Last Updated: May 13, 2026
📌 Key Points (Plain English)
This Privacy Policy explains how Be Prepared, Inc. collects, uses, and protects your personal information. We are committed to transparency and protecting your privacy rights, including GDPR rights for EU users and CCPA/CPRA rights for California residents.
Welcome to Be Prepared, operated by Be Prepared, Inc., incorporated in the State of Delaware and operating in New Jersey ("we," "us," "our"). We are committed to protecting your personal information and your right to privacy.
This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our website and application (collectively, the "Service"). Please read this Privacy Policy carefully. If you do not agree with the terms of this Privacy Policy, please do not access the Service.
Contact Information:
Be Prepared, Inc.
Email: privacy@bepreparedsolutions.co
📌 Key Points (Plain English)
We collect information you provide directly (account details, household data, addresses, payment info), automatically through cookies and analytics (only after consent), and via third-party services that help us operate. The list of subprocessors is in Section 12. We do NOT sell your personal information.
We collect information that you provide directly to us, including:
When you access our Service, we automatically collect certain information:
We receive limited information from third parties acting on your behalf or ours, including: your basic profile (name, email, profile picture) from Google when you use Google Sign-In; payment and dispute status from Stripe; calendar event data from Calendly when you book a BeAdvised session; email delivery and bounce status from Resend.
A complete list of subprocessors with the purpose of each is set out in Section 12.
📌 Key Points (Plain English)
The household questionnaire used for BeReady can include health information (medications, medical conditions, disabilities), precise location, and information about other household members including children. We treat these categories with extra care and process them only to deliver the Service. We do not use them for advertising and we do not sell them.
Because Be Prepared helps users plan for emergencies, the Service can collect categories of personal information that are treated as sensitive under U.S. state laws (including the CPRA in California) and as "special category" data under the EU/UK GDPR. You are never required to provide this information — you may use much of the Service without it — but providing it allows our AI to tailor plans to your household.
California residents have the right under CPRA to limit our use of sensitive personal information to what is necessary to perform the Service. Because we already restrict our use of sensitive information to providing the Service (and do not use it for advertising, profiling for material decisions, or selling), we honor this limit by default. You may confirm or extend this limit at any time by contacting us at the address in Section 16.
📌 Key Points (Plain English)
We use your information to provide the Service (AI plan generation, outage monitoring, order processing, session scheduling), improve our Service, communicate with you, process payments, and comply with legal obligations. We do NOT use your information for advertising to third parties.
We use the information we collect for the following purposes:
Important: We do NOT sell your personal information to third parties. We do NOT use your information for advertising purposes beyond our own Service.
📌 Key Points (Plain English)
Be Prepared uses AI to generate preparedness plans, baseline reports, evacuation routes, and other content. We route requests through OpenRouter to large language models from Anthropic, OpenAI, and Google. The data sent includes your household details, addresses, and any medical conditions or medications you have entered. We rely on each provider's API terms, which prohibit training on API input data; we do not have direct control over their internal handling beyond that contractual commitment.
Be Prepared uses artificial intelligence to generate preparedness plans, baseline location reports, evacuation routes, image content, and other personalized output. This section explains what we send, where it goes, and what is and is not promised by the providers we use.
We deliberately minimize what each AI call sees. The fields below are the ones that may be included in the prompt sent to an AI provider, depending on the feature you are using:
What we never send to AI providers
We do not include your account email address, your last name, your date of birth or birth year, your phone number, your password or one-time codes, or your payment-card data in any prompt sent to an AI provider. These fields stay inside our own systems (and with the specific subprocessors that need them, such as Stripe for payment or Resend for email).
The household editor still encourages you to enter first names or nicknames onlyfor the people in your household. The name field is optional — generic labels such as "Spouse," "Child A," or "Grandma" work too.
