Privacy Policy

Command Bridge ("Command Bridge," "we," "us," or "our") provides a cloud-based emergency operations platform designed for government agencies, public safety organizations, and emergency management departments. This Privacy Policy describes how we collect, use, disclose, and protect information in connection with our platform, website, mobile applications, and related services (collectively, the "Services").

By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy. If you are using the Services on behalf of a government agency or organization, you represent that you have the authority to bind that entity to this Privacy Policy.

1. Information We Collect

Account and Profile Data

When agency administrators create user accounts, we collect information necessary to provision and manage access to the platform, including:

• Full name, email address, and phone number
• Job title, role, and organizational affiliation
• Authentication credentials (managed through our identity provider)
• Profile preferences and notification settings

Operational and Incident Data

In the course of using Command Bridge for emergency operations, authorized users may create, upload, or transmit data related to incidents and operations, including:

• Incident reports, situation updates, and operational logs
• Damage assessments, inspection records, and field observations
• GPS coordinates and location data of field personnel and assets
• Photographs, documents, and other file attachments
• Resource allocation and logistics records
• Communications, notifications, and task assignments

This data is owned by the subscribing agency and processed by Command Bridge solely to provide the Services as directed by the agency.

Device and Usage Data

We automatically collect certain technical information when you access the Services, including:

• Device type, operating system, and browser information
• IP address and approximate geographic location
• Application version (for mobile app users on iOS and Android)
• Feature usage patterns, page views, and session duration
• Error logs and performance diagnostics

Public Portal Data

Members of the public may interact with Command Bridge through agency-operated public portals. When citizens use these portals, we may collect:

• Name, email address, phone number, and physical address
• Damage report submissions, including descriptions and photographs
• GPS coordinates associated with reported damage or incidents
• Alert subscription preferences and communication opt-ins

2. How We Use Your Information

We use the information we collect for the following purposes:

• Providing the Services: Operating the platform, authenticating users, processing incident data, and enabling emergency operations workflows
• Communications: Sending operational notifications, alerts, status updates, and system announcements via SMS, voice, email, and in-app messaging
• Location Services: Tracking GPS positions of field personnel to support situational awareness, resource coordination, and personnel safety during operations
• AI-Assisted Features: Generating summaries, suggested actions, damage assessment analysis, and other AI-powered capabilities using authorized operational data
• Mapping and Visualization: Rendering geographic data on maps, displaying incident locations, and supporting spatial analysis of operations
• Security and Compliance: Maintaining audit logs, detecting and preventing unauthorized access, enforcing access controls, and meeting regulatory obligations
• Platform Improvement: Analyzing usage patterns to improve performance, reliability, and user experience
• Public Portal Operations: Processing citizen damage reports, managing alert subscriptions, and facilitating public communication during emergencies

3. Data Sharing and Third Parties

We do not sell personal information. We share data only as necessary to provide the Services, comply with legal obligations, or as directed by the subscribing agency. The following categories of third-party service providers process data on our behalf:

Authentication

Auth0 (Okta) provides identity management and authentication services, including single sign-on (SSO) and multi-factor authentication. Auth0 processes user credentials and authentication tokens.

Communications

Twilio provides SMS and voice notification services. Phone numbers and message content are transmitted to Twilio to deliver operational alerts and notifications. SendGrid and Postmark provide transactional email delivery services. Email addresses and message content are transmitted to these providers to deliver system notifications, alerts, and operational communications.

Cloud Infrastructure and Storage

Linode (Akamai) Object Storage (S3-compatible) provides secure file storage for documents, photographs, and other attachments uploaded to the platform. All stored files are associated with the uploading agency and subject to tenant-level access controls.

Artificial Intelligence

OpenAI (GPT-4o) provides AI capabilities including text summarization, suggested actions, and analytical features. Operational data sent to OpenAI for processing is transmitted securely and is not used by OpenAI to train its models, in accordance with our data processing agreement. AI features are optional and can be disabled by agency administrators.

Mapping and Geospatial Services

ArcGIS/Esri provides mapping, geocoding, and geospatial analysis services. Location data, including GPS coordinates and address information, is transmitted to Esri to render maps and support spatial operations.

Other Disclosures

We may also disclose information when required by law, subpoena, court order, or governmental regulation; to protect the rights, safety, or property of Command Bridge, our users, or the public; or in connection with a merger, acquisition, or sale of assets, in which case affected users will be notified.

