The store knows who walked in. It has no idea what happened next.
Built for the American department store — a Macy's, a Nordstrom, a Dillard's. ARiX is a passive, on-premise store-cognition platform, powered by the MAX engine.
On a single Saturday, one flagship-scale department store logged 5,540 people through the door and 1,374 transactions at the register. Two numbers, bracketing the visit. Between them — the twenty-plus minutes where the buying decision is actually made — the store sees almost nothing.
The middle of the shopper journey is a black box. And the MIT Sloan School estimates ~6% of potential sales are lost inside it to lack of service alone.1
That gap isn't a measurement problem for its own sake. It's where the money leaks — at the fitting room, at the register, in the department with no one to answer a question. This is the story of one of the 4,166 people who walked in that Saturday and left without buying. Then it's the story of the system built to catch her.
First, the whole floor — breathing.
Every shopper is an anonymous "belief" — stitched across nodes by movement and appearance, never by a face. Watch the middle the store has never been able to see.
The leak isn't a bad day — it's a rhythm. It repeats every week and compounds every month. That's the number ARiX exists to bend.
At 2:14 PM, 612 people were somewhere inside. One of them is about to show you exactly where the money goes. We'll call her by the only name the system ever assigns: SHP·C41B.
The dress fits everywhere but the shoulders. She steps out, looks for an associate, and finds the fitting-room station empty. The nearest one is three departments away, unlocking a jewelry case for someone else. ARiX sees her do the thing that precedes almost every lost sale: the size round-trip — out of the room, scanning for help, back again.
She waits ninety seconds. Then she gets dressed, puts the dress back on the rack, and walks toward the door.
Basket abandoned: $214. Recorded by the store's systems: nothing at all.
This is the loss that leaves no trace. No queue, no incident, no receipt. A door counter can't see it. The staff roster swears an associate was "scheduled." Across the day, the store bled 70% of shoppers who couldn't find help straight out the door — a pattern the published research has measured for years.2
ARiX saw her hesitate — and moved before she reached the door.
Detection is worthless a beat too late. The advantage isn't seeing the walkout; it's seeing it coming, and naming the one action that stops it.
Two things had to be true for her to leave. There was demand at the fitting room, and there was no one available to meet it — in the one department where being available is the sale. ARiX holds both facts at once, in real time, so it can act on the gap instead of tallying it at closing.
ARiX read the round-trip the instant it happened and pinged the closest available associate — from Women's Apparel, light at that moment — to the fitting room, before SHP·C41B finished getting dressed. The size arrives. The dress goes to the register, not back to the rack.
$214 recovered. And she leaves as a customer, not a statistic.
Why was the fitting room uncovered while a jewelry associate stood three aisles away? Because the store staffs by crowd and by gut, not by where the next associate captures the most. ARiX places people by marginal dollars — weighted by how much each department's conversion actually responds to a person. An uncovered Home aisle costs nothing. An uncovered fitting room or jewelry case is near-total loss.
She is one shopper. On that Saturday there were 4,166 like her, somewhere in the gap.
We know her whole journey — and not her face. That's the moat.
The reason this is defensible is the same reason it's legal: the reasoning happens at the edge, and only a signed fact ever leaves the node.
The prevailing approach streams video to a cloud model. ARiX inverts it — the node understands on the spot and emits a small signed fact, not a frame. Pixels never leave the store; conclusions do.
>10,000× less data leaves the store. One choice — reason at the edge — buys privacy, latency, resilience, cost and data-ownership at once.
No stored biometric
No facial-geometry template, no persistent identifier. Cross-visit insight comes only from consented loyalty scans and anonymous cohorts — never a returning face.
On-prem & sovereign
Everything runs on the store LAN. No cloud egress, no central honeypot, no third party in the data path. The retailer owns it.
Signed & replayable
Every count is a signed fact under K-of-N consensus. You can prove a number to an auditor — a black box can only assert one.
Compounds without centralizing
Models improve across the fleet on patterns only, never raw data — so the edge grows while data locality stays intact.
For a US retailer this is the whole ballgame. Meta settled biometric-privacy claims for $650M8; Illinois damages run $1,000–$5,000 per violation with no proof of harm11. And it's in-store and specific: Target was sued over in-store facial recognition9, MAC Cosmetics over in-store biometric collection10. The tool most vendors reach for is the one generating the lawsuits. ARiX doesn't reach for it.
