Privacy Policy
Last updated: April 28, 2026
1. Introduction
I'm Alive ("we", "our", or "us"), operated by Mendios Technologies Bangalore Pvt Ltd (the company behind WebMobi), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and website (collectively, the "Service").
By using our Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with this policy, please do not use our Service.
2. Information We Collect
2.1 Information You Provide
We collect minimal information necessary to provide our service:
- Email address - For account authentication and sending alerts
- Name - For display purposes and personalized alerts to your contacts
- Timezone - To schedule check-ins at your local time
- Check-in times and notes - To track your wellness history
- Emergency contact information - Name, phone, email, and relationship to send alerts when needed
- In-app feedback and NPS scores - When you respond to optional feedback prompts within the app
- Notification preferences - For each emergency contact, you choose whether they receive a notification on every check-in, only when you miss a check-in, or are paused entirely (see Section 6 for details)
2.2 Automatically Collected Information
- Push notification token - To send reminders and alerts
- Device type and OS version - For app compatibility and troubleshooting
- App usage data - Check-in patterns and feature usage (anonymized)
- Email engagement data - Open rates and click tracking for onboarding and report emails, used to improve communication relevance
- Device activity signals (planned -- opt-in, paid plans only) - App opens, charging patterns, and motion detection for passive safety tracking
2.3 Emergency Location Snapshot (Family Plus)
Emergency Location Snapshot is a feature available only on the Family Plus plan and only takes effect when you have failed to check in and an emergency escalation is already in progress. We do not track your location during routine app use, in the background, or at any time outside an active emergency.
Specifically:
- When it captures: only when an escalation incident has reached Stage 3 (your emergency contact has been alerted) or Stage 4 (the watchdog stage). Captures never happen at Stage 1 or 2, never during normal use, and never when you have checked in on time.
- Maximum captures: at most two locations per emergency incident — one at Stage 3 and one at Stage 4. The phone makes a single foreground location request and reports the result; if the OS denies permission or location is unavailable, the incident proceeds without location.
- Precision: coordinates are stored at 4-decimal precision (approximately 100 metres at the equator). We do not store raw GPS. The intent is "near enough for a contact to dispatch help," not "precise enough to identify a specific address inside a building."
- Reverse geocoding: the human-readable address summary (e.g., "Near Indiranagar, Bengaluru") is generated on your phone using the operating system's built-in reverse-geocoder. Our servers never call Google or Apple Maps APIs, and your raw coordinates are never sent to a third-party geocoding service.
- Encryption at rest: coordinates and address summary are encrypted at the column level using pgcrypto and a passphrase held in Supabase Vault. The encryption key is per-environment and never present in our application code or logs.
- Who can see it: you, on the in-app Activity screen; and your emergency contact, only while the incident is unresolved. The moment the incident is resolved (you check in, or your contact taps "I've got it"), location visibility for the contact is revoked automatically.
- Auto-deletion: the encrypted ciphertext is wiped 72 hours after capture. After that point, only non-sensitive metadata (incident ID, stage, capture timestamp, source platform) remains for analytics purposes — never location.
- Opt-out: the feature is opt-in for Family Plus users. You can disable it at any time in Settings → Emergency Location, and the disabled state is honoured even if a silent push arrives during an active escalation.
- When permission is requested: when you enable Emergency Location Snapshot for the first time, iOS will ask whether to allow location access while you're using the app. We request this in advance so that, during a real emergency, we can capture your location without requiring you to tap "Allow" — which you may not be able to do if you're incapacitated. You may also see a one-time confirmation on Android. You can revoke this at any time in your phone's system Settings.
2.4 AI Voice Agent (Family Plus)
On the Family Plus plan, when you miss a check-in and an escalation reaches Stage 3, our AI Voice Agent may place an automated phone call to you (typically about 75 minutes after the missed check-in) asking whether you are okay. You can reply by voice (e.g., "I'm fine") or by pressing "1" to confirm safety or "2" to indicate you need help. The call is processed in real time using third-party voice infrastructure (see Section 8.1) — Twilio for the telephony channel, Deepgram for converting your speech to text, ElevenLabs for the agent's text-to-speech voice, and Anthropic Claude for understanding your reply. We classify the outcome (e.g., resolved_fine, resolved_distress, no_answer, voicemail) and store only the structured outcome — we do not record audio by default and we do not store full transcripts. A daily cap of 5 voice calls per user prevents runaway dispatch.
3. Information We Do NOT Collect
We are committed to minimal data collection. We do NOT collect:
- Health or medical information
- Contact list or address book
- Device identifiers for advertising
- Browsing history
- Financial or payment information (payments are handled by Apple/Google via RevenueCat)
- Biometric data
- Phone calls, text messages, or content from other apps
4. How We Use Your Information
Your information is used solely to provide and improve our Service:
- Authenticate your account and maintain security
- Send check-in reminders at your scheduled time
- Alert your emergency contact if you miss a check-in
- Display your check-in history within the app
- Send important service updates and notifications
- Improve app functionality and user experience
- Respond to support requests
4.1 Per-Contact Notification Preferences
By default, every emergency contact you add receives a confirmation each time you check in. This is the noisier-but-reassuring choice for family caregivers. You can change this for any contact, at any time, to:
- Only when I miss a check-in: the contact hears from us only on miss / escalation, plus an optional Monday-morning weekly summary email.
- Paused: the contact will not be contacted, even on a missed check-in. We show you an in-app warning so you remember this, and we recommend you keep at least one contact on a non-paused setting.
Notification preferences are stored alongside the contact record and respected by every channel — email, push notification, SMS, and (on Family Plus) the AI voice agent.
5. SMS Communications
For users on the Family plan, emergency alerts may be sent to your designated emergency contact via SMS using Twilio (from +1 661-518-2541). SMS is used exclusively for safety-related escalation alerts when you miss a check-in.
- Your emergency contact can reply OK to acknowledge the alert or STOP to unsubscribe from SMS alerts
- SMS is available on the Family plan only
- We do not use SMS for marketing or promotional messages
- Standard messaging rates from your contact's carrier may apply
6. Email Communications
We send the following types of email communications:
- Onboarding drip sequence - A 10-day series of emails to help you get the most out of the app after sign-up
- Weekly safety reports - A summary of your check-in activity sent to you and optionally to your emergency contact
- Emergency alerts - Sent to your emergency contact when you miss a check-in
- Service updates - Important changes to the app or these policies
Every non-essential email includes an unsubscribe link. You can opt out of onboarding and report emails at any time. We do not sell or share email addresses with third parties for marketing purposes.
7. Passive Activity Tracking (Planned Feature)
We are developing a passive activity tracking feature that monitors basic device signals to detect potential inactivity without requiring a manual check-in. This feature will be opt-in only and available on paid plans.
What we track:
- App opens and interaction timestamps
- Device charging patterns (plugged in / unplugged)
- Device motion detection (accelerometer-based activity)
What we do NOT track:
- Location (unless separately opted in on the Family plan)
- Phone calls, text messages, or call logs
- Browsing activity or content from other apps
- Contacts, photos, or files on your device
Data retention for passive tracking:
- Raw activity signals are deleted after 7 days
- Daily activity summaries (e.g., "active" / "inactive") are retained for 90 days
Passive tracking is opt-in only and can be disabled at any time in your app Settings. Basic passive tracking is available on the Lifetime plan; full passive tracking (including motion detection) is available on the Family plan.
8. Data Sharing and Disclosure
We do not sell, trade, or rent your personal information to third parties — not to advertisers, not to data brokers, not to insurance companies, not to anyone. Many location-tracking apps in our category are funded by selling user location data; we are not, and we do not. This is a deliberate, foundational product choice, not a marketing claim.
We may share information only in the following circumstances:
- With your designated emergency contact - Check-in status and alerts only, as part of core service functionality
- With service providers - Who help us operate the app (cloud hosting, email delivery, push notifications) under strict confidentiality agreements
- Legal requirements - If required by law, court order, or government request
- Safety - To protect the rights, property, or safety of our users or others
- Business transfers - In connection with a merger, acquisition, or sale of assets (with notice to users)
8.1 Service Providers
We use the following third-party services. Each receives only the information necessary for the function described — never your full account profile, never your location history.
- Supabase - Database and authentication. Data is stored encrypted at rest; column-level encryption (pgcrypto + Vault) is applied to emergency location coordinates and address summaries. Hosted region per environment.
- Expo - Push notification delivery to mobile devices. Receives push tokens and notification payloads.
- Amazon Web Services (SES) - Email delivery for alerts, onboarding, weekly digests, and reports.
- Twilio - SMS delivery for emergency alerts (Family and Family Plus plans). On Family Plus, Twilio also handles the inbound/outbound voice channel for the AI Voice Agent. Twilio receives the user's phone number, contact phone numbers, and the audio stream of the call (not retained by us).
- Deepgram (Family Plus only) - Real-time speech-to-text transcription of the AI Voice Agent call. Audio is processed in-flight; we do not retain transcripts.
- ElevenLabs (Family Plus only) - Text-to-speech for the AI Voice Agent. Receives only the synthesised text we send to the caller, never personal information about you.
- Anthropic (Claude) (Family Plus only) - Conversation classification for the AI Voice Agent ("did the user say they're okay or that they need help?"). Receives only the user's spoken words for the duration of the call.
- RevenueCat - Subscription and in-app purchase management. Receives subscription identifiers and entitlement state.
- Vercel - Website hosting.
- Mixpanel - Product analytics, keyed by anonymous account UUID. We never send email addresses, phone numbers, or location data to Mixpanel.
- Sentry - Error tracking and crash reporting. Personally identifying information is redacted before submission.
9. Data Security
We implement appropriate technical and organisational security measures including:
- Encryption in transit: TLS 1.2 or higher for all client-server communication. We do not accept HTTP — every redirect lands on HTTPS at the edge.
- Encryption at rest (general): all stored data is encrypted at the storage layer by our cloud database provider.
- Column-level encryption for sensitive fields: emergency location coordinates and address summaries are additionally encrypted using pgp_sym_encrypt (pgcrypto) with a 32+ byte passphrase held in Supabase Vault. The encryption key is per-environment and is never present in our application code, configuration files, or runtime logs. Only a database stored procedure can decrypt these fields, and only the service-role of our backend can call that procedure.
- Row-level security (RLS): every table containing user data has database-enforced policies restricting access to the row owner (you) plus, where appropriate, your designated emergency contacts during an active escalation. RLS is enforced at the database, not in application code, so a bug in our code cannot expose another user's data.
- Time-bounded sharing: location data is visible to emergency contacts only while an escalation incident is unresolved. The moment the incident resolves, the contact's view is revoked automatically.
- Single-use magic links: the link your emergency contact receives via SMS or email to confirm or escalate an alert is signed (HMAC-SHA256), expires within 48 hours, and burns on first use.
- Secure token storage on device: push tokens and authentication credentials are stored in the OS-secured keychain on iOS and the Keystore on Android.
- Regular security audits: we maintain a written set of security specifications and conduct periodic audits against them. The most recent audit (April 2026) covered location, voice agent, magic links, and the per-contact notification model.
- Access controls and authentication: access to production databases and infrastructure is limited to a small number of authorised engineers and gated by multi-factor authentication.
While we strive to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
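The single-use magic link scheme described in this section (HMAC-SHA256 signature, 48-hour expiry, burn on first use) can be sketched as follows. This is an added example, not I'm Alive's own code; the token layout, the `MagicLinks` class, the action names and the in-memory burn set are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time

LINK_TTL_SECONDS = 48 * 3600  # the policy states links expire within 48 hours


class MagicLinks:
    """Issues and redeems signed, expiring, single-use link tokens."""

    def __init__(self, secret: bytes, ttl: int = LINK_TTL_SECONDS):
        self._secret = secret
        self._ttl = ttl
        # Assumption: stands in for a database table with a UNIQUE nonce column,
        # so that the burn is atomic even when two requests race.
        self._burned = set()

    def _sign(self, payload: str) -> bytes:
        mac = hmac.new(self._secret, payload.encode(), hashlib.sha256).digest()
        return base64.urlsafe_b64encode(mac).rstrip(b"=")

    def issue(self, incident_id: str, action: str, now: float) -> str:
        nonce = secrets.token_urlsafe(16)  # unguessable, contains no "."
        payload = f"{incident_id}.{action}.{nonce}.{int(now) + self._ttl}"
        return f"{payload}.{self._sign(payload).decode()}"

    def redeem(self, token: str, now: float):
        """Return (status, claims); claims is None unless status == "ok"."""
        try:
            payload, sig = token.rsplit(".", 1)
            presented = sig.encode()
            expected = self._sign(payload)
        except ValueError:
            return "malformed", None
        # Check the MAC before trusting any field, in constant time.
        if not hmac.compare_digest(presented, expected):
            return "bad_signature", None
        try:
            incident_id, action, nonce, expires = payload.split(".")
            expires_at = int(expires)
        except ValueError:
            return "malformed", None
        if now >= expires_at:
            return "expired", None
        if nonce in self._burned:
            return "already_used", None
        self._burned.add(nonce)  # burn on first successful use
        return "ok", {"incident_id": incident_id, "action": action}


if __name__ == "__main__":
    links = MagicLinks(secrets.token_bytes(32))  # constructed demo key
    token = links.issue("incident-0001", "acknowledge", time.time())
    print(links.redeem(token, time.time()))  # first click is accepted
    print(links.redeem(token, time.time()))  # replayed link is refused
```

The signature is verified before any field is parsed, and a link that fails the signature or expiry check is not burned, so a tampered copy cannot invalidate the genuine link.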
10. Data Retention
We retain your data as follows:
- Account data - Retained while your account is active
- Check-in history - Retained for 12 months, then automatically deleted
- Emergency location snapshots (Family Plus) - Encrypted ciphertext is wiped 72 hours after the relevant escalation incident is resolved. After that point, only non-sensitive metadata (incident ID, stage, capture timestamp, source platform) is retained.
- AI Voice Agent outcomes (Family Plus) - Structured outcome (e.g., resolved_fine / resolved_distress / no_answer) is retained alongside the incident record. Audio is not recorded by default. Full transcripts are not retained.
- Passive tracking signals - Raw signals deleted after 7 days; daily summaries retained for 90 days
- Email engagement data - Retained for 90 days
- User feedback - Retained for 24 months
- After account deletion - All personal data deleted within 30 days
You can request deletion of your account and all associated data at any time.
11. Your Rights
Depending on your location, you have the following rights under applicable privacy laws:
GDPR (European Union / United Kingdom)
- Access - Request a copy of your personal data
- Rectification - Request correction of inaccurate data
- Erasure - Request deletion of your data ("right to be forgotten")
- Restriction - Request restriction of processing
- Portability - Request export of your data in a portable format
- Object - Object to certain types of processing
CCPA (California, United States)
- Right to Know - Request what personal information we collect and how it is used
- Right to Delete - Request deletion of your personal information
- Right to Opt-Out of Sale - We do not sell your personal information, so this right is automatically satisfied
- Non-Discrimination - We will not discriminate against you for exercising your privacy rights
DPDP Act (India)
- Access - Request a summary of your personal data and processing activities
- Correction - Request correction or completion of inaccurate data
- Erasure - Request erasure of your personal data
- Grievance Redressal - Right to file a grievance regarding data processing
Specific to Emergency Contacts
In addition to the rights above, you have the following controls over how your emergency contacts hear from us:
- Revoke a contact at any time: remove the contact in Settings → Contacts. We stop sending them notifications immediately, even if a check-in is in progress.
- Pause a contact: set notify mode to "Paused" to keep the relationship recorded but suspend all outbound contact (including emergency alerts).
- Switch to alerts-only: stop the daily check-in confirmations to a contact while keeping them on the emergency-alert path.
- Disable emergency location: if you are on Family Plus, you can turn off Emergency Location Snapshot in Settings → Emergency Location. The disable takes effect immediately and persists across app restarts.
How to Exercise Your Rights
To exercise any of these rights, you can:
- Email us at support@webmobi.com
- Delete your account directly in the app (Settings > Delete Account)
We will respond to verified requests within 30 days (or sooner where required by law).
12. Children's Privacy
Our Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately.
13. International Data Transfers
Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place to protect your data in accordance with this Privacy Policy.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by:
- Posting the new policy on this page
- Updating the "Last updated" date
- Sending an email notification for significant changes
Your continued use of the Service after changes constitutes acceptance of the updated policy.
15. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
- Email: privacy@webmobi.com
- Support: support@webmobi.com
- Website: https://imalive.co/support
Company: Mendios Technologies Bangalore Pvt Ltd (WebMobi)
Registered Office: 139 HAL Old Airport Road, Unit 101, Bengaluru, Karnataka 560008, India
CIN: U74900KA2010PTC055525
Service: I'm Alive - Daily Safety Check-In App
Effective Date: April 28, 2026