Privacy Policy

Aura Safety by First-24 Health LLC
Effective date: April 16, 2026
Last updated: April 16, 2026

First-24 Health LLC ("we", "our", "us") operates the Aura Safety mobile application ("the App"). This Privacy Policy describes how we collect, use, and protect information when you use Aura Safety.

Privacy-first design: Aura Safety processes your biological signature entirely on your device. Raw biometric data (motion, tremor, cardiac patterns) never leaves your phone. Only signed verification results — not the underlying biometric data — are transmitted.

1. Information We Collect

1.1 Information you provide directly

Account data: name, email address, sign-in method (Apple ID, Google account, or magic link)
Profile information: display name, optional phone number
Family member contacts: names, phone numbers, relationships of family members you add
Emergency contacts: names, phone numbers, emails of contacts you designate
Meeting labels: optional text labels you assign to group verifications

1.2 Information collected automatically

Motion sensor data (accelerometer + gyroscope): used on-device to compute your unique biological signature. Raw motion data is never transmitted.
Location data (GPS): captured during ride monitoring, emergency SOS, and proximity verification. Shared only with your designated emergency contacts during active emergency events.
Bluetooth and UWB ranging data: used for in-person family verification; processed on-device.
Camera access: used only when scanning QR codes during proximity verification.
Microphone access: used only when capturing audio evidence during duress events you initiate.
Device identifiers: anonymous device ID for sync across your own devices, push notification tokens (FCM).
Crash and diagnostic data: automatically reported via Sentry when the app crashes, helping us fix bugs.
Usage analytics: anonymous app usage events via PostHog (which screens you visit, feature usage). Does not include biometric or location data.

1.3 Information we do NOT collect

We do not collect or store your raw biometric data (tremor patterns, cardiac micro-motion, or fingerprints) on our servers.
We do not access your contacts, photos, calendar, or files outside what is explicitly required for safety features and granted by you.
We do not collect health records or medical data. Aura Safety is not a medical device.
We do not sell your personal information to third parties.

2. How We Use Information

Purpose	Data used
Verify your identity for account access	Email, sign-in tokens (Apple/Google)
Compute biological identity signature	Motion sensor data (on-device only)
Detect duress and dispatch silent SOS	Motion data, location, emergency contacts
Verify family member identity (Kin)	Verification results between enrolled family devices
Monitor rideshare safety	Location, optional driver/vehicle info you enter
Generate proximity meeting receipts	Bluetooth/UWB ranging data, biological verification results
Process subscription payments	Apple App Store / Google Play purchase tokens (via RevenueCat)
Send push notifications	Device push tokens (FCM)
Improve the app	Anonymous usage analytics (PostHog), crash reports (Sentry)

3. Data Storage and Security

On-device storage: baseline signatures, attestation records, evidence captures, family member info, and emergency contacts are stored locally in encrypted SQLite databases.
Cloud storage: account information and synced records are stored on Supabase (PostgreSQL) with Row-Level Security ensuring you can only access your own data.
Encryption: all data in transit is encrypted with TLS 1.2+. Sensitive cloud-stored data uses AES-256 encryption at rest.
Cryptographic signing: evidence captures are HMAC-SHA256 signed and hash-chained for tamper-evidence.
Hardware-rooted security: on iOS, signing operations use the Secure Enclave; on Android, hardware-backed Keystore where available.

4. Third-Party Services

We use the following third-party services to operate Aura Safety. Each has their own privacy policy:

Service	Purpose	Privacy policy
Supabase	Authentication and cloud database	supabase.com/privacy
RevenueCat	Subscription management	revenuecat.com/privacy
Firebase Cloud Messaging	Push notifications	firebase.google.com/support/privacy
Sentry	Crash reporting	sentry.io/privacy
PostHog	Anonymous analytics	posthog.com/privacy
Sign in with Apple	Authentication	apple.com/legal/privacy
Google Sign-In	Authentication	policies.google.com/privacy

5. Sharing Your Information

We share your information only in these limited circumstances:

With your family members you have explicitly added (verification status, location during emergencies)
With your emergency contacts you have designated (location and status during active SOS events)
With service providers listed in Section 4, only as needed to operate the app
To comply with law when legally required by valid legal process
To protect safety if we reasonably believe disclosure is necessary to prevent imminent harm

We do not sell your personal information.

6. Your Rights

6.1 Access and portability

You can export all your data from Settings → Data → Export My Data. The export is a JSON file containing all records associated with your account.

6.2 Deletion

You can delete your account and all associated data from Settings → Account → Delete Account & Data. Deletion is permanent and processed within 30 days.

6.3 Opt-out

Disable analytics: Settings → Privacy → Analytics
Disable crash reporting: Settings → Privacy → Crash Reporting
Disable continuous attestation: Settings → Safety → Continuous Attestation
Disable location services: device Settings → Privacy → Location Services

6.4 GDPR rights (EU residents)

If you are in the European Union, you have additional rights including: right to access, rectify, erase, restrict processing, object to processing, and data portability. Contact us at privacy@first24health.com to exercise these rights.

6.5 CCPA rights (California residents)

California residents have the right to know what personal information we collect, the right to delete, and the right to opt out of sale (we do not sell information). Contact privacy@first24health.com.

7. Children's Privacy

Aura Safety is not directed to children under 13. We do not knowingly collect information from children under 13. Parents may add children as family members within the Kin module; in that case, the parent is responsible for the child's data and consent.

8. International Users

Aura Safety is operated from the United States. By using the app, you consent to the transfer of your information to the United States, which may have different data protection laws than your country.

9. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated through the app and via email. Your continued use after changes constitutes acceptance of the updated policy.

10. Contact Us

Questions about this Privacy Policy or your data:

Email: privacy@first24health.com
Mail: First-24 Health LLC, [Mailing address]

11. Medical Device Disclaimer

Aura Safety is a personal safety platform. It is not a medical device. It does not diagnose, treat, cure, or prevent any disease. The biological signature analysis is solely for identity verification and duress detection — it is not a substitute for medical evaluation.