Like @Andrew_Masters wrote, the POIs are only valid during a certain time-frame. Each POI is valid until a next set of POIs have been issued one month later, and when you get a new POI, that new one is not traceable to your previous one.
The protocol is similar to what Bryan Ford described in his 2008 whitepaper, https://pdos.csail.mit.edu/papers/accountable-pseudonyms-socialnets08.pdf
_We propose Pseudonym parties, a scheme for creating accountable pseudonyms, which combine inperson social occasions (parties) with technical infrastructure (a pseudonymous sign-on service) to enforce the rule that one real person gets one virtual persona on any participating online service. Pseudonym parties enable the user to adopt different personas in different online spaces without revealing the connection between them, while ensuring that each user has only one accountable pseudonym in each space. Pseudonym parties can be started incrementally in a fully decentralized fashion, can run on volunteer labor with minimal funds, and may even be fun._
The POI tokens are not by themselves tied to an image of you, or a name, or any other identity-data. Since the tokens are not linked to ‘who you are’, but rather to the proof that it’s very hard to obtain multiple of these tokens, they could be understood as being anonymous tokens. These tokens can then be used to sign identity data like a uPort ID or other IDs, or used to gain access to governance services such as crypto basic income.