Privacy Policy
Last updated: 16/06/2026
SafeHaven is committed to protecting your personal data. This Privacy Policy explains how SafeHaven collects, uses, stores, and protects your information in accordance with the General Data Protection Regulation (GDPR/RODO) and Polish data protection law.
1. About SafeHaven
SafeHaven is a food allergy travel safety platform operated as a community-driven service. SafeHaven acts as the Data Controller for personal data collected through this application.
Contact: safehaven@bki.info.pl
2. Data Collected
• Name and email address (registration)
• Allergen profile (optional — health data, special category under GDPR Art. 9)
• Emergency contacts (optional) — name, phone number, and relationship; data of a third party provided voluntarily by the user for emergency assistance purposes
• Medications (optional) — type, name, and notes (health data, special category under GDPR Art. 9)
• Reviews and ratings you submit
• Language preferences
• Device and usage data (with consent)
• Location data (only when you grant permission)
• Cookie preferences
3. Legal Basis for Processing
• Consent (Art. 6(1)(a) GDPR) — for allergen profile data, emergency contacts, analytics cookies, marketing cookies, and location data
• Contract performance (Art. 6(1)(b)) — for account creation and service delivery
• Legitimate interest (Art. 6(1)(f)) — for security, fraud prevention, and service improvement
• Explicit consent (Art. 9(2)(a)) — for health-related data (allergen profile, medications, and any health-related notes in the allergy card)
4. Data Sharing
SafeHaven does not sell your personal data. Data may be shared with:
• Google Places API — for venue information (governed by Google's ToS)
• Hosting provider — for infrastructure (within EU/EEA)
• Law enforcement — when required by law
All third-party processors are bound by Data Processing Agreements (DPAs) ensuring GDPR compliance.
Allergy card data (allergens, emergency contacts, medications) is never shared with third parties — it is used only to generate your personal card (PNG/PDF) on your device when you request it.
5. Cookies & Analytics
SafeHaven uses three categories of cookies:
• Necessary — session management, language preference, cookie consent state. Cannot be disabled.
• Analytics — anonymous usage statistics to improve the app. Opt-in only.
• Marketing — personalized content and campaign tracking. Opt-in only.
Analytics are powered by Google Analytics 4 (measurement ID: G-F34FE7MFNT). Google Analytics collects anonymised data about page views, session duration, and device type. Data is processed by Google Ireland Limited and may be transferred to the USA under Standard Contractual Clauses. You can opt out via cookie preferences or by installing the Google Analytics Opt-out Browser Add-on (tools.google.com/dlpage/gaoptout).
Cookie preferences can be changed at any time from Account Settings.
6. Your Rights (GDPR Art. 15-22)
You have the right to:
• Access — request a copy of your personal data
• Rectification — correct inaccurate data
• Erasure — request deletion of your data ("right to be forgotten")
• Restriction — limit how your data is processed
• Portability — receive your data in a structured format
• Objection — object to processing based on legitimate interest
• Withdraw consent — at any time, without affecting prior processing
To exercise these rights, contact: safehaven@bki.info.pl
7. Data Security
SafeHaven implements appropriate technical and organizational measures including:
• Encryption in transit (TLS/HTTPS)
• Encrypted storage for sensitive data
• Access controls and authentication
• Regular security reviews
• Incident response procedures
8. Data Retention
• Account data — retained while your account is active, deleted within 30 days of account deletion request
• Allergy card data (allergens, emergency contacts, medications) — deleted together with the account within 30 days of deletion request
• Reviews — anonymized upon account deletion
• Analytics data — aggregated and anonymized after 26 months
• Cookie consent preferences — stored locally on your device
9. Contact & Complaints
Data Controller: Bartosz Karski (operating as SafeHaven)
Email: safehaven@bki.info.pl
For data protection enquiries or to exercise your rights (access, rectification, erasure, portability, objection), contact us at the email above.
You have the right to lodge a complaint with the supervisory authority:
Urząd Ochrony Danych Osobowych (UODO)
ul. Stawki 2, 00-193 Warszawa
https://uodo.gov.pl
10. California Residents — CCPA/CPRA
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
• Right to Know — request disclosure of the categories and specific pieces of personal information we collect, use, disclose, and sell.
• Right to Delete — request deletion of personal information we have collected about you, subject to certain exceptions.
• Right to Correct — request correction of inaccurate personal information.
• Right to Opt-Out — opt out of the sale or sharing of your personal information. SafeHaven does not sell personal data. You can opt out of data sharing for analytics and marketing by managing your cookie preferences.
• Right to Data Portability — receive your data in a portable format.
• Right to Non-Discrimination — we will not discriminate against you for exercising any of your rights.
To exercise your rights, use the Data Request form in Account Settings or contact us at safehaven@bki.info.pl. We will respond within 45 days as required by CCPA.
