The National Emergency AED Registry (“NEAR,” “PulsePoint,” “we,” “our,” or “us”) is committed to protecting the privacy of individuals whose data we collect and process. This Privacy Policy explains what information we collect, why we collect it, how it is used, and your rights under the General Data Protection Regulation (GDPR) and other applicable privacy laws. We process personal data in accordance with Article 6 of the GDPR, which sets out lawful bases for processing, and we provide this notice in compliance with Article 13 of the GDPR.

By using our services, including the NEAR registry, PulsePoint AED mobile apps, collection forms, or related APIs, you acknowledge that you have read and understood this policy. This policy is effective as of March 26, 2025, and was last updated on September 22, 2025.

1. Data Controller Contact Information

The PulsePoint Foundation is the data controller responsible for the personal data processed under this policy.

Mailing Address
PulsePoint Foundation
PO Box 12594
Pleasanton, CA 94588-2594

Email
dpo@pulsepoint.org (Data Privacy Officer)

Website
near-registry.org

If you have any questions about this policy or how we process personal data, you may contact us directly using the information above or reach out to your local data protection authority.

2. Types of Data We Collect

We collect the following categories of data when you use our AED collection forms, such as aed.new or AED Admin in PulsePoint Central, or the PulsePoint AED mobile apps:

a) AED Data

• AED location (business/location name, address, GPS coordinates).
• Optional AED details (e.g., manufacturer, model, serial number).
• Optional AED-related images (contextual device image to help locate in an emergency).
• Optional Co-located Resources (e.g., Bleeding Control Kits, Naloxone, and Epinephrine).
• Optional AED Responsible Party (name, email, phone number).

b) User Account Information

• Email address (required for account creation).
• Password (securely encrypted).
• Optional profile image.
• Optional notification and app preferences.

c) Third-Party or External Data

• Optional name, email, and phone number of a responsible party. If you submit another person's data, you must confirm that you have informed them and obtained their consent, or have another lawful basis for sharing their information. We process this data in accordance with our legitimate interest in supporting the rapid deployment of AEDs during emergencies.
• Information about the location of cardiac arrest emergencies reported by public safety agencies (AED-needed alerts).
• Mobile push notification tokens (for sending AED-needed alerts).

d) Support Ticket (content varies by support channel)

• Name, email, and any other information provided in the message or attachments.
• IP address, app version, operating system, and device type (for security and troubleshooting).
• PulsePoint AED app settings (for troubleshooting).

e) Post-incident Responder Survey

• Information related to responder actions.

Sensitive Data Warning

Please refrain from submitting sensitive personal information in support requests and responder surveys unless strictly necessary.

Children's Data

Our services are not intended for individuals under the age of 13 (or 16 in EU jurisdictions where applicable). If we learn that we have collected personal data of a minor without verifiable parental consent, we will promptly delete that data.

3. How and Why We Use Your Data

We process personal data for specific purposes and only where we have a lawful basis under GDPR:

When we rely on legitimate interests, we perform a Legitimate Interest Assessment (LIA) to ensure that our interests do not override your fundamental rights and freedoms. You may request a summary of this assessment by contacting us.

4. Sharing of AED Data

AED data is shared with relevant parties to support emergency response and improve public safety.

Public Safety Organizations AED data is shared with public safety agencies and their authorized technology partners (e.g., ProQA Paramount, APCO Intellicomm, PowerPhone Total Response) to improve device utilization.

Trained Responders Non-public AED details (e.g., cabinet access codes) may be shared with trained community responders when they are alerted to a nearby cardiac arrest.

General Public Basic AED location data, images, and associated resources may be publicly displayed to promote awareness and avoid duplicate entries.

We do not sell or disclose information for marketing purposes.

Aggregated data can be used for analysis, reporting, research, and technology development to enhance the effectiveness of the registry. This data is fully anonymized and cannot be linked back to individual users.

