Legal Document

Privacy Policy

This policy explains how CrisisMatrix collects, processes, and protects your personal information in full compliance with UAE PDPL, GDPR, and the EU AI Act.

Version 2.1 | Effective: 1 July 2026 | UAE PDPL compliant | GDPR compliant | EU AI Act Art. 50 compliant

Table of Contents

  1. Who we are
  2. What data we collect
  3. How we use your data
  4. AI system — ARIA disclosure (EU AI Act)
  5. Location data & emergency numbers
  6. Emergency features
  7. ARIA AI assistant
  8. Family Safety Network
  9. Medical ID & health information
  10. Data sharing & third parties
  11. International data transfers
  12. Data storage & security
  13. Data retention & deletion
  14. Your rights
  15. Children's privacy
  16. Changes to this policy
  17. Contact us

1

Who we are

CrisisMatrix ("we", "our", "us") is an emergency preparedness mobile application operated by Clifford Quadros, operating under Dezign IQ Technologies FZ-LLC (RAKEZ), Ras Al Khaimah, United Arab Emirates (UAE). Our registered contact email is support@crisismatrix.com.

CrisisMatrix is available via the Apple App Store and Google Play Store under the bundle identifier com.crisismatrix.app and accessible at crisismatrix.com.

We are a data controller under the EU General Data Protection Regulation (GDPR) and the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE PDPL) in respect of personal data we process about you.

2

What data we collect

| Data type | What it includes | Where stored | Who sees it |
|---|---|---|---|
| Account data (optional) | Email address, username, hashed password (if you create an account) | Our secure server (Replit/Supabase) | You only |
| Medical ID [Sensitive] | Blood type, allergies, medications, medical conditions, emergency contacts you enter voluntarily | On-device only (not uploaded to server) | You + first responders via lock screen |
| Emergency contacts | Names and phone numbers of your SOS contacts | On-device + our server (for SOS delivery) | Used only for SOS broadcasts |
| Location data (SOS) | GPS coordinates at moment of SOS activation | Transmitted once to contacts; not retained on server beyond 90 days | Your designated SOS contacts only |
| Location data (country detection) [New] | GPS coordinates used to determine ISO country code for emergency number display | On-device only (AsyncStorage, max 24 hours). Never transmitted to our servers. | Not shared — device-local only |
| ARIA conversations | Text queries sent to ARIA when online mode is used | Transmitted to Anthropic API (USA); not stored by us | Anthropic (under DPA) |
| Kit Builder data | Items marked as owned in your 72-hour kit checklist | On-device only | You only |
| Family group data [New] | Your name, relationship label, check-in status, and group membership when you join a Family Safety Network | Our secure server | Other members of your group |
| Device data | Device model, OS version, app version, crash logs | Aggregated analytics only; no personal identifiers | We (for bug fixes only) |

3

How we use your data

| Purpose | Data used | Legal basis (GDPR) | Legal basis (UAE PDPL) |
|---|---|---|---|
| Deliver SOS GPS broadcast to contacts | Location, emergency contacts | Vital interests (Art. 6(1)(d)) | Emergency response exception |
| Display local emergency numbers [New] | GPS → ISO country code (on-device only) | Legitimate interests (Art. 6(1)(f)) | Legitimate interests |
| Power ARIA AI assistant | Text queries | Consent (Art. 6(1)(a)) | Consent |
| Store Medical ID for first responders | Health data | Vital interests (Art. 9(2)(c)) | Health data provision exception |
| Family group status sharing [New] | Name, status, group membership | Consent (Art. 6(1)(a)) | Consent |
| Improve app performance | Anonymised crash data | Legitimate interests (Art. 6(1)(f)) | Legitimate interests |
| Legal compliance | Account records | Legal obligation (Art. 6(1)(c)) | Legal obligation |

4

AI system disclosure (EU AI Act Article 50)

⚡ AI Transparency — Required Disclosure under EU AI Act Article 50

ARIA is an AI system. ARIA (AI Response Intelligence Assistant) is powered by Anthropic's Claude large language model. It is not a licensed medical professional, emergency responder, or first aid instructor. ARIA responses are generated by artificial intelligence and may contain errors, hallucinations, or outdated information.

The EU Artificial Intelligence Act (Regulation EU 2024/1689) applies to AI systems that interact with natural persons, including CrisisMatrix users in the European Union and European Economic Area. The AI Act came into enforcement with respect to general-purpose AI systems on 2 August 2026.

What this means for ARIA

AI system transparency information

🤖
ARIA responses are never reviewed by a licensed medical professional before delivery. Always call local emergency services ({local emergency number}) in any life-threatening situation — do not wait for an AI response.

5

Location data & emergency number detection [Updated]

CrisisMatrix uses your device's location for two distinct purposes, each described separately below.

