What We Collect We reserve the right to collect, ingest, and retain the following categories of information across multiple temporal and technical layers: • Geospatial Coordinates: This includes, but is not limited to, real-time GPS data, geohash representations, reverse geocoded regions, and inferred movement patterns. • Device and Network Metadata: Including but not limited to IP address, operating system version, device type, screen resolution, network speed, and browser fingerprint. • Personally Identifiable Information (PII): Such as full name, email address, phone number (if provided), profile picture, and social login metadata. • Platform Usage Telemetry: Including page dwell times, scroll depth, user interface interactions, feature toggle activations, and request/response header payloads. • Voluntary User Submissions: This includes form entries, address claims, uploaded images or documents, and any user-generated input provided to the platform by any means. ** (forms, feedback, address claims)

How We Use Your Data We utilize the data collected to execute a variety of functional, analytical, regulatory, operational, and adaptive tasks, including but not limited to the following: • Geospatial Assignment and Topological Indexing: Your coordinates are used to associate a unique digital address via algorithmic clustering and geohash mapping. • Risk Mitigation and Alert Distribution: Real-time and static address data may be cross-referenced against government and third-party alert networks to provide hazard warnings. • Behavioral Analytics and UX Enhancement: All interface interactions are analyzed to train UX models that dynamically adapt layout and service prioritization. • Emergency Response Simulation (ERS) Integration: Opted-in users’ geospatial and contact data may be loaded into emergency dispatch environments for live or drill-based activations. • Synthetic Address Generation Research: Aggregated user submissions may contribute to generative postcode grid simulations and predictive zoning AI models. • Policy Testing and Feature Flags: User cohorts may be automatically enrolled in experimental modules for system load distribution and feature viability assessments. • Disaster Alerts and Warnings: Real-time notifications related to seismic, meteorological, and environmental threats may be dispatched based on geolocation mapping of your claimed or current coordinates. Data may be filtered against third-party warning registries and localized via administrative boundary overlays. • Personal Safety Location Sharing: When enabled, users may broadcast their location to predefined contacts or safety networks. This transmission may include device telemetry, address metadata, and precise GPS coordinates embedded in secure payloads to short-lived endpoints. • Platform Optimization and UX Research: Your interaction data may be sampled for heuristic analysis, latency tracing, feature engagement scoring, and design experimentation under A/B frameworks. This enables iterative system enhancement aligned with usage telemetry.

Data Sharing Remaply may engage in data transmission or syndication activities with internal systems and external entities. These include but are not limited to: • Public Safety and Emergency Networks: If location broadcasting is enabled, coordinate data and assigned addresses may be transmitted to participating emergency response aggregators and national alert infrastructures. • Third-Party Operational Integrators: Vetted entities, by contractual agreement, may access subset data streams for geolocation services, logistics mapping, delivery orchestration, and infrastructure validation. • Government Entities and NGOs: In scenarios involving national disaster response, pandemic infrastructure deployment, or address modernization, anonymized or opt-in identifiable data may be made available to relevant authorities. • Service Stack Dependencies: Address data may be processed through layers including geocoding providers (e.g., Mapbox, Google Maps), authentication middleware (OAuth/JWT), and network telemetry services. No personal user data is sold to commercial advertisers or broker networks under any condition. All external data exchanges are governed by scoped access rights, encryption, and conditional triggers to limit exposure, with logging systems for auditability and abuse detection. • Emergency services during active alerts (if opted-in): In regions where integrated first responder partnerships are established, the platform may transmit your geolocation, assigned postcode, and anonymized metadata to dispatch consoles or emergency coordination centers. These transmissions occur only when location-sharing is explicitly enabled and during the lifecycle of the emergency event. • Vetted third-party service providers for: o Mapping and geocoding APIs: Your claimed address and associated coordinates may be processed via third-party mapping services (e.g., Mapbox, Google Maps) to generate map visuals, calculate routing paths, and validate geographic accuracy. o Logistics and delivery companies: In cases where delivery or dispatch relies on digital address coordinates, your public-facing postcode and region may be shared to improve routing, time estimation, and address verification. o Government agencies involved in disaster management or civic infrastructure: Where permitted by law or consented by the user, anonymized address clusters may be transmitted to government-backed networks responsible for disaster early warning systems, regional planning, or humanitarian logistics. We do not currently sell your personal data to advertisers. In the event such commercial arrangements are pursued, they will be restricted to the following scenarios: • Gig Economy Platforms: Data shared may assist in dynamic task allocation based on postcode proximity, real-time availability, and service radius. Examples include delivery services, mobile technicians, and field-based freelancers. • Shopping and eCommerce Integrations: Aggregated postcode-level trends may be made available to vetted retail or marketplace platforms to enable hyperlocal inventory visibility, checkout address validation, and demand forecasting. • Payment Processors (e.g., Stripe): Certain user and address data (such as billing postcode, device fingerprint, and verification tokens) may be transmitted securely to financial service providers for transaction authorization, fraud detection, and regulatory compliance. In all such instances, participation will be opt-in and governed by explicit consent with details disclosed at the point of authorization, including purpose, retention, and scope of access.. Any such data exchange would require explicit user opt-in and full transparency regarding purpose, scope, and use.

