Data Protection Policy
Effective date: March 16, 2026 | Last updated: March 16, 2026
This Data Protection Policy explains in clear, specific terms what data FriendsMap collects, where it is stored, who can access it, how it is protected, and our absolute commitment to never selling or sharing it for commercial gain. This policy supplements our Privacy Policy.
1. Our core promise
Your data belongs to you. We will:
- Never sell your personal data to any person, company, or organization — ever.
- Never share your personal data with third parties for advertising, marketing, profiling, or commercial data-brokering purposes.
- Never use your location, contacts, communications, or behaviour to build advertising profiles or target you with ads.
- Collect only the minimum data necessary to provide the features you use.
- Keep your data only for as long as it is needed, then delete or anonymize it.
- Be transparent about what we collect, why, and who processes it on our behalf.
This promise is not merely a policy — it is the foundation of our business model. FriendsMap is funded by donations and subscriptions, not by monetizing you.
2. What data we collect and why
The list below summarizes each category of data, why we collect it, and the legal basis under PIPEDA and GDPR:
- Phone number — Used for SMS-based sign-in verification. This is how we authenticate you without requiring a password. Legal basis: contract (necessary to provide the Service).
- Display name and profile photo — Optional. Shown to your friends within the app so they can identify you on the map. Legal basis: consent (you choose to provide these).
- Date of birth — Collected once during account setup to determine whether parental consent is required. We do not use this for marketing or targeting. Legal basis: legal obligation (child protection compliance) and contract.
- Real-time location — Processed when you enable location sharing, and shared only with the specific people you choose. We do not build a historical movement database. Location is processed in near-real-time and not archived for ad purposes. Legal basis: consent (you explicitly enable sharing).
- Parent/guardian information (for minors) — Name, email address, and optionally phone number of the parent or guardian, plus records of identity verification. Used only for safety compliance and account management. Legal basis: legal obligation and legitimate interest (child safety).
- Usage data — Anonymized or pseudonymized records of features used (e.g. convoys created, events attended) to help us understand what is working and what needs improvement. Legal basis: legitimate interest.
- Device and technical information — Device type, OS version, app version, and crash logs. Used for technical support, bug fixing, and ensuring compatibility. Legal basis: legitimate interest.
- SOS emergency data — Your current location at the moment you activate SOS, used in real time to build the outbound alert. Not stored on our servers after the alert is sent. Legal basis: vital interests (emergency safety).
3. Where your data is stored
FriendsMap uses Google Firebase (Google LLC) for its backend infrastructure — including authentication, real-time database, cloud storage, push notifications, and crash reporting. Firebase servers are primarily located in the United States, with additional infrastructure in other regions depending on Firebase's global architecture.
What this means for you:
- Your data may be stored and processed in the United States.
- Google Firebase operates under Google's Cloud Data Processing Addendum, which includes data processing obligations and security commitments binding on Google.
- Firebase infrastructure is certified under ISO 27001, SOC 1, SOC 2, SOC 3, and other international security standards.
- For Canadian users, transfers to the US are covered under PIPEDA's cross-border transfer provisions. For EU/EEA users, we rely on Standard Contractual Clauses (SCCs) as the legal mechanism for the transfer.
We do not use additional cloud storage providers beyond what is listed here. If this changes, we will update this policy and notify you.
4. Who can access your data
Access to your personal data is strictly controlled:
- Within FriendsMap: Only team members who require access to perform their job functions are granted access, on a strict least-privilege basis. Access is reviewed regularly. No team member may access your data for personal purposes.
- Google Firebase: As our infrastructure provider, Google has technical access to data stored in Firebase. Google processes this data only as a data processor under our instructions and is contractually prohibited from using it for its own advertising purposes.
- HERE Technologies: Processes location queries to return map tiles and routing information. HERE receives map/routing requests but does not receive your account identity or personal profile.
- No one else: We do not share your data with any other third parties. Specifically, we do not share with advertising networks, data brokers, analytics companies that build profiles, government agencies (except under lawful legal compulsion), or any company that intends to use your data commercially.
5. How your data is protected
We apply multiple layers of technical and organizational security measures:
- Encryption in transit: All communications between your device and FriendsMap servers use TLS 1.2 or higher (HTTPS). Location data and account information are never transmitted in plain text.
- Encryption at rest: Data stored in Firebase is encrypted at rest using AES-256 encryption, enforced by Google's infrastructure.
- Authentication security: We use Firebase Authentication with SMS-based one-time codes. We do not store passwords.
- Access controls: Production data environments are protected by multi-factor authentication and role-based access control. Only authorized personnel may access production systems.
- Monitoring and logging: We maintain audit logs for access to sensitive data. Anomalous access patterns are flagged for review.
- Third-party security review: We review the security certifications and compliance documentation of all service providers before onboarding them and on an ongoing basis.
- Incident response: We maintain a documented incident response plan. Our breach response process is described in Section 7 below.
- Data minimization: We do not collect data we do not need. This in itself reduces your exposure in the event of any security incident.
