Privacy Policy

Operator: Slumbr LTD (UK registered company), trading as WithYou (“we”, “us”, “our”)
Contact: contact@slumbr.ai
Effective date: 16 May 2026
Last updated: 16 May 2026

1. Introduction

This privacy policy explains how Slumbr LTD collects, uses, and protects personal data when you use WithYou, a personal safety mobile application that lets you share your location and journey status with people you trust.

WithYou is designed for use by individuals and families, including parents who want to know that their children are safe on journeys such as the walk home from school. Users under 13 may use WithYou with verifiable parental consent, as set out in Section 9.

WithYou is currently in beta, distributed via Apple TestFlight to invited testers. This policy applies to that beta version.

This policy is governed by the UK GDPR and the Data Protection Act 2018. The data controller for WithYou is Slumbr LTD.

2. What data we collect

Account data

• Phone number (required to create and use the account)
• Name (provided during account setup, or imported from your sign-in provider)
• Email address (when you sign in with Google, Apple, or email)
• Authentication tokens issued by Firebase Authentication

Trusted contact data

• Names and phone numbers of contacts you add to your trusted-contact list
• Acceptance status of those contacts (whether they have accepted the contact request)

Journey data

• Precise GPS location, captured periodically during an active journey
• Journey state (active, suspicious, emergency)
• Destination and/or scheduled end time, if you set one
• Journey history (start time, end time, route summary)

Device and technical data

• Apple Push Notification service (APNs) token
• App version and device model
• Crash reports and diagnostic data via Firebase Crashlytics
• Anonymous usage analytics via Firebase Analytics

3. How we use your data

We use your data to:

• Operate the core functionality of WithYou: starting journeys, sharing location with trusted contacts during journeys, sending alerts when you escalate to Suspicious or Emergency states
• Deliver push notifications to you and your trusted contacts, including Critical Alerts that override Do Not Disturb during emergencies
• Authenticate you when you sign in
• Detect crashes and diagnose technical issues
• Understand how the app is used in aggregate, so we can improve it

We do not sell your data. We do not share it with third parties for advertising. We do not use it for automated decision-making with legal or similarly significant effects.

4. Legal basis for processing

Under the UK GDPR, we process your data on the following legal bases:

• Performance of a contract (Article 6(1)(b)): most processing, because we need it to operate the service you have signed up for.
• Legitimate interests (Article 6(1)(f)): crash reporting and aggregate analytics, to keep the app working and improve it.
• Consent (Article 6(1)(a)): optional features that require additional permissions, such as background location use beyond active journeys, or marketing communications if we introduce them. Also, processing of personal data of users under 13 (see Section 9).
• Legal obligation (Article 6(1)(c)): where required by UK law, for example responding to lawful requests from law enforcement.

5. Who sees your data

Your data is visible to:

• You, through the app.
• Your trusted contacts, but ONLY during an active journey, and only after they have explicitly accepted being a trusted contact. They cannot see your location when you are not on a journey.
• Our service providers (data processors), listed in Section 6.

We do not share your data with any other third parties, except as required by law.

6. Service providers we use

• Google (Firebase): Authentication, Firestore, Realtime Database, Cloud Functions, Analytics, Crashlytics, Cloud Messaging. Data: account, journey, contact, technical. Location: EU (europe-west2), with some processing in the US under Standard Contractual Clauses.
• Apple: Sign in with Apple, Push Notification service, TestFlight beta distribution. Data: account, push tokens, beta tester metadata. Location: Global Apple infrastructure.
• Google Maps SDK for iOS: Map rendering. Data: map tile requests with location, processed for rendering only. Location: Global Google infrastructure.

International transfers outside the UK rely on Standard Contractual Clauses or the UK extension to the EU-US Data Privacy Framework, where applicable. Copies of these safeguards are available on request to contact@slumbr.ai.

7. Data retention

• Active account data: kept while your account is active.
• Journey history: kept until you delete the journey or delete your account.
• Trusted contact list: kept while the contact relationship exists. Removing a contact deletes the contact record immediately.
• Account deletion: when you delete your account from Settings, we perform a hard delete of all your account data, journey data, Realtime Database participation, and authentication credentials. This is irreversible. If you signed in with Apple, we also revoke our app’s access to your Apple ID, where a refresh token is available to us.

We do not retain “soft-deleted” copies. Backup retention is limited to Firebase platform-level backups (typically 30 days), which we cannot directly purge but which Google does purge on their schedule.

8. Your rights

Under the UK GDPR, you have the right to:

• Access the personal data we hold about you
• Rectify inaccurate or incomplete data
• Erase your data; the in-app account deletion exercises this right
• Restrict processing in certain circumstances
• Object to processing based on our legitimate interests
• Data portability: receive your data in a structured, machine-readable format
• Withdraw consent for processing based on consent
• Lodge a complaint with the Information Commissioner’s Office (ICO)

To exercise any of these rights other than erasure, contact us at contact@slumbr.ai. We will respond within one month.

9. Children and parental consent

WithYou is suitable for use by children under 13 with verifiable parental consent. We recognise that families use WithYou to help children stay safe on journeys such as walking home from school.

Under Article 8 of the UK GDPR, we require verifiable parental consent before we process personal data of any user under 13.

How parental consent works during the beta

During the beta period, parental consent is recorded by email. A parent or guardian must email contact@slumbr.ai with the subject “Parental Consent” before their child’s account is fully activated. The email must include:

• The parent’s or guardian’s full name
• Their relationship to the child
• The child’s phone number used for the WithYou account
• A clear statement that the parent or guardian consents to Slumbr LTD processing the child’s personal data in accordance with this Privacy Policy

We will reply confirming that consent has been recorded.

At public launch, this manual email-based consent process will be replaced by an in-app parental consent flow.

Parental rights

A parent or guardian who has provided consent for a child under 13 has the right to:

• Access the child’s data
• Request correction of inaccurate data about the child
• Request deletion of the child’s account and all associated data
• Withdraw consent at any time, which will result in account deletion

To exercise any of these rights, email contact@slumbr.ai with the subject “Parental Request” and reference the child’s account phone number. We will respond within one month.

If consent has not been provided

If we discover that a child under 13 has created an account without verifiable parental consent, we will pause the account, notify the registered phone number, and delete the account and all associated data if consent is not provided within 14 days.

10. Security

We use industry-standard security measures, including encryption in transit (HTTPS / TLS), encryption at rest (managed by Firebase), authentication tokens for all access, and bcrypt hashing for emergency PINs. No system is perfectly secure; we cannot guarantee that data will never be subject to unauthorised access.

If we discover a personal data breach that affects your rights, we will notify you and the ICO within 72 hours, as required by the UK GDPR.

11. Changes to this policy

We may update this policy from time to time. The “Last updated” date at the top reflects the most recent change. For material changes, we will notify you via in-app notice and/or email before the changes take effect.

12. Contact us

Slumbr LTD
contact@slumbr.ai

For data protection queries specifically, please put “Data Protection” in the subject line.

To complain about our handling of your data:
Information Commissioner’s Office, ico.org.uk, 0303 123 1113.