GDPR Statement and Policy

We take security & data privacy very seriously and we continuously ensure all data is secured safely and in line with regulations.

What’s GDPR?

The General Data Protection Regulation (GDPR) has come into effect as of the 25th of May 2018, this act replaces the EU Data Protection Directive of 1995. The act aims to provide more protection of natural person’s data and how it is used by Data Controllers and Data Processors. This statement and policy aims to address the protection of data and user privacy according to the new rules and regulations of GDPR.

The protection of personal data is of the utmost importance to Pointr. According to GDPR, any information relating to an identified or identifiable individual is personal data. If any information on its own or with another set of information can identify an individual, it is personal data. Personal data can include: name, email, phone number, social security number, etc as well as IP address, physical address, behavioral data, location data, biometric data, financial information, and much more.

IP and MAC addresses can be classified as Identifiable data, provided this can be used to determine a natural person’s identity. A device ID (MAC/IP) is not sufficient by itself to make such a connection. A device ID can identify a natural person if the data is reviewed in conjunction with some other form of data not held by Pointr such as CCTV or records of purchases in a specific area.

 

We Keep your Data Safe

The table below highlights Pointr’s products and identifies the types of data collected by each as well as how this data is secured/protected.

services-menu-icon
Mobile SDK

(Maps, Search, Indoor Navigation)

services-menu-icon
Analytics
services-menu-icon
Website Maps / Kiosks

Data Collected & Security Measures

The table below highlights Pointr’s products and identifies the types of data collected by each as well as how this data is secured/protected.

Component
Data
Security Measures
Pointr SDK
  • User coordinates
  • Timestamp
  • Unique anonymized device identifier
  • Search history

Secured https communication Completely randomized/anonymized device ID user permission required before location is tracked

Analytics
  • Anonymized Device ID 
  • Timestamp
  • Access/Usage Event Data
  • Secured https communication
  • Strong MD5 AES one-way data encryption algorithm
Pointr Cloud

No personally identifiable data used of end users are collected or processed– only one-way encrypted data is analysed, stored and processed.

  • Secured login
  • Two-factor authentication (optional)
Website maps/Kiosk

No personal data used – only record general usage stats

Secured https communication (read-only)

Mobile SDK (Maps, Search, Indoor Navigation)
Device Identifier

When a phone runs an app containing our SDK (software library), it creates a random unique identifier for this device ("device identifier"). The device identifier is globally unique to that smartphone and app; this device identifier does not give away any personally identifiable information or device information such as MAC/IP. It is unique to that particular app running the Pointr SDK (hence, even if our SDK was used in another app on the same device, it would be a different identifier). 

  • On iOS, users may reset this identifier as they wish by going to phone settings. Pointr follows Apple’s official recommendation for identifying devices utilising the device identifier method available in the default iOS SDK.
  • On Android, Pointr follows best practices from Android known as Instance ID. Which similarly to iOS provides a globally unique device ID that is easily resettable, unique and does not give away any personally identifiable information or device information such as MAC/IP.
  • https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor
  • https://developer.android.com/training/articles/user-data-ids#working_with_instance_ids_&_guids 
Real-Time Location

When the app starts, the SDK triggers a permission dialog (on iOS and Android) to request permission from user to track their location (while running the app and/or in background). If a user declines this request, no location tracking is carried out. Users may at any time opt in / out of location tracking for the particular app that includes our SDK.

The SDK detects Bluetooth signals and processes them along with phone inertial motion sensors (such as gyroscope and accelerometer) to calculate indoor position of the device (smartphone). 

Similarly, the SDK detects GPS signals to calculate the outdoor position of device (smartphone). The SDK uploads this location information to Pointr Cloud, along with Device Identifier.

Anonymity

Through this process, the SDK produces a random device identifier (eg. "ABCD") with timestamp and location (eg. "Device ABCD was at this position at this time") it is important to note:

  • This is not a device's MAC address, this is not user's ID (eg. if another user used the same device, we wouldn't be able to distinguish)
  • This doesn't say anything about user's personal information (such as first name, email, address, gender, etc.)
  • In all our settings, it's practically impossible to work out who a Device Identifier belongs to.

