GDPR Compliance
Last updated: January 16, 2026
1. Introduction
The General Data Protection Regulation (GDPR) is a European Union regulation on data protection and privacy. If you are located in the European Economic Area (EEA), this page outlines your rights and how we comply with GDPR requirements.
2. Data Controller
Are You Alive? acts as the data controller for personal data collected through our Service. This means we determine the purposes and means of processing your personal data.
Contact our Data Protection team at: [email protected]
3. Legal Basis for Processing
We process your personal data under the following legal bases:
3.1 Contract Performance
Processing necessary to provide the Service you've requested:
- Account creation and management
- Check-in functionality
- Friend system features
- Emergency contact notifications
3.2 Consent
Processing based on your explicit consent:
- Contact syncing for friend suggestions
- Marketing communications (optional)
- Non-essential analytics
3.3 Legitimate Interests
Processing necessary for our legitimate business interests:
- Service improvement and analytics
- Security and fraud prevention
- Customer support
4. Your Rights Under GDPR
As an EEA resident, you have the following rights:
4.1 Right of Access
You can request a copy of the personal data we hold about you. We will provide this information within 30 days.
4.2 Right to Rectification
You can request correction of inaccurate or incomplete personal data. You can also update most information directly in the app.
4.3 Right to Erasure ("Right to be Forgotten")
You can request deletion of your personal data. You can also delete your account directly in the app settings.
4.4 Right to Restrict Processing
You can request that we limit the processing of your personal data in certain circumstances.
4.5 Right to Data Portability
You can request your personal data in a structured, commonly used, machine-readable format.
4.6 Right to Object
You can object to processing of your personal data based on legitimate interests or for direct marketing purposes.
4.7 Rights Related to Automated Decision Making
We do not currently use automated decision-making or profiling that produces legal effects.
5. Exercising Your Rights
To exercise any of these rights, please contact us at:
- Email: [email protected]
- Subject line: "GDPR Request - [Type of Request]"
We will respond within 30 days. We may request identification to verify your identity before processing requests.
6. Data Transfers
Your data may be transferred to and processed in countries outside the EEA. When this occurs, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions for certain countries
- Binding Corporate Rules where applicable
7. Data Protection Impact Assessments
We conduct Data Protection Impact Assessments (DPIAs) when processing is likely to result in high risk to the rights and freedoms of individuals.
8. Data Breach Notification
In the event of a personal data breach, we will:
- Notify the relevant supervisory authority within 72 hours (where required)
- Notify affected individuals without undue delay if the breach is likely to result in high risk
- Document all breaches and our response
9. Supervisory Authority
If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection supervisory authority.
You can find your local supervisory authority at: European Data Protection Board Members
11. Detailed Breakdown of Your GDPR Rights
To ensure you have full control over your digital footprint, we have implemented tools and processes that allow you to exercise your GDPR rights with ease.
11.1 Right to Access and Portability
You have the right to know exactly what data we hold about you. This includes your account profile, check-in history, friend list, and notification settings. When you request your data, we will provide it in a standard, machine-readable JSON format. This allows you to "port" your data to another service provider if you choose to do so.
11.2 Right to Erasure (The "Right to be Forgotten")
If you decide to leave **Are You Alive?**, you have the right to have all your personal information permanently deleted from our systems. This includes:
- Your hashed contact data
- Your friendship connections
- Your entire check-in history
- Your profile metadata (bio, avatar URLs)
Please note that some data may persist in our encrypted backups for up to 30 days before being fully overwritten.
12. How to Submit a Data Subject Access Request (DSAR)
We have streamlined the process for submitting a formal DSAR. You do not need a lawyer or a complex form. Simply email **[email protected]** with the subject line "Formal DSAR Request."
To protect your privacy, we will require you to verify your identity using the email address associated with your account. Once verified, our Data Protection team will process your request within 30 calendar days, free of charge.
13. Data Protection Impact Assessments (DPIA)
As part of our commitment to "Privacy by Design," we conduct a formal Data Protection Impact Assessment (DPIA) for every major new feature we develop. A DPIA helps us identify and minimize any privacy risks before a single line of code is released to production.
For example, when we designed our friend recommendation system, our DPIA led us to the decision to use one-way cryptographic hashing of phone numbers, ensuring that we never store "plain text" contacts on our servers.
14. Our Unified Response to Data Breaches
While we implement multi-layered security, we are prepared for the worst-case scenario. Our Data Breach Response Plan is activated the moment a potential vulnerability or unauthorized access is detected.
- **Identification:** Our automated systems and security researchers identify the scope of the breach.
- **Containment:** We immediately isolate the affected systems to prevent further loss.
- **Notification:** If your data is affected and carries a high risk to your rights, we will notify you and the relevant supervisory authority within 72 hours.
- **Review:** After any incident, we conduct a "post-mortem" to learn and strengthen our defenses.
15. The Future of Privacy Law and Our Compliance Roadmap
The landscape of global privacy law is constantly shifting. Beyond GDPR, we are already aligning our practices with emerging regulations like the EU AI Act and the various evolving state-level privacy laws in the United States.
We don't view compliance as a "box-ticking" exercise. We view it as a fundamental part of our mission to build a safer, more respectful internet. Whether you are in Berlin, London, New York, or Kathmandu, you deserve the same high standard of privacy.
A Global Standard for a Global Community
While GDPR is a European regulation, we have chosen to apply its core principles—transparency, minimalism, and user agency—to our entire global user base. We believe that everyone, regardless of where they live, should have the right to own their data and control their digital life.
17. The Principle of Accountability
Under GDPR, the principle of accountability requires us to demonstrate that we comply with all other principles of the regulation. We don't just say we're private; we prove it through our internal documentation, our training of staff, and our regular security audits.
We maintain a "Record of Processing Activities" (ROPA) as required by Article 30 of the GDPR. This record is a living document that maps every piece of data we collect to its legal basis, storage location, and retention period.
18. Our Commitment to Data Protection by Default
"Data Protection by Default" means that our Service is configured to be as private as possible right out of the box. You don't have to go through complex menus to "opt out" of invasive tracking, because that tracking doesn't exist in the first place.
For example, your profile is set to "Private" by default, and your check-in status is only visible to people you have explicitly accepted as Friends. We believe the burden of privacy should be on the provider, not the user.
19. The Intersection of GDPR and Safety Technology
Building a safety app under GDPR presents unique challenges. We must balance the need for rapid data sharing (in an emergency) with the strict requirements of data protection. Our solution is "Conditional Disclosure."
Your emergency contact's data is only processed when a specific condition is met: a missed check-in. This ensures that we are only processing the minimum amount of data necessary at the moment it is actually needed for your safety.
Final Thoughts: A Human-Centric Privacy Model
At the end of the day, GDPR is about human dignity. It's about ensuring that technology serves people, rather than people serving technology. At **Are You Alive?**, we embrace this philosophy fully. We are proud to be part of a new generation of apps that prove you can build powerful, life-saving tools without sacrificing the fundamental right to privacy.
20. Contacting the Supervisory Authority
If you feel that our processing of your personal data infringes on the GDPR, you have the right to lodge a complaint with a supervisory authority in the Member State of your habitual residence, place of work, or place of the alleged infringement.