Privacy Policy

Last updated: April 12, 2026

Effective date: April 12, 2026

1. Data Controller

Nordic Trade Hub AB

Org.nr: 559519-8192

Mjolnarvagen 10 a, 131 74 Nacka, Sweden

Email: contact@sosready.app

This Privacy Policy explains how Nordic Trade Hub AB ("we," "us," or "our") collects, uses, stores, and protects your personal data when you use the SOSReady mobile application ("the App"). This policy applies to all users of the App, regardless of location, and is designed to comply with the General Data Protection Regulation (GDPR) (EU) and the Lei Geral de Proteção de Dados (LGPD) (Brazil).

2. About SOSReady

SOSReady is an AI-powered family emergency preparedness application available on iOS and Android. The App helps families prepare for crises through readiness scoring, emergency checklists, shelter maps, crisis alerts, family SOS coordination, and AI-powered crisis guidance. The App is available in English, Portuguese (Brazil), Swedish, Spanish, and Estonian.

3. Personal Data We Collect

3.1 Data You Provide Directly

  • Phone number — Used for account authentication via Firebase Auth phone sign-in.
  • Display name — Your chosen name within the App.
  • Home location — Country and city, as entered by you (not derived from GPS).
  • Household composition — Number of adults, children, toddlers, elderly persons, persons with disabilities, and pets in your household.
  • Crisis type preferences — The types of crises you wish to prepare for (e.g., war, pandemic, natural disaster).
  • Emergency contacts — Name, phone number, and relationship of contacts you designate for SOS emergencies.
  • Checklist and supply data — Emergency supply items, their checked/unchecked status, and expiry dates.
  • Readiness score — Calculated from your checklist completion and overall preparation status.

3.2 Data Collected Automatically

  • Device location (GPS) — Collected only when you actively trigger SOS mode. Used to share your location with your emergency contacts and to locate nearby shelters. Location is never tracked continuously or in the background.
  • Analytics events — App usage events collected via Firebase Analytics / Google Analytics 4 (e.g., screen views, feature usage). These events are anonymized and do not identify you personally.
  • Crash reports — Collected via Firebase Crashlytics, including device model, operating system version, and stack traces. No personal data is included in crash reports.
  • Push notification tokens — Generated by Firebase Cloud Messaging, used to deliver crisis alerts and notifications to your device.
  • Device information — Operating system type, app version, and language preference.

3.3 Data We Do NOT Collect

  • We do not access your browsing history.
  • We do not access your device contacts list. Emergency contacts are entered manually by you.
  • We do not access your microphone or camera.
  • We do not collect health data.
  • We do not use advertising identifiers. There are no ads in the App.
  • We never track your location in the background.

4. How We Use Your Data

We process your personal data for the following purposes:

  • Providing the core service — Authentication, storing your preferences, managing your emergency contacts, checklists, and readiness score.
  • Emergency SOS coordination — Sharing your location and sending SMS alerts to your emergency contacts when you activate SOS mode.
  • Crisis alerts — Sending push notifications about relevant crises based on your location and preferences.
  • AI-powered crisis guidance — Providing contextual crisis advice through our AI chat feature using anonymized crisis context.
  • Service improvement — Analyzing anonymized usage patterns to improve App functionality and user experience.
  • Stability and reliability — Monitoring crash reports to identify and fix bugs.
  • Subscription management — Processing premium subscription status through RevenueCat.

5. Legal Bases for Processing

5.1 Under GDPR (Article 6)

Legal Basis | Applies To
Consent (Art. 6(1)(a)) | Push notifications, GPS location access
Performance of a contract (Art. 6(1)(b)) | Authentication, storing user preferences, emergency contacts, checklist data, and all functionality necessary to deliver the service
Legitimate interest (Art. 6(1)(f)) | Analytics for App improvement, crash reporting for stability and reliability
Protection of vital interests (Art. 6(1)(d)) | Location sharing and SMS alerts during active SOS emergencies

5.2 Under LGPD (Article 7)

Legal Basis | Applies To
Consent (Art. 7, I) | Location access, push notifications
Contract execution (Art. 7, V) | Core App functionality and service delivery
Legitimate interest (Art. 7, IX) | Analytics, crash reporting, and service improvement
Protection of life or physical safety (Art. 7, VII) | Emergency SOS features, including location sharing and emergency SMS

6. Third-Party Services

We share data with the following third-party service providers, each acting as a data processor on our behalf:

6.1 Firebase (Google LLC)

  • Purpose: Authentication, database (Firestore), cloud storage, crash reporting (Crashlytics), analytics, and push notifications (Cloud Messaging).
  • Data shared: Account data, App usage events, crash logs, notification tokens.
  • Location: Data is processed in the United States.
  • Safeguards: Google's Data Processing Terms, which include Standard Contractual Clauses (SCCs) approved by the European Commission.

