Last updated: 2026-04-20
Privacy Policy
This Privacy Policy explains how Firedash collects, uses, shares, and protects personal data when you use our mobile apps (iOS and Android), our web dashboard, our station touchscreen display, and this website. It also describes your rights under the EU General Data Protection Regulation (GDPR) and how to exercise them.
Who we are
Firedash is operated by Tadej Korošak s.p., a sole proprietorship registered in Slovenia at Slovenskogoriška cesta 5, Ptuj. You can reach us at [email protected]. Throughout this policy, "we", "us", and "Firedash" refer to this entity.
Scope of this policy
This policy applies to personal data processed through the Firedash mobile apps for iOS and Android, the web dashboard at app.firedash.io, the station touchscreen display, and the marketing website at firedash.io. It does not apply to third-party websites or services linked from Firedash.
Our role: controller and processor
Firedash is typically provided to a fire brigade or fire-safety organization (the "brigade"). For data you generate as a member of a brigade — such as incident records, crew assignments, attendance logs, and connected-device state — the brigade is the data controller and Firedash is the data processor acting on the brigade's instructions under a data-processing agreement. For your individual account and authentication data, for analytics and crash diagnostics we collect from our apps, and for visitors to this website, Firedash is the controller.
Account data
When your brigade administrator creates your account, or when you sign in, we process your name, email address, role within the brigade, brigade membership identifier, and a secure hash of your password. We never store your password in plain text.
Operational and incident data
While you use the service we process data your brigade creates and assigns to you: incidents you participate in (time, address, type, status, description, assigned crew and vehicles), activities and attendance you log, messages you send in operational rooms, facility and fire-plan records you access, and responses you submit (for example, confirming availability for an incident).
Device telemetry
If your brigade connects hardware — switches, sensors, hydrants, or controllers — the service processes telemetry those devices send (state changes, timestamps, device identifiers). This data drives the live dashboard, automations, and incident responses.
Location data
The mobile app requests access to your device location so we can (a) place you on the incident map and (b), if your brigade enables the feature and you grant permission, trigger location-based alerts and geofence events when you enter or leave an area your brigade has defined. On iOS and Android this can include background location for enabled operational workflows. We only collect location while you are signed in as a brigade member, and we do not share it with advertising or analytics providers.
Camera and microphone
With your permission, the mobile app uses the camera to scan QR codes and attach photographs to incidents or activities, and the microphone for two-way audio rooms. Camera and microphone data are captured only while you are actively using those features.
Push notifications
To deliver push notifications we store a device push token issued by Apple Push Notification service (APNs) or Firebase Cloud Messaging (FCM), together with a platform indicator (iOS or Android) and a device identifier used to route a notification to the right device. The token is removed when you sign out or remove the device from your account; invalid tokens are cleaned up during routine maintenance.
Automatically collected data
Our apps send pseudonymous usage events and crash diagnostics to Firebase Analytics and Firebase Crashlytics so we can measure reliability and improve the product. The marketing website uses Google Analytics 4 — see our Cookie Policy for details. Our servers log IP addresses, user-agent strings, and timestamps for security, abuse prevention, and debugging; these logs are kept for up to 30 days and then deleted.
Legal basis for processing
We process personal data on one or more of the following GDPR legal bases: performance of a contract (Art. 6(1)(b)) — to deliver the service you or your brigade subscribe to; legitimate interests (Art. 6(1)(f)) — to keep the service secure, diagnose crashes, and improve reliability; legal obligations (Art. 6(1)(c)) — for tax, accounting, and statutory record-keeping; and consent (Art. 6(1)(a)) — where required for optional features such as analytics cookies or location permissions.
Why we use your data
We use personal data only to (a) operate the service, including authentication, incident management, device control, and notifications; (b) secure the platform against abuse and fraud; (c) communicate with you about the service, including updates, security notices, and replies to your support requests; (d) diagnose crashes and improve reliability; and (e) comply with our legal obligations. We do not sell personal data and we do not use it for third-party advertising.
Who we share data with
We share personal data only with sub-processors that help us run the service and with parties you or your brigade explicitly instruct us to share with. Our current sub-processors are: Google LLC (Firebase Cloud Messaging for push notifications, Firebase Analytics for aggregate usage measurement, Firebase Crashlytics for crash diagnostics, and the Google Maps SDK for displaying maps); Postmark for transactional email such as password resets and invitations; Cloudflare, Inc. for object storage of file attachments, CDN, and DDoS protection; and our cloud-hosting provider for the application servers and database. Each sub-processor is bound by a data-processing agreement that requires protections equivalent to those described here.
International data transfers
Our primary infrastructure is located in the European Union. Some sub-processors listed above — notably Google — may process data on servers outside the EU, including in the United States. Where this occurs, transfers are protected by the EU Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework.
How long we keep data
We keep personal data only for as long as we need it. Account data is kept while your account is active and, after a deletion request, removed from active systems within 30 days; limited records may remain for up to 90 days where needed for security, dispute handling, or legal obligations. Incident and operational records are retained by your brigade for as long as the brigade requires them. Crash diagnostics are kept for up to 90 days; server logs are kept for up to 30 days; backups rotate on a 30-day cycle. Longer retention periods apply only where the law requires it (for example, invoicing records).
How we protect your data
We use TLS encryption in transit, encryption at rest for the production database and object storage, role-based access control, multi-factor authentication for administrative accounts, audit logging, and least-privilege access for our staff. We review our security controls regularly and keep dependencies patched.
Your rights
Under GDPR you have the right to (a) access your personal data and receive a copy; (b) correct inaccurate data; (c) request erasure of your data ("right to be forgotten"); (d) restrict or object to processing based on legitimate interests; (e) receive your data in a structured, machine-readable format (data portability); (f) withdraw any consent you have given, without affecting processing that took place before the withdrawal; and (g) lodge a complaint with a supervisory authority. To exercise any of these rights, email [email protected] from the address on your account. We respond within one month.
Deleting your account and data
To delete your account, send an email to [email protected] from the address on your account with the subject line "Account deletion request". If you no longer have access to that address, include the name of your brigade so we can verify your identity another way. We delete personal account data from active systems and confirm completion in writing within 30 days. Operational records (for example, your attendance in a historical incident log) remain under your brigade's control and are governed by the brigade's own retention policy.
Children
Firedash is a professional tool for fire brigades and is not directed at children. We do not knowingly collect personal data from anyone under the age of 16. If you believe a child has provided us with personal data, contact [email protected] and we will take appropriate steps to delete it.
Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top of this page shows when the current version took effect. For material changes we will notify affected users by email or through the app before the changes take effect.
Supervisory authority
If you are in Slovenia and believe we have handled your data improperly, you can lodge a complaint with the Information Commissioner of the Republic of Slovenia (Informacijski pooblaščenec), Dunajska cesta 22, 1000 Ljubljana, [email protected], www.ip-rs.si. If you are in another EU country, you may contact your national data protection authority.
Contact
For any privacy question or to exercise a right, contact us at [email protected]. For postal correspondence: Tadej Korošak s.p., Slovenskogoriška cesta 5, Ptuj.