Privacy Policy

EMMS ("we," "us," "our") operates the EMMS mobile application and related services. This Privacy Policy explains how we handle information in connection with your use of the EMMS app and website. EMMS is operated by Clean Slate Data Inc., a company incorporated in British Columbia, Canada.

EMMS is designed with a zero-knowledge architecture. This means we have engineered the system so that we cannot access the content of your messages or files — by design, not just by policy.

1. Information We Do Not Collect

Due to our end-to-end encryption architecture and zero-knowledge design:

• We cannot read your messages or files. All content is encrypted on your device before transmission. We do not hold decryption keys.
• We do not store your phone number in plain text on our servers. Communication is routed via hashed identifiers. When a recipient opens a secure link, their phone number is passed to our SMS provider (Twilio) solely to deliver the verification code — see Section 5.
• We do not access your contacts, photos, or camera roll. Files captured or selected within EMMS stay within the app's encrypted sandbox.
• No third-party service can access your message or file content. End-to-end encryption ensures content is inaccessible to anyone except the sender and recipient.
• We do not back up your data to cloud services. The app explicitly excludes all data from iCloud, iTunes, and Google Cloud backups.
• We do not record, transcribe, or store voice call audio. Call media (audio) is transmitted directly between devices using encrypted WebRTC and is never processed or retained by our servers.

2. Information We Process

To deliver messages and maintain the security of the service, we process limited technical information:

• Hashed device identifiers — used for message routing and security event detection. These are not linked to your personal identity.
• Limited metadata — such as timestamps, message event types (sent, delivered, read), and hashed sender/recipient identifiers. This supports delivery confirmation, security monitoring, and abuse prevention.
• Push notification tokens — provided by Apple Push Notification service (APNs) and Google Firebase Cloud Messaging (FCM) to deliver notifications. These services receive device tokens and notification metadata but not message contents or file data.
• SMS verification codes — when a recipient opens a secure link, their phone number is transmitted to our SMS provider (Twilio) solely to deliver the one-time verification code. The secure link itself is sent by the user through their own phone's native messaging app. The SMS provider does not receive message contents, file data, or patient clinical details.
• Call signaling metadata — when you place or receive a voice call, our server facilitates the initial connection (exchanging network addresses between devices). This signaling data is transient and not stored. A brief call log (direction, duration) is saved locally on your device only.
• Automated error diagnostics — in the event of a technical fault, a scrubbed error report may be sent to our servers containing technical metadata such as app version, OS version, event type, and anonymized stack traces. Error reports are automatically stripped of any personal identifiers, phone numbers, and message content before transmission.
• Your registered phone number — visible to other EMMS users you communicate with. This is a deliberate transparency measure for a platform serving healthcare professionals. Restricting your profile (name, specialty, organisation, avatar) does not hide your phone number from contacts.

3. Data Storage and Location

• Core server infrastructure is located in Canada. Certain delivery services — including push notifications and SMS verification — operate through third-party providers whose infrastructure may extend beyond Canada. These providers receive only the minimum technical metadata required for delivery and never receive message or file contents.
• Messages and files are held on our servers only as long as needed for delivery. After being read, they are deleted as soon as practical. Unopened messages are automatically deleted after a limited period (for example, 30 days).
• On your device, all data is encrypted at rest within the app's isolated sandbox, protected by your PIN and/or biometric lock.

4. Data Retention and Deletion

• EMMS is not a permanent archive. Messages and files are ephemeral by design.
• On-device data can be configured to auto-delete after a set period (for example, 1 day or 7 days).
• Due to our zero-knowledge architecture, deleted data cannot be recovered — by you or by us. There is no backup, cloud sync, or restore capability.
• You may delete your account at any time via Settings → Security → Danger Zone. This permanently removes your account and all associated data.

5. Third-Party Services

EMMS uses the following third-party services in a limited capacity:

• Apple Push Notification service / Google Firebase Cloud Messaging — for push notification delivery only. These services receive device tokens and basic notification metadata but not message contents, file data, or patient information. Firebase may collect basic device-level information (device type, OS version) as part of standard SDK operation.
• Twilio — for delivering verification codes to SMS secure link recipients. When a recipient opens a secure link, Twilio sends the one-time access code to their phone number. Twilio receives the recipient's phone number solely for this purpose. The initial secure link itself is sent by the user through their own phone's native messaging app — not through EMMS or Twilio. Twilio does not receive message content, file data, or patient clinical information from EMMS.
• RevenueCat — for subscription and entitlement management. RevenueCat receives an anonymized app user ID, purchase events, and basic device information required to verify subscription status. RevenueCat operates from US-based infrastructure. No message content, file data, or patient information is shared with RevenueCat.
• TURN/STUN relay — when a direct peer-to-peer connection cannot be established for voice calls, audio is relayed through our TURN server. The relayed audio remains encrypted (DTLS-SRTP) and is never decrypted, stored, or inspected by the relay server.

We do not sell, rent, or share your data with any third party for advertising, marketing, or profiling purposes. No third-party service can access your encrypted message or file content.

6. Privacy Rights

EMMS is built around core privacy principles — including data minimization, consent, and strong technical safeguards. Due to our zero-knowledge architecture, we hold very limited information about you. You have the right to:

• Request access to the limited technical data we hold (hashed identifiers and metadata).
• Request deletion of your account and associated data.
• Withdraw consent at any time by deleting the app and your account.

Because we cannot identify you from the data we hold, access requests may require verification through the app's built-in identity mechanisms.

7. Security

EMMS employs end-to-end encryption for all messages and files. Encryption keys are generated and stored on your device — our servers never have access to them. Additional security measures include:

• App lock with PIN and biometric authentication
• Screenshot and screen recording detection — the app monitors for capture events and alerts users. Note: operating system limitations mean screenshots cannot be fully prevented on all devices.
• Three-tier authentication failure escalation (self-heal, lock, or data wipe)
• Encrypted app sandbox — files never written to camera roll or shared storage
• Single-device sign-in with automatic remote wipe on device change
• Lost or stolen device protection — if your device is lost or stolen, signing in on a replacement device automatically revokes the previous session and triggers deletion of locally stored data. You can also contact support with your Unique ID to request a remote session revocation.
• Encrypted voice calls (DTLS-SRTP via WebRTC)

8. For Healthcare Professionals

EMMS is intended for licensed healthcare professionals in Canada. It is not designed for or directed at individuals under the age of 18.

9. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated through the app and will require your active acknowledgement before you can continue using the service.

10. Contact

For privacy-related questions or requests, contact us within the app via Settings → Contact Us, or email:

EMMS is operated by Clean Slate Data Inc., a company incorporated in British Columbia, Canada.