SCOUT · D3 Secure
Privacy Policy
Effective Date:
21 MAY 2026
Last Updated:
21 MAY 2026
1. Introduction
SCOUT is a personal-safety travel intelligence product owned and operated by D3 Secure LLC, a Tennessee limited liability company" ("D3 Secure," "we," "us," "our"). SCOUT helps travelers make informed decisions through personalized threat reports, location-aware proximity alerts, and curated situational awareness data.
This Privacy Policy explains what personal data we collect when you use SCOUT – including the SCOUT mobile application (available on the Apple App Store and Google Play) and the SCOUT Map web application at scout-safe.com – how we use it, who we share it with, and the rights you have over it.
Two commitments we make at the outset:
- We never sell your personal data. Not to advertisers, not to data brokers, not to anyone. There is no business model in which selling user data plays any part.
- We collect only what we need. Every category of data described below is tied to a specific feature you've asked us to provide, or to keeping SCOUT secure and reliable. We don't collect data "just in case it's useful later."
By using SCOUT, you agree to the practices described in this policy. If you don't agree, please don't use the products.
2. Who This Policy Applies To
This policy applies to anyone who:
- Downloads or uses the SCOUT mobile app
- Visits or signs in to the SCOUT Map web application
- Visits the scout-safe.com marketing website
- Purchases a SCOUT subscription through our website, the Apple App Store, or Google Play
- Otherwise interacts with D3 Secure in connection with the SCOUT product
This policy does not apply to third-party services we link to from within the apps (your mobile operating system, the app stores themselves, or external websites). Those services have their own privacy policies, which we encourage you to review.
3. The Data We Collect
We organize this by what the data is for, because that's the most useful way to evaluate whether you're comfortable with the collection.
3.1 Account & Authentication Data
To create and maintain your SCOUT account:
- Email address (required) – used as your sign-in identifier and to send verification + account-related emails.
- Password – stored by Firebase Authentication (a Google service) in hashed/encrypted form. We never see your plaintext password and never store it ourselves.
- Display name (optional, can be changed any time)
- Email-verification status – whether you've confirmed your email address by clicking the verification link.
- Account creation date – used for account management and to calculate your initial free-access period.
3.2 Subscription & Billing Data
To process subscriptions and grant access to paid features:
- Subscription plan and status – which plan you're on (Monthly, Annual, One-Trip), when it was purchased, when it expires, and how many Threat Reports you've used.
- Purchase channel – whether you subscribed via our website, the Apple App Store, or Google Play.
- Receipt / transaction identifiers received from the app stores or our payment processor.
What we don't collect: We do not store your credit card number, bank account number, or other full payment instrument details. Payments are processed by Stripe (web purchases via RevenueCat Web Billing), Apple (iOS in-app purchases), and Google (Android in-app purchases). Each of those processors has its own privacy policy and PCI-DSS compliance posture.
3.3 Location Data
To deliver SCOUT's core "Beacon" and "Proximity Alerts" features:
- Device location (latitude, longitude, accuracy,
altitude, speed, timestamp) – collected only while you have Beacon
enabled. You choose the Beacon mode in Settings:
- Off – no location collected.
- Low – periodic location updates, low battery impact.
- Balanced (default) – uses your device's significant-location-change APIs.
- High – frequent updates for active-travel scenarios.
- Background location – only collected if you've granted background-location permission and Beacon is set to Balanced or High. We never collect background location with Beacon Off.
You can change your Beacon mode or revoke location permission at any time from within the app (Settings → Beacon) or your device's system settings. Disabling Beacon stops new location collection immediately.
We use your location to:
- Show your position on the map relative to nearby threat zones.
- Send proximity alerts if you enter a zone you've subscribed to alerts for.
- Anchor a Threat Report request to a specific area of interest.
We do not use your location to:
- Build a long-term movement history beyond what's necessary for the alert features.
- Share your location with other users (a future "Tour Group" feature would do this only within an explicit, opt-in group you control – that feature is not yet live).
- Sell or share your location with advertisers or data brokers (see §5).