5.1 — SOS GPS broadcast

When you activate the SOS feature, your device's GPS coordinates at that moment are transmitted once to your designated emergency contacts via our server. This transmission occurs only when you actively hold the SOS button and confirm the broadcast. SOS location data is retained on our servers for a maximum of 90 days for audit purposes, after which it is permanently deleted.

5.2 — Emergency number country detection [New]

CrisisMatrix uses your approximate GPS location to determine the ISO country code of your current location. This is used exclusively to display the correct local emergency telephone numbers (police, ambulance, fire) within the app.

5.3 — How location permission works

CrisisMatrix requests "when in use" (foreground) location permission only. We do not request background location tracking. Location permission is requested when you first open the app. You may revoke this permission at any time in your device Settings → Privacy → Location Services → CrisisMatrix. Revoking location permission will disable the SOS broadcast feature and revert emergency number display to the 112 international fallback.

6

Emergency features [New]

6.1 — SOS broadcast

The SOS feature is a contact notification tool. When activated, it sends a single GPS location broadcast to your pre-designated emergency contacts. It does not contact emergency services (police, ambulance, or fire services) on your behalf. You are responsible for calling emergency services directly.

6.2 — Emergency call button

The app displays a "Call Emergency Services" button that shows the detected local emergency number for your country. When tapped:

🚨
CrisisMatrix does not contact emergency services. In any life-threatening situation, always call your local emergency services directly. Do not rely on the SOS broadcast or any app feature as a substitute for calling emergency services.

6.3 — Emergency number accuracy

The emergency numbers displayed in the app are sourced from publicly available government and international telecommunications databases and are updated periodically. We do not guarantee the accuracy or currency of emergency numbers. Emergency numbers can change. Always verify critical emergency numbers through official government sources for your location.

7

ARIA AI assistant

Online mode (Claude API)

When you use ARIA in online mode, your text queries are transmitted over an encrypted HTTPS connection to Anthropic's Claude API servers located in the United States. Anthropic processes these queries under a Data Processing Agreement (DPA) with us. Queries are used solely to generate your response and are not used by Anthropic for model training under the standard API tier.

Offline mode (on-device RAG)

When your device has no internet connection, ARIA operates using a local Retrieval-Augmented Generation (RAG) knowledge base stored entirely on your device. No query data is transmitted anywhere in offline mode.

Conversation history

ARIA does not retain conversation history between sessions. Each conversation starts fresh. We do not store ARIA conversation transcripts on our servers.

EU AI Act compliance

See Section 4 for full AI system transparency disclosure required under EU AI Act Article 50.

8

Family Safety Network [New]

The Family Safety Network is a voluntary opt-in feature that allows a group of people to share safety status during emergencies. The following applies when you create or join a Family group:

8.1 — What is shared within your group

8.2 — Consent and group membership

You may only add individuals to a Family group who have voluntarily agreed to join. Adding individuals to a group without their explicit consent may violate their privacy rights under UAE PDPL and GDPR. Group join codes must only be shared with individuals who have consented to participate.

8.3 — Data stored on our servers

Family group membership, status, and group configuration are stored on our secure servers for the duration of the group's existence. When you leave a group, your member record is deleted within 30 days. When a group is dissolved by the group creator, all member data associated with that group is deleted within 30 days.

8.4 — Visibility

Family group data is visible only to members of your specific group. It is not visible to other CrisisMatrix users, the general public, or to us except for technical support purposes.

9

Medical ID & health information [Updated]

Your Medical ID contains sensitive health information including blood type, allergies, medications, and medical conditions. This constitutes a special category of personal data under GDPR (Article 9) and sensitive personal data under UAE PDPL.

Storage

Your Medical ID data is stored exclusively on your device using encrypted local storage. It is never transmitted to our servers or any third party. The Medical ID is designed to be accessible from your device's lock screen to first responders without requiring your passcode.

First aid guide content — important disclaimer

⚠️
The CPR, AED, Recovery Position, and first aid guides in CrisisMatrix are for reference and educational purposes only. They do not constitute professional medical training or advice. Following these guides does not qualify you to perform these procedures. We strongly recommend completing a certified first aid and CPR course from an accredited provider (Red Cross, St John Ambulance, or equivalent). CrisisMatrix is not liable for outcomes resulting from following guide content.

Accuracy of guide content

First aid and emergency guide content is reviewed periodically against current WHO, Red Cross, Resuscitation Council, and FEMA guidelines. However, medical and emergency protocols change. Always verify critical procedures with current certified training and local professional guidance.

