LegalPrivacy Policy

Privacy Policy

Chipon Alert

Effective Date: March 29, 2026
Last Updated: March 29, 2026

1. Introduction

Chipon Alert ("we," "us," "our," or the "Service") is a preventive safety intelligence platform operated by Jyv Tech LLC, a company incorporated in the United States, with operations in Nigeria through its subsidiary Tanta Innovative Limited. This Privacy Policy explains how we collect, use, process, and disclose your personal data when you use our mobile application ("App") available on iOS and Android platforms.

Governing Jurisdictions:

  • Primary: Nigeria Data Protection Regulation (NDPR)
  • Secondary: General Data Protection Regulation (GDPR) for EEA residents
  • Subsidiary: Tanta Innovative Limited (Nigeria), a subsidiary of Jyv Tech LLC

We are committed to protecting your privacy and ensuring transparency about how we handle your personal information. Please read this Privacy Policy carefully. If you do not agree with our practices, do not use the Service.

2. Information We Collect

2.1 Information You Provide Directly

Authentication & Account Data

  • Phone Number — Required for OTP-based authentication (no passwords)
  • Full Name — Used for profile creation and incident attribution
  • Avatar Photo — Optional profile image (uploaded to S3)

Location Data

  • Home Location — Optional, set during onboarding or in profile
  • Work Location — Optional, set during onboarding or in profile
  • Route Search Locations — Coordinates and addresses searched in the Route Safety feature
  • GPS Coordinates — Real-time location when you submit incident reports or enable proximity alerts
  • Neighborhood Taps — Areas you explore on the safety map (geospatial coordinates)

Incident Reports

When you report a safety incident, we collect:

  • Incident Description — Text describing what you observed
  • Incident Photos — Images you upload (stored on S3)
  • GPS Coordinates — Precise location of the incident
  • Incident Category — Classification (armed robbery, accident, suspicious activity, fire, protest, flooding, road closure, checkpoint, power outage, other)
  • Severity Level — Your assessment (critical, high, medium, low)
  • Timestamp — Date and time of report submission

Search History

  • Route Searches — Addresses and coordinates you search for route safety comparison
  • Map Searches — Locations you search on the safety map

Community Engagement

  • Incident Reactions — Your verification votes on community-submitted incidents (confirms or disputes)
  • User Comments — Optional comments on incidents (if feature is enabled in future versions)

2.2 Information Collected Automatically

Device Information

  • Device Type & Model — iOS or Android device identifier
  • Operating System Version — Your device's OS version
  • App Version — Version of Chipon Alert you are running
  • Device Identifier — Unique device ID (IDFA on iOS, Advertising ID on Android)
  • Device Settings — Language, timezone, locale

Push Notification Data

  • Push Notification Token — FCM token from Firebase Cloud Messaging for delivery of proximity alerts and incident notifications
  • Notification Preferences — Categories you've enabled/disabled, quiet hours settings

Usage Analytics

  • Feature Usage — Which screens, maps, and features you access
  • Interaction Logs — Taps, searches, filters applied, time spent on features
  • Crash Reports — Error logs and stack traces (if you enable crash reporting)
  • Session Data — Login/logout timestamps, session duration

Network Data

  • IP Address — Your network IP address (collected by server logs)
  • Connection Type — WiFi or mobile network
  • HTTP Requests — API endpoints accessed, request/response metadata

Location Data (Continuous)

  • GPS Coordinates — Background location access only when you explicitly enable proximity alerts
  • Geolocation — Coarse location via network/WiFi triangulation
  • Location History — Routes you've traveled (stored only while proximity feature is active)

2.3 Information from Third Parties

Firebase Cloud Messaging (FCM)

  • Push delivery logs and delivery status

Google Maps Integration

  • Reverse Geocoding — Address lookup from your coordinates
  • Map Rendering — Map tiles and geocoding services (Google may collect data per their privacy policy)

SMS Provider (Multitexter)

  • OTP Delivery Logs — Confirmation that your OTP was sent (Multitexter may retain metadata)

