Privacy Policy

1. Overview

SafeSignals LLC ("SafeSignals," "we," "us," or "our") operates the SkimGuard mobile application and the safesignals.io website (collectively, the "Services"). This Privacy Policy explains what information we collect, how we use it, and what choices you have.

By using the Services, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the Services.

2. Information We Collect

2.1 Information you provide

• Account registration: email address, name, and password (consumer and business accounts)
• Business account details: business name, address, location type, and contact information
• Payment information: processed exclusively by Stripe. SafeSignals does not store payment card data.
• Contact form submissions: name, email, company, and message content
• User-submitted scan reports: photos, text descriptions, and GPS coordinates (voluntarily submitted)

2.2 Information collected automatically

• Location data: GPS coordinates at the time of each scan. Location access is required for the app to function — scans without location cannot be validated or added to the community map.
• scan data: Detected Bluetooth device identifiers (MAC addresses, hashed), advertisement characteristics (signal strength, interval, manufacturer data), and scan results. Raw MAC addresses are hashed before storage using SHA-256; the original addresses are not retained.
• Camera and photo library access: The app requests access to your camera and/or photo library only when you voluntarily submit a community report (for example, to document a suspected skimmer not detected by the automated scan). This access is entirely optional, requires your explicit permission at the time of use, and is never used for any other purpose. Photos submitted with reports are stored securely and associated with the specific report. We do not access your camera or photos in the background or outside the report submission flow.
• Device information: Device type, operating system version, app version, and installation identifier.
• Usage analytics: App session data, feature usage patterns, and crash reports. Collected via Firebase Analytics in anonymized form.
• IP address: Collected on server requests; used for fraud prevention and geolocation at the country/state level only.

2.3 Information we do not collect

• We do not read, access, or store any data from the payment terminal itself
• We do not collect your card number, account number, or any payment credential
• We do not access your contacts or microphone
• We do not track your location when the app is not actively in use (no background location)
• We do not access your camera or photo library except as described in Section 2.2 above

3. How We Use Your Information

We use the information we collect to:

• Provide, operate, and improve the SkimGuard Services
• Build and maintain the community scan map
• Generate terminal risk ratings and safety verdicts
• Send account-related notifications (trial expiration, scan reminders for Premium subscribers)
• Provide customer support
• Detect and prevent fraud, abuse, and coordinated false reporting attacks
• Comply with legal obligations
• Operate our business analytics (ad targeting is conducted by AdMob per their policies; we do not share personal data with AdMob beyond standard SDK integration)
• Create and sell anonymized, aggregated data products as described in Section 5 below

We do not use your information for any purpose not described in this policy without obtaining your consent first.

4. Scan Data & Community Map

Every scan you perform contributes to the SkimGuard community map. The following applies to how your scan data is handled:

• Anonymization: Your personal identity is never associated with map-visible scan results. Scans are attributed to a pseudonymous user identifier, not your name or email.
• MAC address hashing: Detected device MAC addresses are hashed (SHA-256) immediately upon collection. The original MAC address is not retained in our systems.
• GPS precision: For community map display purposes, GPS coordinates are rounded to a precision that identifies the terminal location without pinpointing your exact position at time of scan.
• Scan history (Premium subscribers): Your personal scan history — including precise GPS and timestamps — is stored and accessible only to you in your account. It is not shared with other users.
• Deletion: You may request deletion of your scan history at any time via the app or by contacting [email protected].

5. Data Licensing

SafeSignals offers commercial data products derived from aggregated, anonymized scan data to third parties including financial institutions, insurance companies, and payment processors. By using the Services, you acknowledge and agree that:

• Anonymized, aggregated scan data may be included in commercial data products
• No personally identifiable information is included in any licensed dataset
• GPS data in licensed datasets is aggregated to grid-cell or ZIP code level — precise scan coordinates are never included
• Datasets require a minimum of five independent scans at a location before inclusion
• All data licensees are required to execute a Data Processing Agreement
• You may opt out of inclusion in data licensing products by contacting [email protected]. Opting out does not affect your ability to use the Services.

