1. What we collect, and why
Resident accounts
- Email address — your sign-in identifier and how we contact you about your account.
- Name — shown to the dispatched guard so they can address you.
- Street address — used to assign you to a security zone and to direct the guard to your home during an alert.
- Government ID document — submitted once during registration so we can verify the address you registered matches the address on your ID. Reviewed by an admin and retained while your account is active. Auto-deleted within 30 days of account closure.
- Live GPS coordinates — captured ONLY at the moment you press the panic button. We do not run background location tracking. The guard sees your location for the duration of the active incident; after the incident is resolved, we retain the coordinates with the incident record for 90 days.
- Push notification token — used to deliver alerts about your incident's status (acknowledged, en route, on scene, resolved).
- Payment information — processed by Stripe. PatrolForce never sees your full card number; we store only a Stripe customer reference.
Guard accounts
- Email, name, badge ID, assigned cluster — operational data for dispatch.
- Live GPS pings every 30 seconds while on duty — recorded so admins can verify the patrol is happening and so dispatch knows the guard's location at incident time.
- Notes you write on incidents — visible to the resident and admins.
Website pledges
- Name, email, address, postal code (forward sortation area only, i.e. the first three characters) — used to gauge demand in your zone and notify you when service activates.
2. What we don't collect
- We never collect data from your phone except as listed above.
- We never share data with advertisers. We never sell data. We have no advertising business.
- We do not access your contacts, photo library (other than the one ID document you upload), microphone, or other apps.
3. How we use the data
- Operate the panic-dispatch service.
- Verify residents are who they say they are (ID document review, one-time).
- Process subscription payments (via Stripe).
- Coordinate incident response between residents, guards, and (when needed) police.
- Generate aggregate operational metrics (e.g. how many incidents per cluster) for internal analysis.
4. Retention
| Data | Retention |
|---|---|
| Active resident profile + ID document | While account active; auto-deleted within 30 days of account closure |
| Live GPS during incident | Tied to the incident record; redacted from the incident record 90 days after resolution |
| Incident records (anonymised) | Retained indefinitely as aggregate operational data; PII anonymised on account deletion |
| Push tokens | Active session only |
| Payment records (Stripe) | Subject to Stripe's retention policy |
| Guard records | Retained for 2 years after account closure for legal audit purposes. Guards are paid contractors; their patrol logs may be subpoenaed in civil or criminal proceedings that take many months to resolve. After 2 years, records are fully purged. |
| Website pledges | Until you ask us to delete them, or until your zone activates and you sign up |
5. Account deletion
You can delete your account from Profile → "Delete my account" in the iOS app. We comply with App Store guideline 5.1.1(v).
For residents: profile, ID document, and push token are deleted immediately. Past incidents are anonymised (your name, address, and identifier are replaced with redacted values). Stripe customer records are detached.
For guards: profile is marked deleted immediately and access revoked. Patrol logs and incident participation records are retained for 2 years under the audit-retention policy above, then fully purged.
You can also email privacy@sentinel.example.com to request deletion.
6. GDPR / Canadian PIPEDA rights
You can request export or deletion of your personal data at any time.
- Export: in-app via Profile → Settings → "Download my data", or email privacy@sentinel.example.com.
- Delete: as described in §5 above.
- Correction: edit your profile in-app, or email us.
7. Sharing with third parties
- Stripe — payment processing. Their privacy policy: stripe.com/privacy
- Apple — push notification delivery via APNs.
- Police, when an incident is in progress — the guard may share your name, address, and incident description with responding officers as part of normal dispatch coordination.
- Insurance partners — when you opt in to a PatrolForce-certified zone insurance discount, we share confirmation that you're an active subscriber. We do not share incident details.
8. Security
- Per-user data is stored under file mode 0600 (owner read/write only) in directories of mode 0700 (owner only).
- Passwords are hashed with scrypt before storage.
- Session tokens are random 256-bit values, stored on the device in iOS Keychain via expo-secure-store.
- ID documents are stored encrypted at rest on our server.
- We do not log your password, payment details, or the content of guard notes anywhere outside the database.
9. Children
PatrolForce is intended for adult subscribers responsible for a residence. We do not knowingly collect data from anyone under 18.
10. Changes to this policy
If we materially change this policy, we'll notify you in-app at least 14 days before the change takes effect.