Privacy Policy
1. Introduction
This Privacy Policy explains how we process personal data in the Callouts emergency response and incident management application (the "App"). This App is not a consumer social application, but an operational system used by public-interest and emergency response organisations (including search and rescue units and coast guard services) to coordinate emergency callouts, manage incidents, and ensure public safety.
2. Data Controller
The Data Controller (and, where applicable, data processor) for the Callouts application and platform is Flair Technologies Limited, a company incorporated in Ireland with company number 746522. Your team or organisation may administer membership and use of the App; for the purposes of this policy, Flair Technologies Limited is the data controller responsible for how personal data is processed through the App. For general privacy inquiries related to the App platform, please contact:
Data Protection Contact
Email: privacy@calloutsapp.com
If you have concerns about how your personal data is being processed, you may also contact the Irish Data Protection Commission:
Irish Data Protection Commission
Website: https://www.dataprotection.ie
Phone: +353 57 868 4800
3. Purpose and Legal Basis
3.1 Purpose
We process your personal data to:
- Coordinate emergency callouts and incident management
- Record notifications, acknowledgements, and response timestamps
- Track responder availability and status during active incidents
- Support post-incident reviews, investigations, and accountability
- Ensure public safety and protect life
3.2 Legal Basis
We process your personal data under the following legal bases under GDPR:
Article 6(1)(e) – Public Interest
The processing is necessary for the performance of a task carried out in the public interest. Emergency response and incident management serve a clear public interest in protecting life and public safety.
Article 6(1)(d) – Vital Interests
The processing is necessary to protect the vital interests of the data subject or another natural person. During emergency incidents, processing location and response data directly protects life.
Article 6(1)(c) – Legal Obligation
Where applicable, processing may be necessary to comply with legal obligations (e.g., incident reporting requirements, coronial inquiries, regulatory compliance).
3.3 Enhanced Special Category Data
Where we process special category personal data (such as location data during emergencies or health-related information in incident reports, including casualty data), we rely on:
Article 9(2)(c) – Vital Interests
Processing is necessary to protect the vital interests of the data subject or another natural person where the data subject is physically or legally incapable of giving consent. This applies particularly to casualty and medical data recorded during incidents.
Article 9(2)(g) – Substantial Public Interest
Processing is necessary for reasons of substantial public interest, specifically public safety and emergency response. This also applies to casualty and medical data, where consent is not relied upon in emergency situations.
4. Data Categories Collected
We collect and process the following categories of personal data:
4.1 Identity and Role Information
- Full name
- Team/unit affiliation
- Role within the organisation (e.g., Responder, OIC, Admin)
- User identification number
4.2 Contact Details
- Phone number (used for authentication and emergency communications)
- Push notification tokens (device-specific identifiers for delivering alerts)
4.3 App Usage and Operational Data
- Callout notifications sent and received
- Response acknowledgements and timestamps
- Availability status (including "Do Not Disturb" settings)
- Audit logs of app activity for accountability and troubleshooting
4.4 Location Data
- Real-time location coordinates during active callouts (where enabled)
- Location history during active incident responses
- Location data is only collected and transmitted when you are actively responding to a callout and have enabled location tracking
4.5 Device and Security Metadata
- Device identification numbers
- Platform information (iOS/Android)
- Security logs and authentication records
- App version and technical diagnostic data (when enhanced logging is enabled)
4.6 Incident Records
- Callout details (title, description, timestamps)
- Notes added to incidents
- Response records and responder tracking
- Stand-down and closure information
4.7 Casualty and Medical Data
Responders may record operational notes during incidents which can include:
- Casualty condition or status (e.g., conscious, unconscious, stable, critical)
- Observed injuries (e.g., lacerations, fractures, burns)
- Medical needs or actions taken (e.g., first aid administered, medication details, vital signs)
- Welfare or safety-related observations (e.g., signs of hypothermia, distress)
This information is recorded only where necessary to:
- Protect life and ensure the safety of individuals
- Coordinate emergency response efforts effectively
- Ensure continuity of care for casualties
- Support post-incident review, investigations, and legal accountability
5. How We Use Your Data
Your personal data is used exclusively for:
- Emergency Coordination: Sending callout notifications, tracking responder status, and managing incident response
- Accountability: Maintaining records of who was notified, who responded, and response times for post-incident review
- Safety: Tracking location during active incidents to ensure responder safety and coordinate response efforts
- Audit and Compliance: Maintaining audit logs to support investigations, regulatory compliance, and accountability requirements
5.1 Casualty and Medical Data Use
Casualty and medical data recorded in notes is used to:
- Inform on-scene decision-making and resource allocation
- Provide critical information to other emergency services or medical personnel
- Form part of the official incident record for review and accountability
Responders are instructed to record factual, operationally relevant information only and to avoid unnecessary or speculative personal detail.