When we generate your BeReady preparedness plan, we go a step further: before any LLM call, we replace each household member’s first name with an opaque identifier (Member_1, Member_2, and so on). The AI model produces its plan using those identifiers; we then substitute the real names back in locally, on our servers, after the model has returned its response. The plan you read shows the names you entered — but OpenRouter, Anthropic, OpenAI, and Google never receive your household members’ first names during plan-generation steps.
The same scheme covers free-text fields where a real name might accidentally appear (for example, if you typed "Brian’s insulin" into a medication field): we scrub the known household names from those fields before the LLM call, and re-insert them on the way back. We never combine first names with email, last name, or date of birth on the same call.
One honest exception: the editorial polish step
After the plan is drafted, we run a final editorial pass that polishes voice and checks that each household member is referenced consistently across tabs. That step needs the real names to do its job — placeholders break consistency checks. So the editor stage doesreceive the rehydrated plan (with real first names) once. Every step before it — plan outlining, plan drafting, article-voice copy — sees only placeholders. The editor sees real names; no other LLM call does. We may close this gap in a future update if we can verify the editor can preserve voice without them.
A separate limitation: if you provided an out-of-state emergency contact, that person’s name (a different individual from your household) is sent to the LLM that drafts your family’s "Who Does What When" communication grid. Our pseudonymization map covers your household members; we’re evaluating extending it to out-of-state contact names in a future update.
Different features of the Service make different LLM calls. Some calls receive only your address, some receive only household details, some combine both, and BeReady plan generation is now split across several smaller calls each scoped to the minimum data it needs. The current state is:
| Feature / LLM Call | Address? | Household identity + health info? |
|---|---|---|
| BeReady plan — Outline stage (3 parallel calls + 1 synthesis call) | Yes | Pseudonymized first names (Member_N) + health info; full health detail only for the Profile and Kit sub-calls, not the Phases sub-call |
| BeReady plan — Drafting stage (3 parallel calls) | Yes | Pseudonymized first names + health info; same scoping as the outline stage |
| BeReady plan — Article voice copy | City and state only | Pseudonymized first names only (no health info) |
| BeReady plan — Editorial polish (3 parallel calls) | Yes | Real first names + health info — see 5.2 for why this one step is the exception |
| BeAware baseline location report (summarizer + synthesis calls) | Yes | Yes — combined so the report can flag special-needs considerations for your location |
| Emergency contacts lookup | Yes | No |
| Evacuation route generation | Yes (start address) | No |
| Image generation (article and kit imagery) | No | No |
BeReady plan generation used to be a single large LLM call that received your full address and full household identity together. As of May 2026 we split it into the steps shown above, with first names pseudonymized before every call except the final editorial polish (see 5.2). Each sub-call also receives only the fields it needs — for example, the Phases sub-call sees city and state rather than your precise address, and does not receive your full medical free-text. BeAware baseline reports still combine address and household details in one call because the report’s value is naming local hazards in the context of specific household considerations; we are evaluating the same kind of split for that feature.
AI requests are sent through OpenRouter, which routes them to one of several underlying model providers. Active providers currently include:
The exact provider and model for a given feature may change at any time as we improve quality, add new features, or respond to availability. The current routing for a feature can be viewed by contacting us. Each provider has its own privacy policy, retention practices, and processing locations (generally the United States).
OpenRouter, Anthropic, OpenAI, and Google each publish API terms or enterprise terms stating that data submitted via their APIs is not used to train their general-purpose models. We rely on those terms. We do not have direct visibility into the internal handling, logging windows, or abuse-monitoring processes of each provider; please review their public policies for those details:
AI plan generation runs as a background task on Trigger.dev. The task payload (which includes the same data described in Section 5.1) is logged in the Trigger.dev dashboard for debugging and retry purposes and is subject to Trigger.dev’s retention practices.
⚠️ AI Content Disclaimer
AI-generated content may contain inaccuracies, hallucinations, or guidance that conflicts with official emergency instructions. Please refer to our Terms of Service for the full disclaimer regarding AI-generated content. You should always verify critical information with authoritative sources, and in any emergency call 911 (or your local emergency number) and follow official instructions.
