iOS App Privacy Notice

This notice describes how the Code Four iOS app (the "App") collects, uses, shares, retains, and lets users control personal data. It is the privacy policy referenced from the Code Four iOS App Store listing and from inside the App.

The Code Four App is sold exclusively to law-enforcement and public-safety agencies as part of Code Four's enterprise platform. Officers cannot self-register: an agency administrator provisions accounts only after the agency has signed a Memorandum of Understanding or Definitive Agreement covering data processing, subprocessors, and security obligations. By the time a user signs in to the App, their agency has contractually accepted the terms summarized below.

1. What Data the App Collects

The App may collect the following categories of data from authorized users (officers, supervisors, and other agency staff):

• •Account identity. Email address, name, rank, badge number, agency, and role provisioned by the agency administrator.
• •User content. Incident report narratives, transcripts, evidence metadata, AI chat messages, and attached photos or video that the user authors or uploads.
• •Audio. Microphone recordings made during voice-assisted reporting sessions and short voice clips recorded for transcription inside the chat composer.
• •Optional coarse location. Reverse-geocoded street, city, state, and postal code at the start of a voice-assisted session, collected only when the user has enabled the location toggle in the App's Privacy settings. The App never tracks location in the background.
• •Authentication metadata. Sign-in timestamps, device platform, app version, and IP address generated during normal authentication.
• •Operational telemetry. Performance and error metrics generated by the App for reliability and debugging.

2. How the App Collects This Data

• •Account identity is provisioned by the agency administrator before the user ever signs in. Profile fields (e.g., phone number, profile photo) can be updated by the user from inside the App.
• •User content and attachments are authored by the user inside the App or uploaded through explicit affordances (the New Report sheet, the chat composer's attach button, the photo or camera picker). Photo and camera access are gated by the standard iOS system permission dialogs.
• •Audio is captured by the device microphone only after the user grants the iOS microphone permission and only while the user is actively in a voice-assisted session or holding the chat-composer voice button.
• •Coarse location is captured (a single fix at session start, not continuous tracking) only when the user has explicitly enabled the location toggle in the App's Privacy settings AND granted the iOS location permission. Both gates must be on; either disabled means no location is collected.
• •Authentication metadata is generated server-side during sign-in.
• •Operational telemetry is generated by the App and the backend during normal operation. The App does not embed any third-party analytics or advertising SDK.

3. All Uses of That Data

Code Four uses the data above only for the following purposes:

• •Provide the Service. Render reports, transcripts, and evidence; route requests; enforce role-based access controls; produce exports.
• •AI assistance. Power transcription, AI chat, narrative drafting, evidence extraction, and the voice assistant. These features use Google Cloud's Vertex AI / Gemini service, a service offering of our existing cloud provider — see Section 4 for the equal-protection commitments.
• •Security and integrity. Detect abuse, maintain audit logs, secure customer data, and run intrusion detection.
• •Compliance. Respond to lawful subpoenas or court orders directed at the agency or at Code Four. Where legally permitted, Code Four will direct the requesting party to the agency, which is the controller of the underlying data, and will notify the agency in advance if Code Four is required to produce data directly.
• •Aggregated, de-identified platform improvement. Operational metrics such as processing times, error rates, and aggregated latency to improve reliability and performance. These metrics are de-identified at the source and never used to train AI models.

4. Third-Party Processors and Equal Protection

The App relies on three subprocessors. The current authoritative list is published at codefour.us/trust/subprocessors.

AI processing path

The iOS App does not call Vertex AI directly. Device traffic terminates over TLS at Code Four-controlled backend services running in the same Google Cloud project as the rest of our infrastructure. The backend then invokes Vertex AI in the same United States region.

