Privacy Policy
Last updated: March 2026
1. Introduction
EverSafe Pro is operated by Ian Leitch, trading as EverSafe Pro, based in New Zealand. We take the privacy of the people who use our service — and especially the sensitive medical information of the people in their care — extremely seriously.
This Privacy Policy explains what personal information we collect, why we collect it, how we use and store it, who we share it with, and what rights you have in relation to your data.
EverSafe Pro operates across six markets and complies with the following applicable privacy laws:
- New Zealand: Privacy Act 2020 and Information Privacy Principles
- Australia: Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs)
- United Kingdom: UK GDPR and the Data Protection Act 2018
- Ireland: GDPR (EU) 2016/679 as applied in Ireland and the Data Protection Act 2018 (Ireland)
- United States: No single federal privacy law applies; state-level laws including the California Consumer Privacy Act (CCPA) may apply depending on your state of residence
- Canada: Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial legislation
Where the requirements of these laws differ, we apply the most protective standard across our whole service.
2. Information We Collect
Account holder information
- Full name and email address
- Billing address and payment method details (handled by Stripe — see section 5)
- Phone number (if provided)
- Relationship to the primary user (e.g. daughter, son)
Primary user information (the person protected by the Service)
- Full name, date of birth, gender, and photograph
- Blood type, organ donor status, and languages spoken
- Home address
- Medical history including diagnoses, past surgeries, implanted devices, allergies, critical conditions, and current medications
- Do Not Resuscitate (DNR) status and advance care directive information, where provided
- Emergency contacts and their relationship to the primary user
- GP, specialist, and other healthcare provider contact details
Family member information
- Name and email address of invited family members
- Messages, photos, and events posted to the family noticeboard
- Access level and permissions set by the account holder
Usage and technical information
- QR code scan events — timestamp, approximate geographic region (if available), and device type
- Account login activity and session data
- Credit usage and billing transaction history
- Device information for the tablet (device ID, session token)
3. How We Use Your Information
We use the information we collect solely for the purposes of providing the Service:
- Producing and delivering personalised ICE cards and keyring tags to the address provided
- Displaying emergency information on the primary user's ICE Page when it is accessed via QR code
- Providing account management features via the Admin Portal
- Delivering family noticeboard content, photo frame content, and event notifications to the tablet
- Sending service notifications including ICE review reminders, renewal notices, and account alerts
- Processing payments and managing billing via Stripe
- Delivering ScamWatch alerts to the primary user's tablet
- Responding to support requests submitted by the Subscriber or family members
- Complying with applicable legal obligations
We do not use your information for advertising, profiling, or data brokering. We do not sell personal information to any third party. We do not use medical information for any purpose other than delivering the Service as described above.
4. Public Accessibility of ICE Pages
The ICE Page associated with each primary user is intentionally designed to be publicly accessible: anyone with an internet connection who scans the QR code can view it, without requiring a login, account, or application.
This is a fundamental design decision. Emergency responders — including paramedics, police, and hospital staff — must be able to access critical medical information immediately, without any barrier. Requiring login or a specific app would defeat the purpose of the Service.
By completing setup and approving the ICE Page, the Subscriber acknowledges and agrees that the information displayed on the ICE Page is publicly accessible to anyone who scans the QR code. Subscribers should only include information on the ICE Page that they are comfortable being visible in this way. We recommend limiting the ICE Page to medically critical information and emergency contacts only.
EverSafe Pro does not index ICE Pages with search engines and does not publicly advertise or distribute ICE Page URLs. Access is by QR code only.
5. Sharing of Information
We share personal information only with the following third-party service providers who are necessary to deliver the Service. Each provider is bound by a data processing agreement and may only process data on our instruction:
- Supabase — database hosting and user authentication. Primary data store for all account and primary user information. Hosted on AWS infrastructure.
- Vercel — web application hosting for the Admin Portal, family member portal, and ICE Page service. Infrastructure hosted in data centres internationally.
- Stripe — payment processing. Stripe stores and processes all payment card information. EverSafe Pro does not receive or store raw card numbers. Stripe is PCI DSS Level 1 certified.
- Resend — transactional email delivery. Used to send account notifications, ICE review reminders, renewal notices, and invite emails.
- Twilio — SMS and voice services used for certain alert and notification features.
We do not share personal information with any other third party except where required by law — for example, in response to a valid court order or where disclosure is necessary to protect the safety of a person.
6. Data Retention
We retain your personal information for as long as your subscription is active. After your subscription lapses or your account is closed:
- All account data, primary user medical information, family connections, and noticeboard content are retained for 90 days and then permanently deleted. This window exists to allow reactivation without loss of data.