📌 Key Points (Plain English)
Be Prepared offers Google Sign-In as an optional authentication method. If you choose to sign in with Google, we receive your name, email address, Google account ID, and profile picture. We use this information solely to create and authenticate your Be Prepared account. We comply with the Google API Services User Data Policy, including the Limited Use requirements.
Be Prepared offers Google Sign-In as an optional way to create and access your account. Using Google Sign-In is entirely voluntary; you may also sign in with an email address and one-time password.
When you choose to sign in with Google, we request the following basic profile information from your Google account via the standard OAuth scopes (openid, email, profile):
We do not request access to Gmail, Google Drive, Google Calendar, Google Contacts, or any other Google service or Restricted Scope.
We do not use Google user data for advertising, we do not sell or share it with third parties for their own purposes, and we do not use it to train artificial intelligence or machine learning models.
Google user data is stored alongside other account data in our Supabase-hosted PostgreSQL database, encrypted in transit (HTTPS/TLS) and at rest. Access is restricted to authorized personnel and subject to the security measures described in Section 10.
You can disconnect Google Sign-In from your Be Prepared account at any time by:
Google API Services User Data Policy — Limited Use
Be Prepared’s use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
📌 Key Points (Plain English)
EU users have specific rights under GDPR: access your data, correct errors, request deletion, export your data, restrict processing, object to processing, and withdraw consent. Submit requests through our in-app form or email privacy [at] bepreparedsolutions.co. We respond within 30 days.
If you are a resident of the European Economic Area (EEA), you have certain data protection rights under the General Data Protection Regulation (GDPR):
To exercise any of these rights, please submit a request through our in-app data request form (available in your account settings under "Privacy & Data") or contact us at privacy@bepreparedsolutions.co. We will respond to your request within 30 days.
Identity Verification: To protect your privacy, we may require identity verification before fulfilling data requests. We may ask for additional information to confirm your identity.
Limitations: Some requests may be limited by legal obligations. For example, we may retain certain information as required by law or for legitimate business purposes (such as completing transactions or resolving disputes).
📌 Key Points (Plain English)
California residents have rights under CCPA/CPRA: right to know, delete, opt-out, non-discrimination, and correction. We do NOT sell your personal information. Contact privacy [at] bepreparedsolutions.co to exercise your rights. We respond within 45 days.
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
To exercise these rights, contact us at privacy@bepreparedsolutions.co. We will respond within 45 days as required by law.
ℹ️ We Do Not Sell Personal Information
Be Prepared does not sell, rent, or share your personal information with third parties for their own marketing purposes. We have not sold personal information in the preceding 12 months.
📌 Key Points (Plain English)
We use industry-standard security measures (encryption, secure servers, access controls) to protect your data. We retain different categories of data for specific periods. Address data is encrypted at the application layer for enhanced protection.
We implement appropriate technical and organizational measures to protect your personal data:
We retain your personal data according to the following schedule:
| Data Category | Retention Window | Notes |
|---|---|---|
| User account & profile | Active account; deleted within 30 days of account deletion | Some fields may be retained longer if required by law |
| Household data (BeReady) | Until you delete it or your account | Soft-deleted plans recoverable for 30 days |
| Preparedness plans | Until you delete them | Soft-delete, recoverable for 30 days |
| Addresses & geocoded coordinates | Until removed or 30 days after account deletion | Encrypted at the application layer |
| BeAware baseline location reports | Auto-expire after 1 year | Cached up to 30 days for re-use |
| Utility outage events | 30 days after resolution | Pseudonymized for product analytics |
| FEMA IPAWS alerts | Until alert expiry + 7 days | Government source data |
| BeAdvised bookings | 3 years from session date | For service-history and dispute purposes |
| Order & payment records | 7 years | Required by tax / financial recordkeeping; pseudonymized after account deletion where possible |
| User activity log (analytics) | 24 months | IP address rotated/truncated where feasible |
| System / error logs | 12 months | Used for security, fraud prevention, debugging |
| Trigger.dev background-task logs | Per Trigger.dev policy (typically 30 days) | Includes AI prompt payloads |
| Render hosting logs | Per Render policy (typically 30 days) | May include IP and request metadata |
| Microsoft Clarity recordings | Per Microsoft policy (typically 13 months) | Loaded only after analytics/marketing consent |
| Disclaimer-acceptance records | 7 years | Used to evidence acknowledgement of safety notices; retained longer than the underlying plan |
| Marketing-email opt-in / opt-out | 3 years after opt-out | To honor opt-out across re-registration |
Account Deletion: When you delete your account, we will delete or anonymize your personal data within 30 days, except where retention is required by law or for legitimate business purposes (such as fraud prevention or financial record-keeping). Order and transaction records are pseudonymized and retained as required by tax law.
