Privacy Policy | MayDay-IC

1. Introduction

Blue Beard Solutions Inc. ("Company," "we," "us," or "our") operates the MayDay-IC mobile incident command system (the "Service"). This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you use our Service. We are committed to transparency and compliance with all applicable privacy laws, including the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), and all applicable state privacy laws.

2. Data Controller Information

Data Controller

Blue Beard Solutions Inc.
Data Protection Officer: info@maydayic.com
For HIPAA inquiries: info@maydayic.com

3. Categories of Personal Information Collected

We collect the following categories of personal information as defined under the CCPA/CPRA:

Category	Examples	Purpose
Identifiers	Name, email, call sign, agency affiliation, IP address	Account management, incident coordination
Professional Information	Job title, certifications, training records, duty status	Role-based access, compliance
Geolocation Data	GPS coordinates during active incidents	Responder safety, resource tracking
Protected Health Information (PHI)	Patient triage data, medical assessments	Emergency medical care coordination
Internet/Electronic Activity	Device info, session data, usage logs	Service operation, security
Biometric Information	ID photo hash (for disclaimer verification)	Identity verification
Audio/Visual Data	PTT communications, damage photos, evidence logs	Incident documentation
Inferences	AI triage recommendations	Decision support (not sole basis for decisions)

4. Sale and Sharing of Personal Information

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. We have not sold or shared personal information in the preceding 12 months.

5. Consumer Rights Under CCPA/CPRA

If you are a California resident, you have the following rights:

Right to Know/Access: Request disclosure of personal information collected, used, disclosed, or sold about you in the preceding 12 months.
Right to Delete: Request deletion of personal information we have collected, subject to legal retention requirements (e.g., HIPAA mandates).
Right to Correct: Request correction of inaccurate personal information.
Right to Data Portability: Receive your personal information in a structured, commonly used, machine-readable format.
Right to Opt-Out: Opt out of the sale or sharing of personal information (we do not sell or share, but you may still exercise this right).
Right to Limit Use of Sensitive PI: Limit use and disclosure of sensitive personal information to purposes necessary for the Service.
Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.

Verification Process

To protect your privacy, we will verify your identity before fulfilling any consumer rights request. We may ask you to confirm your identity using the email address associated with your account or other information we have on file. You may designate an authorized agent to make a request on your behalf by providing written authorization.

How to Submit a Request

Submit requests via email to info@maydayic.com or through our in-app data subject request form. We will respond within 45 days (extendable by an additional 45 days for complex requests).

6. GDPR Rights (European Economic Area)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation:

Right of Access: Obtain confirmation of whether we process your personal data and receive a copy.
Right to Rectification: Request correction of inaccurate personal data.
Right to Erasure: Request deletion of your personal data, subject to legal retention obligations.
Right to Restrict Processing: Request restriction of processing in certain circumstances.
Right to Data Portability: Receive your personal data in a structured, machine-readable format.
Right to Object: Object to processing based on legitimate interests or direct marketing.
Right Not to Be Subject to Automated Decision-Making: Not be subject to decisions based solely on automated processing with legal or significant effects.
Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.
Right to Lodge a Complaint: File a complaint with your local supervisory authority.

Lawful Basis for Processing

We process personal data under the following lawful bases:

Contract: Processing necessary for performance of our Service agreement.
Legitimate Interest: Security monitoring, fraud prevention, service improvement.
Legal Obligation: Compliance with HIPAA, audit logging, data retention requirements.
Vital Interest: Emergency medical care coordination where patient data is processed to protect life.
Consent: Marketing communications, analytics, optional features.

Cross-Border Data Transfers

Data is processed and stored in the United States. If you are located outside the United States, your data will be transferred to and processed in the United States. We implement appropriate safeguards for international transfers, including Standard Contractual Clauses where applicable.

Cookie Policy

MayDay-IC is primarily a mobile application and does not use cookies within the app. Our website may use essential cookies for session management. We do not use tracking or advertising cookies.

7. HIPAA Compliance

MayDay-IC processes Protected Health Information (PHI) as part of emergency medical care coordination. Our handling of PHI is governed by our HIPAA Policy and applicable Business Associate Agreements (BAAs).

We apply the minimum necessary standard to all PHI access and disclosure.
PHI is encrypted at rest (AES-256) and in transit (TLS 1.2+).
Access to PHI is role-based and audit-logged.
We require BAAs with all third-party service providers who may access PHI.

7a. 42 CFR Part 2 — Substance Use Disorder Records

Records related to the treatment of substance use disorders (SUD) — including alcohol and drug treatment — are subject to 42 CFR Part 2, a federal regulation that imposes stricter protections than HIPAA. When a patient record in MayDay-IC is flagged as 42 CFR Part 2 restricted, it is subject to the following additional protections:

Disclosure requires a separate, specific written patient consent — a general HIPAA authorization is not sufficient.
AI-generated recommendations and summaries are suppressed for flagged records.
Any access or disclosure is specifically audit-logged and subject to a mandatory responder acknowledgment.
Re-disclosure is prohibited without additional specific consent.
Records may not be used to initiate or substantiate criminal charges against a patient.

For full details, see our 42 CFR Part 2 Policy.

7b. FERPA — School and Educational Facility Roster Data

The Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 CFR Part 99) protects the privacy of student education records. When MayDay-IC's Facility Census and Roster Management System is used to import school or university rosters during an emergency:

A mandatory FERPA acknowledgment is required before the import proceeds.
Roster data is encrypted at rest using AES-256-GCM encryption.
Access is limited to authorized responders with appropriate role-based permissions.
Disclosure is permitted only under FERPA's health and safety emergency exception (34 CFR 99.36) during the active incident period.
Records are retained for the incident period plus 3 years, then cryptographically purged.