Now the part a serious reader turns to first: where this breaks.
A single hero ROI would be the least trustworthy thing here. So: the assumptions, then the objections we think are most likely correct, then the pilot that settles them.
One flagship-scale store · annual traffic ≈ 1.5M · ADS ≈ $78 · identified addressable leak ≈ $2.9M/yr (identified, not recoverable) · deployment ≈ 55 nodes, installed capex $280k–$420k. The swing variable is the capture rate — the share ARiX-directed action actually recovers — left deliberately as a range.
| Scenario | Capture of leak | Recovered / yr | Capex (mid) | Simple payback |
|---|---|---|---|---|
| Conservative | 15% | ~$435k | $350k | ~10–12 mo |
| Base | 30% | ~$870k | $350k | ~5–6 mo |
| Optimistic | 45% | ~$1.3M | $350k | ~3–4 mo |
Even the conservative row clears capex inside a year — but a credible pilot must be able to return a capture rate below the conservative case. If it can't fail, it isn't a measurement.
| The objection | Our position & residual risk | Confidence |
|---|---|---|
| Cross-node re-ID without faces degrades in crowds and lookalike apparel. | Multi-node geometry helps, but stitch accuracy is the load-bearing assumption behind every "phantom-free" claim. Residual: high until measured. First thing the pilot reports. | medium |
| Appearance/geometry embeddings may themselves be "biometric" under BIPA. | Ephemeral, discarded, non-identifying descriptors likely fall outside face-geometry scope; gait/body is the grey zone. Residual: medium legal. Needs a written opinion + retention audit before the claim goes to counsel. | medium |
| Attribution: "how do you know she'd have bought?" | We can't prove it per shopper, and won't claim to. Lift is measured against a control (staffed vs unstaffed periods), reported with a confidence interval. Residual: the hardest claim in the deck; the pilot lives or dies on the control. | low→med |
| Detection ≠ action: advice becomes shelfware if associates ignore it. | The pilot measures action-rate and downstream lift, not detection accuracy alone. Residual: medium-high; change management is a real dependency. | low→med |
| Incumbents (Xovis, RetailNext, Sensormatic, Standard/Trigo) are entrenched. | Differentiation is edge + on-prem + no-biometric + signed audit; the hard-to-copy part is the consensus/audit layer and the legal posture, not the counting. Residual: medium — defend on IP and compliance, not features. | medium |
- Stitch accuracy ≥ agreed threshold vs audited ground truth.
- Measured conversion lift vs matched control periods — with a confidence interval, not a point estimate.
- Action-rate on ARiX cues, and capture rate back-calculated against the range above.
- Privacy: independent confirmation of no persistent biometric retention.
- Stitch accuracy below the floor for phantom-free counts, unrecoverable by added nodes.
- Measured lift indistinguishable from control inside the interval.
- Action-rate too low for detection to translate to recovery.
- A legal opinion that the correspondence descriptor is a regulated biometric.
Start with one floor. Prove it against a control. Then scale.
The gap is measurable. The question is how much of it is recoverable — in your store.
ARiX deploys pilot-first: one floor, countersigned acceptance criteria, a control so lift is attributable. If it doesn't move the numbers we agreed on, it doesn't roll out.
Request a pilot briefing- MIT Sloan on understaffing and lost sales (~6% of potential sales), via Retail Dive. retaildive.com
- Zebra Technologies 17th Annual Global Shopper Study (2024), via Chain Store Age (70% find associates hard to locate). chainstoreage.com
- Industry compilation of shopper statistics (fitting-room conversion ~85% vs ~58%). shoppopdisplays.com
- Industry compilation of discount/promotion response statistics. shoppopdisplays.com
- In re Facebook Biometric Information Privacy Litigation, $650M BIPA settlement (2021), via LegalClarity. legalclarity.org
- Proposed class action against Target over in-store facial recognition (2024), via ClassAction.org. classaction.org
- Class action alleging in-store biometric collection by MAC Cosmetics (2025), via ClassAction.org. classaction.org
- BIPA statutory damages and 2025 filing volume, via The Lyon Firm. thelyonfirm.com