However, there is a possibility that:

  • Only one user was standing at a particular location at a venue (and no one else) and
  • You can see this through a camera (or in-person)

If you can see real-time location information coming from a specific device identifier at that time and location then you can guess that this user must have that specific device ID which is unique to Pointr and has no other information attached to it.

Analytics

A random device identifier (eg. "ABCD") with timestamp and location (eg. "Device ABCD was at this position at this time") and Session ID is used for analytics along with the Event data. 

  • The identifiers are not a device's MAC address, this is not user's ID (eg. if another user used the same device, we wouldn't be able to distinguish)
  • This doesn't say anything about user's personal information (such as first name, email, address, gender, etc.)
  • In all our settings, it's practically impossible to work out who a Device Identifier belongs to.

Thus our analytics do not process personal data (PII - Personally Identifiable Data is excluded by design) 

Website maps / Kiosks

By default, our web maps and kiosk software do not capture any information about the user. There is no login system either. They only record general usage stats (such as "how many people used Poi search today" or "what is the most frequently searched for product")

Pointr’s GDPR Policy

We are committed to the protection of personal data and will ensure adequate preventative measures are in place at all times to ensure compliance with the new GDPR rules and regulations. This new regulation entitles data subjects to the following rights:

  • Right to be informed – the products provided by Pointr are embedded within clients’ solutions. It is therefore their responsibility to inform data subjects.
  • Right to access – Pointr can accommodate an access request. This would only be possible if a user Provided their MAC ID and was connected to the WiFi at the time (as if using iOS 8 or later the MAC ID is randomized automatically). Otherwise all other information is randomized.
  • Right to rectification – As no personal data is stored within Pointr’s databases rectification is not applicable.
  • Right to erasure – Provided the data is identifiable, Pointr can remove location history from its database.
  • Right to withdraw consent – A user can disable location tracking (SDK) at any time as well as ask to have their device disabled on WiFi analytics products. This feature is known as Blacklisting on the Pointr Dashboard. Once a ID is blacklisted the Pointr Cloud ignores and no longer stores any information relating to that ID.
  • Right to data portability – the data held within the database is random and only applicable to Pointr’s maps and systems.
  • Right to object – A user can disable location tracking (SDK) at any time and have their device disabled on WiFi analytic products.

As Pointr is not a data controller and keeps limited to no personal data, we can confirm compliance and support of the above rights where applicable.

External Data Breach

Although high care is taken to protect our systems and databases, no system is 100% secure and it is always possible for an external party to access our database. Given all data is anonymous no personal data would be attained from the data alone. In the event a breach is uncovered, Pointr personnel will follow the data procedures and ensure timely resolution. 

Internal Data Protection

Pointr ensures all contractors, consultants and employees agree to uphold Pointr’s privacy policies as well as to protect any personal data.

Data Storage

All projects are hosted on Azure with regional instances ensuring data is not passed outside of the area the data is collected. It is possible for client users to open the Pointr dashboard (where data is converted to visual data and analytics) is stored form abroad, however access to these systems are protected with HTTPS, secure password and optionally multi factor authentication. All activity is logged with activity detail, any unusual behavior triggers alerts and the venue is notified immediately.

Offerings

See our services and features in action
and how they add value to different industries.

Location Based Services

Provide the finest location experience for your visitors.

Learn more
Location Based Analytics

Real-time analytics to help you make data-driven decisions.

Learn more
Location Based Engagement

Engage with users based on their real-time location.

Learn more

Explore Deep Location®

Pointr’s Deep Location® platform powers all your location requirements,
from mapping, navigation and positioning to
location-based analytics and marketing.

Find out more

Any Questions?


Contact us if you have any other questions on
how we ensure data privacy & security.

 

Contact us