GDPR-compliant footfall analytics

Why footfall measurement raises GDPR questions

Counting visitors means measuring people in a physical space, and most ways of doing it touch something personal: signals from a phone, or images at a door. Under GDPR, anything that could identify a person is personal data, and identifiers and stored footage are exactly the kind of material the regulation exists to police. A compliance team is right to slow a footfall project down and ask what is collected, what is kept, and whether anyone could ever be picked out of the data. Those questions deserve direct answers, in writing, before a single visitor is counted.

How the method answers them

Bumbee Labs counts with Wi-Fi, optical 3D sensors, cellular network data or a hybrid of them, and the same privacy design runs through every method. Measurement is passive: nothing is installed on a phone, and nothing is asked of the visitor. All personal data is irrevocably deleted, never hashed and kept, never stored, so only anonymous, aggregated statistics remain and no individual can be identified. Camera and sensor installations process video for analytics only, storing no personal images. Cellular analytics works on anonymised, aggregated network data, with no device-level tracking.

What reaches you is statistics: visitor counts, dwell times, flows, capture rates and trends. The whole journey from signal to statistic, through collection, anonymisation, filtering, processing and insight, is described step by step on data deliverables.

What the approval means for your review

For a compliance review, the approval changes the starting point. The central question, does this produce personal data, has already been asked and answered where it matters most, so you can use the statistics without taking on privacy risk, because no personal data is ever produced. Independent confidence sits alongside the regulatory kind: the method is validated by academia, partners and customers, and every deployment is verified with manual control measurements matched against our own data. If a formal assessment is on the table, DPIA for people counting collects the questions a DPO typically asks and shows where these answers live.

What compliance teams ask us

• What is collected? Wi-Fi signals that phones emit, optical counts at a point, or anonymised, aggregated network data, depending on the method. Collection is passive throughout.
• What is kept? Statistics only: counts, dwell, flows and trends. Nothing that could identify anyone is stored.
• Can anyone be picked out of the data? No. The method is designed so that no individual can ever be identified.
• Where do the numbers go? Into dashboards and a documented, pull-based API. Your visitor data is yours, ready for the systems you already run.

Who this is for

Retailers and shopping centres, transport hubs and airports, museums, libraries, city centres and outdoor advertising: places where footfall drives real decisions and privacy scrutiny is rightly high. The approach scales from a single store to entire districts, and the statistics arrive the same way at every scale, so a group with many sites reviews the method once. Public bodies buying through a tender can turn the same principles into requirements with procuring people counting.

Straight answers, before you commit

Bring the questions your DPO will ask anyway. A demo walks through the method, the data journey and the dashboard in plain language, our privacy policy covers how we handle data more broadly, and the results on case studies show the statistics at work for organisations that asked the same questions first.