6. Data retention schedule
We retain data only for as long as necessary:
- Account data (phone number, display name, profile photo): Retained while your account is active. Deleted or irreversibly anonymized within 30 days of account deletion.
- Real-time location data: Processed in near-real-time and not archived as a permanent movement history. Temporary caching for convoy/event features is session-scoped only.
- Age verification and parental consent records: Retained for as long as the minor's account exists, plus a reasonable period thereafter as required under applicable child protection laws.
- Usage and diagnostic data: Retained for up to 90 days, then deleted or anonymized.
- Support communications: Retained for up to 2 years to assist with follow-up requests, then deleted.
- Financial/subscription records: Retained for up to 7 years as required under Canadian tax and accounting laws. These records contain billing references only; we do not store full payment card numbers.
- Legal hold: Where required by a court order or legal obligation, we may retain specific data beyond the above periods, for the duration of that legal requirement only.
7. Data breach response
Despite best efforts, no system is completely immune to breaches. Our response plan:
- Detection: We monitor for unauthorized access and unusual activity. Upon detecting or being notified of a potential breach, we immediately activate our incident response team.
- Containment: We take immediate steps to contain the breach, including revoking compromised credentials, isolating affected systems, and preserving forensic evidence.
- Assessment: We assess what data was affected, the likely impact, and the number of users involved.
- Regulatory notification: If the breach poses a real risk of significant harm, we will report it to the Office of the Privacy Commissioner of Canada (OPC) as soon as feasible, and to other applicable regulators as required by law.
- User notification: We will notify affected users as soon as reasonably possible after the breach is confirmed, providing details of what happened, what data was involved, and what steps we are taking to protect them.
- Remediation: We implement corrective measures to prevent recurrence and may engage independent security experts to audit our systems.
We maintain a breach register as required by PIPEDA.
8. Your data rights
You have meaningful rights over your personal data. To exercise any of the rights below, contact us at contact@friendsmap.me. We will verify your identity before acting on any request.
- Right of access: You can request a copy of all personal data we hold about you, in a legible format.
- Right of correction (rectification): You can ask us to correct any inaccurate or incomplete data we hold about you.
- Right of deletion (erasure): You can request that we delete your personal data. We will do so within 30 days unless we are required by law to retain certain records. Deleting your account in the app triggers this process automatically.
- Right of data portability: You can request your data in a structured, machine-readable format (e.g. JSON or CSV) where technically feasible, so you can transfer it to another service.
- Right to withdraw consent: Where processing is based on your consent (e.g. location sharing), you can withdraw that consent at any time via app settings, without affecting the lawfulness of prior processing.
- Right to object: You can object to processing based on legitimate interests. We will stop unless we have compelling legitimate grounds that override your interests.
- Right to restrict processing: In certain circumstances, you can request that we limit how we use your data while a dispute is being resolved.
- Right not to be subject to automated decisions: We do not make automated decisions that significantly affect you based on your personal data.
We will respond to all verified requests within 30 days. In complex cases, we may extend this by an additional 30 days with notice.
If you are unsatisfied with our response:
- Canadian residents: File a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca.
- Quebec residents: Contact the Commission d'accès à l'information du Québec at cai.gouv.qc.ca.
- EU/EEA residents: Contact your national data protection authority.
- California residents: You have specific rights under the CCPA/CPRA, including the right to opt out of sale of personal information (we do not sell — so this is inherently satisfied), and the right to non-discrimination for exercising your rights.
9. No automated profiling or decision-making
FriendsMap does not build profiles about you for advertising, scoring, or targeting. We do not use your personal data in automated decision-making processes that produce legal or similarly significant effects about you. Your data is used only to provide the features you explicitly use.
10. Cross-border data transfers
Your data may be transferred to and processed in countries other than Canada, primarily the United States (via Firebase/Google). When such transfers occur, we ensure equivalent protection is in place:
- For PIPEDA purposes: we maintain contractual obligations with our providers consistent with PIPEDA's cross-border transfer requirements.
- For GDPR purposes: we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission as the transfer mechanism.
- We do not transfer data to jurisdictions that we have reason to believe cannot provide adequate protection without first putting additional safeguards in place.
11. Children's data protection
We apply heightened protections to data belonging to users who are 15 years old or under:
- No minor's account is activated until a parent or guardian has completed identity verification.
- Minor data is never used for advertising, marketing, or commercial purposes of any kind.
- Parents have full rights to access, correct, and delete their child's data at any time.
- We do not share minor data with any third party except as strictly necessary to operate the Service (e.g. Firebase for authentication) and with the SOS trusted contact feature as designed.
- If we discover that a user under 13 has created an account without verified parental consent, we will immediately suspend the account and delete associated data.
12. Updates to this policy
We may update this Data Protection Policy when our practices change or when legal requirements evolve. Material changes will be posted on this page with a new effective date, and users will be notified via the app or email. We encourage you to review this policy periodically.
13. Complaints and Data Protection
For any data protection questions, rights requests, or concerns:
Email: contact@friendsmap.me
We aim to respond to all data protection inquiries within 30 days.