3.4 Personalization Profile (Optional)
If you opt in to personalization (Settings → Personalization), SCOUT can tailor Threat Reports and alerts more precisely to your profile. The fields are:
- General appearance descriptors (e.g., ancestral-region tone, hair colour including coverings such as hijab/turban/wig) – used to estimate visibility and culturally relevant safety considerations for a destination.
- Travel context (age range, languages spoken, mobility needs) – used to weight risk factors.
Personalization is entirely opt-in and off by default. When off, Threat Reports use generic regional baselines. The personalization fields are stored in your account and used only by the Threat Report generator and the alert tuner. They are never shared with anyone outside D3 Secure.
You can clear your personalization data at any time from Settings → Personalization → Clear All. You can also choose not to provide any of these fields – they are all optional.
3.5 Push Notification Tokens
If you allow notifications, your device provides us a Firebase Cloud Messaging (FCM) token – an opaque identifier that lets us send push notifications to your specific device. We store one token per device per account. Revoking notification permission at the operating-system level stops new notifications immediately.
3.6 User-Generated Content
- Threat Reports you request – including the geographic area you selected and (if personalization is on) a snapshot of the profile data used to generate the report. Reports are stored under your account so you can view and re-download them.
- Itineraries (future feature) – trip plans you create or import. Stored only in your account.
3.7 Technical & Usage Data
To keep SCOUT secure, debug problems, and improve the product:
- Device information – model, OS version, app version, screen size, language/locale. Used for compatibility checks and to investigate bug reports.
- IP address – captured in server access logs. Used for security (rate limiting, anomaly detection) and to detect the country of origin for tax/locale purposes. IP addresses are not used to build cross-app browsing profiles.
- API request logs – endpoint accessed, response code, timestamp, anonymized request ID. Retained for 30 days to support security investigations and debugging.
- Crash reports – if SCOUT crashes, we may receive a stack trace through Firebase Crashlytics. Crash reports may include device state but do not include your location, personalization profile, or threat report content.
3.8 Cookies & Similar Technologies (Web Only)
The SCOUT Map web application at scout-safe.com uses:
- Strictly necessary cookies – session cookie for keeping you signed in (set after successful Firebase Auth exchange); CSRF protection; cookie-consent record. These cannot be disabled without breaking sign-in.
- Functional cookies – your display preferences (theme, units, last viewed location).
- No advertising cookies, no third-party tracking pixels, no cross-site analytics tags.
The mobile app does not use web cookies. Both platforms may use device-local storage (SQLite, SharedPreferences, Keychain/Keystore) for offline cache and credential safekeeping – none of which is transmitted anywhere except in the API calls described elsewhere in this policy.
4. How We Use Your Data
For each category of data above, the corresponding uses are:
| What | Why |
|---|---|
| Account & authentication data | Sign you in; verify your email; let you recover your password; send account-related transactional emails. |
| Subscription & billing data | Grant access to paid features; enforce quotas; send receipts; resolve billing support tickets. |
| Location data | Show your position on the map; deliver proximity alerts; anchor Threat Report requests. |
| Personalization profile | Tailor Threat Reports and alerts (only if you opted in). |
| Push notification tokens | Deliver alerts to the correct device. |
| User-generated content | Show you your own reports; allow re-download. |
| Technical & usage data | Investigate bugs; secure the service; comply with our legal obligations. |
We do not use any of this data for:
- Advertising or behavioural retargeting (we run no ads in either app).
- Sale to data brokers.
- Inferring sensitive characteristics (medical conditions, sexual orientation, political views, etc.) – none of these are part of the personalization profile.
- Cross-app or cross-device tracking outside SCOUT.
5. How We Share Your Data
We share personal data only with the parties listed below, only for the purposes listed, and only the minimum necessary fields. We never sell personal data.