6.2 RevenueCat (RevenueCat Inc.)

  • Purpose: Subscription and in-app purchase management for premium features.
  • Data shared: Anonymous app user IDs and purchase receipts from the App Store / Google Play. No personal data such as name or phone number is shared.

6.3 Twilio (Twilio Inc.)

  • Purpose: SMS delivery for SOS emergency broadcasts.
  • Data shared: Emergency contact phone numbers, only when you activate SOS mode. Messages are transient and are not stored long-term by Twilio.

6.4 Nodexa AI

  • Purpose: AI-powered crisis guidance chat.
  • Data shared: Anonymized crisis context and your messages during active crisis chat sessions. No personally identifiable information (such as your name or phone number) is sent to Nodexa AI.

7. Data Storage and Security

  • All personal data is stored in Firebase Firestore on Google Cloud Platform infrastructure.
  • Data is encrypted in transit using TLS (Transport Layer Security) and at rest using AES-256 encryption.
  • Access to production data is restricted to authorized personnel only and protected by role-based access controls.

8. Data Retention

Data Type | Retention Period
Account and profile data | Retained for as long as your account exists. Deleted upon account deletion request.
Emergency contacts and checklists | Retained for as long as your account exists. Deleted upon account deletion request.
SOS session data | Retained for 90 days for safety and audit purposes, then automatically deleted.
Analytics data | Follows Google Analytics retention settings (14 months by default).
Crash reports | Retained for 90 days.
Push notification tokens | Retained for as long as your account exists. Automatically invalidated when the App is uninstalled.

9. Your Rights

9.1 Rights Under GDPR (EU/EEA Users)

  • Right of access — You may request a copy of the personal data we hold about you.
  • Right to rectification — You may request correction of inaccurate or incomplete personal data.
  • Right to erasure — You may request deletion of your personal data ("right to be forgotten").
  • Right to restrict processing — You may request that we limit how we use your data.
  • Right to data portability — You may request your data in a structured, commonly used, machine-readable format.
  • Right to object — You may object to processing based on legitimate interest.
  • Right to withdraw consent — Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint — You may file a complaint with a supervisory authority. For Sweden, this is the Integritetsskyddsmyndigheten (IMY) at www.imy.se.

9.2 Rights Under LGPD (Brazilian Users)

  • Confirmation of processing — You may request confirmation that we process your personal data.
  • Access to data — You may request access to your personal data.
  • Correction — You may request correction of incomplete, inaccurate, or outdated data.
  • Anonymization, blocking, or deletion — You may request anonymization, blocking, or deletion of unnecessary or excessive data, or data processed in violation of the LGPD.
  • Data portability — You may request portability of your data to another service provider.
  • Deletion of data processed with consent — You may request deletion of data processed on the basis of your consent.
  • Information about third-party sharing — You may request information about which third parties have received your data.
  • Right to deny consent — You may refuse to provide consent and be informed of the consequences of doing so.
  • Right to revoke consent — You may revoke previously given consent at any time.

9.3 How to Exercise Your Rights

To exercise any of the rights described above, contact us at:

  • Email: contact@sosready.app
  • Mail: Nordic Trade Hub AB, Mjolnarvagen 10 a, 131 74 Nacka, Sweden

We will respond to your request within 30 days (GDPR) or 15 days (LGPD), as applicable. We may ask you to verify your identity before processing your request.

10. International Data Transfers

Your personal data may be transferred to and processed in the United States through our use of Firebase (Google Cloud), RevenueCat, and Twilio. These transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, as incorporated into Google's Data Processing Terms and our agreements with other processors, and supplementary measures as required by the Court of Justice of the European Union's Schrems II ruling, including encryption in transit and at rest. For transfers of data from Brazil, we rely on the contractual safeguards and data protection measures described above, in accordance with LGPD requirements for international transfers.

11. Children's Privacy

SOSReady is not directed at children under 16 years of age. We do not knowingly collect personal data from children. The household composition feature (which records the number of children in a household) does not collect any personal data about the children themselves. If a parent or guardian becomes aware that their child has provided us with personal data without their consent, they should contact us immediately at contact@sosready.app. We will promptly delete any such data from our systems.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you through the App or via other appropriate means before the changes take effect. The "Last updated" date at the top of this policy indicates when it was most recently revised. We encourage you to review this policy periodically.

13. Contact Us

Nordic Trade Hub AB

Nordic Trade Hub AB, Mjolnarvagen 10 a, 131 74 Nacka, Sweden

Email: contact@sosready.app

Supervisory Authorities

  • Sweden: Integritetsskyddsmyndigheten (IMY) — www.imy.se
  • Brazil: Autoridade Nacional de Proteção de Dados (ANPD) — www.gov.br/anpd
  • Other EU/EEA countries: You may contact your local data protection authority.