7c. PREA — Correctional Facility Inmate Census Data

The Prison Rape Elimination Act (34 U.S.C. § 30301 et seq.; 28 CFR Part 115) establishes confidentiality requirements for information related to sexual abuse allegations and inmate vulnerability in correctional facilities. When inmate census data is imported into MayDay-IC:

A mandatory PREA acknowledgment is required before the import proceeds.
Inmate records are encrypted at rest and accessible only to authorized responders.
PREA-sensitive fields (vulnerability flags, housing assignments) are subject to enhanced access controls.
No inmate information is accessible to other inmates through any MayDay-IC interface.

7d. CJIS — Criminal Justice Information

The FBI's Criminal Justice Information Services (CJIS) Security Policy governs access to and use of Criminal Justice Information (CJI). MayDay-IC is not currently a CJIS Authorized Recipient and does not have direct access to CJIS Division databases. However, MayDay-IC implements security controls aligned with CJIS Security Policy requirements — including advanced authentication (TOTP MFA), immutable audit logging, AES-256 encryption, and role-based access controls — to support law enforcement users and prepare for potential future CJIS integration. Law enforcement agencies using MayDay-IC are responsible for ensuring their use complies with their applicable CJIS requirements and Security Addendums.

7e. NEMSIS — EMS Patient Care Data

MayDay-IC supports export of patient care records in NEMSIS version 3.5.0 XML format for submission to state EMS databases and NHTSA's National EMS Database. NEMSIS exports contain PHI and are subject to HIPAA. Additional controls include:

A one-time NEMSIS disclaimer acknowledgment required before accessing the export function.
Export access limited to authorized roles (EMS Coordinator, Incident Commander, admin).
All export events are audit-logged with user identity, timestamp, and the records exported.
NEMSIS exports conform to the NEMSIS v3.5.0 schema.

For full details on FERPA, PREA, CJIS, and NEMSIS compliance, see our FERPA / PREA / CJIS / NEMSIS Policy.

8. State Privacy Laws

In addition to the CCPA/CPRA, we comply with the following state privacy laws. Residents of these states have similar rights to access, delete, correct, and port their personal data, as well as the right to opt out of targeted advertising (we do not engage in targeted advertising) and the right to appeal a denial of a consumer rights request.

Virginia Consumer Data Protection Act (VCDPA)
Colorado Privacy Act (CPA)
Connecticut Data Privacy Act (CTDPA)
Utah Consumer Privacy Act (UCPA)
Oregon Consumer Privacy Act (OCPA)
Texas Data Privacy and Security Act (TDPSA)
Montana Consumer Data Privacy Act (MCDPA)
Iowa Consumer Data Protection Act
Delaware Personal Data Privacy Act
New Jersey Data Privacy Act
New Hampshire Privacy Act
Indiana Consumer Data Protection Act
Tennessee Information Protection Act
Maryland Online Data Privacy Act

Universal Opt-Out Mechanism

We honor browser-based universal opt-out signals, including the Global Privacy Control (GPC). When we detect a GPC signal, we treat it as a valid opt-out request under applicable state laws.

Appeal Process

If we deny your privacy rights request, you have the right to appeal. To appeal, contact us at info@maydayic.com with the subject line "Privacy Rights Appeal." We will respond within 60 days. If your appeal is denied, you may contact your state attorney general.

9. Children's Privacy (COPPA)

MayDay-IC is designed for use by authorized emergency personnel aged 18 and older. We do not knowingly collect personal information from individuals under 18 years of age. If we become aware that we have collected personal information from a person under 18, we will delete such information promptly.

10. Automated Decision-Making and AI

MayDay-IC uses artificial intelligence for triage recommendations and incident analysis. These AI-generated outputs are advisory tools only and are never the sole basis for medical or operational decisions. All AI recommendations are subject to human review and override by authorized emergency personnel. You have the right to request human review of any AI-assisted decision.

11. Third-Party Service Providers

We share data with the following categories of third-party service providers, each under appropriate contractual protections:

Provider	Purpose	Privacy Policy
OpenAI	AI-powered triage and advisory features	openai.com/privacy
Google Maps	Mapping and geolocation services	policies.google.com/privacy
Stripe	Payment processing	stripe.com/privacy
National Weather Service (NWS)	Weather alerts (public domain)	Public domain data
CHEMTREC	Hazardous materials reference data	Emergency response reference

12. Data Retention

We retain personal information only as long as necessary for the purposes described in this policy or as required by law:

Data Type	Retention Period	Legal Basis
Protected Health Information (PHI)	6 years	45 CFR 164.530(j) (HIPAA)
42 CFR Part 2 SUD Records	6 years	42 CFR Part 2 / HIPAA
School/Educational Roster Data (FERPA)	Incident + 3 years	34 CFR Part 99 (FERPA)
Correctional Facility Census (PREA)	Incident + 3 years	28 CFR Part 115 (PREA) / HIPAA
NEMSIS EMS Export Records	6 years	HIPAA / NHTSA NEMSIS requirements
Financial/Billing Records	3 years	IRS requirements
Session/Authentication Data	1 year	Security best practices
Audit Logs	6 years	HIPAA, CJIS, compliance requirements
Incident Records	6 years	Legal and regulatory requirements

13. Security

We implement technical, administrative, and physical safeguards to protect your personal information. These include AES-256 encryption at rest, TLS 1.2+ encryption in transit, role-based access controls, multi-factor authentication, continuous security monitoring, and regular security assessments. For details, see our HIPAA Policy.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes at least 30 days before the effective date by email or in-app notification. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

15. Contact Us

For privacy inquiries, data subject requests, or complaints:
Email: info@maydayic.com

For HIPAA-specific inquiries:
Email: info@maydayic.com

Blue Beard Solutions Inc.
Data Protection Officer