5.1 Service Providers (Sub-Processors)
These are vendors who process data on our behalf under contract. Each is bound to handle your data only for the purpose we hire them for.
| Provider | Purpose | Data shared |
|---|---|---|
| Google (Firebase Authentication) | Account credentials, password storage, email verification, ID-token verification | Email, password (hashed by Firebase), display name, verification status |
| Google Cloud (Firestore, Cloud Run, Cloud SQL, Cloud Logging, Secret Manager, Artifact Registry) | Hosting, database, secret management | Substantially all account, subscription, location, and usage data |
| Google (Firebase Cloud Messaging) | Push notification delivery | FCM token, notification payload |
| RevenueCat | Cross-platform subscription management | App User ID (your Firebase UID), purchase events, subscription state |
| Stripe (via RevenueCat Web Billing) | Web payment processing | Payment-method details (collected by Stripe, never seen by D3 Secure), email, billing country |
| Apple App Store / Google Play | In-app purchase processing on their platforms | Per the app stores' own privacy practices |
| Anthropic | Server-side language-model classification of news and threat data (no user-content classification) | Public news article text and metadata – not your personal data |
| News providers (NewsAPI, GDELT, others) | Public news ingestion | None of your personal data |
| Firebase Crashlytics | Troubleshooting and root cause analyses | User ID, device state |
Each provider's privacy practices are governed by their own published policies. We periodically review our sub-processor list and update this policy when material changes occur.
5.2 Legal & Safety Disclosures
We may disclose personal data without your consent if we believe in good faith that disclosure is necessary to:
- Comply with a valid legal process (subpoena, court order, lawful government request).
- Enforce our Terms of Service or investigate violations.
- Protect the rights, property, or safety of D3 Secure, our users, or the public.
When we receive a legal request, we evaluate it carefully and push back on overbroad demands. Where law permits, we will notify you of a request affecting your data before responding.
5.3 Business Transfers
If D3 Secure is acquired, merged, or otherwise reorganized, your personal data may transfer to the acquiring entity. We will notify you (by email and/or a prominent notice in the app) before any such transfer becomes effective and explain any change in privacy practices.
5.4 Aggregated or De-Identified Data
We may publish or share aggregated or de-identified statistics (e.g., "X% of SCOUT users enable background-location Beacon mode") that cannot reasonably be linked back to you. This is not personal data.
6. Data Security
We design SCOUT around defense-in-depth security controls. Specifically:
- Encryption in transit – all communication between your device and SCOUT servers is over HTTPS (TLS 1.2 or higher). API requests are authenticated with Firebase ID tokens; webhook callbacks from payment processors are authenticated with shared secrets stored in Google Secret Manager.
- Encryption at rest – your data is stored on encrypted Google Cloud Platform infrastructure (Cloud SQL, Firestore). Secrets used by our backend are stored in Google Secret Manager with audited access.
- Least-privilege access – only the D3 Secure engineers who need access to a given dataset can reach it. Access is logged and reviewed.
- Audit trail – every administrative action (account provisioning, manual subscription grants, configuration changes) is recorded in an immutable audit log for after-the-fact review.
- Vulnerability management – we monitor our dependencies for known security vulnerabilities and patch promptly. Our codebase is scanned for secrets and common security flaws in continuous integration.
D3 Secure designs its controls to align with SOC 2 principles around security, availability, and confidentiality.
No system is perfectly secure. Despite our controls, no internet-connected service can guarantee absolute security against every threat. If we ever experience a security breach affecting your personal data, we will notify you and the relevant authorities as required by applicable law, without undue delay.
7. Data Retention
We keep personal data only as long as we need it for the purposes described in this policy:
| Data | Retention |
|---|---|
| Account data (email, password hash, display name) | For the lifetime of your account, then 30 days after account deletion for cooling-off and legal-hold review, then permanently removed |
| Subscription & billing records | For the period required by applicable tax and accounting law (typically 7 years in the US), then removed |
| Beacon location history | 90 days – older entries are automatically purged |
| Threat Reports | For the lifetime of your account, unless you delete them sooner |
| API request logs / access logs | 30 days |
| Crash reports | Firebase Crashlytics |
When you delete your account, we delete all personal data not required by law to retain. Backups containing your data are overwritten in the ordinary course (typically within 30 days).
