Privacy Policy

Last updated: April 15, 2026

1. Introduction

Command Established ("Command Established," "we," "our," or "us") provides a software platform that fire departments use to manage incidents, personnel, training, inventory, applications, payments, and related operations.

This Privacy Policy explains what information we collect, how we use it, who we share it with, how long we keep it, and the choices and rights available to you. It is written for the United States and reflects how the platform actually works today. The platform is offered to United States–based fire departments and their personnel; it is not directed to users outside the United States.

1.1 Our role: processor for departments, controller for accounts

Most of the information in the platform is entered by fire departments — records about their personnel, applicants, community-risk-reduction (CRR) program participants, incidents (including emergency-medical-services data), inventory, and so on. With respect to that information, the fire department is the controller, and Command Established acts as a service provider / processor that handles the data on the department's behalf and according to its instructions.

For a narrower set of information — accounts that sign in to Command Established directly, billing contacts, and people who contact us for support — Command Established is the controller.

Where this distinction matters in this policy, we say so.

2. Information We Collect

2.1 Account information (Command Established as controller)

When someone creates an account, signs in, contacts support, or pays for the service, we collect:

• Name, email address, and (optionally) profile photo
• A password hash and, if you enroll, multi-factor authentication ("MFA") credentials. MFA may include a TOTP secret (encrypted at rest), a phone number for SMS codes, and/or one or more WebAuthn / passkey public keys with associated device metadata
• If you sign in with Google, your Google account identifier
• API keys you create (stored as a one-way hash; we keep only a short prefix for display)
• Email-verification and password-reset codes (short-lived)
• Communications you send us for support, billing, or sales

2.2 Department-tenant information (Command Established as processor)

Fire departments use the platform to record and manage:

• Personnel records — name, contact details (email, phone, address), rank, status, certifications, hire/join dates, national personnel identifiers (e.g., PSID), call signs
• Incident reports — incident metadata, narratives, locations (GPS coordinates), apparatus and personnel involvement, and detail modules required by the National Emergency Response Information System ("NERIS"), including fire, rescue, hazmat, and emergency-medical-services (EMS) modules (see Section 8)
• Training records — courses, attendance, completion times, certificates
• Inventory and apparatus — equipment, vehicles, photos, test/inspection records
• Stations, hydrants, pre-plans, points of interest — including location coordinates
• Applications and permits — applicant contact information, custom application questions and answers, supporting file uploads, inspection results, payment status
• Community Risk Reduction (CRR) programs — activity records that may include limited information about minors entered by department personnel (see Section 9)
• Computer-Aided Dispatch (CAD) email ingestion — raw dispatch emails and PDF attachments we receive from a department's dispatch system are stored and parsed into incident records
• Files and attachments — documents, PDFs, photos, and images uploaded by department users
• Audit records — every create, update, and (in some cases) read action is logged with the actor, timestamp, and a before/after delta of the changed fields. This is a core feature of the platform; departments rely on it for accountability and records-management

2.3 Information collected automatically

When you use the service, we automatically collect:

• IP address (stored with each session and login attempt, including failed attempts)
• Browser user-agent string and basic device characteristics
• Session identifiers and timestamps
• Pages visited, features used, and other product-usage events (see Section 5)
• Approximate geolocation derived from IP address (e.g., to improve address autocomplete)
• Application errors and performance traces (see Section 5)

We do not collect precise device GPS location for tracking purposes. GPS coordinates appear in the platform only when a department or user enters or attaches them to a record (e.g., an incident location).

2.4 Payment information

Subscription billing and permit-fee collection are processed by Stripe. Card numbers and full payment instrument details are entered into Stripe-hosted fields and are not stored by Command Established. We retain Stripe-issued identifiers (customer ID, payment intent IDs), invoice records, payment status, and refund history.

