Limitless connects Digital touchpoints for Physical spaces
Limitless are a location aware data platform that connects location, store & external data in a light to no touch cloud platform. Connecting the individual customer to their transactional data in a GDPR compliant manner.
Providing similar analytics as Google & Amazon for physical spaces by capturing data touchpoints at each step of the customer journey. Measuring the customer journey, linking it back to travel paths and purchases so that you can intervene and impact the customer in the buying moment. Limitless is not just another wi fi or data platform but an insights platform that drives business & customer insights with the ability to engage with the customer & personalise their experience driving business improvements.
We are an enterprise solution with key features that can be bolted on to solve many challenging use cases. We specialise in the retail and property / place verticals; however, our platform can help any business with a physical building and customers.
Single Sign On: Connect your customer in any channel (online / Wi-Fi / app)
Social Login: Seamless login connecting the customer in their channel of choice
Splash Page: Customisable splash page with additional drip questions
Insights: Customisable dashboards reporting on business insights
Engagement: Captive portal, digital coupons or digital screens
Redemption: From digital campaigns to physical redemption with transparency
Understand your existing customer base & registered users to impact anonymous customers increasing loyalty.
Utilise your location data from Wi-Fi and apps to measure dormancy, latency and abandoned baskets, and to encourage frequency.
Utilise existing sales data to increase spend, improve communication and drive engagement with personalised engagement based on their behaviours and not amalgamated data.
Benchmark your business by country / region, improving each store’s efficiencies and driving improvements across your stable of stores with reporting by function.
Open a web browser and log in to your Meraki dashboard at https://dashboard.meraki.com
Click Configure > Access Control on the left menu. From the SSID dropdown, choose the one you wish to use, then configure with the below settings:
Open (no encryption)
| Splash page | Click-through |
| Network Access Control | Disabled: do not check clients for antivirus software |
| Assign Group Policies | Disabled: do not assign group policies automatically |
| Captive portal strength | Allow non-HTTP traffic prior to sign-on |
| Walled garden | Walled garden is enabled |
| Walled garden ranges | *.limitlessinsight.com |
Note: If you wish to support social network logins, you also need to add the below entries for each network you plan to support.
Note: The Meraki MX/Z1 does not support the Client IP assignment or DNS settings, so please skip these two settings.
| Client IP assignment NAT mode | Meraki DHCP |
| Content filtering | Block Adult content |
Click Splash page on the left and configure with the below settings:
| Custom splash URL | *insert access_url here* |
| Where should users go after the splash page? | A different URL: *insert redirect_url here* |
Click Save to finish
The configuration is now complete.
What is Presence Data?
Presence data is the total count of unauthenticated / anonymous devices (laptops, mobiles, tablets etc.) that come into contact (‘ping’) with an access point in a venue.
These devices get close enough to an access point so that their unique MAC address can be recorded, but do not authenticate onto the Wi-Fi network.
Recorded alongside the devices’ unique MAC address is also:
• Strength of signal (RSSI): signifying how close a device is in proximity to an access point
• Duration: how long the device was seen by any access point within a venue
These distinct sets of data form two important reports within the Limitless Portal.
Based on signal strength only, devices which have an RSSI of 30 or above are classed as ‘registered’ (coming close enough to an access point to infer that they entered the venue).
‘Passers By’ visitors are those whose devices were seen by an access point, but who did not meet the RSSI 30 threshold.
These are classed as ‘passed’ as they were close enough to the venue itself to become a visitor (and be picked up by an access point), but most likely did not enter the venue.
The motive for these computations is that many customers want to better understand not only the number of visitors they had, but also the number of potential visitors that passed by and could have entered the venue.
Being able to track this over time allows venues to measure success in attempts to convert a higher number of potential passers-by, encouraging them to enter the venue, and identify specific locations that have a higher percentage of conversion.
‘Walk Throughs’ visitors are those who do not meet the minimum duration threshold, and therefore did not meet the standard of a meaningful visit. They were in range of an access point for only a short time, and left the vicinity quickly, before they became visitors.
Walk through rate provides insights into the number of visitors leaving only a short time after entering. Tracking the bounce rate over time allows users to analyze successes in encouraging longer visits and improving ‘registered’ percentage, and the ability to measure walk throughs across different venues.
The walk through duration is customizable as different sectors and industries will classify a visit in different ways. Quick service restaurants (QSR) will have a different definition and expectation from restaurants with table service, and shopping centres might want to set a higher bounce duration than a coffee shop.
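The three categories described above can be derived from raw probe records as follows. This is an added example, not Limitless code: the sample probes, the 300-second visit threshold, the order in which the two checks are applied and the two rate definitions are assumptions.

```python
from collections import defaultdict
from datetime import datetime

RSSI_THRESHOLD = 30      # from the page: RSSI of 30 or above means the device entered
MIN_VISIT_SECONDS = 300  # constructed value; the page says this is tuned per sector

# Constructed probe records: (device id, ISO timestamp, RSSI on the page's scale)
SAMPLE_PROBES = [
    ("dev-a", "2024-01-01T10:00:00", 22),
    ("dev-a", "2024-01-01T10:00:40", 27),
    ("dev-b", "2024-01-01T10:01:00", 35),
    ("dev-b", "2024-01-01T10:02:00", 41),
    ("dev-c", "2024-01-01T10:05:00", 33),
    ("dev-c", "2024-01-01T10:25:00", 48),
    ("dev-d", "2024-01-01T10:30:00", 30),
]


def summarise(probes):
    """Collapse raw probes into {device: (peak RSSI, seconds from first to last sighting)}."""
    seen = defaultdict(list)
    for device, stamp, rssi in probes:
        seen[device].append((datetime.fromisoformat(stamp), rssi))
    summary = {}
    for device, sightings in seen.items():
        times = [when for when, _ in sightings]
        peak = max(rssi for _, rssi in sightings)
        summary[device] = (peak, (max(times) - min(times)).total_seconds())
    return summary


def classify(peak_rssi, duration, min_visit=MIN_VISIT_SECONDS):
    """Signal strength is checked first, then dwell time (ordering is an assumption)."""
    if peak_rssi < RSSI_THRESHOLD:
        return "passer_by"       # seen by an AP but never close enough to have entered
    if duration < min_visit:
        return "walk_through"    # entered, but left before a meaningful visit
    return "registered"


def report(probes, min_visit=MIN_VISIT_SECONDS):
    """Label every device and derive the two rates the page talks about tracking."""
    labels = {dev: classify(peak, secs, min_visit)
              for dev, (peak, secs) in summarise(probes).items()}
    counts = {"passer_by": 0, "walk_through": 0, "registered": 0}
    for label in labels.values():
        counts[label] += 1
    entered = counts["walk_through"] + counts["registered"]
    return {
        "labels": labels,
        "counts": counts,
        # share of all detected devices that came inside (assumed definition)
        "conversion_rate": entered / len(labels) if labels else 0.0,
        # share of entering devices that left early (assumed definition)
        "walk_through_rate": counts["walk_through"] / entered if entered else 0.0,
    }


if __name__ == "__main__":
    print(report(SAMPLE_PROBES))
```

A device seen only once has a duration of zero, so it can never count as a meaningful visit however strong its signal.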
When we measure visitor frequency we may see that a visitor comes to a venue 5 times a week, then drops to 4, 3, 2 and finally stops visiting. This is known as churn, and most physical buildings do not capture the churn rate. With Limitless we can detect this and intervene, bringing the customer back so we don’t lose them, or increasing their frequency again. This could work for revamping stores, or for spotting a competitor with specific promotions that impact your business.
Latency can be set per venue, as you may visit a food retailer every day, a larger shop once a week, or a shopping centre at different frequencies.
Dormancy measures when the Limitless platform has last seen you in venue again based on the visitor frequency and the size of the venue. Limitless use this measure to re engage around special occasions or activations to bring the customer back to the venue. Whether recently dormant or having been seen for a while we can engage with the customer & understand the reason behind this.
Limitless standardises the dashboard by industry so that you don’t have to Tabs are provided for
At the moment Limitless does this as part of the ‘setup’
All public facing portals and websites are encrypted with TLS (Transport Layer Security). TLS is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral. Limitless support TLS 1.2 minimum.
Limitless regularly review TLS ciphers offered, and remove ciphers that are no longer considered to meet minimum security requirements.
All Limitless-hosted data is hosted within cloud services such as Google Cloud (GCP) or Amazon Web Services (AWS), and all disks hosting data are encrypted (AES-256) using the security controls available with those cloud providers.
All passwords are hashed with the bcrypt hashing function, alongside Multi Factor Authentication (MFA).
Limitless host and handle data in a way consistent with the standards of the EU’s GDPR regulations.
Separate active opt-in is sought for all marketing consents within the EU and as activated by customers elsewhere, and any EULA or opt-in consent is stored against the user and venue with the date, time and language of opt-in. Once a user has logged in, they are sent a link to an end user profile where they can view data held about themselves, view (and change) any opt-in consents and immediately delete all data collected about them.
Additionally, users can email the Limitless Data Protection Officer (via a clearly displayed email address) with any queries, for any changes to their data or to exercise their right to be forgotten.
Data is only used for the stated purposes, and Limitless do not collect more data than is strictly needed (although the individual customers decide their own data uses and configure the portal to collect the information required by themselves, as well as uploading their own additional EULAs and privacy policies where required, consent of which is tracked individually).
Limitless have a declared data retention period of 12 months of inactivity, after which all PII data about a customer are destroyed.
When a user joins a Limitless Insights SSID and reaches the splash page, their device MAC address and user agent are stored, as well as the AP MAC (and therefore venue the user is at). When a user logs in via the WiFi, any user data they provide is also stored against their profile. The exact data collected varies according to the login method chosen and the configuration created by the customer, but can include personally identifiable information (PII; see PII section below), as well as other potentially sensitive information such as a user’s Facebook likes. This data is either submitted by the user via web form, or transferred from their social media account if they grant access. Data in transit via the captive portal is always secured via TLS, and all data collected is initially stored local to the captive portal software in a document store.
If configured by the customer, Limitless may additionally collect domain lookup data via a third party company, WebTitan, by using WebTitan’s own DNS servers (the same mechanism for blocking access to prohibited websites). Domain look-ups are logged against the venue’s web-facing IP, and aren’t traceable to an individual user or device.
Location data is data collected passively about devices (both registered and anonymous) by compatible network access points. Typically, an AP records a received signal strength indication (RSSI) value, a MAC address (which may be randomised, depending on the client software) and a date/time for each client WiFi probe. With the right hardware and 4 or more APs, this data may be enhanced to an estimated geometric coordinate of the device relative to the uploaded floor-plan.
When a client MAC is recognised as having logged in via Limitless in the past, some demographic data may be associated with the location data records (gender, age). Where a user has logged into this venue before and accepted the venue’s T&Cs, a recognised device will be linked against the user record, regardless of whether the user is currently authenticated to the WiFi.
Limitless are voluntary supporters of the Future of Privacy Forum (fpf.org), via which a user can opt out of client MAC tracking across a range of services.
Limitless do not store data about randomised MAC addresses (devices like modern iPhones that do not present their true MAC addresses until authenticated to the WiFi), and anonymous MAC addresses (addresses that haven’t authenticated to the WiFi) are one-way hashed with a company-specific salt on export to prevent sharing of data about anonymous devices and comparisons with third party data sources.
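The export rule above, sketched as an added example (not Limitless code). Assumptions: a randomised address is recognised by the locally administered bit of the first octet, the unnamed one-way hash is HMAC-SHA-256 keyed with the salt, and the salts and MAC addresses are constructed.

```python
import hashlib
import hmac


def normalise_mac(mac):
    """Return a MAC as 12 lowercase hex digits, or raise ValueError."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def is_randomised(mac):
    """True when the locally administered bit (0x02 of the first octet) is set."""
    return bool(int(normalise_mac(mac)[:2], 16) & 0x02)


def pseudonymise(mac, company_salt):
    """Keyed one-way hash: the same MAC yields unrelated values for different salts."""
    return hmac.new(company_salt, normalise_mac(mac).encode(), hashlib.sha256).hexdigest()


def export_records(records, company_salt, authenticated_macs):
    """Apply the page's export rules to a list of {'mac': ..., ...} dicts."""
    known = {normalise_mac(m) for m in authenticated_macs}
    exported = []
    for record in records:
        mac = normalise_mac(record["mac"])
        if is_randomised(mac):
            continue                      # randomised addresses are not kept at all
        row = dict(record)
        if mac in known:
            row["mac"] = mac              # device has authenticated to the WiFi
        else:
            row["mac"] = pseudonymise(mac, company_salt)   # anonymous device
        exported.append(row)
    return exported


# Constructed sample data; salts and MAC addresses are made up for the example.
SALT_A = b"constructed-salt-for-company-a"
SALT_B = b"constructed-salt-for-company-b"
SAMPLE = [
    {"mac": "00:11:22:33:44:55", "rssi": 41},   # authenticated device
    {"mac": "3C-22-FB-AA-BB-CC", "rssi": 28},   # anonymous, globally unique address
    {"mac": "DA:A1:19:00:00:01", "rssi": 35},   # locally administered -> randomised
]
AUTHENTICATED = ["00:11:22:33:44:55"]

if __name__ == "__main__":
    for row in export_records(SAMPLE, SALT_A, AUTHENTICATED):
        print(row)
```

The MAC address space is small enough to enumerate, so the hash only protects anonymous devices while the salt stays secret; it should be stored and rotated like a key.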
Customers can configure ‘Connectors’, which are third party integrations that copy data into or out of Limitless’s hosting. This information is typically basic CRM data about end users (e.g. names, email addresses and mobile numbers being exported to third party email lists, under accounts run by the same company).
Connector connection/session data is stored encrypted.
A RESTful API exists for extracting most end user data in raw format. Access to this service is via signed public/private keys, provided on request by the Limitless support team once a customer’s rights to the data have been verified. Access to Limitless’ APIs is encrypted in transit using HTTPS, and requests are signed with a nonce to prevent replay attacks. A full audit log exists of all requests, including the source IP of the requests.
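How a nonce in a signed request defeats replay, with an audit entry per attempt, as an added example that is not Limitless's API code. Assumptions: HMAC-SHA-256 with a shared key stands in for the public/private key signature the page mentions, and the header names, the `/v1/users` path, the timestamp field and the 300-second window are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

MAX_SKEW = 300  # seconds a signed request stays acceptable (assumed value)


def _mac(key, method, path, timestamp, nonce, body):
    """Signature over everything an attacker might change or reuse."""
    body_hash = hashlib.sha256(body).hexdigest()
    message = "\n".join([method.upper(), path, str(timestamp), nonce, body_hash])
    return hmac.new(key, message.encode(), hashlib.sha256).hexdigest()


def sign_request(key, method, path, body, now=None):
    """Client side: attach a fresh random nonce and timestamp, then sign."""
    timestamp = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)
    return {"timestamp": timestamp, "nonce": nonce,
            "signature": _mac(key, method, path, timestamp, nonce, body)}


class RequestVerifier:
    """Server side: check signature, freshness and nonce reuse; audit every attempt."""

    def __init__(self, key):
        self.key = key
        self.seen_nonces = {}   # nonce -> timestamp it was signed with
        self.audit_log = []

    def verify(self, method, path, body, headers, source_ip, now=None):
        now = int(time.time() if now is None else now)
        # Nonces older than the freshness window can be forgotten: a replay of
        # them would already be rejected as stale.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items()
                            if now - t <= MAX_SKEW}
        result = self._check(method, path, body, headers, now)
        self.audit_log.append({"time": now, "source_ip": source_ip,
                               "method": method, "path": path, "result": result})
        return result

    def _check(self, method, path, body, headers, now):
        try:
            timestamp = int(headers["timestamp"])
            nonce = str(headers["nonce"])
            signature = str(headers["signature"]).encode()
        except (KeyError, TypeError, ValueError):
            return "malformed"
        expected = _mac(self.key, method, path, timestamp, nonce, body)
        if not hmac.compare_digest(expected.encode(), signature):
            return "bad_signature"
        if abs(now - timestamp) > MAX_SKEW:
            return "stale"
        if nonce in self.seen_nonces:
            return "replayed"
        self.seen_nonces[nonce] = timestamp
        return "ok"


if __name__ == "__main__":
    key = b"constructed-demo-key"
    server = RequestVerifier(key)
    hdrs = sign_request(key, "GET", "/v1/users", b"", now=1000)
    print(server.verify("GET", "/v1/users", b"", hdrs, "203.0.113.7", now=1010))
    print(server.verify("GET", "/v1/users", b"", hdrs, "203.0.113.7", now=1020))
```

The timestamp bounds how long nonces must be remembered; without it the server would need to keep every nonce it has ever seen.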
Users can also define Webhooks that trigger data export on certain actions (e.g. a user logging into the WiFi) via an HTTPS POST to a user-defined endpoint, which allows for real-time responses to events. These endpoints must be HTTPS with a valid certificate, and are verified by header.
Depending on the customer’s configuration of their captive portal and the access method chosen by the end user, Limitless may capture and store the following data classified by Limitless as PII: first name, last name, date of birth, email address, mobile number, and social user ID (e.g. Facebook ID). Additionally, Limitless can collect other data that is categorised as being potentially personally identifiable when combined with other data: client/device MAC, gender, login date/time, Facebook likes, Facebook/Twitter location/home town, postcode/zip code.
PII data is stored in three locations: the access document store (where the user logs into the WiFi), the central analytics data store (where the data is stored/processed) and in the end user-facing profile document store (where the end user themselves can review, modify and delete their own data). It is encrypted in all three locations, as detailed above.
When a user requests to be forgotten or when a user has been inactive long enough to meet the end of the data retention period, all PII data is removed from the user record and the user’s sessions become anonymous. Limitless retain basic anonymous demographic information: the age and gender of the user at the time of log-in.
It is possible for customers to add custom data fields or survey questions for the user to complete, which can include other PII data such as national IDs or passport numbers. All custom data like this is treated as PII.
Limitless do not handle or store any user financial data. Any payments are taken via a direct communication between the end user and our payment gateway provider ‘Stripe’ (www.stripe.com). Stripe are fully PCI-DSS compliant. Limitless Insights record only a one-time transaction ID for potential refund purposes.
All data gathered by the Limitless platform resides in one of three GCP hosting locations depending on where the customer is located in the world. They are as follows:
California for North and South America
London, UK and Amsterdam, Netherlands for Europe, Africa and the Middle East
Singapore for APAC, APJ, ASEAN and ANZ
Limitless is compliant with regional data storage/privacy requirements where implemented, to retain data within the geographical boundaries determined by local legislation.
All user data is anonymized after a period of 12 months of inactivity. This means Limitless will store a user’s personal data, in its full form, for at least 13 months, and after 12 months of inactivity (not logging back into the WiFi) we strip out anything which is deemed personally identifiable. This includes name, email, telephone number, etc. However, we do maintain non-identifiable information such as age and gender at the time of login, and session metadata such as time of login, network data usage and connection method used.
Limitless may discard raw data sooner. For example individual location data records from location services can be dropped after 24 hours, but an aggregated record of when the device was present on a floor plan and what zones were visited will be kept.
All of our databases are replicated to a secondary instance in a different Zone. The replication is real time. In the event of planned database maintenance, DB instance failure, or a Zone failure, the affected cloud service (e.g. Amazon RDS or Google CloudSQL) will automatically failover to the standby. This means that we do not have a single point of failure.
Limitless runs daily snapshots on all databases, which means we have the ability to restore our database quickly should the need arise.
The customer will have access to the end-user data and share ownership of this data with Limitless as a third party, in order to provide the solution. In this scenario you are also considered a joint Controller of this data and are required to treat this data in accordance with the same regulations as Limitless and any local legislation concerning the safe storage of data. At present the solution is centrally hosted.
CALEA, or the Communications Assistance for Law Enforcement Act, is a United States law that oversees telecommunication security which has now been expanded to internet security. CALEA is intended to preserve the ability of law enforcement agencies such as the FBI and FCC to conduct electronic surveillance while protecting the privacy of information outside the scope of the investigation.
It requires that telecommunications carriers and manufacturers of telecommunications equipment design their equipment, facilities, and services to ensure that they have the necessary surveillance capabilities to comply with legal requests for information.
Limitless is a global guest Wi-Fi analytics, occupancy management, and Insights platform, deployed in over 30 countries globally and partnered with some of the largest service providers in the world.
Limitless captures Personal Identifiable Information (PII) from millions of users every month, on boarding an average of 7,000 users per day across more than 34,000 venues.
Limitless’s cloud-based software solution maintains real-time compliance globally with data protection laws such as GDPR, RIPA, CALEA and many more.
First, we must review the order for validity. If the order contains an error (e.g. recites the wrong standard of due process) it should be returned to the law enforcement agency for correction.
A valid search warrant issued under the procedures described in the Federal Rules of Criminal Procedure or equivalent state warrant procedures upon a showing of probable cause is required to compel Limitless Insights to provide the Personally Identifiable Information on end users of Limitless Insights’s products or services.
Limitless holds Personal Identifiable Information (PII) on all end users of our guest Wi-Fi service.
The level of detail per individual is dependent on which venue the end user has visited – information such as name, date of birth, contact information including mobile number and email address, MAC address, browser, OS and venues end users have visited.
Limitless makes much of its end user data accessible to the venue owner themselves.
Limitless typically responds to valid requests for information within two business weeks.
However, response times may take longer than two business weeks depending on the complexity and scope of the request.
Benefits to Venue Owners using Limitless Insights
Limitless complies with State and Federal Laws and Carrier Guidelines
Limitless provides a service that reduces the complexity for your business and mitigates the risk associated with managing the legal process of a CALEA request
We assist with Law Enforcement Agencies. Limitless will take the lead on any law enforcement requests and process them accordingly
You can reduce Operating and Capital Expenditure by alleviating responsibility relating to CALEA from the venue owners and ensure they stay compliant and do not commit unnecessary resources
Captive portal splash pages are hosted on access nodes, an elastically scaling PHP application backed by a scaling NoSQL database. Static content is served from Amazon’s CDN.
Location-based services such as Cisco MSE, Mist, Ruckus SPOT or Meraki Cloud can be used with the product. These collect the MAC addresses of WiFi-enabled devices within range of the network APs and either provide basic RSSI information (which can be used to estimate the distance from the AP to derive footfall, dwell time, conversion and bounce rate stats) or estimated X/Y coordinates that can be used to place a user on a map and track paths a user takes around a venue. Location data can be linked to known WiFi users via MAC address.
The portal is the application where resellers and customers manage their licenses, infrastructure and view reports. Access to this application is controlled by username and password. User accounts can be given granular rights (read or write access to many individual sections of the portal) and are assigned hierarchically (e.g. with rights to a single venue, a group of venues, a whole company or a whole reseller, etc). Platform rights are granted by individual users, and a user cannot grant or revoke rights beyond their own scope.
When a new portal user is created, they are sent a username (email) and a randomly generated password in email format. Upon first login, they are asked to change this password to one of their choice, which must be greater than 8 characters and contain both numbers and capital letters. The user must change their password every 90 days and they are not allowed to reuse any password from the past 12 months.
Limitless integrate with many of our customers’ EPOS systems so that we can help analyse in-store efficiencies and monitor sales margin and best-selling lines. This allows us to analyse aggregated data to suggest promotions based on personas. With promotions and redemptions we can connect purchases to the individual, therefore personalising their in-store experience. This is controlled by the customer’s EULA and the marketing consent of the customer. We ingest and display the data in conjunction with our customer.
When a venue does not have wi fi or a native app
Generic offers can be served up
Promotions can be based around current promotions
Micro surveys are additional questions that can be asked, between 3 and 9 questions.
Send an email to us to create a support ticket at firstname.lastname@example.org
On the login screen to the Limitless Insights Portal, click ‘Forgot your Password’. Type in the email address you use for the Portal Systems.
Select ‘Request Password Reset’ and if the email address you entered matches a record in our System then an email will be sent out to reset the password.
Find the email sent to your inbox (Always check your spam folder as it can end up there!)
Click the link within the email and then type in a new Password (Make sure it’s in-line with our Password Requirements)
Users have the ability to unsubscribe from the service at any time, which means their details will not be included in future email marketing you send via Limitless Insights
To do this users can click the ‘Unsubscribe’ button located at the bottom of every email they receive
Limitless is primarily a software platform so we do not provide hardware. In the case of WiFi you must have your own hardware and an existing network in order to deploy Limitless but we do work with recommended installers.
You can monitor your current licensing by visiting the ‘Licensing Status’ area of the portal. We will contact you in advance of any upcoming license expiry to check in and ensure there is no disruption to our service. If you are using Presence and/or Location then it is vital your licensing remains in place and is not allowed to expire to prevent any data loss.
There are several different license types available, each with different features.
For any GDPR requests you can email us at firstname.lastname@example.org