6. Information Sharing

We do not sell, trade, or rent your personally identifiable information. We may share information with:

6.1 Service providers

We use third-party vendors to operate our Services. These providers access information only as needed to perform their services and are contractually prohibited from using it for other purposes:

• Google Firebase: Database, authentication, analytics, push notifications
• Stripe: Payment processing
• RevenueCat: Subscription management
• Google AdMob: Advertising (free and unsubscribed tiers only)
• Salesforce: Customer relationship management and lead tracking
• Google reCAPTCHA v3: Bot and spam protection on contact forms. reCAPTCHA collects hardware and software information and sends it to Google for analysis. Use of reCAPTCHA is subject to Google's Privacy Policy and Terms of Service.

6.2 Law enforcement

We may disclose information to law enforcement authorities when required by law, valid legal process, or when we believe disclosure is necessary to prevent imminent harm. Where possible, we will notify affected users prior to disclosure unless prohibited by law.

6.3 Business transfers

In the event of a merger, acquisition, or sale of all or substantially all of our assets, your information may be transferred to the acquiring entity. We will notify you before your information is transferred and becomes subject to a different privacy policy.

6.4 With your consent

We may share your information in other circumstances with your explicit consent.

7. Data Retention

• Account data: Retained as long as your account is active. Deleted within 30 days of account deletion request.
• Scan history (personal): Retained until you delete it or delete your account.
• Community map data (anonymized): Retained indefinitely as part of the community dataset. This data has no personal identifiers and cannot be linked to your account.
• Contact form submissions: Retained in our CRM for up to 3 years for business relationship purposes.
• Billing records: Retained for 7 years as required by tax and accounting obligations.

8. Security

We implement industry-standard technical and organizational measures to protect your information, including:

• TLS/HTTPS encryption for all data in transit
• Encryption at rest for all Firestore data via Google Cloud's default encryption
• Role-based access controls limiting who within SafeSignals can access personal data
• SHA-256 hashing of MAC addresses before storage
• Regular security reviews and penetration testing

No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. In the event of a data breach affecting your personal information, we will notify you as required by applicable law.

9. Children's Privacy

The SkimGuard Services are not directed to children under the age of 13 (or under 16 in the European Economic Area). We do not knowingly collect personal information from children under these ages. If you believe we have inadvertently collected information from a child, please contact us at [email protected] and we will delete it promptly.

10. California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act and California Privacy Rights Act:

• Right to know: Request disclosure of the categories and specific pieces of personal information we have collected about you.
• Right to delete: Request deletion of your personal information, subject to certain exceptions.
• Right to opt out of sale/sharing: We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
• Right to correct: Request correction of inaccurate personal information.
• Right to limit sensitive data use: We do not use or disclose sensitive personal information beyond what is necessary to provide the Services.
• Right to non-discrimination: We will not discriminate against you for exercising any of these rights.

To exercise your California privacy rights, contact us at [email protected] or use the in-app privacy request form. We will respond within 45 days.

11. European Users (GDPR)

If you are located in the European Economic Area, United Kingdom, or Switzerland, the following applies:

Legal basis for processing

• Contract performance: Processing necessary to provide the Services you requested
• Legitimate interests: Fraud prevention, security, analytics, and improving the Services
• Consent: Processing for data licensing products and marketing communications
• Legal obligation: Compliance with applicable law

Your rights under GDPR

• Right of access, rectification, erasure, and data portability
• Right to restrict or object to processing
• Right to withdraw consent at any time (without affecting prior processing)
• Right to lodge a complaint with your local supervisory authority

We are in the process of appointing an EU representative. For GDPR-related requests, contact [email protected].

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (if you have an account) and/or by prominent notice within the app. The "Last updated" date at the top of this policy reflects the most recent revision.

Your continued use of the Services after any changes become effective constitutes your acceptance of the revised policy.

13. Contact Us

For questions, requests, or concerns about this Privacy Policy or how we handle your data: