Privacy Policy

Sensor Platform — Signal Data

iDTag sensors passively receive radio-frequency (RF) signals broadcast by nearby wireless devices as part of their normal operation. These include Wi-Fi probe request frames. The following attributes may be observed and processed:

Data Element	Description	Stored?
Hashed Device Identifier	A one-way cryptographic hash derived from the device's RF characteristics. Cannot be reversed to identify the original device or its owner.	YES
Signal Strength (RSSI)	Received signal strength indicator, used solely for positioning calculations.	YES
Frequency / Channel	RF channel on which the signal was observed.	YES
Timestamp	Date and time of detection, used for dwell-time and flow analytics.	YES
Sensor ID / Zone	Identifier of the iDTag sensor that detected the signal, mapped to a venue zone.	YES
Raw MAC Address	Never stored. Modern devices use randomized MAC addresses by default; iViu discards any raw hardware address immediately upon receipt.	NEVER

Partner & Customer Accounts

When a business partner or enterprise customer creates an account on the iViu platform, we collect the information necessary to provide services:

• Company name and business contact name
• Work email address and phone number
• Billing and payment information (processed by our PCI-compliant payment processor; card numbers are never stored on iViu servers)
• Account credentials (passwords stored as salted cryptographic hashes)
• Usage logs and API access records for security and billing purposes

Website Visitors

When you visit iviuinsights.com or iviutech.com, we may collect basic analytics data described in Section 7 (Website & Cookies).

• Names, usernames, or screen names
• Email addresses
• Phone numbers
• Home or mailing addresses
• Government-issued identification numbers (SSN, passport, driver's license)
• Financial account numbers or payment card information
• Biometric data (fingerprints, facial geometry, voice patterns)
• Health or medical information
• Demographic information (age, gender, race, ethnicity, religion)
• Political opinions or affiliations
• Location history outside of the venue where sensors are deployed
• Device contents, messages, calls, browsing history, or app data
• Social media identifiers or profiles

iViu's sensor platform detects presence and movement in a physical space. It does not know — and has no mechanism to learn — who you are.

Sensor Signal Data

Collected signal data is used solely to:

• Calculate indoor positioning — determining approximate location within a venue to sub-1-meter accuracy
• Generate foot traffic analytics — aggregated counts, dwell times, flow paths, and zone occupancy reports delivered to venue operators
• Support SIGINT security functions — detecting anomalous or unauthorized device behavior in critical infrastructure deployments (e.g., utility substations, government facilities)
• Improve platform accuracy — internal calibration and model training using de-identified aggregate datasets

Signal data is never used for advertising targeting, behavioral profiling of individuals, resale to data brokers, or any purpose beyond the specific service contracted by the deploying partner.

Partner Account Data

Business account information is used to:

• Provision and maintain platform access
• Process billing and send invoices
• Provide technical support
• Send service notifications (maintenance windows, security alerts)
• Comply with legal obligations

Legal Basis (GDPR)

For persons in the European Economic Area, our legal basis for processing is:

• Legitimate interest — for sensor signal data, which is inherently anonymous and processed to provide security and analytics services
• Contract performance — for partner account data necessary to deliver contracted services
• Legal obligation — where processing is required by applicable law

Data Category	Retention Period	Notes
Raw signal observations	90 days	Used for rolling analytics windows; purged on a 90-day cycle
Aggregated analytics reports	13 months rolling	Year-over-year comparisons; no individual device linkage
SIGINT event logs	Per customer contract (typically 12–36 months)	Retained to support security investigations
Partner account records	Duration of contract + 7 years	Required for financial and legal compliance
Opt-out records	Indefinite	Maintained to honor opt-out requests permanently
Website analytics	14 months	Standard analytics retention window

Upon expiration of the applicable retention period, data is securely deleted or irreversibly anonymized. Customers may request earlier deletion subject to legal hold obligations.

We may share data in the following limited circumstances:

Platform Partners (Venue Operators)

Analytics reports and dashboards are delivered to the venue operator (our direct customer) who has deployed iDTag sensors on their property. These reports contain only aggregated, anonymized metrics — not individual device-level data.

Service Providers

We engage third-party service providers for infrastructure (cloud hosting, CDN), payment processing, email delivery, and support ticketing. These providers act as data processors under contract and may only process data as directed by iViu.

Legal Requirements

We may disclose data when required by law, court order, or valid government request, or when we believe disclosure is necessary to protect the safety, rights, or property of iViu, our customers, or the public. We will notify affected parties where legally permissible.

Business Transfers

In the event of a merger, acquisition, or sale of assets, data may be transferred to the acquiring entity subject to the same commitments in this policy. We will provide notice before data is subject to a materially different privacy policy.

