Skip to content

Privacy & Legal

Last updated: 25 March 2026

Mazely is an indoor navigation platform. This document explains what data we collect, why we collect it, and how it is used. We do not collect any personal information from end users of the navigation service.

1. Who We Are

Mazely is an indoor wayfinding service that allows building operators to map their buildings and provides end users with visual, step-by-step navigation within those buildings.

Mazely operates in two distinct roles:

  • Building Operators (Admins) — organisations or individuals who create an account to map and manage a building. Operators are subject to the terms agreed at registration.
  • End Users (Navigators) — members of the public who use the navigation feature to find their way inside a building. No account or registration is required. No personal data is collected from end users.

2. Data Collected from End Users (Navigators)

When you use Mazely to navigate inside a building, the following anonymous data may be recorded for the purpose of providing analytics to the building operator:

Navigation events: When you request a route, we record the starting point, destination, total number of steps, and how many steps you completed. No names, login information, or contact details are associated with this record.
Step view events: As you advance through the navigation steps, we record which step you viewed and approximately how long you spent on it (dwell time in milliseconds). This helps building operators identify confusing junctions or poorly photographed areas.
QR code scans: If you arrive at Mazely by scanning a QR code placed in a building, we record which location the QR code was attached to, the approximate device type (mobile, tablet, or desktop), and the time of the scan.
Device type: We derive a coarse device category (mobile / tablet / desktop) from your browser's User-Agent string. We do not store the full User-Agent string. We do not fingerprint your device.
Anonymous session token: A randomly generated identifier (UUID) may be stored in your browser's local storage to link navigation events from the same session. This token contains no personal information, cannot identify you, and is not shared with third parties. You can clear it at any time by clearing your browser's local storage.

We do not collect: names, email addresses, phone numbers, precise location (GPS), IP addresses, or any other personally identifiable information from end users.

3. Data Collected from Building Operators (Admins)

Building operators create an account to access the map designer and management tools. We collect and store:

  • Email address (used for login and account management)
  • Hashed password (stored using bcrypt; the plaintext password is never stored)
  • Building maps, floor plans, room names, corridor photos, and connection data created by the operator
  • Invitation records (email + expiry date) when operators invite additional admins

Operator account data is retained for as long as the account is active. To request deletion of your account and associated data, contact us using the details in Section 7.

4. How Data Is Used

Navigation analytics: Aggregated, anonymous navigation data (routes requested, steps completed, QR scans) is made available to the building operator of the relevant building. This allows operators to understand how visitors move through their space, identify wayfinding problems, and improve their building maps.
Service operation: Session data is used to serve navigation requests and calculate routes. It is not used for advertising, profiling, or sold to third parties.
No cross-building tracking: Navigation data is scoped to a single building. We do not link or correlate navigation events across different buildings or operators.

5. Data Retention

Anonymous navigation events (sessions, step views, QR scans) are retained for a rolling period to support historical analytics for building operators. Events older than 24 months are eligible for deletion.

Building operator account data is retained until the account is deleted or the associated building is removed from the platform.

The anonymous session token stored in your browser has no server-side expiry. It is cleared when you clear your browser's local storage.

6. Cookies and Local Storage

Mazely does not use tracking cookies or advertising cookies.

We may store a small amount of data in your browser's local storage:

  • Your chosen language preference
  • Your chosen colour theme (light / dark)
  • An anonymous session token (UUID) for linking navigation events within a session

None of this data is sent to advertising networks or third parties. You can delete it at any time by clearing your browser's local storage for this site.

We do not use Google Analytics, Meta Pixel, or any third-party analytics scripts. All analytics are collected and stored on our own servers.

7. Your Rights (GDPR)

If you are located in the European Economic Area (EEA) or United Kingdom, you have rights under the General Data Protection Regulation (GDPR) or UK GDPR, including:

  • Right of access — you may request a copy of the data we hold about you.
  • Right to erasure — you may request deletion of your data.
  • Right to rectification — you may request correction of inaccurate data.
  • Right to object — you may object to processing of your data.

Because end-user navigation data is fully anonymous (no name, email, or identifier that could be linked back to you is stored), we are unable to retrieve or delete records for a specific individual end user — the data is not attributable to any person.

For building operator accounts, all rights above apply. Contact us using the details in Section 8.

The legal basis for processing anonymous navigation analytics is legitimate interests(Article 6(1)(f) GDPR) — specifically, providing venue operators with insights into how their buildings are used, which improves the navigation experience for all users.

8. Data Sharing and Third Parties

We do not sell, rent, or share end-user data with any third party for commercial purposes.

Navigation analytics are shared only with the building operator of the building that was navigated. Operators do not receive data from other buildings.

We may use infrastructure providers (hosting, object storage) that process data on our behalf under data processing agreements. All data is stored within the European Union unless otherwise stated in a specific deployment's data processing agreement.

9. Children

Mazely does not knowingly collect personal data from children under the age of 16. The navigation service is anonymous and does not require registration, so no age verification is possible or necessary for end users.

10. Changes to This Policy

We may update this privacy notice from time to time. The "Last updated" date at the top of this page will reflect the most recent revision. Continued use of Mazely after changes are posted constitutes acceptance of the updated policy.

11. Contact

For questions about this privacy notice, to exercise your rights as a building operator, or to report a data concern, please contact:

Mazely

Please use the bug report button within the application or reach out through the official Mazely support channel for your deployment.

This document is provided for informational purposes and does not constitute legal advice. If you are a building operator deploying Mazely and collecting data on behalf of your organisation, you may be an independent data controller and should seek your own legal advice regarding your obligations under applicable data protection law.