Effective Date: April 30, 2026 · Version: 1.0
Plain-English summary: OD VAULT is a workplace emergency
dispatch tool. We collect what's necessary to do the job: your account
details, GPS coordinates while you're on duty inside a defined geofence,
scanned NFC tag IDs, and operational logs. We don't sell your data, run
ads, or share it for marketing. The service is provided "as is"
with no security or uptime guarantee; see Section 9 and the
Terms of Service for full disclaimers.
OD VAULT ("the Service") is a Computer-Aided Dispatch
application operated by Kadys ("the Company", "we", "us"). This
policy describes how the Service collects, uses, and safeguards
information from individuals ("you", "User") who use the iOS, Android,
or web versions.
Operational records you create: incident pins, run
reports, run notes and addendums, inspection results, walkthrough
checkpoints, shift logs, fire-extinguisher and equipment audits,
messages sent in channels or DMs, and SOP acknowledgments.
Asset registry data: NFC tag IDs, equipment
attributes, inventory counts, fire-extinguisher locations, floor-plan
images you upload.
2.2 Information collected automatically
Location data (geofenced only): latitude, longitude,
and reported GPS accuracy, collected only when you have explicitly
enabled location sharing AND your device is inside the
organization's "Main Geofence". Outside the geofence, no
coordinates leave your device; we record only that you are on duty
but off-site.
Activity logs: timestamps and event types for
actions you take (e.g. "logged in", "submitted inspection",
"dispatched run"). Used for audit trail and compliance.
Device metadata: approximate platform identifier
(iOS / Android / web), and timestamps of network requests, used to
diagnose connectivity issues.
NFC tag identifiers: when you scan a tag, the tag's
identifier string is sent to our server to look up the corresponding
asset. We do not collect anything else from the NFC tag.
2.3 Information we do not collect
We do not collect your location when you are off-site.
We do not collect your contact list, photos, microphone input,
camera input (other than NFC), browsing history, or device
identifiers (IDFA / Android Advertising ID).
We do not run advertising trackers or analytics SDKs.
We do not collect biometric data, payment data, or government IDs.
3. Why we collect it (legal bases)
Performance of contract: dispatching, locating
responders, logging inspections, displaying assets. These are the
core functions you signed up for.
Legitimate interest: activity logs to detect
misuse, compliance audit trails for safety regulators (OSHA, NFPA,
etc.), and operational analytics aggregated within your
organization.
Legal obligation: retention of safety inspection
records as required by federal or state law.
Consent: sharing live location is opt-in via the
"Share Location" button and revocable at any time.
4. Who we share it with
We share information only as necessary to operate the Service:
Within your organization: your role's data is
visible to authorized users in your organization (e.g. dispatchers
see responder locations during incidents). The Owner of the
organization can see all data within that organization.
Hosting and infrastructure: we use third-party
cloud providers (currently Render, Inc.) to host the Service.
They process data on our behalf under their own terms; we do not
control their internal practices.
Legal requirements: we will disclose information
if required by valid legal process (subpoena, court order, lawful
government request), and only the minimum necessary to comply.
Business transfer: if Kadys is acquired or
merges with another entity, account data may transfer as part of
that transaction. You will be notified before a material change.
We do not sell your personal information. We do
not share it with advertisers, data brokers, or
unrelated third parties for their own marketing.
5. How long we keep it
Active account data: retained while your account
is active.
Unpaid / suspended accounts: if an organization's
account is suspended for non-payment and remains unpaid for
90 consecutive days, the account and all
associated data are permanently and irreversibly deleted. See the
Terms of Service for details.
Operational records (runs, inspections, audits, shift
logs, messages): retained indefinitely or until deleted by
an owner/admin, because your organization may have legal duties to
retain them for several years.
Location data: only the most recent on-duty
coordinates are kept on your User record; we do not retain a
continuous historical track.
Logs: activity logs and server logs retained up
to 24 months, then aggregated or deleted.
Backups: deleted records may persist in
encrypted backups for up to 90 days before being purged on the
backup-rotation schedule.
6. Your rights
Depending on where you live you may have rights to:
Access the personal information we hold about you.
Correct inaccurate information.
Delete your account and associated personal information, subject
to lawful retention requirements.
Object to or restrict certain processing.
Receive a portable copy of the information you provided.
California residents (CCPA/CPRA): the rights to
know, delete, correct, and not be discriminated against for
exercising your rights. We do not sell or "share" personal
information as defined under the CCPA.
EU/UK residents (GDPR/UK GDPR): the rights above,
plus the right to lodge a complaint with your national supervisory
authority.
To exercise any right, contact us using the details in
Section 13. We will respond within the period
required by applicable law (typically 30 days).
7. Children's data
The Service is a workplace tool not intended for, or directed at,
individuals under 18 years of age. We do not knowingly collect
information from minors. If we learn we have collected such data, we
will delete it.
8. Location services
Location collection is opt-in on a per-session basis.
You enable it by tapping "Share Location" on the live map.
Coordinates are transmitted to the server only while your
device is inside the organization's Main Geofence; outside
that boundary the app sends an "off-site" beacon containing no
coordinates, and dispatch sees only that you are on duty. You may
revoke location consent at any time by tapping "Stop Sharing" or
disabling Location Services for the app in your device settings.
The server stores only your most recent coordinate set, not a track
history.
9. Security & breach disclaimer
We use commercially reasonable measures to protect your information,
including HTTPS in transit, password hashing, and JWT-based
authentication. No system is completely secure.
We make no representation, warranty, or guarantee that:
The Service will be uninterrupted or error-free;
Data will not be lost, corrupted, intercepted, or accessed by
unauthorized parties;
Vulnerabilities will be discovered and patched within any
particular timeframe;
Third-party providers (hosting, ISPs, mobile carriers) will not
themselves be compromised.
To the maximum extent permitted by applicable law, you
acknowledge that you use the Service at your own risk. The Company
shall not be liable for any data loss, unauthorized access,
interception, exfiltration, ransomware, denial-of-service event, or
other security incident, however caused, including those resulting
from the Company's own negligence (excluding gross negligence or
willful misconduct where such exclusion is prohibited by law).
See the Terms of Service for the full limitation
of liability.
If we become aware of a breach affecting your personal information, we
will notify affected users and applicable regulators in the manner and
within the timeframe required by applicable law.
10. Third-party services
The Service relies on the following sub-processors:
Render, Inc.: application hosting and SQLite
database storage (United States).
OpenStreetMap tile servers: base map tiles for
the live map.
Apple App Store / Google Play: app distribution
for the iOS and Android clients.
CDN providers (cdnjs, jsDelivr, unpkg): delivery
of front-end JavaScript libraries (Leaflet, Three.js, Socket.IO,
QR generator).
These providers process limited data on our behalf and are required,
contractually or by their public terms, to safeguard it. We are not
responsible for their independent privacy practices and recommend you
review their policies if concerned.
11. International users
The Service is operated from and hosted in the United States. By using
the Service from outside the United States, you consent to the transfer
of your information to the United States, which may have data
protection laws different from those in your jurisdiction.
12. Changes to this policy
We may update this Privacy Policy from time to time. Material changes
will be announced in-app and/or via the email on file at least 14 days
before they take effect. Continued use of the Service after the
effective date of an update constitutes acceptance of the revised
policy.
13. Contact
Questions, requests, or complaints regarding this Privacy Policy:
Kadys LLC
Email: [email protected]
Postal address available on written request to the email above.