Email Service (Resend)

  • Email Delivery Logs — If we send password reset or account notifications via email

3. How We Use Your Information

3.1 Core Service Delivery

We use your personal data to:

  • Authentication & Account Management — Phone number and name to create and maintain your account; OTP delivery for secure login
  • Safety Map Display — Home/work locations and GPS coordinates to show your position on the map and personalize the heatmap view
  • Incident Reporting — Collect, store, and display your incident reports (with attribution) to other users; use photos and coordinates to visualize safety conditions
  • Route Safety Scoring — Search locations and route history to calculate safety scores along alternative routes
  • Proximity Alerts — Real-time location data to trigger notifications when you enter high-risk areas (if enabled)
  • Neighborhood Intelligence — Geospatial data to compute neighborhood safety scores, sub-scores, and trend indicators
  • Community Verification — Your reactions (confirms/disputes) to help validate incident accuracy and crowd-source safety intelligence

3.2 Communication

  • Notification Delivery — Push notifications for alerts, incident updates, proximity triggers
  • Account Notifications — Security alerts, login confirmations, policy updates
  • Support Communication — Responding to your support requests, bug reports, or feedback

3.3 Service Improvement & Analytics

  • Performance Monitoring — Usage analytics to identify feature adoption, user flows, and performance bottlenecks
  • Bug Fixes & Updates — Crash reports and error logs to diagnose and fix issues
  • Personalization — Recommend relevant features and improve the app experience based on your usage patterns
  • Security & Fraud Detection — Monitor unusual login patterns, detect unauthorized access, and prevent abuse
  • Legal Obligations — Comply with Nigerian NDPR, GDPR, and other applicable laws
  • Law Enforcement — Respond to lawful requests from Nigerian law enforcement, courts, or government agencies
  • Terms Enforcement — Enforce the Terms of Service and prevent misuse of the platform

3.5 What We Do NOT Do

We explicitly do NOT:

  • Sell or rent your personal data to third parties
  • Use your data for targeted advertising or behavioral marketing
  • Train machine learning models on your incident reports without consent
  • Share your home/work location with other users (this is private)
  • Monetize your community reports in v1
  • Require KYC (Know Your Customer) identity verification

4.1 NDPR (Nigeria Data Protection Regulation)

Under the NDPR, we process your personal data on the following lawful bases:

Data Type Legal Basis Rationale
Phone number, name (authentication) Consent Your explicit agreement to the Privacy Policy
Incident reports, photos Consent + Legitimate Interest You submit voluntarily; community safety serves legitimate interest
GPS coordinates (incidents) Consent You provide location with each report
Home/work locations Consent You set optionally in your profile
Device info, analytics Consent Necessary to operate the service
Push notification token Consent Required to deliver alerts
Location for proximity alerts Explicit Consent This feature requires background location access and specific opt-in

4.2 GDPR (for EEA Residents)

For residents of EU, EEA, or UK, we process your data under:

Data Type Legal Basis Rationale
Phone number, name, avatar Performance of Contract + Consent Necessary to provide the service; consent for voluntary profile data
Incident reports Legitimate Interest + Consent Public safety serves a legitimate interest; consent given at submission
Location data (incident GPS) Performance of Contract Provided as part of incident submission
Home/work locations Consent Explicitly optional
Background location (proximity alerts) Explicit Consent Only collected when you enable this feature
Analytics & crash reports Legitimate Interest + Consent Service improvement serves legitimate interest
Device identifiers Consent Used for push delivery and analytics

We will NOT rely solely on consent if you withdraw it; we will cease processing for that purpose or establish an alternative legal basis.

5. Data Sharing and Disclosure

5.1 Sharing Within the Service

Your Incident Reports are Public — When you submit a safety incident, the following information is visible to other Chipon Alert users:

  • Incident description (text)
  • Photos you upload
  • GPS coordinates (precise location)
  • Incident category and severity
  • Your name (or "Anonymous" if you choose)
  • Timestamp
  • Community verification count (confirms/disputes)

Your Home/Work Locations are Private — We do NOT share your home or work locations with other users.

