Operator: Resilient Path Consulting, Sister Bay, Wisconsin
Effective date: June 1, 2026
Last updated: June 4, 2026
Contact: privacy@resilientpathconsulting.net
We measure how crowds move through an event or venue — where people gather, how long they linger in an area, and how foot traffic shifts over the course of a day. We do this by passively observing the wireless signals that phones and other devices broadcast on their own.
We do not know who you are, and we are not trying to find out. We do not collect your name, your phone number, your location history, the contents of any communication, audio, or video. We never connect to your device. We observe only the anonymous signals already being transmitted into open airspace, and we convert any device identifier into an irreversible token before it is ever stored.
We do not read the names devices broadcast, we exclude medical and health devices entirely, and we never recognize any single device for longer than 90 minutes.
Our stated goal is simple: to understand crowd movement, not to identify people.
This is a passive crowd-analytics system. A small number of fixed sensors listen for standard Bluetooth Low Energy (BLE) advertising packets — the routine "I exist" broadcasts that phones, wearables, and similar devices emit automatically.
By noting that the same anonymized token appears at different sensors at different times, we can estimate:
This information helps event organizers and venues plan layouts, staffing, vendor placement, and crowd management.
We collect only what is necessary to measure movement:
That's it. The advertising packets devices broadcast may contain additional fields — names, manufacturer data, service identifiers, and so on. We deliberately do not read or store those fields, except for the narrow, defensive use of identifying devices we should exclude (see Section 5).
A raw device identifier observed in open airspace is not, by itself, a name or an identity. Our position is that we will not be the link that turns it into one. Everything below is designed to guarantee that.
Some devices are more sensitive than an anonymized, rotating phone signal, and we go out of our way not to keep their data:
Excluded devices are counted, not stored. To confirm our exclusion logic is working, we may keep a single running tally of how many devices were excluded. We do not store anything about what those devices were, and we never break that count down by device type — it is one undifferentiated number.
Classification only in aggregate. Where we estimate the makeup of a crowd (for example, to convert a device count into an approximate headcount), we do so only as aggregate statistics. We never classify, label, or recognize an individual device.
Hashing on ingestion. Device identifiers are converted into one-way hashed tokens as soon as they are ingested into our backend, before they are written to any persistent storage such as a database or disk. A one-way hash cannot be reversed back into the original identifier.
Why a hash, not encryption. Encryption can be undone with a key. A one-way hash cannot. We deliberately keep no key that could reverse a token back into a device identifier.
No long-term retention of raw identifiers. Raw device identifiers exist only transiently in memory or in transit while being processed into tokens. They are not committed to persistent storage and are discarded once tokenized.
Limited-time recognition (90-minute cap). Because phones rotate their Bluetooth identifier frequently, we may briefly recognize a device across those rotations within a single visit, so that we can measure how long it stays in an area. This recognition is held only in temporary memory, is never written to disk, is used only to measure dwell time and movement, and is permanently and irreversibly discarded no later than 90 minutes after a device is first seen. After 90 minutes, a device that is still present is treated as entirely new, with no link to its earlier session. We never recognize any device for longer than this.
Consistent tokens, by design. Within a single season, a device maps to the same token across all sensors, which is what lets us measure movement between zones. It is not consistent across years.
Periodic token rotation. The secret salt used to generate tokens is rotated at least once per year. After rotation, the same device produces a completely different token, which intentionally breaks any ability to correlate a device from one rotation period to the next.
Salt destruction. When the salt is rotated, the previous salt is destroyed. Because a token cannot be reversed without the salt that produced it, destroying the salt makes the prior period's tokens permanently irreversible — by anyone, including us.
Aggregation. Reporting and analytics are produced from aggregated, anonymized data — counts, durations, and flows — never from individual device records.
Most modern smartphones (current iOS and Android) automatically randomize their Bluetooth identifiers and rotate them frequently. This limits long-term and cross-visit tracking — which is a real privacy benefit. As described in Section 6, we may briefly recognize a device through these rotations within a single visit to measure dwell time, but never for longer than 90 minutes and never in a way that persists across visits, seasons, or our annual token reset.
You can prevent your device from being counted at any time by turning off Bluetooth on your device while in the area. Because the system is passive and receive-only, a device with Bluetooth disabled is invisible to it.
We share only aggregated, anonymized analytics (such as crowd counts, dwell times, and movement patterns) with the event organizers, venues, or partners we are working with — for example, a destination marketing or event-planning partner. We do not share device-level data, tokens, or raw identifiers with any third party. We do not sell data.
Data in our pipeline is handled on systems we control. Raw identifiers are tokenized before storage, in-session recognition data is held in memory only, access to analytics systems is restricted, and we retain no key capable of reversing a token to a device identifier.
This system passively observes signals that devices voluntarily broadcast into unlicensed, open radio spectrum. We do not transmit to, interfere with, or connect to any device, and we do not attempt to identify any individual. Where applicable law requires notice of such observation, this policy serves as that notice.
We may update this policy as the system evolves. Material changes will be reflected in the "Last updated" date above and posted wherever this policy is made available.
Questions about this policy or the system can be directed to:
Resilient Path Consulting
privacy@resilientpathconsulting.net