Privacy Policy
Last updated: 21 May 2026
FireThings ("we", "us", or "our") is committed to protecting your privacy. This policy explains what data we collect, why we collect it, where it is stored, how long we keep it, and what rights you have over your data.
1. Data We Collect
1.1 Account Information
- Email address and display name — used for sign-in via Firebase Authentication.
- Authentication credentials — managed securely by Firebase Authentication (we do not store your password directly).
1.2 Job, Invoice, and Quote Data
- Jobsheet data — customer names, site addresses, job details, defect notes, and signatures you enter into jobsheets.
- Invoice data — customer details, line items, amounts, and bank payment details you enter into invoices.
- Quote data — customer details, quoted items, pricing, linked defects, and quote status.
1.3 Customer, Site, and Asset Data
- Saved customers and sites — names, addresses, and notes you save for quick access.
- Site information — fire alarm system specifications (panel make/model, system category, zones, loops, battery details), building context (type, occupancy), primary contact name and phone number, and access/parking notes.
- Asset records — equipment details (type, make, model, serial number, location, barcode), compliance status, service history, and test records.
- Defect records — descriptions, severity, status, evidence photographs, and linked quotes.
- Floor plans — uploaded images of site layouts with asset placement markers.
- Wiring diagrams — uploaded images with vector stroke annotations. Version history (including all previous versions) is retained as an audit trail.
1.4 BS 5839 Compliance Data
If you use the BS 5839-1:2025 compliance features, we collect and store:
- Responsible person details — name, role, email address, and phone number of the person responsible for the fire alarm system at each site.
- Digital signatures — engineer and responsible person signatures captured during inspection visits.
- Professional qualifications and competency records — qualification types, certificate numbers, issuing bodies, expiry dates, and CPD records.
- Inspection and audit records — inspection visit details, compliance declarations, variation records, cause-and-effect test results, and logbook entries.
- Evidence photographs — photos uploaded as evidence for defects, variations, and cause-and-effect tests.
1.5 PDF Branding
- Logo images — company or personal logos uploaded for PDF branding (PNG, JPG, or SVG, under 1 MB), stored in Firebase Cloud Storage.
- Branding configuration — header style, footer style, cover page settings, and colour scheme preferences.
1.6 Company and Dispatch Data
- Company data — if you join a company, your display name, email, and role are shared with other members to enable dispatch and team coordination.
- Dispatched job data — job details including site addresses, contact names, phone numbers, job descriptions, status, priority, and scheduling information.
1.7 Location Data
- GPS coordinates — captured when using the timestamp camera. Location is only accessed while the camera is actively in use, not in the background.
- Address geocoding — when viewing site or job locations on a map, addresses are geocoded to display map previews. On web, this uses the OpenStreetMap Nominatim service (see Section 7). On mobile, this uses your device's built-in geocoding.
1.8 Photos and Media
- Timestamp camera photos — stored on your device and optionally saved to your device gallery.
- Asset and defect photos — uploaded to Firebase Cloud Storage for cloud access.
- Floor plan and wiring diagram images — uploaded to Firebase Cloud Storage.
1.9 Device and Technical Data
- Usage analytics — anonymous usage events collected via Firebase Analytics. Events do not include customer names, addresses, or other personally identifiable information.
- Crash reports — automatic error and crash reports collected via Firebase Crashlytics. Not active on the web version.
- Device information — device model, OS version, and app version, collected alongside crash reports and analytics.
- Push notification tokens — FCM device tokens used to deliver push notifications for job assignments and status updates.
1.10 Subscription and Billing Data
- Subscription status — your current tier (Free, Solo, or Team), billing period, and entitlements.
- Payment processing — payments are handled by Apple (App Store), Google (Play Store), or Stripe (web). We do not store your full credit card details. We store a Stripe customer ID and subscription ID for web subscribers.
- Purchase history — RevenueCat (iOS/Android) and Stripe (web) retain records of your purchases.
2. Lawful Basis for Processing
Under UK GDPR, we process your data on the following lawful bases:
- Contract performance (Article 6(1)(b)) — processing your job, invoice, quote, asset, and site data is necessary to provide the FireThings service.
- Legitimate interests (Article 6(1)(f)) — usage analytics and crash reporting help us maintain and improve the App.
- Legal obligation (Article 6(1)(c)) — retention of billing records for tax and accounting compliance.
- Consent — where we rely on consent (e.g. push notifications, location access), you can withdraw it at any time through your device settings.
3. Where Your Data Is Stored
- Locally on your device — in an SQLite database. The app works fully offline.
- In the cloud — a backup in Google Cloud Firestore. Uploaded files in Firebase Cloud Storage. All cloud data is encrypted at rest and in transit (TLS/HTTPS).
Firebase Analytics and Crashlytics data is processed by Google on servers in the United States and other countries where Google operates.
RevenueCat processes subscription data on servers in the United States. Stripe processes payment data on servers in the United States and Europe.
On the web version, address geocoding requests are sent to OpenStreetMap Nominatim servers, which receive the address text and your IP address.
4. How Long We Keep It
Your data is retained for as long as your account is active. If you delete your account, all data — both local and cloud — is permanently and irreversibly deleted.
