The architecture is the policy.
Most privacy commitments in technology are written in policy and enforced in court. Ours is written in hardware and enforced at the silicon. The system cannot retain imagery, because it has no path on which to retain it.
This page is the full commitment, in six parts. It is the document we want operators, residents, families, regulators, and works councils to read.
- 01 Image data is processed on edge devices only
- 02 Residents are anonymous to the system
- 03 Personnel are identified, with consent
- 04 Privacy-critical zones use presence sensors, not cameras
- 05 Nothing leaves the building
- 06 Removal is complete
- GDPR (EU)
- BDSG (Germany)
- DSG (Switzerland)
- ISO/IEC 27001
- Works council frameworks
Image data is processed on edge devices only.
Every frame the camera produces is processed inside the camera unit. The processing produces structured activity events. The image data is then discarded — never written to disk, never persisted to memory beyond the duration of inference, never transmitted off the unit.
Residents are anonymous to the system.
Each resident is identified to the system by numeric ID. The system has no record of name, no record of face, no biometric template. The mapping between numeric ID and the person it refers to is held only on paper, in the resident's own room, where they can see it and, if they choose, dispose of it.
Personnel are identified, with consent.
Caregiving staff carry a Bluetooth tag whose use is consented individually, documented in writing, and revocable on request. KPI and compliance reporting use this data — and no other source identifies personnel anywhere in the system.
Privacy-critical zones use presence sensors, not cameras.
Bathrooms, en-suites, and dressing areas are not camera spaces. They use millimetre-wave presence sensors that detect a person's presence and duration without producing imagery of any kind. There is no engineering path from these rooms to a recoverable image.
Nothing leaves the building.
The central system runs on-premise, in the facility's own server room. It operates without an internet connection. The activity records the system holds are the operator's data, on the operator's hardware, under the operator's control. There is no SeniorVision cloud that holds resident data — because there is no resident data to hold.
Removal is complete.
When a facility chooses to leave SeniorVision, the server is powered down and removed. There is no extraction process, no data migration, no copy elsewhere — because the imagery never existed, and the personal mapping was always on paper, in the resident's room.
What lives where.
A simplified data-flow diagram. The colour rule is the privacy rule: image data (left) never crosses the line into the central system. Activity events do.
Camera unit
- Video: in-memory only
- Inference: on Jetson
- Output: activity events
Edge gateway
- Tag presence: BLE
- Presence sensors: mmWave
- Aggregation: per room
Central server
- Dashboard: for staff
- Compliance: for managers
- Audit trail: for regulators
No frame, no portion of a frame, no embedding of a frame, no derivative of a frame, ever leaves the camera unit. The arrow between the camera and the LAN carries activity events only — structured, anonymous, and inspectable.
A conversation, not a demo.
The right way to evaluate SeniorVision is to talk to us. Write with a question, a constraint, a deployment context. We will reply within two working days.