10

Data sharing & third parties

| Third party | Purpose | Data shared | Safeguards |
|---|---|---|---|
| Anthropic, PBC (USA) | ARIA AI responses | Text queries (online mode only) | DPA; SCCs for EU transfers |
| Supabase (server infrastructure) | Account, SOS, Family group data | Account records, SOS logs, Family group data | DPA; EU data residency available |
| Apple / Google | App distribution; in-app purchases (Phase 2) | Purchase receipts (Phase 2 only) | Apple/Google platform agreements |
| RevenueCat (Phase 2) | Subscription management | Purchase records, subscription status | DPA; SOC 2 Type II certified |
| Emergency contacts (your chosen contacts) | SOS notification | Your GPS location at SOS activation | You choose who receives this |

We do not sell your personal data. We do not share personal data with advertisers. CrisisMatrix is ad-free.

11

International data transfers

CrisisMatrix is operated from the UAE. When EU/EEA users use ARIA in online mode, their query text is transferred to Anthropic's servers in the United States. The UAE does not currently have an EU adequacy decision. We rely on Standard Contractual Clauses (SCCs) under GDPR Article 46(2)(c) for transfers of EU personal data to the USA.

Anthropic's Data Processing Addendum (DPA) incorporating SCCs is available at anthropic.com/legal. Our DPA with Anthropic is available upon request at support@crisismatrix.com.

Family group and account data held on Supabase servers is subject to Supabase's data processing terms and the region of server deployment selected.

12

Data storage & security

On-device storage

Medical ID data, Kit Builder data, and emergency number country detection results are stored on your device using iOS Keychain / Android EncryptedSharedPreferences / AsyncStorage as appropriate. This data is only accessible by the CrisisMatrix app.

Server-side storage

Account data, SOS logs (max 90 days), and Family group data are stored on our servers using AES-256 encryption at rest and TLS 1.3 encryption in transit.

API communication

All communication between the app and our servers, and between our servers and Anthropic's API, uses TLS 1.3 encryption.

Security incidents

In the event of a data breach involving personal data, we will notify affected users and relevant supervisory authorities (UAE Data Office; relevant EU supervisory authority for EU users) within 72 hours of becoming aware of the breach, as required by GDPR Article 33 and UAE PDPL.

13

Data retention & deletion

| Data type | Retention period | How to delete |
|---|---|---|
| Medical ID | Until you delete it or uninstall the app | Profile → Medical ID → Delete |
| Emergency contacts | Until you remove them | Profile → Contacts → Remove |
| SOS event logs | 90 days from event | Auto-deleted; request earlier deletion via email |
| ARIA conversation data | Not retained (session only) | N/A — not stored |
| Country code (GPS detection) | Max 24 hours on device | Automatically expires; or clear in Profile |
| Family group data | Until you leave the group (then 30 days) | Family → Leave Group |
| Account data | Until account deletion | Profile → Account → Delete Account |
| Anonymised analytics | Up to 2 years (aggregated, no personal data) | Cannot be individually deleted (no personal data) |

To request deletion of all your personal data, contact us at support@crisismatrix.com with subject line "Data Deletion Request". We will process your request within 30 days as required by GDPR Article 17 and UAE PDPL.

14

Your rights

Depending on your location, you have the following rights regarding your personal data:

Right of access

Request a copy of all personal data we hold about you.

Right to rectification

Request correction of inaccurate or incomplete personal data.

Right to erasure

Request deletion of your personal data ("right to be forgotten").

Right to portability

Request your data in a structured, machine-readable format.

Right to object

Object to processing based on legitimate interests.

Right to restrict

Request restriction of processing in certain circumstances.

Right to withdraw consent

Withdraw consent at any time for consent-based processing. Withdrawal does not affect past processing.

Right to lodge a complaint

EU users: lodge a complaint with your national supervisory authority. UAE users: contact the UAE Data Office (uaedataoffice.gov.ae).

To exercise any of these rights, email support@crisismatrix.com. We will respond within 30 days (GDPR) or the timeframe required by UAE PDPL.

15

Children's privacy

CrisisMatrix is rated 17+ on the Apple App Store and requires users to be at least 17 years old. We do not knowingly collect personal data from children under 13 (USA COPPA) or under 16 (GDPR). If we become aware that a child under the applicable age has provided personal data, we will delete it immediately. If you believe a child has provided data to us, contact support@crisismatrix.com.

16

Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be notified to you via in-app notification at least 14 days before they take effect. The "Effective" date at the top of this document will be updated. Your continued use of the app after the effective date constitutes acceptance of the updated policy.

Previous versions of this policy are available on request from support@crisismatrix.com.

17

Contact us

For all privacy-related queries, requests, or complaints:

EU users who are dissatisfied with our response may escalate to their national data protection supervisory authority. UAE users may contact the UAE Data Office at uaedataoffice.gov.ae.