Personalised Guidance

Unique identifier for this recommendation instance. Generated fresh on each request — never reused. Consumers log this ID against user interactions (accepted, dismissed, followed) to feed back into routing quality signals without needing to retain any personal data.

Format: RFC 4122 UUID v4 — Single-use, never reused

The category of guidance this recommendation provides. Determines which output fields are relevant and which channel templates apply. A route recommendation populates recommended_route_id; a destination recommendation populates recommended_destination_id.

UUID of the recommended route in the WIM topology graph. Required when recommendation_type is route or alternative. References a path through the topology object's node graph that satisfies all active user preference constraints.

UUID of the recommended destination WIM record. Required when recommendation_type is destination — for example, when the system suggests the nearest pharmacy or the least-congested entrance to a department.

Human-readable explanation of why this recommendation was generated. Surfaces in user-facing channels as the "why" behind a suggested route — for example, "Step-free route via West Lift" or "Main corridor busy — quieter route via Level 2 bridge." Must be translatable and meet WCAG 2.2 plain-language guidelines.

Max: 256 chars — Must be localised per language_preference

Urgency level of this recommendation. Affects how channels surface the guidance — critical overrides all other content on digital signs and kiosks; standard follows normal display scheduling. Only the routing engine or an authorised operator may set critical.

A short-lived, non-identifying session token that links multiple recommendation requests within a single journey without associating them with a person. Rotated at session expiry or on demand. Never contains or derives from any personal identifier. Used only for within-session continuity — for example, remembering that a user already passed Level 2 so subsequent recommendations skip it.

Format: random token, min 32 chars — Not a user ID — Expires: per session_expiry

Ephemeral key-value store for journey-scoped state that informs routing decisions within a single session — for example, the user's starting location, their declared destination, or which checkpoints they have already passed. Never persisted beyond the session. All values must be non-identifying.

Type: key-value map — Max keys: 16 — Max value length: 128 chars — Never persisted

UTC timestamp after which this recommendation must not be displayed or acted upon. Recommendations expire because live conditions change — a congestion state, queue, or closure that prompted the recommendation may have resolved. Consumers must check this field before rendering and discard stale recommendations silently.

Format: ISO 8601 — Typical TTL: 5–15 minutes from generation

Declared accessibility routing mode. When set, the routing engine constrains all candidate routes to satisfy the corresponding EN 17210 attribute in the destination's accessibility object. A preference is never inferred — it must be explicitly declared by the user or their assistive device.

BCP 47 language tag for the language in which recommendation_reason and recommended_message must be rendered. When absent, the record's wim.language_default applies. Never inferred from device locale without explicit user consent.

Format: BCP 47 — Examples: en-GB, nl-NL, de-DE, ar

User's declared mobility mode for this journey. Determines which route segments and transport connections are considered valid. A user with walking_aid will not be routed through turnstiles or narrow passages even if those are technically step-free.

When true, the routing engine excludes any corridor or zone where the live sensory.crowd_density exceeds the site's configured comfort threshold (typically 0.6). Used for sensory-sensitive users and as a general preference for quieter journeys.

When true, all route segments requiring stair traversal are excluded from consideration. Distinct from accessibility_preference: step_free — a user may prefer to avoid stairs for comfort or fatigue reasons without declaring a formal accessibility need.

When true, routes through zones where sensory.noise_level_db exceeds the configured comfort threshold (typically 65 dB) are deprioritised or excluded. Primarily used for sensory-sensitive and neurodivergent users.

When true, the routing engine optimises for minimum estimated travel time, using live sensory congestion data to adjust traversal costs. When combined with other boolean preferences, fastest-route is treated as a tiebreaker rather than a hard constraint.

When true, the routing engine minimises the number of direction changes, level transitions, and distinct environments the user passes through. Prioritised for first-time visitors, users with cognitive accessibility needs, and visitors under time pressure who benefit from predictable, linear paths.

When true, the routing engine minimises the number of junctions and turns where a navigation decision is required. Related to simplest_route but distinct — a simple route may still have many small decision points, while a route with few decision points may travel a longer physical distance.

