1. Introduction

Welcome to ZoneAlert, an emergency alert application developed and operated by Bon.do ApS ("Bon.do", "we", "us", "our"). ZoneAlert is designed to provide real-time emergency notifications based on your location. We are deeply committed to protecting your personal data and respecting your privacy, especially given the sensitive nature of location data.

This Privacy Policy explains how we collect, use, share, and protect your personal information when you use the ZoneAlert mobile application. This policy is drafted in accordance with the General Data Protection Regulation (GDPR) and relevant Danish data protection laws.

2. Data Controller

Bon.do ApS, located at Rantzausmindevej 228, 5700 Svendborg, Denmark (CVR: 43473425), is the data controller responsible for your personal data collected through the ZoneAlert application.

Contact: info@bon.do | Phone: +45 20 40 59 42

3. Information We Collect

To provide emergency alert services, we collect and process the following types of personal data:

3.1 Location Data

• Precise Location: We continuously collect your device's GPS coordinates (latitude and longitude) to verify if you are within emergency alert zones.
• Background Location: ZoneAlert requires access to your location even when the app is closed or not in use. This is essential for providing real-time emergency alerts when you enter or are within a danger zone.
• Location History: We temporarily store location data for the purpose of alert zone verification. Historical location data is not retained beyond what is necessary for service functionality.

3.2 Push Notification Tokens

• Firebase Cloud Messaging (FCM) Token: A unique device token used to send emergency push notifications to your device. This token is managed by Google Firebase services.

3.3 Account Data

• Email Address: Used for account creation, authentication, and critical service communications.
• Password: Stored in encrypted form via Supabase authentication service. We never have access to your plain-text password.
• User ID: A unique identifier assigned to your account for service functionality.

3.4 Device Information

• Device ID: A unique identifier for your mobile device.
• Operating System: OS version (iOS/Android version) for compatibility and technical support.
• App Version: The version of ZoneAlert installed on your device for debugging and updates.
• Device Model: The make and model of your device for troubleshooting purposes.

4. How We Use Your Data

We use your personal data exclusively for the following purposes:

• Emergency Alert Zone Verification: To determine if you are within or entering an active emergency zone and trigger appropriate alerts. (Legal basis: Legitimate interest / Consent)
• Push Notification Delivery: To send critical emergency notifications to your device via Firebase Cloud Messaging. (Legal basis: Legitimate interest / Consent)
• User Authentication: To securely manage your account and app access via Supabase authentication. (Legal basis: Performance of contract)
• App Functionality: To maintain, operate, and improve the core functionality of the ZoneAlert service. (Legal basis: Performance of contract / Legitimate interest)
• Technical Support: To diagnose technical issues and provide user support. (Legal basis: Legitimate interest)
• Service Improvement: To analyze aggregated and anonymized usage patterns for improving app performance and user experience. (Legal basis: Legitimate interest)
• Legal Compliance: To comply with applicable laws and regulations. (Legal basis: Legal obligation)

We do not use your location data for marketing, advertising, or any purposes beyond emergency alert functionality.

5. Data Sharing and Disclosure

We do not sell, rent, or trade your personal data to third parties. We only share your data with the following service providers acting as data processors under strict contractual agreements:

• Firebase / Google Cloud Platform: For push notification delivery via Firebase Cloud Messaging (FCM). Google acts as a data processor under our Data Processing Agreement.
• Supabase: For secure user authentication and account management. Supabase processes authentication data on our behalf under strict data processing terms.
• Cloud Infrastructure Providers: For hosting backend services and databases (e.g., AWS, Google Cloud). All data is encrypted at rest and in transit.

International Data Transfers: Some of our service providers (Firebase, Supabase) may process data outside the EU/EEA. We ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) and compliance with GDPR requirements for international transfers.

Legal Disclosure: We may disclose your personal data if required by law, court order, or government request, or to protect the rights, safety, and security of ZoneAlert users or the public.

6. Data Security

We implement industry-standard technical and organizational measures to protect your personal data:

• End-to-End Encryption: All data transmitted between your device and our servers is encrypted using TLS/SSL protocols.
• Encryption at Rest: All stored data, including location data and account information, is encrypted in our databases.
• Access Controls: Strict access controls ensure that only authorized personnel can access personal data, and only when necessary for service operation.
• Secure Authentication: Passwords are hashed and stored securely via Supabase's authentication system. We never store plain-text passwords.
• Regular Security Audits: We conduct regular security assessments and vulnerability testing.

Despite these measures, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy:

• Location Data: Location coordinates are processed in real-time and temporarily stored only for immediate alert zone verification. We do not retain long-term location history.
• Account Data: Your email, user ID, and authentication data are retained as long as your account remains active.
• Device Information: Device data is retained for as long as the app is installed and your account is active.
• Push Notification Tokens: FCM tokens are retained as long as the app is installed and active on your device.

When you delete your account, all associated personal data is permanently deleted from our systems within 30 days, except where we are required by law to retain certain information.

8. Your Rights under GDPR

Under the GDPR, you have the following rights regarding your personal data:

• Right of Access: You can request a copy of the personal data we hold about you.
• Right to Rectification: You can request correction of inaccurate or incomplete data.
• Right to Erasure (Right to be Forgotten): You can request deletion of your personal data. You can delete your account directly within the ZoneAlert app.
• Right to Restriction of Processing: You can request that we limit how we use your data.
• Right to Data Portability: You can request transfer of your data to another service provider in a machine-readable format.
• Right to Object: You can object to processing based on legitimate interests. Note that objecting to location processing will prevent the app from functioning properly.
• Right to Withdraw Consent: Where processing is based on consent, you can withdraw consent at any time by disabling location permissions or deleting the app.

To exercise these rights, please contact us at info@bon.do. We will respond to your request within 30 days.

You also have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet) if you believe we have not handled your personal data appropriately.

9. Location Permissions and Control

ZoneAlert requires location permissions to function. Here's how you can manage these permissions:

• iOS: Go to Settings → Privacy & Security → Location Services → ZoneAlert. You can choose "Always", "While Using the App", or "Never". For emergency alerts to work, "Always" is required.
• Android: Go to Settings → Apps → ZoneAlert → Permissions → Location. You can choose "Allow all the time", "Allow only while using the app", or "Don't allow". For emergency alerts to work, "Allow all the time" is required.

Important: If you disable location permissions, ZoneAlert will not be able to provide emergency alerts. The core functionality of the app depends on accessing your location.

10. Children's Privacy

ZoneAlert is not intended for use by children under the age of 13. We do not knowingly collect personal data from children under 13. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately at info@bon.do, and we will delete such data.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or app functionality. We will notify you of significant changes by:

• Posting the updated policy within the ZoneAlert app
• Updating the "Last Updated" date at the top of this policy
• Sending a notification via email or push notification for material changes

Your continued use of ZoneAlert after such changes constitutes your acceptance of the updated policy.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Bon.do ApS
Rantzausmindevej 228
5700 Svendborg
Denmark
CVR: 43473425
Email: info@bon.do
Phone: +45 20 40 59 42

13. Supervisory Authority

You have the right to lodge a complaint with the relevant supervisory authority:

Datatilsynet (Danish Data Protection Agency)
Borgergade 28, 5.
1300 Copenhagen K
Denmark
Email: dt@datatilsynet.dk
Phone: +45 33 19 32 00