Privacy-First People Counting: Anonymous, On-Premise, No Facial Recognition
Privacy in anonymous people counting is not a marketing slogan. It is a design decision you can verify. The question every operations or IT lead eventually asks is simple: are we counting people, or are we tracking them? Those are different things, and the difference shows up in how the system is built.
This guide explains how privacy-first people counting actually works. We cover body-only detection, where the video gets processed, what data is stored, and why only anonymous numbers ever leave your building. The goal is to give you enough detail to evaluate a system honestly.
One note before we start. This is a technical explainer, not legal advice. Privacy rules vary by country and by setup. Confirm your own obligations with your own data protection advisor.
Key takeaways
- Privacy-first people counting means counting people without identifying anyone, by design, not by deleting data after the fact.
- CountPort uses body-only detection, never facial recognition, and stores no biometric data.
- Raw video is processed on-site on your own hardware. Only anonymous, aggregated numbers sync to the cloud.
- CountPort counts within each camera and excludes staff, but does not re-identify or de-duplicate the same person across cameras.
- This is an explainer, not legal advice. Confirm your specific obligations with your own data protection advisor.
What "privacy-first" actually means for people counting
Privacy-first people counting means the system counts people without identifying anyone. Nobody gets named, matched to a profile, or recognized on a return visit. That outcome is built into how the software works, not bolted on afterward.
There are two broad approaches in this market, and they are easy to confuse. The first captures detailed images of people, then anonymizes or blurs them later. Privacy here is a step you apply after collection. The second is built to never identify anyone in the first place. It reads the scene as anonymous shapes and never produces an identity to protect.
The distinction matters because "we anonymize the data" still means the identifying data existed at some point. "We never collect identifying data" is a stronger position. The earlier privacy lives in the pipeline, the less there is to go wrong.
We want to be clear about scope. This article describes how the technology works. It is not a compliance promise, and no honest vendor can hand you one in a blog post. Your specific obligations depend on your jurisdiction, your full deployment, and your own policies.
CountPort sits firmly in the second camp. Detection is body-only. Video is processed on-site on your own hardware. The only data that leaves the building is anonymous, aggregated numbers. The rest of this guide unpacks each of those choices.
Body-only detection: counting shapes, not faces
Detection works from the shape and position of a person in the frame: head, shoulders, and body. The software finds these shapes, follows them as they move, and counts them as they cross a line or enter a zone. It does not read facial features, and it does not need to.
CountPort never uses facial recognition. It stores no facial template, no fingerprint, no gait signature, and no other biometric identifier. There is no enrollment step and no watchlist. A person in the frame is a moving shape with a position, nothing more.
To avoid double-counting one person who lingers, the software assigns a short-lived tracking ID to each shape inside a single camera's view. That ID lets it tell "the same person who has been standing here for ten seconds" apart from "a new person who just walked in." The ID is local to that one camera and is discarded once the person leaves the frame. It is not a profile, and it is not retained.
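The short-lived, per-camera tracking ID described above can be sketched as follows. This is an added example, not CountPort's code: the class name, the greedy nearest-neighbour matching, the `max_jump` threshold and the sample centroids are all assumptions made for illustration.

```python
import itertools
import math

class EphemeralLineCounter:
    """Counts downward crossings of the line y = line_y in ONE camera view."""

    def __init__(self, line_y, max_jump=60.0):
        self.line_y = line_y
        self.max_jump = max_jump       # max pixels a shape may move between frames
        self._tracks = {}              # short-lived id -> last (x, y), memory only
        self._ids = itertools.count(1)
        self.entries = 0               # the only value meant to leave this object

    def update(self, centroids):
        """Feed one frame of body centroids [(x, y), ...]; returns the running count."""
        unmatched = dict(self._tracks)
        current = {}
        for point in centroids:
            # Greedy nearest-neighbour association with tracks from the previous frame.
            best = min(unmatched, key=lambda t: math.dist(unmatched[t], point), default=None)
            if best is not None and math.dist(unmatched[best], point) <= self.max_jump:
                prev = unmatched.pop(best)
                if prev[1] < self.line_y <= point[1]:
                    self.entries += 1  # same shape moved across the line: count once
                current[best] = point
            else:
                current[next(self._ids)] = point  # new shape entered the frame
        # Shapes not seen in this frame have left the view; their IDs are dropped here.
        self._tracks = current
        return self.entries

    def live_ids(self):
        return sorted(self._tracks)

# Constructed input: centroids per frame for one camera, counting line at y = 100.
FRAMES = [
    [(100, 10)], [(100, 60)], [(100, 110)],   # person A walks in and crosses
    [(102, 112)],                             # A lingers: no second count
    [(101, 111), (300, 20)],                  # person B appears
    [(100, 113), (300, 70)],
    [(300, 120)],                             # A has left; B crosses
    [],                                       # frame is empty
]

def run_demo():
    counter = EphemeralLineCounter(line_y=100)
    for frame in FRAMES:
        counter.update(frame)
    return counter.entries, counter.live_ids()
```

After the last frame the counter holds a total of 2 and no track IDs at all, which is the property to look for when reviewing any tracker of this kind.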
For a deeper walk-through of the detection step, see People Counting Without Facial Recognition: How Body-Only Detection Works. It covers placement, overhead views, and why faces are unnecessary for an accurate count.
Where the video is processed: on-site, on your hardware
The software runs inside your building. Depending on your setup, that means a back-office PC, a small mini-PC, a Mac Mini, or directly on supported cameras. It reads your existing IP camera streams over RTSP or ONVIF. There is no separate sensor to mount and no rip-and-replace of your camera estate.
Raw video is read and analyzed on that local hardware. The frames are processed into counts on the spot. The video itself is never uploaded to CountPort. It does not stream to a cloud service for analysis, because the analysis already happened on-site.
What does sync to the cloud is the result: anonymous, aggregated reporting figures. Counts, occupancy, dwell, zone metrics, timestamps. These are the numbers you actually want to look at, and they are small. That sync is what lets you compare today against last week, or one store against another, from a single dashboard.
This split is the whole point of an on-premise design. Sensitive content stays local. Only summary numbers travel. If you want the architecture in detail, the technology page lays out the full data flow. We also compare the trade-offs in On-Premise vs Cloud Video Analytics: Why Where the Video Runs Matters.
What is stored, and for how long
It helps to be concrete about what records actually exist. A privacy-first system should be able to list them plainly. Here is what CountPort keeps.
| Record type | What it is | What it is not |
|---|---|---|
| Visitor counts | Totals of people entering or crossing a line | An image of any visitor |
| Real-time occupancy | How many people are in a zone right now | An identity or a name |
| Dwell time | How long shapes stayed in an area, in aggregate | A record tied to one named person |
| Zone and queue metrics | Movement and wait figures by area | A face or biometric template |
| Timestamps | When each count or measurement happened | A linkable personal identifier |
Every item on that list is a number or a summary. There are no stored images of people and no identities. You cannot open a CountPort analytics record and see who walked in, because that data was never produced.
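A reviewer can turn the record list above into a check on what actually leaves the building. The following is an added example, not CountPort code or its wire format: the field names, the newline-delimited JSON layout and the sample capture are hypothetical, chosen to mirror the record types in the table.

```python
import json

# Hypothetical field names; the page lists record types, not a wire format.
ALLOWED = {
    "camera_id": str, "zone": str, "window_start": str, "window_end": str,
    "entries": int, "exits": int, "occupancy": int,
    "avg_dwell_seconds": (int, float), "avg_queue_wait_seconds": (int, float),
}
MAX_STRING_LEN = 64  # aggregate labels are short; long strings may be encoded media

def audit_record(record):
    """Return a list of findings for one outbound record (empty list = clean)."""
    if not isinstance(record, dict):
        return ["record is not a JSON object"]
    findings = []
    for key, value in record.items():
        expected = ALLOWED.get(key)
        if expected is None:
            findings.append(f"unexpected field: {key}")
        elif isinstance(value, bool) or not isinstance(value, expected):
            findings.append(f"wrong type for {key}: {type(value).__name__}")
        elif isinstance(value, str) and len(value) > MAX_STRING_LEN:
            findings.append(f"oversized string in {key}")
        elif isinstance(value, (int, float)) and value < 0:
            findings.append(f"negative value in {key}")
    return findings

def audit_capture(lines):
    """Audit newline-delimited JSON captured at the egress point."""
    report = {}
    for number, line in enumerate(lines, start=1):
        try:
            findings = audit_record(json.loads(line))
        except json.JSONDecodeError:
            findings = ["not valid JSON"]
        if findings:
            report[number] = findings
    return report

# Constructed sample capture: two aggregate records and one that should be flagged.
SAMPLE = [
    '{"camera_id": "entrance-1", "window_start": "2024-01-01T14:00:00Z", "entries": 412, "exits": 398}',
    '{"camera_id": "entrance-1", "zone": "queue", "occupancy": 7, "avg_dwell_seconds": 95.5}',
    '{"camera_id": "entrance-1", "entries": 3, "track_id": 17, "thumbnail": "AAAA"}',
]
```

Run against a capture taken at the network boundary, an allowlist like this fails closed: any field that is not a known aggregate, including a per-person ID or an embedded image, is reported rather than silently accepted.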
Retention of these analytics records depends on your plan and your configuration. It is something you set, not a fixed black box. You decide how far back the summary figures are kept, in line with your own policies.
One more distinction is worth drawing clearly. The CountPort analytics described here are separate from any CCTV footage your security system records. Your camera DVR or VMS keeps video on its own schedule under its own controls. CountPort's retention settings apply to the count data, not to that footage.
Why only numbers leaving the building changes the privacy picture
Data minimization is a plain idea: collect and keep the least amount of data that still does the job. For people counting, the job is producing reliable numbers about traffic and behavior. You do not need identities to do that. So a privacy-first system does not collect them.
When only aggregate counts leave the building, the data category changes. A number like "412 visitors entered between 2pm and 3pm" cannot be traced back to any individual. It is a different kind of thing from a record that points at a specific person. Aggregates that cannot be linked to a human are simply a lower-risk category of data, and the privacy review reflects that.
We should be honest about the boundary, because overclaiming helps no one. Re-identification is a real concept in the wider industry. In general terms, it describes attempts to reconnect anonymized data back to individuals, often by combining datasets. We mention it so you can ask the right questions of any vendor. We are not describing something CountPort does.
To be specific about the limit: CountPort counts within each camera's field of view and excludes staff. It does not match, re-identify, or de-duplicate the same visitor across different cameras. If one person walks past three cameras, that is handled as activity in three views, not as a tracked individual stitched together into one journey. Whether that is a feature or a constraint depends on your goals, but either way it should be stated plainly. For the regulatory framing, see Is People-Counting Data Personal Data Under GDPR? A Plain-English Look.
Staff exclusion without identifying staff
Staff exclusion filters employees out of your visitor counts. The reason is accuracy. If your team keeps walking through the entrance, restocking shelves, or pacing the floor, their movement gets counted as footfall unless you remove it. That inflates your numbers and quietly corrupts every metric built on top of them.
The important part for this discussion: staff exclusion does not require facial recognition, and it does not name anyone. It works from patterns and configured rules rather than from recognizing a specific person's identity. You exclude staff activity without building a database of who your staff are.
Consider an illustrative example. A small store has four people on shift, and each crosses the entrance line, say, fifteen times a day for breaks, deliveries, and errands. That is roughly sixty extra "visits" daily, or about 1,800 a month, none of them real customers. For a store doing a few thousand visitors a month, that error is large enough to wreck your conversion rate and mislead your staffing decisions. Excluding staff fixes the denominator.
You can read how this works in practice on the staff exclusion feature page. It pairs well with conversion reporting, where a clean visitor count is the foundation everything else stands on.
What a privacy reviewer or DPO will want to confirm
If your organization runs a privacy review or has a data protection officer, a camera-based counting system will get questions. Knowing them in advance makes the process faster and the answers cleaner.
A review usually asks the same core set of things:
- What data is collected, and is any of it personal or biometric?
- Where does the data live: on-site, in the cloud, or both?
- Who can access it, and how is that access controlled?
- How long is each type of data retained, and is retention configurable?
- What signage and documentation accompany the cameras?
Most camera-based systems are accompanied by signage and internal documentation as a matter of good practice. People should be able to see that an area uses cameras, and you should be able to point to a written description of what the system does. We cover the specifics in Do You Need Signage or Consent for Anonymous Footfall Counting?
For a structured way to work through all of this, we maintain a dedicated walk-through: How to Run a Privacy Review for a Camera-Based Counting System. It turns the questions above into a checklist you can hand to a reviewer.
Finally, confirm your obligations with your own data protection advisor. Rules differ by country, sector, and setup. A guide like this can tell you how the technology behaves. It cannot tell you what your specific jurisdiction requires of you.
How CountPort approaches privacy honestly
It is easy to write privacy slogans. It is more useful to list the actual design choices, because those are the things you can check.
- Detection is body-only. No facial recognition, ever.
- No biometric data is stored. No facial templates, no profiles.
- Raw video is processed on-site on your own hardware and is never uploaded.
- Only anonymous, aggregated numbers sync to the cloud for reporting.
- Counting happens within each camera; there is no cross-camera re-identification.
- Analytics retention is configurable and separate from your CCTV footage.
It is just as important to be clear about what CountPort does not claim. We do not promise that your deployment is compliant with any specific regulation, because compliance depends on your full setup and your jurisdiction. We do not claim to be the only vendor doing any of this. We do not build biometric profiles of your visitors. Those are limits we state on purpose.
You can read our documented position and company stance on the company page. If you want a fuller grounding in the basics first, What Is People Counting? A Complete Guide to Camera-Based Visitor Counting is a good starting point.
Frequently asked questions
Does CountPort use facial recognition?
No. CountPort detects people as anonymous body shapes and never identifies faces. It stores no facial templates or other biometric data.
Does my camera video get uploaded to the cloud?
No. Raw video is processed on-site on a PC, mini-PC, Mac Mini, or supported camera inside your building. Only anonymous, aggregated numbers are synced for reporting.
Is anonymous people counting GDPR compliant?
Anonymous aggregate counts that cannot be linked to a person generally fall outside personal-data rules, but compliance depends on your full setup. We do not give compliance guarantees, so confirm with your own advisor.
What data does CountPort actually store?
It stores analytics records such as visitor counts, occupancy, dwell time, zone and queue figures, and timestamps. These are numbers and summaries, not images or identities.
Can CountPort track the same person across different cameras?
No. CountPort counts within each camera's view and excludes staff. It does not re-identify or de-duplicate the same visitor across multiple cameras.
See the on-site architecture for yourself
The fastest way to evaluate a privacy-first design is to watch it run on your own hardware and see exactly what data moves. A short walkthrough shows where the video stays, what gets stored, and what syncs.
Request a demo and we will show you the on-site setup and the data flow end to end.