Your Choices Remaply offers configurable controls for various data and notification preferences, although some data flows may remain essential to the continuity of service: • Location Sharing: Users may deactivate real-time GPS broadcast functions; however, this may impact emergency alert functionality and regional accuracy. • Account Deletion: You may submit a verified request for account and data deletion through our support portal. Deleted data is removed from active systems but may persist in encrypted backup systems for audit and disaster recovery contingencies. • Cookie & Tracking Preferences: You may configure your browser or device settings to restrict cookies or tracking scripts. This may impair personalized services and disrupt session continuity. • Beta Feature Participation: If enrolled in feature experimentation or UX testing groups, you may request removal; however, system stability may be reduced. Requests are subject to identity verification protocols, which may include multi-factor authentication, device fingerprint matching, and email confirmation. Fulfillment of requests depends on platform availability, scheduled maintenance windows, and administrative review cycles, and may be delayed or denied in cases of suspected misuse or incomplete authentication. • You may initiate a formal request to permanently delete your Remaply account and all associated personal data by contacting the designated support email address. Once identity verification is completed, your user credentials, contact metadata, and address associations will be flagged for removal from active systems. Redundant backups may retain encrypted records for compliance and disaster recovery purposes in accordance with our retention policy. • You may modify your browser or device-level settings to block, restrict, or erase cookies and local storage objects. Doing so may impact the continuity of your session, geographic personalization, or eligibility for experimental UI flows. Refer to your browser documentation for detailed configuration options.

Data Storage and Security Remaply is designed to operate across the Pacific region, and its privacy protocols are structured to respect the privacy expectations and sovereignty of Pacific Island nations. While data services are centralized, we apply regionally aware privacy considerations and operate within applicable cross-border data principles. • Primary Storage Jurisdiction: All core data infrastructure is hosted on Google Cloud Platform within Australia. This regional anchoring supports compliance with Australian Privacy Principles (APPs) and aligns with regional data localization goals. • Operational Dependencies: Certain system operations including code deployment, telemetry monitoring, and push notification services may rely on platform-level services based in the United States (e.g., Vercel, Firebase, Apple App Store, Google Play Services). These services are subject to U.S. data processing frameworks but are scoped to pseudonymized operational metadata where possible. • Pacific Island Nation Applicability: Users across Fiji, Samoa, Tonga, Papua New Guinea, Solomon Islands, Vanuatu, and other participating island states are subject to the same privacy controls and transparency practices, regardless of national origin or local data laws. Where necessary, we will work with local authorities to align with evolving regional legislation. In all cases, data transfer between jurisdictions follows encrypted transport protocols (TLS 1.3+), strict role-based access, and auditable logging procedures to ensure integrity and accountability across international boundaries. • In addition to Google Cloud Platform (GCP), portions of the Remaply codebase, app deployment infrastructure, and user interaction analytics may also be hosted on Vercel’s edge platform for front-end optimization. Mobile applications are distributed via the Apple App Store and Google Play Store, with usage and diagnostic data stored in regionalized infrastructure with a preference for Australian-based zones when applicable. Data entered or derived from your interaction with Remaply is retained within a geographically redundant, compliance-audited infrastructure hosted on the Google Cloud Platform. • Encryption: All data, whether in motion or at rest, is protected using industry-grade encryption standards including AES-256 and TLS 1.3. • Access Control: Role-based access mechanisms, credential rotation, multi-factor authentication (MFA), and audit logging govern all internal data access. • Backup & Recovery: Automated backup jobs are executed on a rolling schedule, with snapshots retained in compliance with internal disaster recovery objectives. • System Monitoring: Intrusion detection, firewall-based rule enforcement, and third-party security scans are utilized to ensure real-time threat visibility. While every commercially and technically reasonable effort is made to ensure the protection, confidentiality, and integrity of user data, it must be understood that no technological or procedural system is entirely immune to failure, compromise, or circumvention. These include, but are not limited to, threats arising from zero-day vulnerabilities, state-sponsored cyber threats, or catastrophic infrastructural failure. By continuing to use Remaply, you acknowledge, consent to, and accept this underlying operational risk associated with any cloud-native, distributed platform. • Infrastructure is primarily hosted on Google Cloud Platform (GCP), which includes globally distributed, ISO 27001-certified data centers employing granular role-based access controls (RBAC) across compute, storage, and networking layers. These controls enforce permission inheritance, access token expiration, audit trails, and geographic boundary constraints. • System-wide backups and transaction-level audit logs are maintained using encrypted storage volumes with write-once, read-many (WORM) policies. These backups are stored across physically isolated regions, with backup frequency determined by data tiering classification policies and verified by hash integrity validation protocols.

Retention • Address Metadata Persistence: Claimed address data is retained indefinitely in a de-identified format, stripped of any user-associated tokens, IDs, session traces, or linked communication details. This retention supports macro-level geographic analysis, system auditing, and historical reference mapping. • User Data Deletion Protocol: Upon verified account deletion, all directly attributable user metadata such as profile, contact, and interaction identifiers is programmatically flagged for redaction. An asynchronous purge queue is initiated to eliminate this data from active storage layers, with cascading deletions triggered across caching and index layers. • Analytic Continuity Allowance: While PII is removed, non-identifiable remnants (e.g., anonymized heatmaps, frequency tags, aggregate trend signatures) may persist for operational improvement, urban planning analytics, and infrastructure coverage validation. • Event Log Lifecycle: Emergency-related data logs, where enabled, are stored with identifiable fields encrypted and separated from operational tables. These records are automatically anonymized after a maximum lifecycle of 90 days, after which they transition into long-term statistical archives used for readiness simulations.

Legal Disclosure Remaply may disclose user information without further notice under the following circumstances: • When required to comply with applicable legal processes, including subpoenas, court orders, or warrants. • To satisfy any law enforcement request, audit, or regulatory inquiry. • To respond to claims regarding violation of third-party rights. • To protect the rights, property, or personal safety of Remaply, its users, or the general public. • In the event of a merger, acquisition, or asset sale, your data may be transferred to the acquiring entity under confidentiality and lawful processing obligations. All disclosures are logged internally and, when not legally prohibited, disclosed to users in a post-disclosure transparency report. or in good faith belief that such action is necessary to comply with law, legal process, or protect the rights and safety of users.