4. Data Security

We implement administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of data processed through the Services. Our security measures include:

• Multi-Tenant Data Isolation: PostgreSQL Row-Level Security (RLS) policies enforce tenant-level data separation at the database layer. Application logic cannot bypass these controls.
• Immutable Audit Logs: Every user action is recorded with structured before/after diffs, user attribution, and timestamps. Database triggers prevent modification or deletion of audit records.
• Encryption: Data is encrypted in transit using TLS 1.2 or higher. Sensitive data at rest is protected using industry-standard encryption.
• Access Controls: Fine-grained role-based access control (RBAC) with 50+ permissions across all platform modules. Access is enforced at both the API and user interface layers.
• Authentication Security: RS256 JWT verification, configurable session timeouts, failed login lockout, IP allowlisting, and enterprise SSO support.
• Network Protections: CSRF protection, strict CORS policies, multi-tier rate limiting, and CAPTCHA protection on public-facing endpoints.
• API Key Security: API keys are hashed using SHA-256 before storage. Plaintext keys are never retained.

While no system can guarantee absolute security, our architecture is designed to meet the security requirements of government agencies handling sensitive and law-enforcement-related data.

5. Data Retention

We retain data for as long as necessary to provide the Services and fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Specific retention practices include:

• Account Data: Retained for the duration of the agency's subscription and for a reasonable period afterward to support account reactivation or legal obligations.
• Operational and Incident Data: Retained in accordance with the subscribing agency's data retention policies and applicable public records laws. Agencies may configure retention periods and request data export or deletion.
• Audit Logs: Retained in immutable form for the duration required by the agency's compliance and records retention policies. Audit logs cannot be modified or deleted through the application.
• Public Portal Data: Citizen-submitted data is retained in accordance with the managing agency's policies and applicable public records retention requirements.
• Usage and Diagnostic Data: Retained for up to 24 months for platform improvement and troubleshooting purposes.

Upon termination of an agency's subscription, we will provide a reasonable period for data export. After that period, data will be securely deleted or anonymized, except as required by law.

6. Government and Law Enforcement Data

Command Bridge is designed to serve government agencies that may process sensitive, classified, or law-enforcement-related data. We recognize the heightened privacy and security obligations associated with this data and have implemented the following measures:

• Data Classification: The platform supports data classification levels including public, internal, sensitive, law enforcement, and health designations. Access to classified data is restricted based on user roles and permissions.
• CJIS Alignment: Our security architecture is designed to align with Criminal Justice Information Services (CJIS) Security Policy requirements, including access controls, audit logging, and data encryption.
• Agency Data Ownership: All operational data entered into Command Bridge remains the property of the subscribing agency. We process this data solely as a service provider under the direction of the agency.
• Law Enforcement Requests: We will notify the subscribing agency of any law enforcement request for their data unless legally prohibited from doing so. We do not voluntarily disclose agency data to law enforcement without the agency's consent, a valid legal process, or an emergency involving imminent danger.

7. Public Portal and Citizen Data

Government agencies using Command Bridge may operate public-facing portals that allow citizens to submit damage reports, subscribe to emergency alerts, and access public information. With respect to citizen data:

• Citizen data submitted through public portals is collected on behalf of the managing agency and is subject to that agency's own privacy policies and applicable public records laws.
• Citizens may opt in to receive SMS, voice, or email alerts. Alert subscriptions can be managed or canceled at any time through the public portal or by contacting the managing agency.
• Damage reports and associated photographs are stored securely and are accessible only to authorized personnel within the managing agency.
• CAPTCHA protection is used on public portal forms to prevent automated abuse.
• We do not use citizen-submitted data for marketing, advertising, or any purpose unrelated to the emergency management services provided to the agency.

8. Children's Privacy

Command Bridge is a business-to-government platform and is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected personal information from a child under 13, we will take steps to delete that information promptly. If you believe that a child under 13 has provided personal information through our Services, please contact us at privacy@cmd-bridge.com.

9. Your Rights and Choices

Depending on your jurisdiction and relationship with the Services, you may have the following rights regarding your personal information:

• Access and Portability: Request a copy of the personal information we hold about you in a structured, commonly used format.
• Correction: Request correction of inaccurate or incomplete personal information.
• Deletion: Request deletion of your personal information, subject to applicable legal retention requirements and public records obligations.
• Opt-Out of Communications: Unsubscribe from non-essential communications at any time. Operational notifications required for platform functionality may not be opted out of while an account is active.
• Data Processing Restrictions: Request restrictions on certain processing activities where permitted by applicable law.

For agency users: Please contact your agency administrator to exercise rights related to your account data. Agency administrators can manage user accounts, permissions, and data through the platform's administration tools.

For citizens: Please contact the managing agency directly, or reach out to us at privacy@cmd-bridge.com and we will direct your request to the appropriate agency.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable law. When we make material changes, we will update the "Last updated" date at the top of this page and notify subscribing agencies through the platform. We encourage you to review this Privacy Policy periodically.

11. Contact Us

If you have questions about this Privacy Policy, our data practices, or wish to exercise your rights, please contact us:

We will respond to all legitimate requests within 30 days. In certain circumstances, we may require additional time, in which case we will notify you of the extension and the reasons for it.