Although iViu does not collect personally identifiable information, we recognize that some individuals prefer not to have any device signals processed by our platform. We provide a straightforward opt-out mechanism.

How to Opt Out

Submit a device opt-out request through our dedicated opt-out portal:

Once submitted, your device identifier is added to a permanent exclusion list that is propagated to all deployed iDTag sensors. Signals matching the opted-out identifier are discarded without processing. Opt-out records are retained indefinitely so the exclusion persists even after the raw signal data retention window expires.

What Opt-Out Does

• Prevents future signal observations from being included in any analytics
• Removes any rolling signal history associated with the opted-out identifier
• Applies globally across all iViu partner deployments

What Opt-Out Cannot Do

• Opt-out cannot remove historical data from before the request was submitted where retention periods have not yet expired
• Opt-out applies to iViu's platform only; devices may still be detected by third-party systems

Analytics

Our websites use privacy-respecting analytics to understand aggregate visitor behavior (page views, referral sources, device type). Analytics data is anonymized and not linked to any individual. We do not use advertising pixels, cross-site tracking scripts, or behavioral profiling tools.

Cookies

Our websites use a small number of cookies:

• Theme preference — stores your light/dark mode choice in browser localStorage; never transmitted to our servers
• Session tokens — for authenticated partner portal sessions; expire when you close your browser or log out
• Analytics — anonymized first-party analytics only; no third-party advertising cookies

You can disable cookies in your browser settings. Disabling cookies will not affect your ability to read public content on our sites; it may affect the functionality of authenticated partner areas.

Contact Forms

If you contact us through the website contact form, we collect your name, email address, company name, and the content of your message solely to respond to your inquiry. This information is not added to any marketing list without explicit consent.

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR) and equivalent local law:

To exercise any of these rights, contact us at support@iviutech.com. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority (e.g., the ICO in the UK or the relevant EEA data protection authority).

Note on sensor data: Because sensor data is processed anonymously with no link to any identifiable individual, it does not constitute personal data under GDPR. There is no data held that can be attributed to you by name, email, or other identifier. The opt-out mechanism in Section 6 provides a practical means of exclusion.

California residents have specific rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

• Right to Know — request disclosure of the categories and specific pieces of personal information collected about you, the purposes for collection, and the categories of third parties with whom it has been shared
• Right to Delete — request deletion of personal information we have collected, subject to certain exceptions
• Right to Correct — request correction of inaccurate personal information
• Right to Opt Out of Sale or Sharing — iViu does not sell or share personal information for cross-context behavioral advertising. No opt-out of sale is needed.
• Right to Limit Use of Sensitive Personal Information — iViu does not collect sensitive personal information as defined by the CPRA
• Right of Non-Discrimination — we will not discriminate against you for exercising your privacy rights

To submit a CCPA request, contact us at support@iviutech.com or call us at the number on the About page. We will verify your identity before processing requests and respond within 45 days, with a possible 45-day extension where permitted.

The iViu platform and websites are intended for business and enterprise use and are not directed at children under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided personal information through our website contact form or partner portal, we will delete that information promptly.

As noted throughout this policy, our sensor platform does not collect personally identifiable information from any individual — regardless of age.

If you believe a child under 13 has provided us personal information, please contact us at support@iviutech.com.

iViu implements industry-standard and beyond-standard security measures appropriate to the sensitive nature of the environments in which our platform is deployed, including government facilities, utility substations, financial institutions, and major retail and gaming properties.

• All data in transit is encrypted using TLS 1.2 or higher
• Data at rest is encrypted using AES-256
• Sensor-to-cloud communications use mutual TLS with certificate pinning
• Access to production systems is restricted by role-based access control (RBAC) with multi-factor authentication
• Partner portal sessions use short-lived tokens; credentials are stored as salted hashes (bcrypt)
• Penetration testing and security audits are conducted on a regular basis
• Our incident response plan includes mandatory breach notification as required by applicable law

In the event of a security incident involving personal data, we will notify affected parties and, where required, regulatory authorities within the timeframes mandated by applicable law (72 hours under GDPR; as promptly as feasible under applicable US state law).

We may update this Privacy Policy from time to time. The "Revised" date at the top of this page reflects the date of the most recent changes.

For material changes — changes that expand the types of data collected, alter how data is used, or affect your rights — we will provide at least 30 days' advance notice by posting a prominent notice on our websites and, where we have your contact information, by email.

Continued use of the iViu platform or our websites after the effective date of a revised policy constitutes acceptance of the updated terms to the extent permitted by law.

For privacy-related inquiries, rights requests, or concerns, please contact:

For general business inquiries, visit our Company page or use the contact form on the main site.