⚠️ Security Disclaimer
While we strive to protect your personal data using industry-standard security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security. You use the Service at your own risk.
📌 Key Points (Plain English)
We share your information only with trusted service providers necessary to operate the Service, when required by law, or with your explicit consent. We do NOT sell your data to third parties.
We share your personal information only in the following circumstances:
We share information with third-party service providers who perform services on our behalf. The complete current list, with the purpose of each, is in Section 12 (Subprocessor List). Each provider is contractually obligated to protect your information and use it only for the purposes we specify.
ℹ️ User ID Tracking for Marketing Attribution
If you are logged in and have granted marketing cookie consent, we send your anonymized user ID to Google Ads. This allows us to measure which marketing campaigns lead to signups and conversions. Your user ID is a random alphanumeric string that does not contain any personally identifiable information. You can withdraw consent at any time by updating your cookie preferences, which will immediately stop user ID tracking.
We may disclose your information if required to do so by law or in response to:
If Be Prepared is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our Service before your information is transferred and becomes subject to a different privacy policy.
We may share your information for other purposes with your explicit consent or at your direction.
🔒 We Do NOT Sell Your Data
We do not sell, rent, or trade your personal information to third parties for their marketing purposes. Your data is used solely to provide and improve our Service.
📌 Key Points (Plain English)
A current list of service providers (subprocessors) that may receive your personal information to help us run the Service, with the purpose of each. We update this list as our stack changes.
We use the following service providers (subprocessors) to operate the Service. Each receives only the personal information needed for the stated purpose and is bound by a written agreement requiring appropriate security and confidentiality.
| Provider | Purpose | Categories Shared | Location |
|---|---|---|---|
| Supabase, Inc. | Authentication, PostgreSQL hosting | Account, profile, household, plans, addresses | USA |
| Render | Web and worker hosting, runtime logs | Request metadata, IP, error logs | USA (Oregon) |
| Stripe, Inc. | Payment processing, subscription billing | Name, email, billing address, payment instrument | USA + global |
| OpenRouter | Routes AI requests to model providers | Prompt payload (see Section 5) | USA |
| Anthropic, PBC | Claude LLM for plans, reports, chat | Prompt payload | USA |
| OpenAI | GPT LLM (text + image generation) | Prompt payload | USA |
| Google LLC (Gemini API) | Gemini LLM | Prompt payload | USA + global |
| Google LLC (Maps Platform) | Address autocomplete, geocoding, Places, Routes | Addresses, coordinates | USA + global |
| Google Ads | Marketing measurement (consent-gated) | Hashed user ID, conversion events | USA + global |
| Microsoft (Clarity) | Session replay, heatmaps (consent-gated) | Interaction recordings, hashed user ID | USA + global |
| Trigger.dev | Background-task orchestration, retries | Task payloads (incl. AI prompt data) | USA |
| Resend | Transactional and marketing email delivery | Email address, message content | USA |
| Calendly | BeAdvised session scheduling | Name, email, scheduling answers | USA + global |
| Firecrawl | Web research / scraping for content workflows | No user PII; outbound only | USA |
| SerpAPI | Search-engine results for research workflows | No user PII; outbound only | USA |
| Decodo (proxy) | Outbound proxy for selected scrapers | No user PII; outbound only | Global |
| WeatherAPI | Weather data for monitored locations | Coordinates only | USA + global |
| AirNow (US EPA) | Air-quality data | Coordinates only | USA |
| FEMA IPAWS, USGS, NOAA, NWS, USFS, HIFLD, NFIP | Government data sources for hazard analysis and alerts | Coordinates only; public APIs | USA |
This list may change as our infrastructure evolves. Material changes will be reflected in the "Last Updated" date and, where required by law, communicated to you directly.