8. Your Rights
Depending on where you live, you may have specific rights over your personal data. We honor the following rights for all users, regardless of location:
- Access – you can request a copy of the personal data we hold about you.
- Correction – you can update profile data directly in the app (Settings), or request correction of any other field.
- Deletion – you can delete your account from Settings → Account → Delete Account, which initiates deletion of your personal data as described in §7.
- Portability – you can request your personal data in a machine-readable format (we'll provide JSON).
- Withdrawal of consent – for processing based on consent (such as personalization or background location), you can withdraw consent at any time. This will not affect the lawfulness of processing before withdrawal.
- Objection – you can object to processing based on our legitimate interests; we will weigh your objection against the interest and respond.
To exercise any of these rights, contact us at the address in §12. We will respond within the timeframe required by applicable law (typically 30 days; up to 90 days for complex requests with notice to you).
8.1 California Residents (CCPA / CPRA)
If you are a California resident, you have specific rights under the California Consumer Privacy Act and California Privacy Rights Act, including:
- The right to know what personal information we collect, use, and disclose.
- The right to delete personal information.
- The right to correct inaccurate personal information.
- The right to opt out of "sale" or "sharing" of personal information – we do neither, so there is nothing to opt out of, but this disclosure is required.
- The right to limit the use of sensitive personal information.
- The right not to be discriminated against for exercising any of these rights.
To exercise these rights, contact us at the address in §12. We will not require you to create an account to make a request. While neither D3 Secure nor SCOUT will ever sell or share your personal information, feel free to email privacy@scout-safe.com if ever you wish to communicate, in accordance with CCPA/CPRA practices, any concerns you might have regarding this policy or your personal information.
8.2 EU/EEA, UK, and Swiss Residents (GDPR / UK GDPR)
If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the rights described above plus:
- The right to lodge a complaint with a supervisory authority in your country.
- The right to know the legal basis on which we process your data (consent for personalization and background location; contract for paid features; legitimate interest for security and product improvement; legal obligation for tax records).
Data transfers outside the EEA/UK – our infrastructure runs primarily in the United States (Google Cloud's us-central1 region). Where we transfer personal data of EEA/UK residents to the US, we rely on the European Commission's Standard Contractual Clauses and the EU-US Data Privacy Framework where applicable.
8.3 Other Jurisdictions
We aim to honor analogous rights in other jurisdictions to the extent applicable law requires. If you live in a jurisdiction with specific privacy rights not described above, please contact us and we will work with you.
9. Children's Privacy
SCOUT is not intended for and should not be used by children under the age of 18 and only in the U.S. with parental consent and in accordance with US COPPA may children 13 and older use SCOUT. We do not knowingly collect personal data from children below these ages. If you believe we have inadvertently collected such data, please contact us and we will delete it.
10. Marketing Communications
We may send you email about:
- Transactional matters – account verification, subscription receipts, security alerts, important changes to the service. You cannot opt out of these because they are essential to your use of SCOUT.
- Product updates and tips (optional) – only if you've opted in. Every marketing email includes an unsubscribe link.
We will not share your email address with third parties for their marketing purposes.
11. Changes to This Policy
If we make material changes to this policy, we will notify you by email and post a prominent notice in the apps and on scout-safe.com at least 30 days before the change takes effect. The "Last Updated" date at the top of this document reflects the most recent revision. Minor non-material changes (e.g., grammar, additional clarification) may be made without notice.
Your continued use of SCOUT after a policy change becomes effective constitutes acceptance of the revised policy. If you do not agree with the changes, you may delete your account before the effective date.
12. Contact Us
For privacy questions, data-rights requests, or to report a privacy concern:
- Email: privacy@scout-safe.com
- Postal: 501 Union Street - Suite 545 - Nashville, Tennessee USA
For EU/EEA residents, you may also contact our EU representative or your national data-protection authority.
For UK residents, you may contact the Information Commissioner's Office (ICO) at https://ico.org.uk.