SafePath Privacy Policy

Last Updated: April 19, 2026

SafePath ("we," "our," or "us") is an emergency-preparedness app. This policy explains what information SafePath handles, where it goes, and the controls you have over it. We wrote it to describe what the app actually does, not what we'd like it to do.

• Your profile, emergency contacts, household details, evacuation routes, and preparedness progress are stored on your device only.
• A small set of app preferences (notification settings, accessibility options, location-sharing toggle, and similar) syncs across your devices through Apple's iCloud Key-Value Storage if you are signed into iCloud.
• SafePath operates two backend services on AWS: one that aggregates hazard data from public sources, and one that registers your device for push notifications. Both receive coarse location (zip code or latitude/longitude) but neither receives your profile, contacts, or household information.
• Some features query third-party APIs (USGS, NOAA, EPA, NASA FIRMS, FEMA, Mapbox, Apple MapKit, Google Gemini, and others) directly. We send only the data each request needs.
• A code-level audit of the app shows no third-party analytics SDKs, no crash reporting SDKs, no advertising SDKs, and no user-tracking framework. SafePath does not display the App Tracking Transparency prompt because it does not track you across apps or websites.

Information you provide or generate while using SafePath:

• Profile: display name, email address (provided by Sign in with Apple or entered manually), and optional phone number.
• Location data: zip codes and coordinates for the areas you monitor; your current location when you grant the relevant permission; coordinates of meeting points and evacuation route waypoints you save; optionally a home address with coordinates.
• Emergency contacts: names, phone numbers, email addresses, and relationships for the contacts you add to your plan.
• Household details: names, ages, and relationships for household members; optional accessibility and medical information you choose to enter (such as mobility assistance, oxygen or other medical equipment needs, dietary restrictions, special needs descriptions, and a free-text medications list); pet records including name, breed, weight, vaccination status, optional medications, and optional microchip number.
• Preparedness progress: the checklist items, family-plan steps, and home-safety tasks you mark complete.
• App preferences: notification settings, quiet hours, map and accessibility options, theme, alert filter selections, and feature toggles such as community alerts, location sharing, and anonymous reporting.
• Health Guidance input: the free-text questions you type into the Health Guidance feature (see "Health Guidance Feature" below).

The accessibility, medical, and medications fields under household details are optional. You control whether to enter them, and they are not required to use the rest of the app.

• On-device database (Core Data): your profile, emergency contacts, household members, pets, evacuation routes, meeting points, preparedness progress, and cached alert and hazard data. The Core Data store is local-only — CloudKit synchronization is disabled — and the database is removed when you uninstall the app.
• iOS Keychain: your Apple user identifier, the display name and email Apple provides at first sign-in, your APNs push notification token, your subscription entitlement record, and SafePath's third-party API keys. Keychain entries persist across app reinstalls. They are removed when you sign out inside SafePath, or when you erase your device.
• iCloud Key-Value Storage (NSUbiquitousKeyValueStore): the preferences listed below, synced across your devices when you are signed into the same iCloud account. No personal data (profile, contacts, household, routes) is included in this sync.
• UserDefaults: non-personal app state such as onboarding completion, last-used tab, and consent flags.

The preferences synced through iCloud are: push notification toggle; SMS alert toggle; email alert toggle; emergency bypass toggle; quiet hours on/off and start/end times; preferred map type; auto-refresh toggle; data-usage mode; large text, high contrast, and reduce motion toggles; preferred theme; compact view mode; community alerts toggle; location sharing toggle; and anonymous reporting toggle.

SafePath operates two backend services hosted on Amazon Web Services. They are designed to receive only the data each request needs:

• Hazard aggregation API (https://w647z4siyd.execute-api.us-west-2.amazonaws.com/prod). When SafePath fetches alerts, air quality, shelter, utility status, or travel advisory information, it sends a request containing your latitude/longitude, zip code, country code, or radius — depending on the feature. The backend proxies upstream public sources (USGS, NOAA, NASA FIRMS, FEMA, the U.S. State Department, and others) and returns consolidated results. It does not receive your profile, contacts, or household data.
• Push registration API (https://7uy23d1v79.execute-api.us-west-2.amazonaws.com/v1/register). When you allow push notifications, SafePath registers your device with this service so the backend can deliver alerts to you. The registration payload includes your APNs device token, your iOS vendor identifier (a per-vendor device ID provided by iOS), the APNs environment (sandbox or production), your alert preferences (such as alert types and radius), and the zip codes and coordinates of the locations you have chosen to monitor. This information is stored server-side so the backend can target alerts to your device. It is updated whenever your monitored locations change and when your device receives a new APNs token.