📌 Key Points (Plain English)
Our Service is intended for adults. Account holders must be 18 or older. Adult account holders may include information about other household members, including children, solely for household preparedness planning. We do not knowingly let children under 13 create accounts (COPPA), do not allow users under 18 to create accounts at all, and never use information about children for advertising or for AI model training.
Be Prepared accounts are intended for individuals aged 18 and over. Our Terms of Service require users to be at least 18 years old to create an account. We do not knowingly let individuals under 18 register, and we do not knowingly direct marketing to people under 18.
BeReady plans can be more useful when they reflect your full household, which often includes minors. An adult account holder may choose to enter limited information about a child — such as first name, age, special needs, and medical considerations — for the sole purpose of household preparedness planning. By providing this information you represent that you are the parent or legal guardian of the child (or otherwise have authority to share it) and that you consent on the child's behalf to its processing for that purpose.
We treat information about minors in the household as sensitive personal information (Section 3): used only to deliver the Service to you, never used for advertising, never used to train AI models, and never sold or shared for cross-context behavioral advertising.
We do not knowingly collect personal information directly from children under 13 in the United States in a manner that requires verifiable parental consent under the Children's Online Privacy Protection Act (COPPA). Information about a child entered by an adult account holder is collected from the adult, not from the child. If you are a parent or guardian and believe a child under 13 has interacted with the Service in a way that collected personal information directly from them, contact us at privacy@bepreparedsolutions.co and we will promptly delete it.
At any time, an adult account holder may remove information about a child from their household profile through the in-product editor or by contacting us at the address in Section 16.
📌 Key Points (Plain English)
Be Prepared is a U.S. business. Your information is stored and processed primarily in the United States. For users in the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms with our subprocessors.
Be Prepared, Inc. is incorporated in the State of Delaware and operates in New Jersey, United States. Your information is stored and processed primarily on infrastructure located in the United States, and is also accessible from any country where our subprocessors operate (see Section 12).
When personal information is transferred from the European Economic Area, United Kingdom, or Switzerland to a country that has not received an adequacy decision from the European Commission or relevant supervisory authority, we rely on one or more of the following safeguards:
You may request a copy of the safeguards applicable to a specific transfer by emailing the address in Section 16.
If you access the Service from outside the United States, you understand that data protection laws in the destination jurisdiction (the United States and others) may differ from those of your country of residence. By using the Service, you agree to the international transfer of your information as described above.
📌 Key Points (Plain English)
We may update this Privacy Policy periodically. We will notify you of significant changes via email or prominent notice on our Service. Continued use after changes indicates acceptance.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will update the "Last Updated" date at the top of this Privacy Policy.
We will notify you of any material changes by:
Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree to the updated Privacy Policy, you should stop using the Service and may delete your account.
📌 Key Points (Plain English)
For privacy questions or to exercise your rights, contact us at privacy [at] bepreparedsolutions.co or through our in-app data request form. We respond within 30 days (45 days for CCPA requests).
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Be Prepared, Inc.
Privacy Inquiries: privacy@bepreparedsolutions.co
In-App Data Requests:Available in your account settings under "Privacy & Data"
We will respond to your inquiry within 30 days. For GDPR requests, we will respond within 30 days as required by law. For CCPA/CPRA requests, we will respond within 45 days as required by law.