BS 5839 compliance records are stored as immutable audit records and cannot be individually edited or deleted while your account is active. They are permanently deleted when you delete your account.
Exceptions to deletion:
- Subscription and billing records (purchase history, transaction IDs) are retained for 7 years after account deletion to comply with UK tax and accounting law (HMRC).
- Crash reports are retained by Google for approximately 90 days.
- Analytics data is retained by Google for approximately 14 months.
- Company data — shared company data is retained for other company members. Your member record is deactivated rather than deleted.
- Anonymous aggregated analytics with no personal identifiers may be retained to improve the service.
5. Who Can Access Your Data
Your personal data is stored under your unique user account and protected by security rules that prevent any other user from reading or writing it.
If you join a company, certain data is shared with other company members:
- Your display name, email, and role are visible to other company members.
- Dispatched job data is shared between dispatchers, admins, and engineers.
- Shared company sites, customers, asset records, floor plans, wiring diagrams, and site information are accessible to company members according to permissions.
- BS 5839 compliance data is shared between company members according to roles and permissions.
- Engineer competency records are visible to team managers and the engineer themselves.
Company data is protected by security rules that restrict access to authenticated members only. No data is shared outside your company.
We do not sell, share, or provide your data to third parties for marketing or advertising. We do not use your data for cross-app tracking. We do not access or review your individual jobsheets, invoices, or financial data.
6. Your Rights
Under UK GDPR and the Data Protection Act 2018, you have the following rights:
- Right of access — all your data is visible within the app at any time.
- Right to rectification — you can edit your data at any time within the app.
- Right to erasure — you can delete individual records or your entire account from Settings. See our account deletion page for full details.
- Right to data portability — you can export your data as PDF documents. Contact us if you require another format.
- Right to object — you may object to processing based on legitimate interests. Contact us using the details in Section 10.
- Right to restrict processing — you may request restriction in certain circumstances. Contact us to discuss.
- Right to lodge a complaint — you may lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
7. Third-Party Services
Google Firebase Services
- Firebase Authentication — account sign-in and management.
- Cloud Firestore — cloud data backup and synchronisation.
- Firebase Cloud Storage — secure file storage for uploaded images and generated PDF reports.
- Firebase Crashlytics — crash and error reporting. Not active on web.
- Firebase Analytics — anonymous usage analytics.
- Firebase Remote Config — server-side feature configuration. Does not collect personal data.
- Firebase Cloud Messaging (FCM) — push notifications for job assignments and status updates.
- Firebase Cloud Functions — server-side processing for company management, subscription provisioning, and push notification delivery.
All Firebase services are subject to the Google Cloud Privacy Notice and Firebase Terms of Service. We have a Data Processing Agreement (DPA) with Google.
RevenueCat
RevenueCat manages in-app purchase subscriptions on iOS and Android. It processes your app user ID, purchase receipts, and entitlement status. RevenueCat does not receive your name, email, or app content data. See the RevenueCat privacy policy.
Stripe
Stripe processes web subscription payments. When you subscribe via the web, Stripe processes your payment card details, email address, and billing information. We store only a Stripe customer ID and subscription ID. See the Stripe privacy policy.
OpenStreetMap / Nominatim
On the web version, address geocoding uses the OpenStreetMap Nominatim service, which receives address text and your IP address. Map tiles are loaded from OpenStreetMap servers. On mobile, geocoding uses your device's built-in services instead. See the OpenStreetMap privacy policy.
Apple App Store / Google Play Store
If you subscribe via in-app purchase, Apple or Google processes your payment. Their respective privacy policies apply.
8. App Permissions
FireThings requests the following device permissions. Each is requested only when needed and can be denied or revoked in your device settings:
| Permission | Purpose |
|---|---|
| Camera | Timestamp camera for site documentation; barcode scanning for asset register |
| Location (while in use) | GPS coordinates overlaid on timestamp camera photos |
| Microphone | Decibel meter tool for fire alarm sound level testing |
| Photo library | Saving photos to your gallery; selecting images for logos and jobsheets |
| Notifications | Push notifications for job assignments and status updates |
No permissions are required to use the core features. Location and microphone are only accessed while the relevant feature is in use, never in the background.
9. Children
FireThings is a professional tool for fire alarm engineers. It is not intended for children under 13. We do not knowingly collect personal data from children.
10. Data Controller and Contact
FireThings is registered with the Information Commissioner's Office (ICO) as a data controller.
Data controller: George Christopher Scott, trading as FireThings
Email: support@firethings.co.uk
ICO registration: ZC102827
We aim to respond to all data protection enquiries within 30 days.
11. International Data Transfers
Some of our third-party service providers process data outside the United Kingdom:
- Google (Firebase) — processes data in the United States and other countries. Relies on Standard Contractual Clauses and the UK International Data Transfer Agreement.
- RevenueCat — processes data in the United States. Covered by Standard Contractual Clauses.
- Stripe — processes data in the United States and Europe. Certified under the UK Extension to the EU-US Data Privacy Framework.
- OpenStreetMap — servers located internationally. Only receives address text and IP addresses (no account data).
12. Changes to This Policy
We may update this privacy policy from time to time. Any changes will be reflected in the "Last updated" date at the top of this document. Continued use of the app after changes constitutes acceptance of the updated policy.