If the SafePath backend is unreachable, the app falls back to calling the upstream third-party sources directly. See "Third-Party Services" below.

Retention. Device registration records have a 60-day time-to-live in our database. They are refreshed whenever the app launches, whenever your monitored locations change, and whenever your APNs push token changes, so active devices stay registered. Records that are not refreshed for 60 days are automatically deleted by the database. A record is also deleted when Apple's Push Notification service indicates the token is no longer valid (for example, after you uninstall the app).

Server logs. Our backend API Gateways do not have request access logging enabled, so per-request metadata such as your IP address and the full request path are not written to our logs. Our backend Lambda functions emit operational logs to AWS CloudWatch for debugging; those logs record items such as truncated APNs token prefixes, alert counts, alert-filtering outcomes, and error messages, and in rare error paths may include a coordinate used for a single hazard query. The Lambda logs do not include your name, email address, contact list, household details, or profile data. CloudWatch log retention on these log groups currently follows the AWS default (records are not automatically expired); we plan to set a bounded retention period.

If you would like records associated with your device removed, contact us using the address at the end of this policy.

SafePath communicates with the following third-party services. For each, we send only the data the feature requires. These services are governed by their own privacy policies.

• USGS Earthquake Hazards API — earthquake and seismic data. Receives latitude, longitude, search radius, and minimum magnitude.
• NOAA National Weather Service API — weather alerts and forecasts. Receives latitude and longitude.
• NOAA Weather Radio — live emergency radio audio. The app streams from public NOAA broadcasts; no personal data is transmitted.
• EPA AirNow API — air quality data. Receives latitude, longitude, and search radius.
• NASA FIRMS — wildfire and thermal hotspot data. Receives a bounding box of coordinates.
• FEMA Disaster Declarations — historical disaster context. Receives a county or region identifier.
• U.S. State Department Travel Advisory data — country-level advisories. Receives a country code only. Conflict context is normally fetched through the SafePath backend; if that backend is unreachable, the app falls back to GDELT (api.gdeltproject.org), which receives the country name and a search query.
• Mapbox — offline map tiles and routing. Receives latitude, longitude, and tile coordinates. Mapbox also receives standard request metadata (such as your IP address) inherent to any HTTP request.
• Apple MapKit — map display and geocoding, governed by Apple's privacy policy.
• Google Gemini — see "Health Guidance Feature" below.

The Health Guidance feature sends the free-text questions you type to Google's Gemini API to generate informational guidance. Before you use it for the first time, the app shows a multi-step consent screen.

What is sent to Google: the text of your question and the conversation context for the current session. Each request is wrapped with prompt-injection guardrails and a system instruction. We do not attach your name, email, profile information, location, or any SafePath identifier to the request. Google receives standard request metadata (such as your IP address) inherent to any HTTP request.

What is not stored: the conversation history is held only in memory during your active session and is discarded when the session ends. It is not written to your device's database or to any SafePath server.

Limits: the feature is rate-limited on your device (currently 20 requests per session and 50 per day) to discourage misuse and to manage cost.

Health Guidance is informational and is not medical advice. You can avoid using the feature, and you can disable Health Guidance after first use through the app settings.

Note: in a future release we plan to route Gemini requests through the SafePath backend rather than calling Google directly. We will update this policy when that change ships.

SafePath uses Sign in with Apple for account creation. Apple shares your stable user identifier with the app, and on first sign-in also shares the name and email you choose to provide. The app stores those values in the iOS Keychain and uses them to populate your local profile. Subsequent sign-ins reuse the values stored in Keychain. We do not maintain user accounts, passwords, or session tokens on any server we operate.

A Guest Mode option is available if you prefer not to sign in. Guest Mode creates a local-only profile without contacting Apple's identity service.

