Your safety, your data.

“BeWarned,” “we,” “our” refers to the operator of the service available at bewarned.app. For privacy requests and questions about this policy, contact hello@bewarned.app.

Account. Email and a hashed password (or magic-link/OAuth token). Optional display name and public reporter handle. The locale you read in. Your Stripe customer id once you subscribe.

Reports you submit. Location (country, city, neighborhood, optional landmark — never your home address), incident type, free-text description, optional photo with EXIF/GPS stripped client-side before upload.

Activity. Corroboration votes, saved destinations, briefing-generation count (to enforce free-tier limits), buddy-check schedules, moderator actions if applicable.

Technical. IP address (kept in Supabase auth logs only, for abuse prevention and rate limiting), user-agent string, cookie identifiers (auth session, preferred locale, cookie-consent state). We do not fingerprint your device.

We use account data to authenticate you. Report data to power the public feed, corroboration graph, dossier exports, similarity search, and pre-trip briefings. Activity data to enforce rate limits, prevent abuse, and improve moderation. Technical data to keep the service running and detect malicious traffic.

No sale, no sharing for advertising. We do not sell your personal information as that term is defined under the CCPA/CPRA, and we do not share it for cross-context behavioural advertising. We do not run third-party ad networks. California residents have no opt-out to exercise because there is no sale or share to opt out of.

Contract — to provide the service you signed up for. Consent — for email alerts and any non-essential cookies. Legitimate interest — for fraud prevention, moderation, security logging, and protecting the rights of other travelers who rely on the report feed. Legal obligation — for retention of records when law-enforcement requests are received with valid legal process.

Public.Approved reports (without your name) are visible to anyone on the internet. That is the entire point of the service — strangers reading other strangers’ warnings.

Subprocessors. We share data with: Supabase (primary database, auth, and object storage — US-West / Oregon region), Stripe (subscription payments — US, with EU data residency for EU-billed customers), Resend (transactional email — US), Upstash (rate-limit counters — US), Mapbox (map tile rendering on the client only), Vercel (deployment, edge cache, and cron — US).

International transfers (EU/UK/Swiss users).Because our primary infrastructure is hosted in the United States, personal data of EU/EEA/UK/Swiss users is transferred outside their home jurisdiction. We rely on the European Commission’s Standard Contractual Clauses (SCCs) and, where applicable, the UK International Data Transfer Addendum, plus supplementary technical measures (encryption at rest and in transit, access controls). A copy of the SCCs in force with each subprocessor is available on request via hello@bewarned.app.

Law enforcement. We disclose data only when compelled by valid legal process (subpoena, court order, or equivalent in the requesting jurisdiction) and only the minimum required. We publish a transparency summary at least annually after our first full year of operation.

Account data: kept while your account is active, deleted within 30 days of account closure. Public reports: kept indefinitely but anonymised (user link severed) on account closure. Audit logs (moderator actions, law-enforcement submissions): retained for 7 years for legal defense and chain-of-custody. Stripe subscription records: governed by Stripe’s retention policy plus our 7-year financial audit requirement. Server access logs: 90 days.

All data in transit is encrypted with TLS 1.2+. Data at rest is encrypted at the database layer by Supabase. Passwords are salted and hashed (bcrypt). Access to production data is limited to the operator and gated behind multi-factor authentication.

If we become aware of a personal-data breach likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and notify affected users without undue delay, as required by GDPR Art. 33–34 and equivalent provisions elsewhere.

You have the right to access, correct, port (export), restrict, object to processing of, and erase your personal data. Most of this is self-serve from /account — including a one-click JSON export of everything we hold on you. For anything we cannot handle through the UI, email hello@bewarned.app. We respond within 30 days (extendable by 60 days for complex requests under GDPR Art. 12(3), with notice to you).

California residents additionally have the right to know what categories of personal information we collect and the purposes, to delete, to correct, and to non-discrimination for exercising any right. We do not engage in “sale” or “sharing” as those terms are defined in the CCPA/CPRA, so no opt-out is required; you may still submit a deletion or access request through the channel above.

If you are in the EU/EEA/UK and unhappy with our response, you may lodge a complaint with your national data-protection authority. A list is at edpb.europa.eu.

We use one strictly-necessary cookie (your auth session) and one functional cookie (your preferred locale and consent state). No analytics cookies, no advertising cookies, no third-party tracking pixels.

BeWarned is not directed at users under 16, and we do not knowingly collect personal information from anyone under 16. If you believe a minor has created an account, email hello@bewarned.app and we will delete it within 7 days.

We do not engage in automated decision-making that produces legal or similarly significant effects on you. Moderation decisions are ultimately made by humans; algorithmic scoring (e.g., corroboration score, similarity ranking) only assists prioritisation.

We will email signed-in users at least 30 days before any material change to this policy. The current version always lives at this URL, with the “Last updated” date at the top.

For privacy questions and rights requests, email hello@bewarned.app. For abuse, moderation, or content-removal issues, email abuse@bewarned.app.