Privacy Policy

This Privacy Policy describes how Nova Citizen ("we," "us," "Nova Citizen," or the "App") collects, uses, shares, and protects information when you use our mobile application, website, and related services (collectively, the "Services"). If you do not agree, please do not use the Services.

---

1. Who We Are

Nova Citizen is a public safety platform that connects residents of Metro Manila and surrounding cities with real-time incident alerts, crowdsourced safety reports, news articles, and official government advisories.

• Data Controller: Nova Citizen
• Contact: [email protected]
• Address: Makati City, Metro Manila, Philippines

For data privacy concerns, you may also contact our Data Protection Officer at [email protected].

---

2. Information We Collect

2.1 Information You Provide

• Account information — name, username, email address, password (hashed), profile photo, optional bio.
• Authentication tokens — generated when you sign in with Google or Apple. We do not see or store your Google or Apple password.
• Incident reports — title, description, category, priority level, timestamp, location coordinates, attached photos or videos.
• Comments and reactions — text content, attached media, the incidents you react to or follow.
• Safety network contacts — names, phone numbers, or email addresses of people you choose to add as emergency contacts.
• SOS sessions — start/end time, location coordinates, check-in messages.
• Support communications — content of emails or messages you send us.

2.2 Information We Collect Automatically

• Location data — when you grant location permission, we collect your device's GPS coordinates to (a) attach to reports you submit, (b) filter the feed and map to incidents near you, and (c) compute distance labels. Location is collected only while the app is in use unless you explicitly enable background tracking for an SOS session.
• Device information — device model, OS version, language, time zone, app version, push notification token.
• Usage data — features you use, screens you visit, search queries, items you view, view counts, reactions, errors and crash logs.
• IP address — collected by our servers and rate-limiting infrastructure to prevent abuse.
• Referral codes — if you signed up via an invitation link, we record the inviting user's referral code for attribution.

2.3 Information from Third Parties

• News articles and official advisories harvested from public RSS feeds of Philippine news organizations (Rappler, Inquirer, ABS-CBN, GMA) and government agencies (NDRRMC, PNP, DOH, MMDA). These contain no personal information about you.
• Authentication providers (Google, Apple) — name, email, and profile picture associated with your account, as you authorize during sign-in.

2.4 Data We Do Not Collect

• We do not collect your contacts list, photos library, or microphone audio unless you explicitly attach a photo or video to a report.
• We do not collect financial or payment information; the Services are free.
• We do not knowingly collect data from children under 13.

---

3. How We Use Your Information

We use the information we collect to:

• Operate the Services — render your feed, map, and alerts; deliver real-time updates; authenticate you; send push notifications.
• Improve safety outcomes — rank incidents by relevance using recency, proximity, content type, and engagement; surface critical alerts in your area.
• Maintain trust and integrity — compute reporter trust scores based on report quality and community confirmations; detect spam, abuse, or false reports.
• Communicate with you — send safety alerts, account notifications, and respond to support inquiries.
• Power features you opt into — Safety Network notifications, SOS sessions, daily challenges, level progression, friend invitations.
• Analyze and improve — diagnose crashes, measure feature usage, plan improvements. We minimize the personal data in analytics where possible.
• Comply with legal obligations — respond to lawful requests from authorities, enforce our Terms of Service, protect against fraud.

---

4. Legal Basis for Processing (Data Privacy Act of 2012)

Under Republic Act No. 10173, we process your personal information on the following bases:

• Your consent — when you create an account, grant location permission, or submit a report.
• Necessity for the performance of a contract — to deliver the Services you have requested.
• Necessity for our legitimate interests — to ensure safety, prevent abuse, and improve the platform, except where overridden by your fundamental rights.
• Compliance with a legal obligation — to respond to lawful government or court requests.
• Protection of vital interests — during an SOS event where contacting emergency services or your safety network may be necessary.

---

5. How We Share Your Information

5.1 Visible to Other Users

Incident reports you submit are shown to other users in the feed and on the map. Your name or username, the report's location, photos, and content are visible. Comments and reactions you make are visible to other users. Your username, display name, avatar, reporter level, and trust score (unless hidden in Privacy Settings) are visible on your public profile.

You can control some of this visibility in Settings → Privacy Settings: hide your activity history, report count, or trust score.

5.2 Service Providers

We share data with the following processors, who act on our behalf:

• Supabase (database hosting, real-time, storage, authentication)
• Mapbox (map tiles and static images)
• Apple Push Notification service and Firebase Cloud Messaging (push delivery)
• Cloud hosting providers for our API servers and harvester workers
• Crash reporting and analytics providers as we adopt them

We require all processors to safeguard your information consistent with this Policy and applicable law.

5.3 Public Authorities and Law Enforcement

We may disclose information when we have a good-faith belief that disclosure is required by Philippine law, court order, or to protect the rights, property, or safety of Nova Citizen, our users, or the public — for example, in response to a verified subpoena or in cases of imminent harm.