Equal-protection commitments

Each subprocessor provides protection of user data that is the same or equivalent to the protection described in this notice:

• •No training on Customer Data. Google Cloud's Vertex AI customer terms commit that prompts and responses sent to Vertex AI are not used to train Google's foundation models. Code Four's own no-training commitment is in our Terms of Service Part B and every customer agreement.
• •Encryption at rest with customer-managed keys. Backend services that handle Customer Data are deployed with customer-managed encryption keys and configured to take the service offline if the encryption key is revoked. Primary databases are encrypted with hardware-backed keys on regular automatic rotation.
• •Encryption in transit. TLS 1.2+ on every device-to-server and server-to-subprocessor hop.
• •United States data residency. All Customer Data is processed and stored in United States cloud regions only. Our backend enforces a U.S.-region allowlist for AI calls. Google Cloud's data-processing posture is designed to support FedRAMP and CJIS-aligned controls; AWS GovCloud is an isolated FIPS-mode region.
• •Least-privilege access. Each backend service runs with a dedicated identity scoped to that service's purpose. Cross-service access is not granted by default.
• •Audit logging. Authentication events, configuration changes, and material data operations are continuously logged. Audit-log retention is in line with CJIS Security Policy guidance, with at least one log destination configured with locked retention to prevent reduction.
• •Identity hardening. Multi-factor authentication is enabled for all users. Password policy requires minimum length and full character-class complexity. Officers cannot self-register; only agency administrators can provision users.

5. Permission Before Data Is Sent

The App obtains explicit user permission before any data is sent to Vertex AI / Gemini, in line with App Store Review Guideline 5.1.2(i):

• •Pre-sign-in disclosure. The App's sign-in screen displays a third-party AI disclosure directly under the "Continue with email" button, with a tappable link to this notice. The disclosure is visible before any sign-in.
• •Bundled AI Data Processing notice. After authentication and before any AI feature is reachable, the App presents a full-screen notice that enumerates the data classes that may be sent, names the third-party processor ("Google Cloud Vertex AI / Gemini"), and includes a "View privacy policy" button linking to this page. The user must tap "Agree and Continue" before any AI feature loads.
• •Per-feature just-in-time prompts. The first time a user taps the chat microphone, attaches a photo to a chat message, or starts a voice-assisted session, a per-surface sheet appears naming the AI processor and linking back to this notice. Translation sessions show a per-session disclaimer every time, by design.
• •iOS system permissions. Microphone, camera, photo library, and location access are each gated by the standard iOS permission dialog. Each Info.plist purpose string explains why the permission is requested and links the use to the AI feature it enables.
• •Optional, off by default. Coarse location is opt-in, off by default, and used only at the start of an explicit voice-assisted session. The App never tracks location in the background.

6. Data Retention

• •Reports, narratives, transcripts, evidence: retained per the agency's configured retention policy. The agency administrator controls these settings.
• •Voice-assisted session audio: stored in encrypted United States cloud storage per the agency's configured retention policy.
• •Audit logs: retained in line with CJIS Security Policy guidance, with locked retention configured to prevent reduction.
• •Authentication metadata: retained for the lifetime of the account plus a backup-retention period.
• •Operational telemetry: retained de-identified for a limited period.

7. How to Revoke Consent or Request Deletion

• •Revoke AI processing acknowledgement at any time. Open the App's Profile tab → Privacy → toggle "Allow AI data processing" off. Doing so clears the bundled AI Data Processing acknowledgement and every per-surface just-in-time acknowledgement, so the disclosures fire again on next use.
• •Disable location. Profile → Privacy → toggle "Use location for guided reports" off. The App will stop sending location immediately. You can also revoke the iOS location permission in Settings → Code Four → Location.
• •Delete your account. Profile → scroll to "Delete Account" → confirm by typing your email. Account deletion removes the sign-in record and signs you out of every device. Past reports and audit-log entries that name you remain in the agency's tenant per the agency's retention policy and applicable law.
• •Data subject requests. Because the agency is the controller for officer-authored content, requests to access, correct, or delete underlying content are routed through the agency administrator. You can also email support@codefour.us and Code Four will coordinate with the agency.
• •Sign out from any device. Profile → Sign Out. Active sessions are revoked at the identity provider.

8. Other Information

Children. The App is not directed to children. Users must be employed or contracted by a public-safety agency in good standing.

International transfers. The App is designed for U.S. agency customers and processes data in U.S. regions only.

Changes to this notice.Material changes to this notice will be communicated to customer-agency administrators with at least 30 days' notice where feasible. The "Last Updated" date at the top of this page reflects the most recent revision.