Your Route Searches are Private — We do NOT share your route searches or search history with other users.

Your Community Reactions are Private — Your votes (confirm/dispute) on incidents are not attributed to you publicly.

5.2 Sharing with Service Providers (Processors)

We share personal data with the following third parties to operate the Service. These are data processors under contract with us:

Firebase Cloud Messaging (Google)

  • Data: Push notification tokens, notification delivery logs
  • Purpose: Deliver push alerts and proximity notifications
  • Privacy Policy: Google Privacy Policy

Google Maps

  • Data: Search locations, GPS coordinates (for reverse geocoding and map display)
  • Purpose: Provide map tiles, geocoding, and route visualization
  • Privacy Policy: Google Maps/Location Services Privacy

Amazon S3 (AWS)

  • Data: Incident photos you upload
  • Purpose: Cloud storage for image files
  • Privacy Policy: AWS Privacy Notice
  • Security: S3 buckets are private; URLs are not publicly shared

PostgreSQL + PostGIS (Database)

  • Data: All personal data (managed by us, hosted on AWS or managed Postgres provider)
  • Purpose: Application database
  • Hosting: Neon, Supabase, or AWS RDS (TBD)

Redis (Cache)

  • Data: Session tokens, cached queries, rate limiting data
  • Purpose: Performance optimization
  • Hosting: Upstash or AWS ElastiCache (TBD)

Multitexter (SMS Provider)

  • Data: Phone number, OTP code, delivery timestamp
  • Purpose: Send one-time passwords for authentication
  • Privacy Policy: Multitexter Privacy (or equivalent)

Resend (Email Service)

  • Data: Email address (if provided), email content
  • Purpose: Send account notifications and password resets
  • Privacy Policy: Resend Privacy

5.3 Data Processing Agreements

We have executed Data Processing Agreements (DPAs) with all third-party processors to ensure they:

  • Process data only on our instructions
  • Maintain appropriate security measures (ISO 27001 or equivalent)
  • Do not use data for their own purposes
  • Comply with NDPR and GDPR standards
  • Notify us of data breaches within 24 hours

We may disclose your personal data if:

  • Required by Law — Nigerian courts, NDPR authority, or law enforcement agencies issue a lawful request (subpoena, warrant, court order)
  • Prevent Harm — We have reasonable belief that disclosure is necessary to prevent imminent physical harm, death, or serious injury
  • Terms Violation — You violate the Terms of Service (e.g., reporting false incidents, harassment), and disclosure is necessary to enforce our rights
  • Public Health/Safety — A health or safety emergency that requires immediate disclosure (e.g., credible threat to public safety)

In all cases, we will:

  • Provide you with notice of the request (unless legally prohibited)
  • Limit disclosure to only what is legally required
  • Challenge overly broad or inappropriate requests

6. Data Storage and Security

6.1 Where Your Data is Stored

Primary Storage Location: Nigeria (through Tanta Innovative Limited subsidiary)

  • PostgreSQL + PostGIS database hosted in AWS Lagos region (or Neon/Supabase with Nigerian data residency)
  • Redis cache via Upstash (with data replication to Nigeria)

Incident Photos: Amazon S3 (AWS) in Lagos region Backups: Encrypted daily snapshots retained for 30 days

Exceptions (Third-Party Processing):

  • Google Maps API requests may be processed through Google's global infrastructure
  • Firebase Cloud Messaging tokens stored on Google's infrastructure (with no user-identifying data)
  • Multitexter OTP delivery logs retained by Multitexter per their retention policy

6.2 Data Residency & Cross-Border Transfers

NDPR Compliance:

  • Primary data residency is Nigeria (except for essential third-party processing)
  • Cross-border transfers to data processors (Google, AWS) are authorized under NDPR Article 44 (transfer to adequately protected recipients)

GDPR Compliance (for EEA residents):

