Privacy Policy

WeSafe (the "Service", "we", "us", or "our") acts as the controller of the personal data you provide through the Service. We process your data in accordance with the data-protection law applicable in your jurisdiction, including:

• KVKK (Law No. 6698) — for users in Türkiye
• GDPR (Regulation 2016/679) — for users in the EU/EEA
• UK GDPR & DPA 2018 — for users in the United Kingdom
• CCPA/CPRA — for residents of California, USA
• LGPD (Law No. 13.709) — for users in Brazil
• PIPEDA — for users in Canada
• Other applicable local data-protection regulations

Wherever you are, your data is processed under the principles of lawfulness, transparency, purpose limitation, data minimisation, and good faith.

Account information

• First and last name (entered by user or received from Apple / Google Sign-In; Apple's relay email is accepted)
• Email address (Apple relay or Google)
• Phone number (for phone verification)
• Date of birth — collected at signup for age verification and the 18+ volunteer approval workflow
• Country code (phone country)

User identifier — pseudonymous

The Firebase Authentication user identifier (UID) does not directly identify you *but* can be linked to your account. Under GDPR/KVKK it is therefore treated as pseudonymous, not anonymous.

Crystal clear: WeSafe does NOT read or upload your address book. The `NSContactsUsageDescription` key is not even declared in our Info.plist.

Adding an emergency contact follows this flow:

1. You tap Add on the Emergency Contacts screen. 2. Apple's system picker (`CNContactPickerViewController`) opens — this is Apple's own UI; the WeSafe process cannot read what is inside it, and never accesses the full list. 3. You select one contact. 4. The system returns only the contact's name + phone number + relationship label (you can edit the label). 5. WeSafe stores these fields (up to 5 emergency contacts) in your own Firestore profile document under `users/{uid}.emergencyContacts` so they survive device migration. 6. You can remove any contact at any time, which deletes the Firestore field.

Location data

We access your location only when:

• You start an SOS — your location is written to the Firestore SOS document and pushed via FCM to selected helpers/emergency contacts.
• You explicitly enable location sharing with a specific person.
• You use the check-in feature.

We do not track in the background without your request. `location` is declared in `UIBackgroundModes` *only* so an active SOS can keep streaming live location when the screen is locked.

Audio and video — only during an active SOS

When SOS starts, the microphone and camera (if you grant permission) publish live via WebRTC (LiveKit) to helpers in the SOS room. The publish ends when SOS ends; media is purged from memory when the session closes.

As of Build 29, the `audio` background mode is *removed* (Apple Guideline 2.5.4 compliance). If the app is backgrounded or the phone is locked, microphone publish stops. No ambient recording occurs outside the SOS flow.

Notification token

Your APNs/FCM token is stored in Firestore at `users/{uid}.fcmToken` so we can deliver push notifications.

Volunteer verification (optional)

If you choose to become a WeSafe volunteer, we additionally collect full name + phone number + application reason, stored under `volunteers/{uid}`. We do *not* collect national ID, driver's license, or any government identity document.

SOS evidence media (optional)

During SOS you may optionally attach photos/videos. These are hosted on Cloudinary CDN and shown only to helpers/contacts associated with that specific SOS event.

Diagnostic data

Firebase Crashlytics collects anonymous technical data (device model, iOS version, stack traces) on crashes. No PII is transmitted.

WeSafe never collects:

• Turkish national ID, passport, driver's license, or any government identity document
• Your full address book, or any contact you didn't personally pick
• Browser history, IDFA/ADID (Apple advertising identifier), ATT tracking
• Health data (we do not use HealthKit)
• Financial data or credit card information (no payment outside Apple StoreKit, if ever added)
• Biometric data (Face ID / Touch ID is evaluated on-device only; never reaches our servers)
• Third-party ad-network data
• Social-media linkage (no Instagram / Facebook / X)

Your personal data is processed for the following purposes:

• Creating and transmitting emergency notifications
• Delivering SOS signals to helpers and the emergency contacts you choose
• Syncing your emergency contacts across devices
• Providing safe arrival tracking through the check-in feature
• Improving service quality (anonymous crash data only)
• Preventing abuse and performing security review
• Volunteer coordination and verification

We NEVER use your data for marketing, advertising, or third-party profiling.

| Provider | Purpose | Region | |---|---|---| | Firebase / Google Cloud | Auth, Firestore, Cloud Functions, Crashlytics, FCM push, Messaging | Belgium + Netherlands (eur3 multi-region) | | LiveKit | WebRTC audio/video transit during active SOS | EU (Germany — Frankfurt) | | Cloudinary | Hosts the SOS evidence photos/videos you upload | EU | | Apple | Sign in with Apple, APNs push delivery | Apple infrastructure | | Google | Google Sign-In | Google infrastructure |

Aymedo does not sell, rent, or disclose data to any other third party except where legally compelled (court order, prosecutor's request). The Firebase Analytics SDK is *not* included in our app.

| Data type | Retention | |---|---| | Account info (name, email, phone, date of birth) | While account is active | | Emergency contacts | Until you delete them or close your account | | SOS events (location, timestamps) | Anonymized after 12 months | | SOS evidence media (Cloudinary) | 12 months; then auto-deleted | | Location history | Not retained outside an active SOS | | Crashlytics diagnostic data | 90 days | | FCM token | While account is active | | Volunteer data | While volunteer status is active + 12 months |

Deleting your account in-app (Profile → Delete Account) permanently erases all account data and emergency contacts from Firestore within 30 days.

Your personal data is processed on Google Firebase (eur3: Belgium + Netherlands). LiveKit uses EU-Frankfurt. Cloudinary uses EU servers.

