Security & Compliance

Your medical information is among the most sensitive data there is. Here is how we protect it — and how we stay accountable.

Security Never Blocks Emergency Care

Our security model is designed so that a first responder scanning your tag always sees the life-saving basics instantly — no account, no app, no password. Protection applies to everything beyond that emergency view. In any medical emergency, CALL 911 IMMEDIATELY.

1. Tiered Emergency Access

Scanning a FirstAidTag does not expose your full medical record. Access is tiered:

Public emergency view: Only the critical information you choose to make visible to responders — allergies, conditions, and emergency instructions needed to help you.
PIN-protected details: Sensitive sections of your profile can be locked behind an emergency PIN that you share only with people you trust. PINs are stored hashed — we cannot read them.
Account access: Editing your profile always requires signing in to your account. A scanned tag can never be used to change your information.

2. Every Access Is Logged

Transparency is a security feature. When your tag is scanned or your emergency profile is viewed:

  • The access is recorded with the date and time, so you can review it later in your dashboard's access history.
  • Your emergency contacts can be notified in real time that your medical ID was accessed.
  • Security-relevant account events (sign-ins, sensitive changes) are tracked separately so unusual activity can be identified.

3. Technical Safeguards

Data Protection

  • • All traffic encrypted in transit (HTTPS/TLS)
  • • Passwords and emergency PINs stored as one-way hashes, never in plain text
  • • Payment details handled by our payment processor — card numbers never touch our servers

Account Security

  • • Two-factor authentication (2FA) available
  • • Session-based sign-in with trusted-device tracking
  • • Phone and email verification before sensitive features are enabled

Note: No system is 100% secure. We take reasonable, industry-standard measures and improve them continuously.

4. Location Data Handling

Location features are consent-based and purpose-limited:

  • Location is only captured when you share it or when an emergency/safety feature you enabled requests it — the browser or device always asks for permission first.
  • Location share links expire and can be deactivated; shared coordinates are only visible to the people you send the link to.
  • Deletions of location data are themselves logged, so there is an accountable record that removal happened.

5. Privacy Law Compliance

FirstAidTag is built for Canadian users first and operates in line with PIPEDA (Personal Information Protection and Electronic Documents Act):

Consent

We record when and how you consent to SMS messages, privacy terms, and data collection — and you can withdraw consent at any time.

Purpose limitation

Medical data is used to display emergency information and power the safety features you enable. Nothing else.

Access & correction

You can view and edit your complete profile at any time from your dashboard, and request a copy of your data.

Openness & accountability

Our Privacy Policy explains exactly what we collect. You can complain to the Privacy Commissioner of Canada if we fall short.

We do not sell personal information, share medical data for marketing, or use health information for advertising. For EU/UK users, we align with GDPR principles. See our Privacy Policy for full details.

6. Data Retention & Deletion

Your data belongs to you. You can request account deletion at any time, and we will delete or anonymize your data within 30 days, except where the law requires us to keep records. Emergency-related records may be retained longer for legal compliance and safety documentation.

7. Infrastructure

FirstAidTag runs on Amazon Web Services (AWS) cloud infrastructure with access restricted to authorized personnel on a need-to-know basis. Service providers we work with (such as our SMS gateway and email providers) are bound by confidentiality obligations and receive only the data needed to deliver their service.

8. Reporting a Security Concern

Found a vulnerability, or have a question about how we handle your data? We want to hear from you.

FirstAidTag Security & Privacy Team

Security reports: security@firstaidtag.com

Privacy questions: privacy@firstaidtag.com

We ask that vulnerabilities be reported privately so we can fix them before details are shared publicly. We aim to respond within 7 business days.

This page summarizes our practices in plain language. The Privacy Policy and Terms of Service are the governing documents.