  • Cross-border transfers to Nigeria/US are based on Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs) where applicable
  • You have the right to object to such transfers (see Section 7 below)

6.3 Security Measures

We implement industry-standard security controls:

Infrastructure Security

  • TLS/SSL Encryption — All data in transit encrypted with TLS 1.2+
  • Database Encryption — Data at rest encrypted using AES-256
  • Firewall & DDoS Protection — AWS WAF and rate limiting
  • API Authentication — OAuth 2.0 and JWT tokens with short expiration (1 hour)

Application Security

  • Input Validation — All user inputs sanitized to prevent injection attacks
  • Output Encoding — XSS protection on all dynamic content
  • SQL Parameterization — Prepared statements to prevent SQL injection
  • Password Hashing — Not applicable (OTP-only authentication)

Access Control

  • Role-Based Access Control (RBAC) — Engineering staff have limited database access
  • Audit Logging — All database queries logged; access reviewed monthly
  • Multi-Factor Authentication (MFA) — Required for admin access to systems
  • Principle of Least Privilege — Staff access limited to necessary data only

Monitoring & Incident Response

  • Security Monitoring — 24/7 log monitoring for suspicious activity
  • Vulnerability Scanning — Regular penetration testing and code security reviews
  • Incident Response Plan — Documented breach notification procedures (see Section 8)
  • Data Breach Insurance — Cyber liability insurance in place

6.4 Security Limitations

Despite our efforts, no security system is 100% impenetrable. We cannot guarantee absolute security. If you suspect unauthorized access, contact us immediately at privacy@chipon.io.

7. Your Rights

7.1 Rights Under NDPR (Nigeria)

As a data subject in Nigeria, you have the following rights under the NDPR:

Right of Access

You have the right to request a copy of your personal data that we hold. We will provide this within 14 business days (NDPR requirement is 30 calendar days, but we aim for faster response).

How to Request:

  • Send an email to privacy@chipon.io with subject "Data Access Request"
  • Include your phone number and full name
  • Provide proof of identity if not already on file

Right of Rectification

You have the right to correct or update inaccurate or incomplete data. You can modify your name, avatar, home location, and work location directly in the app under Settings > Profile.

For other data:

Right to Erasure ("Right to be Forgotten")

You have the right to request deletion of your personal data, subject to exceptions. We will delete:

  • Phone number and account credentials (after anonymizing historical data)
  • Avatar photo
  • Home/work locations
  • Search history

We will NOT delete:

  • Incident reports you submitted (these remain attributed to you but become anonymized)
  • Community reactions (to preserve incident verification history)
  • Legally required records (e.g., for fraud investigation)

To Request:

  • Send "Data Deletion Request" to privacy@chipon.io
  • Provide phone number and confirm you wish to delete the account
  • We will process within 14 business days
  • Account deletion is permanent and irreversible

Right to Restrict Processing

You have the right to restrict how we process your data. You can:

  • Disable proximity alerts (location processing stops immediately)
  • Turn off analytics and crash reporting in app settings
  • Opt out of non-critical notifications

To Restrict:

  • Use in-app settings under Notifications and Privacy
  • Or send "Restrict Processing" request to privacy@chipon.io

Right to Data Portability

You have the right to receive your personal data in a structured, machine-readable format and transmit it to another service.

We provide:

  • CSV export of your profile data (name, phone, locations, search history)
  • JSON export of your incident reports and reactions
  • All incident photos in a ZIP file

To Request:

  • Send "Data Portability Request" to privacy@chipon.io
  • We will provide within 14 business days

Right to Object

You have the right to object to processing of your personal data on grounds relating to your particular situation. This applies specifically to:

  • Analytics and usage tracking (you can disable in settings)
  • Proximity alerts (you can disable at any time)
  • Location-based personalization

Right to Lodge a Complaint

If you believe we have violated your rights under the NDPR, you have the right to lodge a complaint with:

Nigeria Data Protection Commission (NDPC)

You may also contact us first at privacy@chipon.io to resolve the matter.

