Data Privacy Policy

Pointr Ltd. is committed to conducting its business ethically and in compliance with all applicable laws and regulations, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and any other local regulation of countries we provide services in.

This document describes Pointr Ltd.’s Data Privacy Policy in the conduct of Pointr Ltd. business operations and employee responsibilities for ensuring implementation of the Policy.

1. Overview

You’re in control of your data

We’ve built the Pointr Maps Platform from the ground up to enable our customers to be in control of data at all times. We combine these controls with strong data security processes. Data is secured, encrypted and is not shared with external people or companies.

We keep your data safe

We use effective measures to protect your data against unauthorized access, use, modification, or loss. Pointr is built on enterprise-grade systems such as Microsoft Azure, which meets all modern security standards. All servers and systems are kept up to date with recent patches in line with Microsoft Azure standard policy, including virus scanning of files for all employees with access to our secure VPN.

Data is secured and encrypted in transmission to the database and when stored on the database, with no access possible from the internet (only through our secure VPN and the right credentials). All-access to the system, both internally and externally, is logged to prevent malicious interactions and Pointr have reporting on unexpected access, both based on password hacks and on unexpected endpoints.

 

2. Data Collected and Security Measures

The table below highlights Pointr’s products and identifies the types of data collected by each as well as how this data is secured/protected.

Component Data Security Measures
Pointr Mobile SDK No personal data used – only one-way encrypted/anonymized data is analyzed

  • Secured https communication

  • No end user IP address information is stored about SDK usage

  • User permission required before location is tracked
Pointr Cloud No personal data used – only one-way encrypted data is analyzed

  • Secured login

  • Two-factor authentication (optional)
Pointr Web SDK No personal data used

  • Secured https communication (read-only)

Pointr Mobile SDK

Device Identifier

When a phone runs an app containing our SDK (software library), it creates a random unique identifier for this device (“device identifier”). The device identifier is globally unique to that smartphone and app; this device identifier does not give away any personally identifiable information or device information such as MAC/IP. It is unique to that particular app running the Pointr SDK (hence, even if our SDK was used in another app on the same device, it would be a different identifier).

  • On iOS, users may reset this identifier as they wish by going to phone settings. Pointr follows Apple’s official recommendation  for identifying devices utilizing the device identifier method available in the default iOS SDK.

  • On Android, Pointr follows best practices from Android  known as Instance ID. Which similarly to iOS provides a globally unique device ID that is easily resettable, unique and does not give away any personally identifiable information or device information such as MAC/IP.

Real-Time Location

When the app starts, the SDK triggers a permission dialog (on iOS and Android) to request permission from users to track their location (while running the app and/or in the background). If a user declines this request, no location tracking is carried out. Users may at any time opt-in / out of location tracking for the particular app that includes our SDK.

The SDK detects Bluetooth signals and processes them along with phone inertial motion sensors (such as gyroscope and accelerometer) to calculate the indoor position of the device (smartphone).

Similarly, the SDK detects GPS signals to calculate the outdoor position of the device (smartphone).

Important: SDK processes these information on the device. No position-related information is forwarded externally.

Pointr Web SDK

By default, our Web SDK do not capture any information about the user. There is no login system either. They only record general usage stats (such as “how many people used POI search today” or “what is the most frequently searched for product”)

 

3. Data Privacy

We are committed to the protection of personal data and will ensure adequate preventative measures are in place at all times to ensure compliance with the new GDPR and CCPA rules and regulations. The new regulations entitles data subjects to the following rights:

  • Right to be informed – the products provided by Pointr are embedded within clients’ solutions. It is therefore their responsibility to inform data subjects.

  • Right to access – Pointr can accommodate an access request. This would only be possible if a user Provided their MAC ID and was connected to the WiFi at the time (as if using iOS 8 or later the MAC ID is randomized automatically). Otherwise, all other information is randomized.

  • Right to rectification – As no personal data is stored within Pointr’s database rectification is not applicable.

  • Right to erasure – Provided the data is identifiable, Pointr can remove location history from its database.

  • Right to withdraw consent – A user can disable location tracking (SDK) at any time as well as ask to have their device disabled on WiFi analytics products. This feature is known as Blacklisting on the Pointr Cloud Dashboard. Once an ID is blacklisted the Pointr Cloud ignores and no longer stores any information relating to that ID.

  • Right to data portability – the data held within the database is random and only applicable to Pointr’s maps and systems.

  • Right to object – A user can disable location tracking (SDK) at any time and have their device disabled on WiFi analytic products.

As Pointr is not a data controller and keeps limited to no personal data, we can confirm compliance and support of the above rights where applicable.

External Data Breach

Although high care is taken to protect our systems and databases, no system is 100% secure and it is always possible for an external party to access our database. Given all data is anonymous no personal data would be attained from the data alone. In the event a breach is uncovered, Pointr personnel will follow the data procedures and ensure timely resolution.

Internal Data Protection

Pointr ensures all contractors, consultants, and employees agree to uphold Pointr’s privacy policies as well as to protect any personal data.

Data Storage

All projects are hosted on Azure with regional instances ensuring data is not passed outside of the area the data is collected. It is possible for client users to open the Pointr dashboard (where data is converted to visual data and analytics) is stored form abroad, however access to these systems is protected with HTTPS, secure password, and optionally multi-factor authentication. All activity is logged with activity detail, any unusual behavior triggers alerts and the venue is notified immediately.

HIPAA Applicability

Pointr services are not subject to HIPAA as Pointr Maps Platform do not record or process any other PII and PHI Data in its products and services even when used by organizations which are subject to HIPAA.

This is currently ensured by avoiding recording of IP addresses of end users, anonymizing any identifiable device data before recording and avoiding processing of Personally Identifiable Information/Protected Health Information for product functionality. While this have been stated, most (if not all) of the HIPAA related controls and measures are already implemented through our ISO 27001 certified Information Security Management System.