When true, the routing engine selects the path with the lowest aggregate live congestion score, computed from sensory.crowd_density readings along each candidate route segment. Different from avoid_crowds — this minimises total congestion across the whole route rather than blocking individual high-density zones.

The output channel through which this recommendation should be delivered. When populated, the routing system prioritises this channel for rendering the guidance. Inferred from the requesting device type if not explicitly set; never inferred from personal data.

Pre-formatted, channel-ready guidance message to display alongside or instead of the structured routing output. Localised to language_preference. Used when the channel cannot render structured route data — for example, a simple text display or a voice prompt that needs a natural-language sentence rather than turn-by-turn instructions.

Max: 512 chars — Plain text only — Localised per language_preference

Routing engine's confidence in the quality of this recommendation, expressed as a float between 0.0 and 1.0. Computed from the freshness of sensor data, the completeness of the record graph, and the number of viable alternative routes. Channels should display a fallback message rather than the recommendation when this falls below 0.5.

Range: 0.0 – 1.0 — Display fallback below: 0.5 — Computed, not editable

Ordered array of route UUIDs that the routing engine computed as viable alternatives to recommended_route_id. Listed in descending preference order. Consumers may offer these to the user as "other options" — particularly on mobile and kiosk channels where interactive route selection is supported.

Max items: 5 — Ordered: best-first — Each item: UUID referencing a topology route

Privacy processing mode applied when generating this recommendation. Mandatory for all recommendation objects. anonymous means no session state is retained beyond the current request; session_only allows within-session continuity but no cross-session persistence; consented requires consent_status: granted.

Whether it has been verified that the recommendation was generated without processing any personally identifiable data. When true, the object is exempt from GDPR data subject rights obligations and the record need not be logged in the operator's personal data register.

Whether the system detected any personal data in the inputs used to generate this recommendation — for example, a named appointment reference or a device ID that could constitute personal data. When true, full GDPR processing obligations apply and gdpr_status must be set accordingly.

Whether automated profiling and behavioural inference have been disabled for this recommendation, implementing the user's right to object under GDPR Article 22. When true, the routing engine may only use declared preferences and live environmental data — not inferred behavioural patterns — to generate the recommendation.

Standard: GDPR Art. 22 — Right to object to automated decision-making

Overall GDPR compliance status of this recommendation object at the time of generation. Computed automatically. A recommendation with non_compliant status must not be served to any channel.

Whether the recommendation pipeline configuration (not this individual object) has been reviewed by a Data Protection Officer or equivalent. This is a configuration-level flag, not a per-object flag — it reflects whether the operator's recommendation system as a whole has been GDPR-audited. Inherited from the site's governance record.

Whether the recommendation pipeline has been verified to implement Privacy by Design per GDPR Article 25 — specifically: anonymous-by-default session handling, no cross-session profiling without consent, and automatic data minimisation before any preference signals are processed.

Maximum duration in seconds that any data associated with this recommendation (session state, preference signals, interaction logs) may be retained. After this period all associated data must be deleted from all systems. Defaults to the operator's site-level policy if not set per recommendation.

Unit: seconds — Min: 60 — Typical: 900 (15 min) for anonymous sessions

Duration in seconds after which the anonymous_session_id expires and is rotated. Session rotation is a privacy-by-design mechanism that prevents long-term linkability of journey requests even within a single visit. Must be less than or equal to data_retention_policy.

Unit: seconds — Max: equal to data_retention_policy — Typical: 600 (10 min)

Whether explicit user consent is required before this recommendation can be generated or served. Set to true whenever privacy_mode is consented, or when the routing engine would use any data that requires a lawful basis beyond legitimate interest. When true and consent_status is not granted, the recommendation must not be served.

Current state of user consent for the data processing activities underpinning this recommendation. Aligns with the W3C Data Privacy Vocabulary consent states. A recommendation with withdrawn or refused status must not be served and all associated session data must be deleted immediately.

Whether this recommendation was manually set or modified by an authorised operator, overriding the routing engine's automated output. When true, the recommendation is surfaced with an elevated trust signal to consuming systems — human overrides take precedence over any subsequent automated recommendation for the same route segment until the override is cleared. Used during incidents, VIP movements, or emergency routing changes.