7.2 Rights Under GDPR (EEA Residents)

If you are a resident of the EU, EEA, or United Kingdom, you have the following additional rights under the GDPR:

All NDPR Rights Apply (Above)

All rights in Section 7.1 apply with the same or stricter standards under GDPR.

You can withdraw consent to our processing of your data at any time. Withdrawal does not affect the lawfulness of processing before consent was withdrawn.

To Withdraw Consent:

  • Go to Settings > Privacy > Manage Consent in the app
  • Or send "Withdraw Consent" to privacy@chipon.io

Right to Automatic Decision-Making

You have the right NOT to be subject to automated decision-making (e.g., algorithmic profiling, automated safety scores). We currently do NOT use automated decision-making that produces legal or similarly significant effects.

Right to Rectification Timing

GDPR requires correction within 30 calendar days (we aim for 7 business days).

Data Portability Format Options

We provide your data in CSV, JSON, and PDF formats at your request.

Right to Lodge a Complaint with Supervisory Authority

If you are in:

8. Children's Privacy

Chipon Alert is not intended for children under 13 years old. We do not knowingly collect personal data from children under 13.

8.1 Age Requirement

By using the app, you confirm that you are at least 13 years old (or the age of digital consent in your jurisdiction, whichever is higher).

If you are between 13 and 18 years old, parental or guardian consent is recommended. We do not verify age; it is your responsibility to comply with your jurisdiction's laws.

8.3 If We Discover Unauthorized Child Use

If we become aware that a child under 13 has created an account:

  • We will delete the account and all associated data immediately
  • We will notify parents/guardians if contact information is available
  • We will not use the child's data for any purpose

Report Child Data:

  • Email privacy@chipon.io with subject "Child Account Report"
  • Include account phone number and any details

9. Data Retention

9.1 Account Data

Data Type Retention Period Reason
Phone number (hashed) Until account deletion + 30 days Anti-fraud, account recovery
Name & avatar Until account deletion User preference, identity
Home/work locations Until deleted by user or account closed User preference, personalization
Search history 90 days Optimize recommendations; auto-purge after 90 days

9.2 Incident Reports & Photos

Data Type Retention Period Reason
Incident text & photos Indefinitely until user deletion Community safety intelligence; historical record
Incident GPS coordinates Indefinitely Heatmap and neighborhood safety scoring
Timestamp & user attribution Indefinitely (author name retained, phone anonymous) Community trust & transparency
Community reactions (votes) Indefinitely Incident verification history

User Deletion Exception: If you delete your account, your incident reports remain published (but with anonymized attribution: "Anonymous User") to preserve community intelligence.

9.3 Technical & Transactional Data

Data Type Retention Period Reason
API logs & requests 30 days Security & debugging
Push notification logs 90 days Delivery tracking & compliance
OTP delivery logs (Multitexter) Per SMS provider policy (typically 30 days) Authentication audit trail
Crash reports & error logs 90 days Bug fixes & performance
Session tokens Until logout or 24 hours Security
Analytics data (aggregated) 1 year Trend analysis & optimization

9.4 Backup & Disaster Recovery

  • Daily encrypted backups retained for 30 days
  • Weekly backups retained for 90 days
  • Monthly backups retained for 1 year
  • Backups are stored securely and are NOT used for marketing or secondary purposes

We may retain data longer if:

  • Required by law or legal proceeding
  • Investigating Terms of Service violations
  • Defending against legal claims

10. Data Transfers and International Processing

10.1 Nigeria ↔ United States (Jyv Tech LLC)

Your data may be transferred from Nigeria to the United States for processing by Jyv Tech LLC (parent company). This is necessary for:

  • Centralized data backup and disaster recovery
  • Engineering support and bug fixes
  • Security monitoring and fraud detection
  • Legal compliance and audit

Legal Basis:

  • NDPR: Transfer to adequately protected recipient (Jyv Tech LLC maintains NDPR-compliant practices)
  • GDPR: Standard Contractual Clauses (SCCs) are in place for EU/EEA residents

