Security & Privacy

Safety you can verify, not just trust

Last reviewed: July 10, 2026

This is a life-safety app, so every claim on this page maps to a real control that ships in our code. And the app itself lets you prove your safety net works before you ever need it — a one-tap self-test that fires a real alert to your own phone, plus an in-app status screen that shows which parts of your safety net have been proven and when.

Our honesty rule. We deliberately don't list certifications we don't hold or protections we haven't built. Everything below is a control that ships today or, where noted, one we're actively rolling out. Plain language sits up top; tap “The technical detail” under any section to see how it actually works.

We never track you in the background

The app has no always-on or background location tracking. It only ever asks for “While Using the App” permission — there is no “Always” permission and no background location task. When the app is closed, it cannot see where you are.

The technical detail

On both iOS and Android the app is built with background location explicitly disabled and only the “when in use” permission string declared. The only background mode the app registers is receiving push notifications — never location. In code, the app requests foreground-only permission and never starts a background location task.

In practice that means: when the app is backgrounded or closed, it does not — and technically cannot — read your position.

Your location is captured only during an active emergency — in three cases you control

We capture your location in exactly three situations: when you press SOS, when you miss a check-in or don't arrive and your contact has already been alerted, or live during a trip only if you switch that on. Never during normal use, never on a timer.

The technical detail

Emergency location capture is wired to fire only once an escalation has actually reached the stage where your emergency contact has already been alerted (Stage 3), and again at the watchdog stage (Stage 4) — at most two captures per incident. It is never called on a schedule, never at the earlier stages, and never when you've checked in on time. Live trip sharing is the only continuous case, and it runs only while you have a trip switched on.

Emergency location is encrypted at rest and wiped within 72 hours

When we do capture your location in an emergency, we store it at reduced precision (rounded to 4 decimal places — never raw GPS) and encrypt it at the database column level with a key kept in a separate vault. The encrypted record is wiped within 72 hours of capture, and only our backend's service role can ever decrypt it — the app itself and our logs never hold the key. This is strong encryption at rest and in transit; it is not end-to-end / zero-knowledge, because our backend must be able to decrypt in order to actually alert your contacts.

The technical detail

Coordinates are rounded to 4 decimal places (roughly 11 metres at the equator) before storage — we never keep raw GPS. The rounded value and its address summary are encrypted at the column level using pgcrypto's pgp_sym_encrypt with a passphrase held in a separate Supabase Vault, so the key never lives in the app or in our logs.

Each record carries a purge deadline set to 72 hours after the moment of capture; once that window passes, the ciphertext is overwritten and only non-sensitive metadata (incident id, stage, timestamp) can remain. Because the backend service role must be able to decrypt in order to dispatch help, we do not — and will not — describe this as end-to-end or zero-knowledge encryption.

Live trip sharing is opt-in, coarse, link-based, and expires on its own

If you share a live trip, your contact opens a private link — no account needed — that shows your position rounded to roughly 100 metres, never your exact spot, and never your phone, email, destination or battery. Your contact sees only your first name, so they know who they're following. You can kill the link instantly, and it auto-expires (and stops serving any position) after 72 hours — 24 hours on a taster trip.

The technical detail

A shared trip link carries a 128-bit, URL-safe token. While the trip is live, the link returns your position rounded to about 100 metres plus your first name — never your exact location, phone, email, destination, or battery level. Stopping the trip clears the token immediately, which instantly and permanently kills the link.

If you forget to stop it, the share expires on its own — after 72 hours, or 24 hours on a taster trip — and stops returning any position at all.

The database decides who can see what — not just our app code

Access rules are enforced inside the database with row-level security, so even if our own app had a bug the database will not hand another person's data to you. The powerful functions that carry emergency data or personal information are locked to our backend only, and the few the app calls directly re-check that you are asking for your own data.

