Moonlight Analytica Request demo
Floor intelligence

42ms and no faces stored: the engineering behind privacy-safe floor intelligence

Inside the architecture that makes Janus's floor intelligence possible: on-prem inference, anonymous tracks, and a 42ms clock that never has to phone home.

Moonlight AnalyticaField notes June 18, 20265 min read

A camera pointed at a stockroom ceiling captures a face in every frame it records. What happens to that frame in the next 42 milliseconds is the entire argument for how Janus is built. Most vision-analytics vendors solve the privacy question by shipping the frame somewhere else, a server rack that can afford heavier models, and treating what happens to that face as a policy problem once the data has already left the building. Janus solves it earlier than that. The frame never leaves the building, and no face gets isolated into anything resembling an identity. The only thing that crosses the network is a number.

That's a harder problem to build than a privacy policy, and a more interesting one than a marketing page usually explains. A system that can't leak biometric data because it never generates any in the first place has to make specific choices at the model layer, at the network layer, and eventually at compliance. Those choices show up as a diagram, not a promise.

What actually crosses the building's threshold

Every camera feed on a Janus deployment terminates at a compute box inside the same building as the cameras, rather than at a data center somewhere else. That box runs the full inference stack locally: frame capture, geometry and zone modeling, track assignment, dwell and flow aggregation. Each of those stages produces something a cloud-first system would typically treat as worth transmitting. A raw frame for a reviewer to check. Pose keypoints for retraining a model. Even a cropped face, saved for a recognition index. Janus discards each of those artifacts inside the same cycle that produced them.

None of that discarding happens downstream on a schedule, either. The raw frame buffer gets overwritten by the next frame before the current cycle finishes. There's no queue and no temp folder holding onto anything, because there isn't a version of yesterday's footage sitting anywhere to delete.

What survives past the building's edge is a narrower thing: zone occupancy, dwell duration, a track count, tied to nothing more identifying than an integer that resets the moment a person leaves frame. On the same 4,200 sq ft convenience-store floor that ran 17 tracked zones and separated out 4 staff paths for its promo-dwell numbers, what crosses that boundary is a set of zone-and-dwell figures attached to an anonymous track ID. No video frame, no face, makes the trip.

On-prem · same building as the cameras Network edge Camera sensorCaptures a face, every frame Edge inference42ms cycle, same room Raw video framediscarded, same cycle Pose / track geometrykept as a resettable ID only Face embeddingnever generated Zone + dwell aggregateanonymous counts, resettable ID Dashboard / APIaggregate numbers only
On-prem inference Discarded, same cycle Never generated Only the aggregate crosses
IllustrativeStage boundaries reflect the architecture Janus runs, not a literal box count on any one floor.

An anonymous track is a narrower thing than it sounds

The word anonymous gets attached to a lot of vision systems that still generate biometric data and simply promise not to misuse it. That's a policy commitment, and policies change, get subpoenaed, or get sold along with the company that made them. Janus's version of anonymity is architectural instead. The model that assigns a track ID works off body geometry and movement: height, gait, the shape of a person moving through a zone. It was never trained to recognize a face at all. There's no facial-recognition model running anywhere in the pipeline to switch off, and no face-embedding vector sitting in a database for a breach to expose. It was never generated to begin with.

That distinction lands on exactly the line the law draws. Illinois' Biometric Information Privacy Act, 740 ILCS 14, regulates four specific identifiers: a retina or iris scan, a fingerprint, a voiceprint, and a scan of hand or face geometry, according to a breakdown of the statute by Recording Law. The EU's GDPR draws a related but sharper line: under Article 9, a photograph only becomes regulated biometric data once it's run through a system built to match faces; an ID badge photo sitting untouched in a folder never reaches that threshold. A system that assigns anonymous geometric tracks and discards the frame that produced them never reaches it either, because there's no face-matching step for a photograph to run through in the first place.

The privacy here comes from a model Janus never trained to recognize a face. No policy required.

Why 42ms is a floor requirement, not a benchmark number

42 milliseconds sounds like a number a vendor picked because it sounds sharp, and vendors do pick round numbers for that reason. This one isn't decorative. It sits close to the ceiling a floor decision can tolerate before the number is useless. A host stand deciding between a 25-minute wait and a 45-minute one needs that figure now, mid-service. A report a manager opens Monday morning is too late to change anything. A round trip to a cloud server can't hit that window reliably: a 2026 comparison of edge and cloud deployments for video surveillance put cloud inference round trips at 300 to 800 milliseconds, against 20 to 100 milliseconds for on-device inference. Even the fast end of a cloud round trip is several multiples of what Janus reports today.

Here's the part that doesn't show up until the two requirements sit side by side. A system built to hit a 42ms ceiling and a system built to never let a face leave the building end up needing almost the same architecture: both rule out a network hop to a server that isn't in the room with the cameras. The privacy property wasn't purchased separately from the speed property. Building for one got most of the other for free.

That trade-off isn't free on its own terms, though. An on-prem box has to be provisioned and maintained at every site, where a cloud vendor can scale compute centrally and hand a customer a subscription instead of a maintenance contract. Janus makes the trade anyway, because the alternative is a 300-millisecond-plus round trip with a raw frame, face and all, sitting in a queue somewhere waiting its turn.

Two ways to build the same floor-intelligence product
What changesCloud-first CV pipelineJanus, on-prem
Where inference runsRemote server, off-siteSame building as the cameras
Round-trip latency300–800ms typical42ms
What crosses the networkRaw frames or face cropsZone + dwell aggregates only
Face embeddings generatedOften, for re-identificationNever
Biometric category triggeredBIPA / GDPR Art. 9, typicallyNot triggered — no biometric data exists to regulate
Illustrative"Cloud-first CV pipeline" describes a common architecture pattern, not a named vendor. Latency range from the 2026 edge-vs-cloud video surveillance comparison cited above.

What a GM actually gets to trust

None of this shows up on a features list the way "AI-powered" does. It shows up as a diagram nobody at a retail chain has to take on faith, because there's nothing routed off-site worth auditing in the first place. A general manager approving cameras for a stockroom ceiling is approving a box that counts, forgets, and counts again on her own floor, fast enough that the number is usable before the next decision has to get made. There's no face database sitting somewhere she'll never see.

42ms
Camera frame to zone reading, on-prem
0
Faces stored, ever
17 / 4
Zones tracked / staff paths separated, case example

The 42ms figure and the zero faces stored trace back to the same architectural decision, just read from two different angles.

Janus · Physical-space intelligence

See what actually leaves your floor.

Janus runs inference on-prem and never generates a biometric identity to begin with. A zone or dwell reading reaches your dashboard as a number, in 42ms.