This policy explains how CrisisMatrix collects, processes, and protects your personal information in full compliance with UAE PDPL, GDPR, and the EU AI Act.
CrisisMatrix ("we", "our", "us") is an emergency preparedness mobile application operated by Clifford Quadros, operating under Dezign IQ Technologies FZ-LLC (RAKEZ), Ras Al Khaimah, United Arab Emirates (UAE). Our registered contact email is support@crisismatrix.com.
CrisisMatrix is available via the Apple App Store and Google Play Store under the bundle identifier com.crisismatrix.app and accessible at crisismatrix.com.
We are a data controller under the EU General Data Protection Regulation (GDPR) and the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE PDPL) in respect of personal data we process about you.
| Data type | What it includes | Where stored | Who sees it |
|---|---|---|---|
| Account data (optional) | Email address, username, hashed password (if you create an account) | Our secure server (Replit/Supabase) | You only |
| Medical ID (sensitive) | Blood type, allergies, medications, medical conditions, emergency contacts you enter voluntarily | On-device only (not uploaded to server) | You + first responders via lock screen |
| Emergency contacts | Names and phone numbers of your SOS contacts | On-device + our server (for SOS delivery) | Used only for SOS broadcasts |
| Location data (SOS) | GPS coordinates at moment of SOS activation | Transmitted once to contacts; not retained on server beyond 90 days | Your designated SOS contacts only |
| Location data (country detection) (new) | GPS coordinates used to determine ISO country code for emergency number display | On-device only (AsyncStorage, max 24 hours). Never transmitted to our servers. | Not shared — device-local only |
| ARIA conversations | Text queries sent to ARIA when online mode is used | Transmitted to Anthropic API (USA); not stored by us | Anthropic (under DPA) |
| Kit Builder data | Items marked as owned in your 72-hour kit checklist | On-device only | You only |
| Family group data (new) | Your name, relationship label, check-in status, and group membership when you join a Family Safety Network | Our secure server | Other members of your group |
| Device data | Device model, OS version, app version, crash logs | Aggregated analytics only; no personal identifiers | We (for bug fixes only) |

| Purpose | Data used | Legal basis (GDPR) | Legal basis (UAE PDPL) |
|---|---|---|---|
| Deliver SOS GPS broadcast to contacts | Location, emergency contacts | Vital interests (Art. 6(1)(d)) | Emergency response exception |
| Display local emergency numbers (new) | GPS → ISO country code (on-device only) | Legitimate interests (Art. 6(1)(f)) | Legitimate interests |
| Power ARIA AI assistant | Text queries | Consent (Art. 6(1)(a)) | Consent |
| Store Medical ID for first responders | Health data | Vital interests (Art. 9(2)(c)) | Health data provision exception |
| Family group status sharing (new) | Name, status, group membership | Consent (Art. 6(1)(a)) | Consent |
| Improve app performance | Anonymised crash data | Legitimate interests (Art. 6(1)(f)) | Legitimate interests |
| Legal compliance | Account records | Legal obligation (Art. 6(1)(c)) | Legal obligation |
ARIA is an AI system. ARIA (AI Response Intelligence Assistant) is powered by Anthropic's Claude large language model. It is not a licensed medical professional, emergency responder, or first aid instructor. ARIA responses are generated by artificial intelligence and may contain errors, hallucinations, or outdated information.
The EU Artificial Intelligence Act (Regulation EU 2024/1689) applies to AI systems that interact with natural persons, including CrisisMatrix users in the European Union and European Economic Area. The AI Act came into enforcement with respect to general-purpose AI systems on 2 August 2026.
CrisisMatrix uses your device's location for two distinct purposes, each described separately below.
When you activate the SOS feature, your device's GPS coordinates at that moment are transmitted once to your designated emergency contacts via our server. This transmission occurs only when you actively hold the SOS button and confirm the broadcast. SOS location data is retained on our servers for a maximum of 90 days for audit purposes, after which it is permanently deleted.
CrisisMatrix uses your approximate GPS location to determine the ISO country code of your current location. This is used exclusively to display the correct local emergency telephone numbers (police, ambulance, fire) within the app.
CrisisMatrix requests "when in use" (foreground) location permission only. We do not request background location tracking. Location permission is requested when you first open the app. You may revoke this permission at any time in your device Settings → Privacy → Location Services → CrisisMatrix. Revoking location permission will disable the SOS broadcast feature and revert emergency number display to the 112 international fallback.
The SOS feature is a contact notification tool. When activated, it sends a single GPS location broadcast to your pre-designated emergency contacts. It does not contact emergency services (police, ambulance, or fire services) on your behalf. You are responsible for calling emergency services directly.
The app displays a "Call Emergency Services" button that shows the detected local emergency number for your country. When tapped:
The emergency numbers displayed in the app are sourced from publicly available government and international telecommunications databases and are updated periodically. We do not guarantee the accuracy or currency of emergency numbers. Emergency numbers can change. Always verify critical emergency numbers through official government sources for your location.
When you use ARIA in online mode, your text queries are transmitted over an encrypted HTTPS connection to Anthropic's Claude API servers located in the United States. Anthropic processes these queries under a Data Processing Agreement (DPA) with us. Queries are used solely to generate your response and are not used by Anthropic for model training under the standard API tier.
When your device has no internet connection, ARIA operates using a local Retrieval-Augmented Generation (RAG) knowledge base stored entirely on your device. No query data is transmitted anywhere in offline mode.
ARIA does not retain conversation history between sessions. Each conversation starts fresh. We do not store ARIA conversation transcripts on our servers.
See Section 4 for full AI system transparency disclosure required under EU AI Act Article 50.
