Privacy Policy

Effective date: January 1, 2026 · Last updated: January 1, 2026

This Privacy Policy describes how Amani ("we", "our") handles personal information in connection with the Amani mobile and web applications ("the Service"). The Service is provided to staff at partner schools only — there is no public sign-up.

1. Information we collect

We collect only the information needed to operate the Service.

Account information

• Full name, work email address, role at the school.
• Optional: room or area assignment; emergency-response role (e.g. principal, nurse).
• Phone number (optional, for SMS fallback during an incident).

Profile photo (optional)

• You may upload a photo so colleagues can recognize you during an incident. Photos are stored in our managed cloud storage and shown only to other staff at your school.
• We request access to your camera and photo library only at the moment you choose to upload a photo, and only to upload that single photo. We do not access either resource at any other time.

Push notification token

• A device-specific token issued by Apple Push Notification service or Firebase Cloud Messaging, used solely to deliver incident notifications to your device. The token contains no personal data.

Incident data

• When you trigger or respond to an incident, we record the action, your school, your room (if assigned), the timestamp, and the response you submitted (e.g. "safe", "needs help").
• School administrators can view this data for incidents at their own school only.

Diagnostic data

• Aggregated, non-identifying error logs that help us fix bugs. No incident content is included.

2. How we use information

• To deliver the core Service: incident alerts, status tracking, response coordination, and administrative analytics.
• To authenticate you and keep your session secure.
• To send push notifications related to active incidents at your school.
• To diagnose and fix technical issues with the Service.

We do not use your data for advertising. We do not sell your data. We do not share your data with third parties except as described below.

3. Data sharing and processors

The following service providers process data on our behalf:

• Supabase, Inc. — managed Postgres database, authentication, file storage, and realtime delivery. Acts as a data processor under our instructions.
• Apple Push Notification service and Google Firebase Cloud Messaging — push notification delivery only. They receive a device token and the notification payload at the moment a notification is sent.
• Expo / EAS — used to build and update the mobile app. Does not receive personal data from your account or incidents.

We do not transfer your data to any third party outside this list.

4. Per-school isolation

Amani is engineered so that each school's data is read-only to users at that school. Cross-school reads are blocked at the database level. Platform administrators (operated by Amani staff) have access only for support and maintenance and are bound by confidentiality obligations.

5. Data retention

• Incident records are retained for the lifetime of your school's contract with Amani so that historical performance analytics remain available.
• Profile photos are retained until you replace them or delete your account.
• Push notification tokens are retained while the app is installed on your device and rotated automatically. You can revoke them by uninstalling the app or disabling notifications in OS settings.
• When your account is deleted, your profile information is removed within 30 days. Incident records you triggered or responded to are retained but anonymized (your name is replaced with "Removed"), so school-level analytics remain valid.

6. Your rights

• You can request access to or correction of your account information by emailing support (see below).
• You can request deletion of your account by contacting your school administrator or our support email.
• You can revoke camera, photo-library, or notification permissions at any time in your device settings.
• If you are in a jurisdiction with additional rights (e.g. GDPR, CCPA, UAE PDPL), those rights apply.

7. Children

Amani is for school staff, not students. We do not knowingly collect personal information from children under 13.

8. Security

We use TLS in transit, encryption at rest provided by our managed database, and row-level security policies that prevent cross-school reads even at the database layer. No system is perfectly secure; if you suspect a security issue, contact us immediately.

9. Changes to this policy

If we materially change this policy, we will notify you in the app before the change takes effect.

10. Contact

Questions about this policy or your data? Email support@amaniuae.net.