10.2 Your Rights Regarding Cross-Border Transfers

You have the right to:

  • Object to transfers — Send "Object to Data Transfer" to privacy@chipon.io, and we will explore alternative storage locations
  • Understand transfer mechanisms — See the "Supplementary Measures" section below
  • Lodge complaints — With NDPC (Nigeria) or your national DPA (EU/EEA)

10.3 Supplementary Measures for GDPR Compliance

For EEA residents, we have implemented supplementary measures to address the "Schrems II" decision:

  • Data minimization — We limit transfers to necessary data only
  • Encryption in transit & at rest — TLS 1.2+ for transit; AES-256 for storage
  • Contractual safeguards — SCCs include data processing terms and adequate liability
  • Regular audits — Annual security and compliance audits
  • Sub-processor lists — Available on request

11. Changes to This Privacy Policy

We may update this Privacy Policy at any time to reflect:

  • Changes in our data practices
  • New regulations or legal requirements
  • Technical improvements or security enhancements
  • Feedback from users or authorities

11.1 How We Notify You

Changes with significant impact (e.g., new data sharing, retention changes):

  • In-app notification — Alert displayed when you next log in
  • Email notification — If email on file, we will email you
  • 30-day advance notice — Changes take effect 30 days after notification
  • Your choice: If you disagree, you may delete your account

Minor updates (e.g., contact email, formatting):

  • Updated policy is effective immediately
  • "Last Updated" date will be revised at the top of this document

11.2 Continued Use = Acceptance

Your continued use of Chipon Alert after changes are posted constitutes acceptance of the updated Privacy Policy. If you do not accept changes, please delete your account.

12. Contact Information

12.1 Data Protection Officer (DPO) & Privacy Inquiries

For all privacy, data protection, and legal requests:

Email: privacy@chipon.io Mailing Address: Jyv Tech LLC Legal & Privacy Team 1301 N Broadway STE 32286, Los Angeles, CA 90012, United States

Response Time:

  • General inquiries: 5-7 business days
  • Data access/deletion requests: 14 business days (per NDPR requirement)
  • Urgent/security issues: 24 hours

12.2 Tanta Innovative Limited (Nigeria Subsidiary)

For Nigeria-specific inquiries:

Email: admin@tantainnovatives.com Address: 25 Segun Gbelee Street, Ikeja, Lagos, Nigeria CAC RC Number: RC 1475301

Regulatory Authority:

Nigeria Data Protection Commission (NDPC)

12.3 Feedback & Suggestions

We welcome your feedback on our privacy practices:

  • Email: team@chipon.io
  • In-app feedback form: Settings > Help > Send Feedback

13. Definitions

Personal Data — Any information relating to an identified or identifiable individual.

Processing — Any operation performed on personal data (collection, storage, use, disclosure, deletion, etc.).

Data Controller — The entity determining the purposes and means of processing (Jyv Tech LLC / Tanta Innovative Limited).

Data Processor — The entity processing data on behalf of the controller (e.g., Firebase, Google Maps, AWS).

Data Subject — The individual to whom personal data relates (you).

Consent — Your freely given, specific, informed, and unambiguous agreement to processing.

Legitimate Interest — Our interest in processing that is balanced against your privacy rights.

Data Breach — Unauthorized access, disclosure, or loss of personal data.

NDPR — Nigeria Data Protection Regulation (effective from January 15, 2019).

GDPR — General Data Protection Regulation (effective from May 25, 2018; applies to EU/EEA residents).

14. Acknowledgment

By using Chipon Alert, you acknowledge that you have read and understood this Privacy Policy and agree to our collection, use, and processing of your personal data as described herein.

Last Review Date: March 29, 2026
Policy Version: 1.0

© 2026 Jyv Tech LLC. All rights reserved.

Chipon Alert — Know Before You Go.

Chipon Compliance

Jyv Tech, LLC · Tanta Innovative Limited (RC 1475301) · team@chipon.io