The technical detail

Row-level security policies live in the database itself, below our application code — so a bug in the app can't make the database hand you another person's row. The stored procedures that carry emergency data, personal information, SOS, or billing entitlements are executable only by our backend's service role; execute rights are revoked from anonymous and ordinary authenticated callers.

The handful of functions the app is allowed to call directly re-verify that the requesting account matches the account being asked about, and reject the request outright on a mismatch.

We prove your safety net works — before you have to rely on it

You can fire a real alert to your own phone and watch it arrive, and see a per-feature status list — SOS delivery, missed-check-in reminder, trip alert, contacts reachable, location capture — each marked “Verified” with the date it was last proven. A self-test never pages your real contacts.

The technical detail

The self-test runs against a synthetic, immediately-deleted test incident, so it exercises the real delivery path to your own device without ever paging your real emergency contacts. The status screen marks each feature “Verified” only if it was actually proven within the last 90 days — otherwise it asks you to re-prove it, so a stale green is never shown.

If our main alert channel fails, alerts reroute automatically

Email alerts have an automatic backup path: if our primary email provider starts failing, a circuit breaker switches sending to a second provider, and anything that still can't send lands in a retry queue with an on-call page — alerts don't silently disappear.

The technical detail

Email alerts go out through a primary provider (Amazon SES). A circuit breaker watches the failure rate; if the primary starts failing, sending is automatically rerouted to a second provider (Resend). Anything that still can't be delivered is written to a dead-letter queue and pages our on-call — with the recipient's personal details scrubbed from the page — so a failed alert is retried and seen by a human, never silently dropped.

You can delete your account and your data — for real

Delete your account from Settings and we truly remove it: your record is neutralized immediately (all outbound contact stops, email and phone are released), then permanently purged within 30 days of deletion, keeping only a minimal audit that carries no personal identifiers. This is designed to honor your erasure rights under the GDPR, CCPA and India's DPDP Act.

The technical detail

Deleting your account runs a two-phase erasure. First, a soft-delete neutralizes the record immediately — it stops all outbound contact and releases your email address, phone number, and push token. Then, within 30 days of deletion, the record and everything linked to it are permanently purged (cascade), leaving only a minimal audit entry keyed by an internal id with no personal identifiers.

We describe this honestly as designed to honor — not to automatically certify — your erasure rights under GDPR, CCPA, and the DPDP Act. You can start deletion yourself from Settings, in the app.

We don't sell your data

We do not sell, rent, or trade your personal information to advertisers or data brokers. Our product analytics is keyed to a pseudonymous identifier, and we redact personal data in our error logs. This is a foundational product commitment.

The technical detail

Product analytics is keyed to a pseudonymous account identifier rather than your name, email, or phone number, and personally identifying information is redacted from our error and crash logs before it's recorded. For the full list of processors we use and exactly what each one receives, see our Privacy Policy.

We audit ourselves against written specs, and fix what we find

We keep a written set of security specifications and periodically audit our code against them. Our most recent internal review (July 2026) found several high-severity issues — forged safety-call webhooks, an over-permissive data function, and a webhook host check — and we have written and tested the fixes and are rolling them out to production; we're working through the medium-severity items now. We describe this honestly: it is an internal program, not an external certification.

The technical detail

Our specifications cover data classification, encryption, row-level security and grants, edge functions, magic-link tokens, and logging & PII handling. The July 2026 internal review flagged a set of issues; the high-severity ones — a way to forge our safety-call webhooks, an over-permissive database function, and a webhook host check — have fixes written and tested and are being rolled out to production, and we're working through the medium-severity findings now.

This is our own program, measured against our own written specifications — not an audit by an outside firm and not a formal certification. We would rather tell you that plainly than imply a badge we don't hold.

Report a security issue

Found a vulnerability or a privacy concern? Email us and we'll respond. We'd rather hear it from you than not know.

Want the full data-handling detail — every processor, retention window, and your rights under GDPR, CCPA, and the DPDP Act? Read our Privacy Policy. Prefer to see how the app works end to end? Start with How it works.

Explore Safety Resources