• EU/EEA users (GDPR): transfers rely on Google's Standard Contractual Clauses (SCCs) approved by the European Commission under GDPR Art. 46.
• Türkiye users (KVKK): cross-border transfers rely on your explicit consent (Art. 9) and the technical safeguards described in Section 11.
• UK users (UK GDPR): transfers comply with the UK International Data Transfer Agreement (IDTA).
• California users (CCPA/CPRA): we do not sell or share your personal information.

Your data is never shared with third parties for advertising, marketing, or any commercial purpose other than the safety service. Data may be disclosed to competent public authorities only when legally required in your jurisdiction.

The following technical and administrative measures are implemented to protect your personal data:

• Encryption in transit: TLS 1.3 for all Firebase, LiveKit, and Cloudinary calls
• Encryption at rest: Google Cloud (AES-256), Cloudinary (AES-256)
• Authentication: Firebase Authentication + Sign in with Apple / Google Sign-In
• Authorization: Firestore Security Rules — access restricted by `request.auth.uid == userId`
• On-device protection: iOS Data Protection (Complete File Protection class) — sensitive files auto-encrypted while the device is locked
• App Check and certificate pinning planned for future releases

Aymedo employees have no access to live data; anonymized logs are used for technical support.

No permission is mandatory. WeSafe asks for each permission *individually*; there is no "Grant All Permissions" bulk button. If you deny a permission, the app retains its core function (manual SOS, manual SMS draft, Privacy Center remain available).

• The onboarding screen uses a *"Continue"* CTA — no aggregate-grant buttons (Apple G5.1.1(iv))
• Notifications, Location, Camera, Microphone, and Motion permissions are *independent and optional*; the app continues working when denied (Apple G5.1.1(v), G4.5.4, G5.1.5)
• Address-book access is never requested — `CNContactPickerViewController` suffices (Apple G5.1.2)
• HealthKit, Bluetooth, Local Network, NFC *are not used*

Regardless of which law applies to you, WeSafe extends the following core rights to every user:

• Right of access — request a copy of the data we hold about you
• Right to rectification — correct inaccurate or incomplete data
• Right to erasure ("right to be forgotten") — available directly in-app via Profile → Delete Account
• Right to restriction of processing
• Right to data portability — *practical note:* currently fulfilled manually via privacy@we-safe.io; in-app self-service export is planned for a future release
• Right to object — to processing based on legitimate interest
• Right not to be subject to automated decision-making — Aymedo does *not* use automated decisions in volunteer approval; decisions are made by humans

Region-specific rights

• EU/EEA (GDPR): right to lodge a complaint with your national supervisory authority
• Türkiye (KVKK Art. 11): the rights above as enumerated in KVKK; complaints to the Kişisel Verileri Koruma Kurumu
• California (CCPA/CPRA): right to know, delete, correct, opt out of sale/sharing (we do neither), and limit use of sensitive personal information
• United Kingdom (UK GDPR): same rights as EU/EEA; complaints to the ICO
• Brazil (LGPD): confirmation, access, correction, anonymisation, portability, deletion, and revocation of consent
• Canada (PIPEDA): access and challenge accuracy

To exercise any right contact privacy@we-safe.io. We respond within the timeframe required by your applicable law (e.g. 30 days under GDPR; 45 days under CCPA).

Cookies and tracking

The WeSafe mobile app uses no ad tracking technology and no third-party analytics. The Firebase Analytics SDK is *not included* in the app; only Auth, Firestore, Crashlytics, Messaging, and Cloud Functions modules are used. No Apple App Tracking Transparency (ATT) tracking is performed.

Payments and subscriptions

WeSafe is currently free; there is no subscription or purchase flow. When premium features are added in the future, Apple's In-App Purchase (StoreKit) will be used — *never* external payment links or non-IAP tipping mechanisms (Apple G3.1.1).

Children

WeSafe is not designed for users under 13. We collect date of birth at signup; under-13 accounts are automatically blocked.

This section maps each Apple App Store Review Guideline cited in WeSafe's submission history to the precise behaviour of the current shipping build (Build 29 / version 1.2.2).

| Guideline | Status | Where addressed | |---|---|---| | 2.5.4 — Background Modes | Resolved in Build 29 | `audio` removed from `UIBackgroundModes`; only `location` and `remote-notification` remain | | 3.1.1 — In-App Purchase | Compliant | No tipping, donation, or external payment mechanism | | 4 — Sign in with Apple | Compliant | Post-SiwA flow does not re-collect name/email already provided by Apple | | 4.5.4 — Push Notifications | Compliant | Push notifications are optional; can be skipped at onboarding | | 5.1.1(iv) — Permission UX | Compliant | "Continue" CTA only; no "Grant All Permissions" button | | 5.1.1(v) — App Functional w/o Permissions | Compliant | App remains fully functional with every permission denied | | 5.1.2 — Data Use and Sharing | Compliant | See Section 3 for emergency-contacts flow | | 5.1.5 — Location Services | Compliant | Location is optional; app functions without it |

App Privacy nutrition label declaration

| Data type | Linked to User | Purpose | |---|---|---| | Contact Info (Name, Email, Phone) | Yes | App Functionality | | Contact Info (Emergency contacts) | Yes | App Functionality | | Identifiers (User ID — Firebase UID) | Yes | App Functionality | | Location (Precise — during SOS) | Yes | App Functionality | | Audio Data (during SOS) | Yes | App Functionality | | Video Data (during SOS) | Yes | App Functionality | | Diagnostics | No | App Functionality | | Tracking | No tracking is performed | — |

This Privacy Policy may be updated. Significant changes will be announced through in-app notifications. The most current version is always at we-safe.io/en/privacy (English) or we-safe.io/tr/privacy (Türkçe).

Data controller: Aymedo · For all privacy-related questions, requests, and inquiries: privacy@we-safe.io