6. Data Sharing
6.1 Within Your Organisation
Your personal data is accessible to:
- Team administrators and officers in charge (OICs)
- Team members (limited to information necessary for coordination, such as responder status during active callouts)
6.2 External Sharing
Organisational Teams
We may share your data with the organisation(s) that your team(s) belong to. This includes:
- Team membership information
- Response records and availability status
- Incident participation records
This sharing is necessary for the organisation to manage its emergency response operations and ensure accountability.
Authorities and Investigators
We may be required to share data with:
- Investigative authorities conducting incident reviews
- Coroners or similar oversight bodies
- Regulatory bodies with jurisdiction over emergency services
Such sharing occurs only where legally required or necessary for public interest purposes.
Technical Service Providers
We use third-party service providers (including AWS and Expo) under strict data processing agreements to host and operate the App. These providers process data only as necessary to provide technical services and are bound by data protection obligations.
6.3 No Commercial Use
We do not sell, rent, or share your personal data for commercial purposes.
7. Data Retention
7.1 Incident Records
Callout and incident records are retained for defined periods (typically 7 years or as required by law) to:
- Evidence what occurred during incidents
- Support legal proceedings, coronial inquiries, and regulatory reviews
- Maintain accountability and operational history
7.2 Other Data
- User account data: Retained while you remain a team member
- Location data: Retained only during active callouts and deleted after incident closure (typically within 90 days unless required for investigations)
- Audit logs: Retained for 90 days unless required for specific investigations
- Notification tokens: Retained while your account is active
7.3 Casualty Notes Retention
Casualty notes form part of the official incident record. Such records are:
- Retained in line with incident retention policies (typically 7 years or as required by law)
- Not deleted or edited on request where required for legal, investigatory, or public-interest purposes
- Maintained to ensure the integrity of contemporaneous operational records
8. Your Rights Under GDPR
You have the following rights regarding your personal data:
8.1 Right of Access (Article 15)
You may request access to the personal data we hold about you.
8.2 Right to Rectification (Article 16)
You may request correction of inaccurate or incomplete personal data.
8.3 Right to Restriction (Article 18)
You may request restriction of processing in certain circumstances.
8.4 Right to Object (Article 21) – Limited Application
You may object to processing based on public interest or legitimate interests. However, this right may be limited in emergency response contexts, particularly for data (including casualty data) where processing is necessary to protect life, public safety, or for legal accountability.
8.5 Right to Erasure (Article 17) – Limited Application
Important: The right to erasure does not generally apply to incident records, callout history, response data, or casualty notes, as retention is required for:
- Legal obligations (e.g., incident reporting requirements)
- Public interest (e.g., accountability, investigations)
- Vital interests (e.g., ensuring emergency response effectiveness, protecting life)
You may request erasure of non-incident data (e.g., your user account after leaving a team), subject to retention requirements for audit and accountability purposes.
8.6 Exercising Your Rights
To exercise your rights, contact your team administrator or email privacy@calloutsapp.com. We will respond within one month, though complex requests may take longer.
9. Security Measures
We implement technical and organisational measures to protect your personal data:
9.1 General Safeguards
- Access Control: Role-based access controls ensure data is accessible only to authorised personnel
- Encryption: Data is encrypted in transit (HTTPS/TLS) and at rest (database encryption)
- Secure Hosting: Data is hosted on AWS infrastructure with appropriate security controls
- Audit Logging: Comprehensive audit logs track access and modifications
- Authentication: Strong authentication requirements (phone number verification, JWT tokens)
9.2 Casualty Data Safeguards
- Restricted Access: Access to casualty notes is strictly limited to authorised personnel who require it for operational, review, or accountability purposes.
- Auditability: All access to casualty notes is logged and auditable.
- Data Minimisation: Responders are instructed to record only factual, operationally relevant information and to avoid unnecessary or speculative personal detail.
10. International Transfers
Personal data is processed primarily by AWS services hosted in the EU (eu-west-1 region), but may also be processed outside the European Economic Area (EEA). Where data is transferred outside the EEA, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs)
- Adequacy decisions where applicable
- Data processing agreements with service providers
11. Automated Decision-Making
We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be notified through the App. The latest version is always available at https://calloutsapp.com/privacy-policy.
13. Contact
For privacy inquiries:
- Email: privacy@calloutsapp.com
- Support: support@calloutsapp.com
Last Updated: January 2026