industry · 2026-09-23 · 7 min read

Returning Customer Recognition via Hashed Wi-Fi MAC Addresses

A GDPR/KVKK-compliant pattern: SHA-256 + salt hashes of Wi-Fi MAC addresses with 90-day TTL silently flag 4th-visit regulars for an auto 5% discount.

thMenu Team, thmenu.com

A small bar in Istanbul's Beyoğlu district wanted guests greeted with "welcome back" before they opened the menu. The fix wasn't an expensive CRM — it was hashed MAC addresses in the Wi-Fi captive portal. Third visit triggers a server alert, fourth visit auto-applies a 5% loyalty discount.

The Hash Pipeline — Plaintext MAC Never Hits Disk

When a device associates, the access point captures the MAC in RAM and immediately computes SHA-256(mac + restaurant_salt). The salt is a 32-byte per-restaurant secret, rotated yearly. The 64-character hex output is what gets stored; the plaintext MAC is wiped from memory the same tick. No disk, no log file, ever.

TTL is 90 days. The visitor_hashes table holds only hash, first_seen, last_seen, visit_count. Nothing personally identifiable — it slots cleanly into the "anonymized data" carve-out in GDPR Recital 26 and Turkey's KVKK guidance. On day 91 a prune cron deletes the row.

iOS 14+ MAC Randomization Is Actually Fine

Since 2020 Apple emits a different MAC per SSID. This is good for you: the iPhone reconnecting to your restaurant uses the same randomized MAC every time on your network. Persistent on your SSID, untrackable across networks — exactly the privacy/utility balance you want.

Android 10+ behaves similarly; some OEMs let users disable randomization manually. Empirically we see ~92% recognition across both ecosystems, plenty for a regulars program.

Server-Side Flow and the Discount Trigger

  • Visits 1-2: Silent ingestion. Counter increments. No POS popup.
  • Visit 3: "Regular candidate" badge appears on the table-open screen.
  • Visit 4+: 5% coupon auto-applied at session creation, no manual input.
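To make the hash pipeline and the visit-count rules above concrete, here is an added Python sketch (not thMenu's code) of the whole path: the SHA-256(mac + salt) step, the visitor_hashes table with the four columns named above (in-memory SQLite standing in for the real store), the 90-day prune, and the rule mapping from visit_count to the POS action. Three things are assumptions not stated in the post: the TTL is measured from last_seen, repeated associations on the same calendar day count as a single visit, and the 32-byte salt is passed in from a secret store (a constructed value is used in the demo).

```python
import hashlib
import sqlite3
from datetime import datetime, timedelta, timezone

TTL_DAYS = 90          # retention period from the post
DISCOUNT_PERCENT = 5   # 4th-visit coupon from the post


def hash_mac(mac: str, salt: bytes) -> str:
    """SHA-256(mac + restaurant_salt) as 64 hex characters.

    The MAC is normalized (lower-case, colon separators) so one device always
    yields one digest however the AP formats it. `salt` is the 32-byte
    per-restaurant secret; it must be kept out of logs and backups.
    """
    normalized = mac.strip().lower().replace("-", ":")
    return hashlib.sha256(normalized.encode("ascii") + salt).hexdigest()


def open_store() -> sqlite3.Connection:
    """In-memory stand-in for visitor_hashes (hash, first_seen, last_seen, visit_count)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE visitor_hashes ("
        "hash TEXT PRIMARY KEY, first_seen TEXT NOT NULL, "
        "last_seen TEXT NOT NULL, visit_count INTEGER NOT NULL)"
    )
    return conn


def record_visit(conn: sqlite3.Connection, mac_hash: str, now: datetime) -> int:
    """Upsert the hash row and return the current visit_count.

    Assumption (not in the post): several associations on one UTC calendar
    day are one visit, so the counter moves at most once per day.
    Timestamps are UTC ISO-8601 strings, which compare lexicographically.
    """
    ts = now.astimezone(timezone.utc).isoformat()
    row = conn.execute(
        "SELECT last_seen, visit_count FROM visitor_hashes WHERE hash = ?", (mac_hash,)
    ).fetchone()
    if row is None:
        conn.execute("INSERT INTO visitor_hashes VALUES (?, ?, ?, ?)", (mac_hash, ts, ts, 1))
        return 1
    last_seen, count = row
    if last_seen[:10] != ts[:10]:   # different calendar day -> new visit
        count += 1
    conn.execute(
        "UPDATE visitor_hashes SET last_seen = ?, visit_count = ? WHERE hash = ?",
        (ts, count, mac_hash),
    )
    return count


def decide(visit_count: int) -> dict:
    """Rule engine from the post: visits 1-2 silent, 3 candidate badge, 4+ auto 5% coupon."""
    if visit_count >= 4:
        return {"action": "discount", "percent": DISCOUNT_PERCENT}
    if visit_count == 3:
        return {"action": "regular_candidate"}
    return {"action": "silent"}


def on_associate(conn: sqlite3.Connection, mac: str, salt: bytes, now: datetime) -> dict:
    """Captive-portal hook: hash, bump the counter, return the POS action.

    Only the digest travels further; this function neither stores nor logs the plaintext MAC.
    """
    return decide(record_visit(conn, hash_mac(mac, salt), now))


def prune_expired(conn: sqlite3.Connection, now: datetime) -> int:
    """The day-91 cron: delete rows not seen within TTL_DAYS, return rows removed.
    Assumption: TTL runs from last_seen (the post does not name the column)."""
    cutoff = (now.astimezone(timezone.utc) - timedelta(days=TTL_DAYS)).isoformat()
    return conn.execute("DELETE FROM visitor_hashes WHERE last_seen < ?", (cutoff,)).rowcount


def run_demo(days: int = 4) -> dict:
    """Drive one constructed device through `days` nightly visits, re-associate
    once on the last night, then run the prune 100 days after the first visit."""
    salt = b"\x01" * 32                     # constructed; a real salt comes from a secret store
    conn = open_store()
    start = datetime(2026, 1, 5, 20, 0, tzinfo=timezone.utc)
    mac = "AA:BB:CC:DD:EE:FF"               # constructed sample device
    actions = [on_associate(conn, mac, salt, start + timedelta(days=d))["action"] for d in range(days)]
    same_day = on_associate(conn, mac, salt, start + timedelta(days=days - 1, hours=1))["action"]
    count = conn.execute("SELECT visit_count FROM visitor_hashes").fetchone()[0]
    pruned = prune_expired(conn, start + timedelta(days=100))
    return {"actions": actions, "same_day_action": same_day, "visit_count": count, "pruned": pruned}


if __name__ == "__main__":
    print(run_demo())
```

The same-day check is the one piece a real deployment should not skip: without it, a phone that drops and rejoins the SSID a few times during one evening would reach the 4th-visit coupon before the guest has finished a single drink.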

The Beyoğlu bar pushed repeat-visit share from 18% to 27% in three months. Zero staff training — the rule engine does the work and the server greets each return by hash, not name.

FAQ

Is this GDPR/KVKK compliant? Yes — salted SHA-256 is irreversible and no PII is stored. Still add a line to your privacy notice mentioning anonymous Wi-Fi visit statistics.

Can I deanonymize a hash later? No — by design. The hash is a discount trigger, not an identity.

Does it need a password-protected Wi-Fi? No — open SSID is fine. The only requirement is that the device associates.