Because the Apple identifier, name, and email are stored in the Keychain, they persist across app reinstalls. Sign out from inside SafePath to remove them.

If you enable push notifications, SafePath delivers alerts through Apple's Push Notification service (APNs). Delivery is fanned out by SafePath's push registration backend (described under "SafePath Backend Services"). To make this work, the backend stores your APNs device token, your iOS vendor identifier, the locations you have chosen to monitor, and your alert preferences. The notification content itself is generated from the upstream hazard sources and does not include personal information from your profile.

You can disable push notifications at any time in iOS Settings. Removing your device registration from our backend is part of sign-out; if you would like a manual record removal, contact us.

SafePath uses these identifiers:

• Apple user identifier — provided by Sign in with Apple, stored in Keychain, used to recognize you on this device.
• iOS vendor identifier (identifierForVendor) — a per-vendor device ID provided by iOS. Sent to SafePath's push registration backend so we can associate APNs tokens with a device record.
• APNs device token — sent to Apple by iOS and to SafePath's push backend so we can deliver notifications.

SafePath does not use the IDFA (advertising identifier) and does not show the App Tracking Transparency prompt.

SafePath offers an optional Plus subscription (monthly and annual) and one-time tip purchases. All transactions are processed by Apple through StoreKit and the App Store. SafePath verifies receipts on-device using StoreKit's native verification — there is no third-party receipt validation service in the app — and caches your entitlement tier in the Keychain so the app can recognize your subscription offline. Apple's handling of payment and account information is governed by Apple's privacy policy.

Based on a code-level audit of the app, SafePath does not include third-party analytics SDKs (such as Firebase, Mixpanel, Amplitude, or Segment), does not include third-party crash reporting SDKs (such as Sentry, Crashlytics, or Bugsnag), does not include advertising SDKs, and does not use the iOS App Tracking Transparency framework because it does not track you across other companies' apps or websites. The app records local diagnostic logs through Apple's unified logging system; those logs stay on your device unless you choose to share them with us for support.

You can optionally protect access to SafePath with Face ID, Touch ID, or your device passcode. Authentication is handled entirely by iOS through the LocalAuthentication framework. SafePath does not see, store, or transmit your biometric data.

Your data is protected by standard iOS platform security: app sandboxing, device encryption, and the protections you enable on your device (passcode, Face ID, Touch ID). Sensitive items in the Keychain are stored with the kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly attribute. SafePath generates an encryption key for the local Core Data store and stores that key in the Keychain.

Network requests use HTTPS.

We do not sell, rent, or trade your personal information. We do not share your information with advertisers or data brokers. The only information that leaves your device is what is described in "SafePath Backend Services" and "Third-Party Services" above, used solely to deliver app functionality.

• You can view, edit, or delete any information you have entered in the app at any time.
• You can export your profile, emergency contacts, and notification settings in JSON or CSV from Data Management. (The current export does not include household members, pets, or saved evacuation routes; we plan to broaden this.)
• Signing out from inside SafePath erases the local Core Data database and removes Apple identity, push token, and subscription items from the Keychain on this device.
• You can revoke location, notification, and contacts permissions at any time in iOS Settings.
• Uninstalling the app removes the local Core Data database. Items stored in the Keychain (Apple identifier, display name, email, push token, subscription record) persist across reinstall by design — sign out first if you want them removed.
• You can clear iCloud-synced preferences from Data Management; this also removes them from your other devices that are signed into the same iCloud account.

SafePath is a general-audience app and is not directed at children under 13. We do not knowingly collect personal information directly from children under 13. A parent or guardian may choose to record information about a minor as a household member to support emergency planning; that information is stored locally on the parent's device under the same controls that apply to other household data and is not transmitted to SafePath's backend or to third parties. If you believe a child has used SafePath to provide information directly to us, please contact us and we will take appropriate action.

We may update this Privacy Policy as the app changes. When we do, we will revise the "Last Updated" date at the top of this document and make the updated policy available within the app. Continued use of SafePath after changes constitutes acceptance of the updated policy.

For questions about this Privacy Policy, or to request removal of records associated with your device from SafePath's backend services, contact us at safepathteam@gmail.com.