5. Use of Third-Party Processors

We may engage trusted third-party service providers to assist in operating the registry, mobile apps, and support services. These providers only process data under our instructions and are bound by a Data Processing Agreement (DPA) to ensure the protection of personal data.

Categories of processors include cloud hosting providers, mobile OS providers, and help desk services. A detailed list of third-party processors (e.g., AWS, Apple, Zoho Corporation) is available upon request. Please contact us at dpo@pulsepoint.org.

If you are located in the EU/EEA, your personal data may be transferred to and processed in countries outside of the European Economic Area, including the United States. Where such transfers occur, we rely on appropriate safeguards, such as the European Commission’s Standard Contractual Clauses (SCCs), to ensure your data remains protected in accordance with GDPR requirements.

6. Receiving AED-Needed Alerts

When a cardiac arrest occurs near a registered AED, device subscribers receive an alert requesting they retrieve and deliver the AED to the emergency scene.

• AED-needed alerts require explicit user opt-ins. We obtain such consent through clear, in-app permissions. You may withdraw consent at any time through your account settings.
• These alerts are based on AED location, not user location, and do not require location permissions.
• Recipients must either be the responsible party or have permission from the responsible party to receive notifications for a specific AED.
• Subscriber email addresses are shared with registry administrators and responsible parties to evaluate and manage responders.
• Responders receive a post-incident responder survey if notified of a nearby need, participation in which is optional.
• Authorized public safety agency personnel receive post-incident responder survey responses to measure the effectiveness of their programs and monitor the well-being of responders.

7. Your Rights Under GDPR

As a data subject in the EU/EEA, you have the following rights regarding your personal data:

Access Request a copy of the personal data we hold about you.

Rectification Correct inaccurate or incomplete data.

Erasure Request deletion of your data when it is no longer needed or if you withdraw consent. Withdrawing consent is free of charge and can be done easily through your account profile or by contacting us.

Restriction Request that we limit processing in specific circumstances.

Objection Object to processing based on legitimate interest.

Portability Request that we transfer your data to another service provider.

Complaint Lodge a complaint with your local supervisory authority.

To exercise these rights, email us at dpo@pulsepoint.org. We will respond within 30 days, as required by GDPR. You also have the right to file a complaint with your local supervisory authority.

8. Data Retention

We retain data only for as long as necessary for the purposes outlined in this policy:

AED Records Retained while they remain valid and useful for emergency response.

User Accounts To delete your account and associated data, log in to your account profile and select Delete Account, or email dpo@pulsepoint.org with your request. Account data will be removed within 30 days.

Responder Surveys Retained for 12 months for reporting, then anonymized.

Support Tickets Retained for up to 24 months to resolve issues and maintain service quality, then securely deleted.

Aggregated Data Anonymized data may be retained indefinitely for statistical and research purposes.

9. Security Measures

We implement technical and organizational measures to protect personal data, including:

• Encryption of data in transit and at rest.
• Role-based access controls for sensitive systems.
• Regular security reviews and audits.
• In the event of a data breach, we will notify affected users without undue delay and the appropriate supervisory authority within 72 hours, as required by GDPR Articles 33 and 34.
• Consent mechanisms are explicit and logged.

Only authorized personnel have access to personal data.

10. Changes to This Privacy Policy

We reserve the right to update this policy periodically to reflect changes in our practices or applicable legal requirements.

• The most current version will always be available at near-registry.org/privacy-policy.
• If we make significant changes, we will notify registered users via email.

11. Contact Information

If you have questions about this policy or your rights, PulsePoint Foundation has appointed a Data Protection Officer (DPO) who can be reached at dpo@pulsepoint.org.

12. Summary of Key Points

Here's the bottom line on your data and our commitments:

• We only use personal data for public safety purposes, never for marketing.
• You control your data and can request deletion or updates at any time.
• AED data may be shared with public safety agencies, responders, and the public to improve emergency response.
• We take security and privacy seriously, using strong safeguards to protect your data.