Legal

Privacy Policy

Effective date: 17 April 2026  ·  Last updated: 17 April 2026  ·  Version 1.0

SpotiD stores your emergency contact information securely so that, if something happens to you, a first responder or bystander can scan your SpotiD tag and reach the right people quickly. We only collect what we need for that purpose and never sell your data.

01 Who we are

SpotiD is operated by Think GTM Ltd, registered at Davidson House, The Forbury, Reading, RG1 3EU (UK) (“SpotiD”, “we”, “us”, “our”). We are the data controller for the personal information processed through our app, website, and physical NFC/QR tags.

If you have any questions about how we handle your data, please contact our privacy team at privacy@spotid.co.uk.

02 What we collect

Information you provide

  • Account information — name, email address, and (if using Sign in with Apple) the Apple identifier associated with your account.
  • Profile & emergency contact data — your name, date of birth, emergency contacts (names and phone numbers), and any optional medical information you choose to add (blood type, allergies, medications, conditions).
  • Tag management data — the NFC/QR identifiers linked to your account and your assigned tag names and labels.

Information collected automatically

  • Scan logs — when a SpotiD tag is scanned, we record a timestamp and an anonymised indicator of the scan event. We do not capture the identity of the person who scanned the tag.
  • Device & usage data — device type, operating system, app version, and crash/diagnostic data to help us maintain service reliability.
  • IP address — collected transiently for security purposes (fraud prevention, abuse detection) and not retained for more than 30 days in identifiable form.

Information we do not collect

We do not collect payment card details (handled by third-party payment processors), precise GPS location, or any biometric data.

Medical information is special category data. Under UK GDPR and equivalent legislation, medical information carries enhanced protections. We treat it with the highest level of care and never use it for any purpose other than displaying it in an emergency scan context.

03 How we use your data

Purpose | Data used | Legal basis
Displaying your emergency profile when a tag is scanned | Profile & emergency contact data, medical info | Vital interests / Consent
Creating and managing your account | Account info | Contract performance
Sending scan alert notifications to you or your contacts | Emergency contact data, scan logs | Contract performance / Vital interests
Maintaining service security and preventing abuse | IP address, device data | Legitimate interests
Improving the app and diagnosing issues | Anonymised usage & crash data | Legitimate interests
Complying with legal obligations | As required by law | Legal obligation

We do not use your data for targeted advertising, profiling for marketing purposes, or any automated decision-making that produces legal or similarly significant effects.

05 Who we share data with

When a tag is scanned

The emergency profile associated with a scanned tag is visible to whoever scans it — this is core to the service. You control exactly what appears on this profile. You can hide, limit, or remove any field at any time from within the app.

Service providers

We work with a small number of trusted third-party processors who act only on our instructions:

  • Supabase — database and authentication infrastructure.
  • Apple — Sign in with Apple authentication.
  • [Payment processor] — handling of any paid plan subscriptions.
  • [Email / SMS provider] — scan alert notifications.

Legal disclosure

We may disclose your data if required to do so by a court order, regulatory authority, or other legal process, or where we believe disclosure is necessary to protect the safety of any person.

Business transfers

If SpotiD is acquired or merged, your data may transfer as part of that transaction. You will be notified in advance and your rights under this policy will continue to apply.

We do not sell, rent, or trade your personal data to any third party.

06 How long we keep your data

  • Account & profile data — retained for as long as your account is active. If you delete your account, your profile and emergency contact data are permanently deleted within 30 days.
  • Scan logs — retained in anonymised form for up to 12 months for service analytics, then deleted.
  • IP addresses — retained for up to 30 days for security purposes, then deleted.
  • Backup copies — encrypted backups are purged within 90 days following account deletion.

You can request earlier deletion of any data at any time — see Your rights below.

07 Security

We take the security of your emergency data seriously. Our measures include:

  • Encryption in transit (TLS 1.2+) and at rest for all personal data.
  • Row-level security policies enforced at the database layer.
  • Access controls limiting data to authorised personnel only.
  • Regular security reviews of our infrastructure and dependencies.

No system is completely infallible. If you become aware of any security issue, please contact us immediately at security@spotid.co.uk.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority in accordance with our legal obligations.

08 Your rights

Under UK GDPR (and equivalent legislation), you have the following rights:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure — request deletion of your data (“right to be forgotten”).
  • Restriction — ask us to limit how we process your data in certain circumstances.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interests or for direct marketing.
  • Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise any of these rights, email privacy@spotid.co.uk with the subject line “Data Rights Request”. We will respond within 30 days. We may ask you to verify your identity before fulfilling a request.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk (UK users) or your local supervisory authority.

09 International data transfers

SpotiD is primarily operated from the United Kingdom. Some of our service providers may process data outside the UK or European Economic Area. Where this occurs, we ensure appropriate safeguards are in place, such as:

  • UK International Data Transfer Agreements (IDTAs) or EU Standard Contractual Clauses (SCCs), as applicable.
  • Transfers to countries with an adequacy decision from the UK Government or European Commission.

You may request details of the specific safeguards applied to any transfer by contacting us.

10 Children

SpotiD is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with their data, please contact us and we will delete it promptly.

For users aged 13–17, we recommend that a parent or guardian reviews and consents to the use of SpotiD on their behalf.

11 Cookies and tracking

Our website uses a minimal set of cookies:

  • Essential cookies — required for the website and app to function (session management, authentication state). These cannot be disabled.
  • Analytics cookies — anonymised usage data to understand how our site is used. You may opt out via the cookie consent banner.

We do not use advertising or third-party tracking cookies. The SpotiD mobile app does not use cookies.

12 Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email or a prominent in-app notice at least 14 days before the changes take effect. The “Last updated” date at the top of this page will always reflect the most recent revision.

Continued use of SpotiD after the effective date of any update constitutes your acceptance of the revised policy.

13 Contact us

For any privacy-related questions, requests, or concerns:

  • Email: privacy@spotid.co.uk
  • Post: Think GTM Ltd, Davidson House, The Forbury, Reading, RG1 3EU (UK)

We aim to respond to all enquiries within 5 business days.