5.4 Business Transfers

If Nova Citizen is involved in a merger, acquisition, or asset sale, your information may be transferred. We will notify you before your information becomes subject to a different privacy policy.

5.5 With Your Consent

We may share information for any other purpose with your explicit consent.

---

6. Data Retention

• Account data is retained for as long as your account is active.
• Incident reports remain visible until you or a moderator removes them, or until they are archived after their useful lifespan.
• Location coordinates attached to reports are retained as part of the report record.
• Logs and analytics are retained for up to 12 months for operational and security purposes.
• Trust score history is retained even when hidden from your public profile, since it informs moderation decisions.
• Deleted accounts — when you delete your account, your personal profile data, comments, and unresolved reports are removed within 30 days. Aggregated, anonymized data (counts, heatmap cells) may be retained.

---

7. Your Rights Under the Data Privacy Act

You have the right to:

• Be informed about how your data is processed.
• Object to the processing of your data.
• Access the personal information we hold about you.
• Rectify inaccurate or incomplete information.
• Erase or block your data when it is no longer necessary, withdrawn, or unlawfully processed.
• Damages — claim compensation for inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of personal information.
• Data portability — receive a copy of your data in a structured, commonly used, electronic format.
• File a complaint with the National Privacy Commission (privacy.gov.ph).

To exercise any of these rights, email [email protected] from the address tied to your account. We will respond within 30 days.

---

8. Location Data Specifically

Location is the most sensitive category of data we collect. We are specific about it:

• Foreground only by default. We only access location while the app is open, unless you explicitly start an SOS session that requires background tracking.
• You control permission. You can revoke location permission at any time in your device settings. The feed will fall back to a nationwide view.
• Precision. We use the precision provided by your device. For map rendering and feed ranking, this may be exact coordinates. For background SOS check-ins, we may downsample precision for battery and bandwidth reasons.
• Realtime broadcasts. When you submit a report, its location is published to authenticated subscribers of the unified realtime feed so they can be alerted to nearby incidents. The realtime channel requires authentication and is gated by row-level security policies.

---

9. Photos, Videos, and Media

When you attach a photo or video to a report or comment, it is uploaded to our storage provider (Supabase Storage) and made viewable to other authenticated users.

We strip standard EXIF metadata (including GPS coordinates embedded in the file itself) before serving the media. The reported location attached to the incident is the location you submit, not the location embedded in the photo.

Media is served from a public URL once uploaded. Do not upload content you do not have the right to share.

---

10. Cookies and Similar Technologies (Web)

If you use the Nova Citizen web experience, we use:

• Strictly necessary cookies for authentication and session management.
• Local storage for filter preferences and unread alert counts.

We do not use third-party advertising cookies or trackers. We do not participate in cross-site advertising networks.

---

11. Security

We take reasonable and appropriate measures to protect your information:

• All API traffic is encrypted in transit (HTTPS / TLS 1.2+).
• Passwords (where used) are hashed with industry-standard algorithms.
• Authentication tokens are stored in secure platform-provided keychains (iOS Keychain, Android Keystore).
• Database access is restricted to authorized service accounts and protected by row-level security policies.
• We log access for incident response.
• We follow the principle of least privilege for internal access to user data.

No system is perfectly secure. If we become aware of a breach affecting your personal information, we will notify you and the National Privacy Commission as required under the Data Privacy Act.

---

12. Children

Nova Citizen is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, contact us at [email protected] and we will delete the data promptly.

Users between 13 and 18 should review this Policy with a parent or guardian and obtain consent before using the Services.

---

13. International Transfers

Our service providers may store or process data outside the Philippines (for example, in Singapore, the United States, or the European Union). We rely on contractual safeguards with these providers consistent with the Data Privacy Act's cross-border transfer requirements.

---

14. Daily Challenges, XP, and Referrals

Our gamification features (daily quests, XP, level progression, streaks, invite friends) process:

• Your action history (reports submitted, alerts viewed, map opens, invites sent)
• Your level, total XP, current streak
• Referral codes embedded in invite links you share

This data is stored locally on your device and synced to your account. Referrers are credited only after the invited user successfully creates an account.

---

15. Changes to This Policy

We may update this Policy from time to time. If we make material changes, we will:

• Update the "Last updated" date at the top.
• Notify you in-app or by email at least 7 days before the change takes effect.
• Provide a summary of the changes.

Continued use after a change takes effect constitutes acceptance of the updated Policy. If you do not agree, you may delete your account.

---

16. Contact Us

• General privacy questions: [email protected]
• Data Protection Officer: [email protected]
• Bug reports and abuse: [email protected]
• Mailing address: Nova Citizen, Makati City, Metro Manila, Philippines
• Regulator: National Privacy Commission, 5th Floor, Delegation Building, PICC Complex, Vicente Sotto St., Pasay City — privacy.gov.ph — [email protected]

---