3. How We Use Information

We use the information described above to:

• Provide, operate, and maintain the platform and its features
• Authenticate users, secure accounts, and detect and prevent abuse, fraud, and unauthorized access
• Process payments and manage subscriptions
• Send transactional messages (e.g., verification emails, password resets, payment receipts, applicant notifications, MFA codes via SMS)
• Generate AI-assisted content where the department has enabled such features (see Section 6)
• Index records to enable search within a department's data
• Monitor service performance, debug errors, and improve the product
• Respond to support requests
• Comply with legal obligations and enforce our Terms of Use

For tenant data, we process information only as needed to provide the service to the department and as the department instructs. We do not use personal information from a department's tenant to build profiles for advertising or to train third-party AI models.

4. Sub-processors

We use a small number of carefully selected third-party vendors ("sub-processors") to operate the service — for cloud hosting, email and SMS delivery, payment processing, error monitoring, product analytics, search indexing, geocoding, and AI features.

A current list of our sub-processors, with the purpose of each, is published at /subprocessors. We update that page when sub-processors change.

5. Cookies, Analytics, and Error Monitoring

5.1 Strictly necessary

We use first-party cookies and browser storage that are strictly necessary for the service to work — for example, to keep you signed in. These cannot be disabled.

5.2 Product analytics (Amplitude)

We use Amplitude to understand how the product is used so we can improve it. The Amplitude browser SDK sets first-party cookies and uses local storage to maintain a device identifier across sessions, and records events such as page views, feature interactions, and (after sign-in) your user ID together with limited account properties. We also send a smaller set of usage events from our servers to Amplitude.

We do not use Amplitude for advertising, and we do not allow Amplitude to use your information for its own purposes beyond providing analytics to us.

5.3 Error and performance monitoring (Sentry)

We use Sentry to capture application errors, crash reports, and performance traces. Error reports may include the URL, the user ID of the signed-in user, the browser/device, and a snapshot of relevant application state at the time of the error.

5.4 No advertising and no consent banner

We do not run advertising on the platform, do not use third-party advertising cookies, and do not engage in cross-context behavioral advertising. Because the service is offered in the United States and we do not use advertising cookies, we do not display a cookie consent banner. United States residents may exercise the choices described in Section 12 below.

6. AI-Assisted Features

The platform offers optional AI-assisted features — for example, generating an incident narrative from structured fields, suggesting inventory categories, summarizing review findings, and parsing CAD email attachments. These features use Google Cloud's Vertex AI (Gemini) models.

When a department uses an AI feature, the relevant inputs (for example, the structured incident data being summarized, the inventory item being categorized, or the document being parsed) are sent to Google Vertex AI for processing. Google processes this information as our sub-processor and, under our agreement with Google, does not use it to train Google's foundation models. AI-generated output is stored in the department's tenant alongside other records and may be reviewed and edited by department personnel.

7. Information Sharing and Disclosure

We do not sell personal information, and we do not "share" personal information for cross-context behavioral advertising as those terms are defined under California law.

We disclose information only as follows:

• To the fire department that controls the data. Personnel, applicants, patients, and CRR participants whose information is in a department's tenant should direct privacy requests to that department first.
• To sub-processors listed at /subprocessors, under written agreements that limit how they may use the information.
• To comply with law — for example, in response to a valid subpoena, court order, or other lawful request, or where disclosure is necessary to protect rights, safety, or property.
• In a corporate transaction — e.g., a merger, acquisition, financing, or sale of assets — subject to the protections of this policy.
• With your consent — when you have explicitly directed us to share information with a third party.

8. Health and EMS Information

Incident reports may include information about the medical condition, treatment, and transport of patients encountered by a department's EMS operations (for example, NERIS EMS detail modules). We treat this information with heightened care: it is encrypted in transit and at rest, access is limited to authorized department users, and we restrict our personnel's access to it to what is necessary to operate and support the service.

Command Established does not currently sign Business Associate Agreements ("BAAs") under the U.S. Health Insurance Portability and Accountability Act ("HIPAA"). Departments that are HIPAA-covered entities, or that consider their EMS records to be protected health information, should evaluate the platform against their own HIPAA obligations and contact us before entering identifiable patient information.

9. Minors

Use of the service requires you to be at least 18 years old. Accounts that sign in to Command Established are intended only for adults.