The Family Safety Network is a voluntary opt-in feature that allows a group of people to share safety status during emergencies. The following applies when you create or join a Family group:
You may only add individuals to a Family group who have voluntarily agreed to join. Adding individuals to a group without their explicit consent may violate their privacy rights under UAE PDPL and GDPR. Group join codes must only be shared with individuals who have consented to participate.
Family group membership, status, and group configuration are stored on our secure servers for the duration of the group's existence. When you leave a group, your member record is deleted within 30 days. When a group is dissolved by the group creator, all member data associated with that group is deleted within 30 days.
Family group data is visible only to members of your specific group. It is not visible to other CrisisMatrix users, the general public, or to us except for technical support purposes.
Your Medical ID contains sensitive health information including blood type, allergies, medications, and medical conditions. This constitutes a special category of personal data under GDPR (Article 9) and sensitive personal data under UAE PDPL.
Your Medical ID data is stored exclusively on your device using encrypted local storage. It is never transmitted to our servers or any third party. The Medical ID is designed to be accessible from your device's lock screen to first responders without requiring your passcode.
First aid and emergency guide content is reviewed periodically against current WHO, Red Cross, Resuscitation Council, and FEMA guidelines. However, medical and emergency protocols change. Always verify critical procedures with current certified training and local professional guidance.
| Third party | Purpose | Data shared | Safeguards |
|---|---|---|---|
| Anthropic, PBC (USA) | ARIA AI responses | Text queries (online mode only) | DPA; SCCs for EU transfers |
| Supabase (server infrastructure) | Account, SOS, Family group data | Account records, SOS logs, Family group data | DPA; EU data residency available |
| Apple / Google | App distribution; in-app purchases (Phase 2) | Purchase receipts (Phase 2 only) | Apple/Google platform agreements |
| RevenueCat (Phase 2) | Subscription management | Purchase records, subscription status | DPA; SOC 2 Type II certified |
| Emergency contacts (your chosen contacts) | SOS notification | Your GPS location at SOS activation | You choose who receives this |
We do not sell your personal data. We do not share personal data with advertisers. CrisisMatrix is ad-free.
CrisisMatrix is operated from the UAE. When EU/EEA users use ARIA in online mode, their query text is transferred to Anthropic's servers in the United States. The UAE does not currently have an EU adequacy decision. We rely on Standard Contractual Clauses (SCCs) under GDPR Article 46(2)(c) for transfers of EU personal data to the USA.
Anthropic's Data Processing Addendum (DPA) incorporating SCCs is available at anthropic.com/legal. Our DPA with Anthropic is available upon request at support@crisismatrix.com.
Family group and account data held on Supabase servers is subject to Supabase's data processing terms and the region of server deployment selected.
Medical ID data, Kit Builder data, and emergency number country detection results are stored on your device using iOS Keychain / Android EncryptedSharedPreferences / AsyncStorage as appropriate. This data is only accessible by the CrisisMatrix app.
Account data, SOS logs (max 90 days), and Family group data are stored on our servers using AES-256 encryption at rest and TLS 1.3 encryption in transit.
All communication between the app and our servers, and between our servers and Anthropic's API, uses TLS 1.3 encryption.
In the event of a data breach involving personal data, we will notify affected users and relevant supervisory authorities (UAE Data Office; relevant EU supervisory authority for EU users) within 72 hours of becoming aware of the breach, as required by GDPR Article 33 and UAE PDPL.
| Data type | Retention period | How to delete |
|---|---|---|
| Medical ID | Until you delete it or uninstall the app | Profile → Medical ID → Delete |
| Emergency contacts | Until you remove them | Profile → Contacts → Remove |
| SOS event logs | 90 days from event | Auto-deleted; request earlier deletion via email |
| ARIA conversation data | Not retained (session only) | N/A — not stored |
| Country code (GPS detection) | Max 24 hours on device | Automatically expires; or clear in Profile |
| Family group data | Until you leave the group (then 30 days) | Family → Leave Group |
| Account data | Until account deletion | Profile → Account → Delete Account |
| Anonymised analytics | Up to 2 years (aggregated, no personal data) | Cannot be individually deleted (no personal data) |
To request deletion of all your personal data, contact us at support@crisismatrix.com with subject line "Data Deletion Request". We will process your request within 30 days as required by GDPR Article 17 and UAE PDPL.
Depending on your location, you have the following rights regarding your personal data:
Request a copy of all personal data we hold about you.
Request correction of inaccurate or incomplete personal data.
Request deletion of your personal data ("right to be forgotten").
Request your data in a structured, machine-readable format.
Object to processing based on legitimate interests.
Request restriction of processing in certain circumstances.
Withdraw consent at any time for consent-based processing. Withdrawal does not affect past processing.
EU users: lodge a complaint with your national supervisory authority. UAE users: contact the UAE Data Office (uaedataoffice.gov.ae).
To exercise any of these rights, email support@crisismatrix.com. We will respond within 30 days (GDPR) or the timeframe required by UAE PDPL.
CrisisMatrix is rated 17+ on the Apple App Store and requires users to be at least 17 years old. We do not knowingly collect personal data from children under 13 (USA COPPA) or under 16 (GDPR). If we become aware that a child under the applicable age has provided personal data, we will delete it immediately. If you believe a child has provided data to us, contact support@crisismatrix.com.
We may update this Privacy Policy from time to time. We will notify you of material changes via in-app notification at least 14 days before they take effect. The "Effective" date at the top of this document will be updated. Your continued use of the app after the effective date constitutes acceptance of the updated policy.
Previous versions of this policy are available on request from support@crisismatrix.com.
For all privacy-related queries, requests, or complaints:
EU users who are dissatisfied with our response may escalate to their national data protection supervisory authority. UAE users may contact the UAE Data Office at uaedataoffice.gov.ae.