
The privacy nutrition label for sensors: 12 questions for any vendor

Jun 3, 2026 · 14 min read

Why a privacy label belongs on a sensor

Apple's App Privacy labels and Google's Data safety section forced mobile apps to declare, in a single panel, what data they collect, what they share, and what is linked to a user identity. The format is now familiar to anyone who has installed an app: a short, structured disclosure that a procurement reviewer or a customer can read in under a minute. Sensors hanging from ceilings and door frames do not yet have an equivalent panel, and they probably should. A sensor is a piece of permanent infrastructure in a building, and the data questions it raises are at least as serious as the ones an app raises.


The questions below are not Ariadne's invention. They are drawn from public privacy-by-design principles (the seven PbD principles set out by Ann Cavoukian and built into Article 25 of the GDPR), from the Apple and Google app-privacy label patterns, and from European Data Protection Board guidance on data protection by design and by default. They are the questions any procurement team should put to any people-counting vendor, including Ariadne. The answers below show how a camera-free, identifier-free design responds to each one.

This article is informational and is not legal advice. Confirm your specific deployment with your Data Protection Officer and legal counsel.

How to use this checklist

Treat the 12 questions as a short questionnaire to send a shortlisted vendor in writing, alongside a normal security review. The wording is deliberately closed where the regulatory answer is binary, and open where the answer has texture. Three rules make the exercise useful.

  • Ask for written answers. A vendor that cannot give clean written answers to the binary questions is telling you something about their product or their internal clarity. Either way it is useful to know before signing.
  • Ask for the structural answer, not the configuration answer. Many privacy properties can be turned on in configuration and turned off later. A property baked into the hardware or the data model is durable. The label should record which is which.
  • Ask what is on the 12-month roadmap. A vendor that plans to add face recognition, demographic inference, or identifier capture in the next release is not a non-biometric vendor today, even if the current build is clean.

The 12 questions

Here is the label, twelve questions grouped into four sections: what is captured, what is stored, who can see it, and how the design handles change. Each question is followed by the answer Ariadne gives, which the procurement team can use as a baseline reference.

1. What sensors does the device contain, and which ones are active?

Every sensing modality present in the unit is part of the privacy surface, even if it is not used today. A unit that contains an optical camera, even one that is currently disabled, has a different risk profile to one that contains no camera at all. Ask for a list of every sensor present in the hardware (depth, RGB camera, microphone, radio, thermal, accelerometer) and which of them produces data the platform actually reads.

Ariadne. The Ariadne unit contains a Time-of-Flight depth sensor and a patented radio signal sensor. There is no optical camera and no microphone. The sensors that produce data are the ones the platform reads; there is no dormant camera waiting for a feature flag.

2. Does any sensor capture an image, video, or audio recording?

This is the question a board or a DPO will ask first, because images and audio are the categories that most clearly fall inside GDPR and the EU AI Act's biometric scope. The answer should be a clean yes or no, with no qualifications about local processing or on-device blurring.

Ariadne. No. Time-of-Flight returns a depth reading, not an image or a video frame. The radio sensor reads electromagnetic signals, not audio. No camera output and no microphone output is captured at any point.

3. What identifiers are captured by default?

Identifiers include MAC addresses, IMEIs, advertising IDs, login tokens, loyalty IDs, and any other value that can be linked back to a device or a person. A counter that stores an identifier is processing personal data even before any biometric question, because the identifier is the link between a measurement and a human.

Ariadne. None by default. The radio sensor sees the signals a phone emits, including in airplane mode, and triangulates position to roughly 30 centimetres, but the MAC address that came with the packet is not stored. The Time-of-Flight sensor reads geometry only. Identifiers are stored only when a visitor explicitly opts in, for example by logging into a guest Wi-Fi service, and the operator can decline to offer that option.

4. What categories of data does the platform process, and for what purpose?

This is the Apple App Privacy label question, ported to a sensor. The vendor should be able to list every category of data the platform actually processes, and tie each one to a purpose. If a category is processed for a purpose other than the one the operator paid for, that is the disclosure that matters.

Ariadne. The platform processes depth readings (entries and exits at counted thresholds) and radio signal vectors (positions over time inside the building). It uses them to compute counts, dwell times, and paths through space. It does not process the data for advertising, for behavioural profiling, or for any purpose outside the visitor analytics the operator has commissioned.

5. Where is the data processed, and where does it live?

Data residency is a procurement and DPO question. The vendor should be able to say where in the world the processing happens, where the storage sits, and what jurisdictions touch the data on its way through.

Ariadne. Hybrid Fusion runs centrally in the Ariadne platform, not in the sensor itself. The platform is hosted in the European Union and the data sits under EU data protection law for the whole journey. The sensor streams its feeds to the platform; the fusion, the analytics, and the storage all happen inside the EU.

6. How long is data retained, and what is the deletion mechanism?

Retention is the most common gap on a real-world privacy label. A vendor that has no documented retention policy is telling you that the data sits forever, or that the engineers will decide later. Both answers fail Article 5(1)(e) GDPR.

Ariadne. Retention is configurable per deployment and is documented in the data processing agreement signed with the operator. The default position for the counts is to keep aggregated time-series data for the analytical horizon the operator requires (typically multiple years for trend work) and to discard raw signal vectors much earlier. Deletion on request is supported through the platform.

7. Who can access the raw data, internally and externally?

Access is a two-part question. Inside the vendor, which engineers and operations staff can read which fields, and against what authorisation. Outside the vendor, which third parties (sub-processors, hosting providers, integration partners) touch the data, and under what contracts. A clean answer names every external party.

Ariadne. Internally, raw signal data is accessible only to engineers on the platform team under role-based controls and audit logs. Externally, the sub-processor list is documented in the data processing agreement, with each party's role and jurisdiction named. No party outside that list has access.

8. Does the system perform biometric identification or biometric categorisation?

This is the EU AI Act question. Identification means recognising who a person is. Categorisation means inferring an attribute (age, gender, ethnicity, emotion) from a biometric trait. A yes to either brings the deployment inside the AI Act's high-risk or prohibited regime, depending on the application.


Ariadne. No. The platform does not identify individuals, does not match faces, does not produce face templates, and does not infer demographic or emotional attributes. There is no camera input from which any of those could be built, so the answer is structural rather than configurable.

9. Can a visitor be re-identified across visits, cameras, or zones?

Re-identification is the question Apple's label captures with "data linked to you". A counter that builds a stable token (a hashed MAC, a body-shape signature, a behavioural template) for the same visitor across days is producing identified data, even if it never sees a name. The vendor should say plainly whether this happens.

Ariadne. No. The patented signal sensing does not store the MAC address by default, so there is no stable per-device token to link visits together. The Time-of-Flight stream produces geometry events at thresholds, not body-shape templates. Hybrid Fusion stitches a trajectory inside a single visit and does not carry it across to other visits.
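To make the difference between questions 3 and 9 concrete, here is an added example (not Ariadne's code, and the per-visit session scheme is an assumption for illustration, not the patented method): one ingest path keeps a hashed MAC and stays linkable across days, the other writes records whose type has no identifier field at all and links packets only within a visit.

```python
import hashlib
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class PositionEvent:
    """Stored record; structural answer to question 3: no field exists that
    could hold a MAC, a hash of a MAC, or any other device identifier."""
    session: str  # random per-visit token, not derived from the MAC
    day: int
    t: int        # seconds since start of day
    x_cm: int
    y_cm: int

# Constructed sample packets (mac, day, t, x_cm, y_cm): phone A visits on
# day 1 and again on day 2; phone B is seen once on day 1.
SAMPLE_PACKETS = [
    ("aa:aa:aa:aa:aa:aa", 1, 0, 100, 200),
    ("bb:bb:bb:bb:bb:bb", 1, 30, 500, 900),
    ("aa:aa:aa:aa:aa:aa", 1, 60, 130, 260),
    ("aa:aa:aa:aa:aa:aa", 1, 120, 170, 300),
    ("aa:aa:aa:aa:aa:aa", 2, 0, 110, 210),
    ("aa:aa:aa:aa:aa:aa", 2, 60, 140, 250),
]

def hashed_mac_ingest(packets):
    """The anti-pattern named in question 9: sha256(mac) is still a stable
    per-device token, so stored records stay linkable across visits."""
    return [(hashlib.sha256(mac.encode()).hexdigest()[:16], day, t, x, y)
            for mac, day, t, x, y in packets]

def identifier_free_ingest(packets, gap_s=600):
    """Assumed scheme for illustration (not Ariadne's patented method):
    packets from one device within one visit share a random session token
    held only in this function's memory; the MAC is never written out."""
    live = {}  # mac -> (session, (day, t)); discarded on return
    events = []
    for mac, day, t, x, y in packets:
        session, last = live.get(mac, (None, None))
        if session is None or last[0] != day or t - last[1] > gap_s:
            session = secrets.token_hex(8)  # new visit, new unlinkable token
        live[mac] = (session, (day, t))
        events.append(PositionEvent(session, day, t, x, y))
    return events

def linkable_across_days(records, token_of, day_of):
    """Tokens that recur on more than one day; anything above 0 means the
    store can re-identify a visitor across visits (question 9)."""
    days = {}
    for r in records:
        days.setdefault(token_of(r), set()).add(day_of(r))
    return sum(1 for d in days.values() if len(d) > 1)
```

Run against the sample, the hashed path reports one token recurring across days while the identifier-free path reports none, yet still yields three within-visit trajectories of 3, 1 and 2 points.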

10. What is the legal basis for processing, and who is the controller?

GDPR Article 6 requires a lawful basis. In a visitor-analytics deployment, the controller is usually the operator (the retailer, mall, museum, or city) and the vendor is the processor. The label should make the roles explicit and identify the basis the controller is likely to rely on (legitimate interests with a balancing test, in most counting deployments; consent in narrower flows).

Ariadne. The operator is the controller and Ariadne is the processor. The standard processor terms are in the data processing agreement. Because no PII is captured by default in the counting flow, the operator typically relies on legitimate interests for the analytics, supported by transparency notices at the venue. Any opt-in identifier (for example guest Wi-Fi login) sits under a separate consent basis that the operator runs.

11. How are visitors informed, and how can they exercise rights?

Articles 13 and 14 GDPR require transparent information at the point of collection. EDPB guidance on data protection by design encourages signage and a layered privacy notice for any in-building sensing. The vendor should describe the materials it provides the operator (signage templates, web copy, multilingual versions) and how data subject requests are handled.

Ariadne. Ariadne provides signage and notice templates for the operator to deploy at venue entrances, in the languages the venue uses, describing the camera-free, identifier-free nature of the measurement. The operator handles direct rights requests, with platform support to identify and delete any opt-in identifier records.

12. What is the 12-month roadmap on data collection?

A label that is clean today may not be clean next year. The vendor should disclose features on the public 12-month roadmap that would change any of the answers above: an optional face module, a demographic add-on, an identifier-based feature. A no-change roadmap is itself a meaningful disclosure.

Ariadne. There is no face module, no demographic categorisation, and no identifier-based counting feature on the public 12-month roadmap. The non-biometric, no-PII posture is the durable design point, not a temporary configuration.

How Ariadne handles the underlying measurement

The answers above hang off a measurement architecture that is camera-free by construction, not by configuration. It is worth stating that architecture in one paragraph so the label has a structural reference.

Ariadne measures this with Hybrid Fusion, its patented camera-free method. Time-of-Flight depth sensing counts every visitor at the entrances, capturing geometry rather than images, while patented phone signal sensing follows movement through the interior, detecting the signals a phone emits even in airplane mode. The sensor streams both feeds to Ariadne, where Hybrid Fusion combines them into one trajectory per visit and computes counts, dwell, and paths. The streams carry no identifier: no MAC address, no device ID, no biometric data, and no camera is involved. Identifiers are stored only when a visitor explicitly opts in, which keeps the method GDPR-friendly and outside biometric territory.

The architecture is the reason the privacy label answers come out the way they do. Time-of-Flight returns geometry, not pixels of a person, so there is no image to recognise. Patented signal sensing reads radio packets and discards the address that came with them, so there is no device identifier in the data. Fusion happens centrally in the Ariadne platform, not in the sensor itself, which keeps the processing path and the audit trail in one place. The system is described in detail on the how it works page, and the data handling sits in the privacy policy. The hardware lineup is on the Ariadne sensor page, and the solution surface is the people counting page, with the analytics platform itself documented at Ariadne Analytics.

How to score a vendor against the label

Once the questionnaire is filled in, the scoring is straightforward. Three patterns are worth flagging in any review.

  1. Structural beats configurable. If a vendor's clean answer to question 2 (no image captured) or question 8 (no biometric processing) depends on a setting that an administrator could change, the deployment classification depends on the configuration audit. A structural answer (the hardware does not contain a camera) removes that ongoing burden.
  2. Default state matters more than maximum capability. Question 3 (identifiers captured by default) and question 6 (retention) are where many vendors describe a best case that is not the shipping default. Pin the answer to the configuration the operator will actually run on day one.
  3. Roadmap is part of the label. Question 12 is the difference between a vendor that happens to be clean now and a vendor whose product strategy keeps it clean. The latter is what a long-lived contract needs.

What is not on the label and why

Two questions deliberately do not sit on the privacy label, because they are accuracy and security questions rather than privacy ones, and conflating them weakens the disclosure.

  • Accuracy. How accurate the counter is, how it behaves in groups, and how it handles edge cases (children, wheelchairs, queues) belongs in a separate accuracy disclosure. Mixing it with the privacy label invites the answer "we are 99 percent accurate", which is not a privacy property.
  • Security. Network security, key management, and incident response belong in a security review. The privacy label intersects security at access controls (question 7) but should not try to substitute for an ISO 27001 or SOC 2 review.

FAQ

Is this label an Ariadne framework?

No. The 12 questions are drawn from public privacy-by-design principles, the App Privacy and Data safety label patterns from Apple and Google, and European Data Protection Board guidance. Any procurement team can use them with any vendor. Ariadne uses them on itself in this article to show how a camera-free, identifier-free design answers each one.

Where does the privacy-by-design framing come from?

Privacy by design was set out as seven principles by Ann Cavoukian at the Information and Privacy Commissioner of Ontario in the 1990s and was adopted as a regulatory expectation in Article 25 of the GDPR (data protection by design and by default). The European Data Protection Board has issued guidance interpreting that article, which underpins much of the questionnaire here.

Does the system use cameras?

No. Ariadne counts with Hybrid Fusion: Time-of-Flight depth sensing plus patented phone signal sensing, never cameras. Time-of-Flight captures geometry rather than images, and signal sensing captures no MAC address by default, so the measurement involves no video, no faces, and no biometric data.

What if my deployment needs identifiers for a specific feature?

Identifiers are supported through an opt-in path, for example a guest Wi-Fi login, where the visitor knowingly provides a credential. That flow has its own consent basis and its own retention rules, and is separate from the default counting flow. The operator can decline to offer it.

Is this article legal advice?


No. The article is informational only. Confirm classification, lawful basis, and retention with your Data Protection Officer and legal counsel, who will adapt the analysis to your jurisdiction and your specific configuration.