Department personnel may, in the course of running community-risk-reduction programs (such as juvenile-firesetter intervention or children's fire-safety education), enter limited information about minor program participants — for example, a first name, age range, or notes about the activity. The fire department is the controller of that information, is responsible for any required parental or guardian consent, and determines what is recorded. We do not knowingly collect personal information directly from children under 13.

10. Data Security

We use reasonable administrative, technical, and physical safeguards to protect information, including:

• Encryption in transit (TLS) and at rest for our databases and object storage
• AWS KMS for encrypting particularly sensitive fields (such as MFA secrets)
• Password hashing with a modern algorithm; we never store plaintext passwords
• Role-based access controls within each department's tenant
• Strict limits on Command Established personnel access to customer data, with logging and review
• Continuous error and security monitoring
• Vendor reviews of our sub-processors

No system is perfectly secure. If we become aware of a security incident affecting your information, we will notify the affected department(s) and, where required by law, affected individuals.

11. Data Retention and Deletion

The platform is built around a long-lived operational record-keeping model. By default:

• Records are archived rather than hard-deleted. When a user "deletes" a record, it is marked archived (with the actor and timestamp) and removed from normal views, but the underlying data remains in the department's tenant for recovery, audit, and legal-records purposes.
• The audit log of changes (who changed what, when, and from/to what value) is retained for the life of the department's account so departments can meet their own records and accountability requirements.
• Account credentials and session data (e.g., session IP and user-agent records, login attempts) are retained for a rolling period appropriate to fraud and abuse detection.
• Files and attachments stored in object storage follow the same archived-not-erased model.

When a department's contract with Command Established ends, the department may request that we hard-delete its tenant data. Unless the department directs otherwise, we will delete or de-identify tenant data within a reasonable period after termination, subject to legal-hold and back-up retention requirements. Backups are overwritten on a rolling cycle.

If you have a personal account and would like it closed, contact us at the address in Section 13.

12. Your Privacy Rights

12.1 General rights

Depending on where you live and your relationship to Command Established, you may have rights to:

• Know what personal information we hold about you
• Access a copy of that information
• Correct inaccurate information
• Request deletion of your information
• Opt out of certain processing
• Not be discriminated against for exercising these rights

If your information is in a department's tenant (you are a member of a fire department, an applicant, a CRR participant, or an EMS patient), the department is the controller and we will refer your request to them. If you have a Command Established account or other direct relationship with us, contact us at the address in Section 13 and we will respond within the timeframe required by applicable law (generally 45 days, with one extension where permitted).

We will verify your identity before fulfilling a request and may need additional information from you to do so.

12.2 California residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the CPRA, gives you the rights described in Section 12.1, plus the right to:

• Know the categories and specific pieces of personal information we collect, the sources, the business purposes, and the categories of third parties we disclose to
• Opt out of the "sale" or "sharing" of personal information, and limit the use of "sensitive personal information"
• Designate an authorized agent to make a request on your behalf

We do not "sell" personal information and we do not "share" personal information for cross-context behavioral advertising as those terms are defined under California law. If this changes in the future, we will update this policy and provide a "Do Not Sell or Share My Personal Information" link.

The categories of personal information we collect, the sources, and the disclosures we make are described in Sections 2, 3, 4, and 7 of this policy. We retain personal information as described in Section 11.

12.3 Other state privacy laws

Residents of other U.S. states with comprehensive privacy laws (including Colorado, Connecticut, Virginia, Utah, Texas, Oregon, and others) generally have similar rights to access, correct, delete, and obtain a portable copy of their personal information, and to opt out of targeted advertising, sale, or certain profiling. Because we do not engage in targeted advertising or sale of personal information, the opt-out is effectively built in. To exercise other rights, contact us at the address in Section 13.

12.4 How to make a request

Send your request to privacy@commandestablished.com. Please describe the right you wish to exercise and provide enough information for us to verify your identity and locate your records.

13. Contact Us

For privacy questions, requests, or complaints, contact us at:

Email: privacy@commandestablished.com

14. Changes to This Policy

We may update this policy from time to time. When we do, we will revise the "Last updated" date at the top and, for material changes, provide additional notice (for example, an in-product notice or email to account administrators) before the changes take effect. Continued use of the service after the updated policy takes effect constitutes acceptance of the changes.