- Consent records (records of your agreement to these Terms and the Privacy Policy at the time of signup) and payment transaction records are retained for 7 years in accordance with financial record-keeping obligations under New Zealand law and applicable international standards.
- QR scan event logs are retained for the duration of the active subscription and deleted with the account data.
If you request deletion of your data before the 90-day period has elapsed, we will delete it within 30 days of the request, except where retention is legally required.
7. Data Security
We protect your information using the following measures:
- All data is encrypted in transit using TLS (Transport Layer Security) and encrypted at rest in the Supabase database
- Access to the database is restricted to authenticated service connections using role-based access control
- Family member access to primary user information is governed by permissions set by the account holder and enforced at the database level (Row Level Security)
- Passwords are hashed using industry-standard algorithms and are never stored in plain text
- Administrative access to production systems is restricted to authorised personnel only
No security system is perfect. While we take significant precautions, we cannot guarantee absolute security. In the event of a data breach that is likely to cause serious harm, we will notify affected individuals and relevant authorities as required by applicable law.
8. Medical Information
EverSafe Pro handles medical information with particular care. Medical information is classified as sensitive personal data under most privacy laws and carries the highest level of protection we provide.
Medical information is:
- Used only to display the ICE Page and produce physical ICE cards
- Never used for research, advertising, analytics, or any purpose beyond service delivery
- Never shared with healthcare providers, insurance companies, or government agencies except where required by law
- Deleted permanently within 90 days of account closure or deletion request
By entering medical information into EverSafe Pro, the Subscriber confirms they have the informed consent of the primary user or the legal authority to act on their behalf.
9. Your Rights
Depending on your jurisdiction, you have the following rights in relation to your personal information:
- Access: Request a copy of the personal information we hold about you
- Correction: Request correction of inaccurate or incomplete information (you can also update most information directly in the Admin Portal)
- Deletion: Request deletion of your account and associated data
- Portability: Request a copy of your data in a structured, machine-readable format
- Restriction: Request that we limit the processing of your data in certain circumstances
- Objection: Object to certain processing activities
- Withdraw consent: Where processing is based on your consent, you may withdraw that consent at any time
To exercise any of these rights, email hello@eversafe.pro with your request. We will respond within 30 days. We may ask you to verify your identity before processing your request.
If you are based in the UK, EU, or Ireland and are not satisfied with our response, you have the right to lodge a complaint with your national data protection authority (e.g. the ICO in the UK, the Data Protection Commission in Ireland, or your EU member state's supervisory authority).
10. Cookies
The EverSafe Pro marketing website (eversafe.pro) uses no tracking cookies, no advertising cookies, and no third-party analytics scripts. We do not use Google Analytics or any similar tracking tool on the marketing site.
The Admin Portal and family member portal use session cookies that are strictly necessary for authentication. These cookies are set only when you log in and are deleted when you log out or your session expires. No analytics or advertising cookies are set on any EverSafe Pro domain.
11. Children's Privacy
The EverSafe Pro Service is not directed at children under the age of 18 and we do not knowingly collect personal information from children. The account holder must be at least 18 years of age.
Family members who are invited to the noticeboard by the account holder may be any age, but account access (login) is only available to persons aged 18 or over.
If you believe we have inadvertently collected personal information from a person under 18 without appropriate consent, please contact us at hello@eversafe.pro and we will delete the information promptly.
12. International Data Transfers
EverSafe Pro serves customers in New Zealand, Australia, the United Kingdom, Ireland, the United States, and Canada. The infrastructure and third-party services we use may store and process data in countries other than your own, including the United States and the European Union.
Where we transfer personal data internationally, we ensure appropriate safeguards are in place:
- For transfers from the UK and EU/EEA: Standard Contractual Clauses (SCCs) approved by the European Commission or the UK ICO, or transfers to countries with an adequacy decision
- For transfers from Australia: compliance with Australian Privacy Principle 8 regarding cross-border disclosure
- For transfers from New Zealand: compliance with Information Privacy Principle 12 regarding trans-border data flows
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Services we offer, or applicable law. Material changes will be communicated by email at least 30 days before they take effect.
The date at the top of this page reflects the most recent revision. We encourage you to review this policy periodically. Continued use of the Service after the effective date of an updated policy constitutes acceptance of that update.
14. Contact
For any privacy-related enquiry, to exercise your rights, or to report a concern, please contact:
EverSafe Pro
Email: hello@eversafe.pro
We aim to respond to all privacy enquiries within 5 business days.