"). The device identifier is globally unique to that smartphone and app; this device identifier does not give away any personally identifiable information or device information such as MAC/IP. It is unique to that particular app running the Pointr SDK (hence, even if our SDK was used in another app on the same device, it would be a different identifier).
-
On iOS, users may reset this identifier as they wish by going to phone settings. Pointr follows Apple’s official recommendation for identifying devices utilising the device identifier method available in the default iOS SDK.
-
On Android, Pointr follows best practices from Android known as Instance ID. Which similarly to iOS provides a globally unique device ID that is easily resettable, unique and does not give away any personally identifiable information or device information such as MAC/IP.
-
https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor
-
https://developer.android.com/training/articles/user-data-ids#working_with_instance_ids_&_guids
Real-Time Location
When the app starts, the SDK triggers a permission dialog (on iOS and Android) to request permission from user to track their location (while running the app and/or in background). If a user declines this request, no location tracking is carried out. Users may at any time opt in / out of location tracking for the particular app that includes our SDK.
The SDK detects Bluetooth signals and processes them along with phone inertial motion sensors (such as gyroscope and accelerometer) to calculate indoor position of the device (smartphone).
Similarly, the SDK detects GPS signals to calculate the outdoor position of device (smartphone). The SDK uploads this location information to Pointr Cloud, along with Device Identifier.
Anonymity
Through this process, the SDK produces a random device identifier (eg. "ABCD") with timestamp and location (eg. "Device ABCD was at this position at this time") it is important to note:
-
This is not a device's MAC address, this is not user's ID (eg. if another user used the same device, we wouldn't be able to distinguish)
-
This doesn't say anything about user's personal information (such as first name, email, address, gender, etc.)
-
In all our settings, it's practically impossible to work out who a Device Identifier belongs to.
However, there is a possibility that:
-
Only one user was standing at a particular location at a venue (and no one else) and
-
You can see this through a camera (or in-person)
If you can see real-time location information coming from a specific device identifier at that time and location then you can guess that this user must have that specific device ID which is unique to Pointr and has no other information attached to it.
Analytics
A random device identifier (eg. "ABCD") with timestamp and location (eg. "Device ABCD was at this position at this time") and Session ID is used for analytics along with the Event data.
-
The identifiers are not a device's MAC address, this is not user's ID (eg. if another user used the same device, we wouldn't be able to distinguish)
-
This doesn't say anything about user's personal information (such as first name, email, address, gender, etc.)
-
In all our settings, it's practically impossible to work out who a Device Identifier belongs to.
Thus our analytics do not process personal data (PII - Personally Identifiable Data is excluded by design)
Website maps / Kiosks
By default, our web maps and kiosk software do not capture any information about the user. There is no login system either. They only record general usage stats (such as "how many people used Poi search today" or "what is the most frequently searched for product")
Pointr’s GDPR Policy
We are committed to the protection of personal data and will ensure adequate preventative measures are in place at all times to ensure compliance with the new GDPR rules and regulations. This new regulation entitles data subjects to the following rights:
-
Right to be informed – the products provided by Pointr are embedded within clients’ solutions. It is therefore their responsibility to inform data subjects.
-
Right to access – Pointr can accommodate an access request. This would only be possible if a user Provided their MAC ID and was connected to the WiFi at the time (as if using iOS 8 or later the MAC ID is randomized automatically). Otherwise all other information is randomized.
-
Right to rectification – As no personal data is stored within Pointr’s databases rectification is not applicable.
-
Right to erasure – Provided the data is identifiable, Pointr can remove location history from its database.
-
Right to withdraw consent – A user can disable location tracking (SDK) at any time as well as ask to have their device disabled on WiFi analytics products. This feature is known as Blacklisting on the Pointr Dashboard. Once a ID is blacklisted the Pointr Cloud ignores and no longer stores any information relating to that ID.
-
Right to data portability – the data held within the database is random and only applicable to Pointr’s maps and systems.
-
Right to object – A user can disable location tracking (SDK) at any time and have their device disabled on WiFi analytic products.
As Pointr is not a data controller and keeps limited to no personal data, we can confirm compliance and support of the above rights where applicable.
External Data Breach
Although high care is taken to protect our systems and databases, no system is 100% secure and it is always possible for an external party to access our database. Given all data is anonymous no personal data would be attained from the data alone. In the event a breach is uncovered, Pointr personnel will follow the data procedures and ensure timely resolution.
Internal Data Protection
Pointr ensures all contractors, consultants and employees agree to uphold Pointr’s privacy policies as well as to protect any personal data.
Data Storage
All projects are hosted on Azure with regional instances ensuring data is not passed outside of the area the data is collected. It is possible for client users to open the Pointr dashboard (where data is converted to visual data and analytics) is stored form abroad, however access to these systems are protected with HTTPS, secure password and optionally multi factor authentication. All activity is logged with activity detail, any unusual behavior triggers alerts and the venue is notified immediately.
