SHEPARD'S BEACON

A Platform of Shepard's Collective Ministries

PRIVACY POLICY

Effective Date: April 3, 2026

1. Introduction and Scope

Shepard's Beacon ("Platform," "we," "us," or "our") is operated by Shepard's Collective Ministries, a Virginia-domiciled organization. Shepard's Beacon is a missing persons tracking and search coordination platform designed to support law enforcement agencies, authorized search organizations, families of missing individuals, and community volunteers in locating missing persons and coordinating search efforts.

This Privacy Policy describes how we collect, use, disclose, store, and protect information obtained through:

• Our web-based platform and administrative dashboard

• Our mobile application (Shepard's Beacon Mobile)

• Our APIs and integration services

• Any communications you send to us

By accessing or using the Platform, you agree to the terms of this Privacy Policy. If you do not agree, please discontinue use of the Platform immediately.

2. Governing Law and Jurisdiction

Shepard's Collective Ministries is domiciled in the Commonwealth of Virginia, United States of America. This Privacy Policy is governed by and construed in accordance with the laws of the Commonwealth of Virginia, including but not limited to:

• Virginia Consumer Data Protection Act (VCDPA), Va. Code § 59.1-575 et seq.

• Virginia Computer Crimes Act, Va. Code § 18.2-152.1 et seq.

• Virginia Government Data Collection and Dissemination Practices Act

• Applicable federal law, including the Children's Online Privacy Protection Act (COPPA) and the Health Insurance Portability and Accountability Act (HIPAA) where applicable

Where the Platform operates in, or processes data of individuals located in, Canada, Mexico, or the Bahamas, we additionally apply relevant national data protection frameworks, including Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Mexico's Ley Federal de Proteccion de Datos Personales en Posesion de los Particulares (LFPDPPP), and the Bahamas' Data Protection Act 2003 (DPA 2003).

3. Definitions

"Case Data": Information directly pertaining to a missing persons case, including case identifiers, descriptors, geographic search data, and associated documentation.

"Biometric Data": Physiological identifiers including facial recognition vectors, voice biometric prints, and derived analytical outputs used for subject identification.

"Controller": Shepard's Collective Ministries, in its capacity as the organization determining the purposes and means of processing personal data.

"Data Subject": Any identified or identifiable natural person about whom personal data is processed on the Platform.

"LEO": Law Enforcement Officer or authorized law enforcement agency partner with verified credentials on the Platform.

"Personal Data": Any information relating to an identified or identifiable natural person, including but not limited to names, contact information, government identifiers, biometric data, and location data.

"Processing": Any operation performed on personal data, including collection, recording, storage, adaptation, retrieval, use, disclosure, or erasure.

"Sensitive Personal Data": Personal data revealing racial or ethnic origin, health information, biometric data, or data concerning a child.

4. Information We Collect

4.1 Account and Identity Information

When you register for an account, we collect:

• Full name, email address, and phone number

• Role designation (e.g., law enforcement, search party member, family initiator, registered user)

• Organization affiliation and professional credentials

• Government-issued identification documents for LEO verification and identity-sensitive roles

• Profile photograph (optional)

4.2 Case and Operational Data

In connection with missing persons cases, we collect:

• Physical descriptions of missing persons (age, height, weight, distinguishing features, last known clothing)

• Last known location, reported sighting data, and geospatial search coordinates

• Case timeline entries, field notes, and investigative documentation submitted by authorized users

• Uploaded media including photographs, audio recordings, and video footage

• Tip and lead submissions from registered and anonymous sources

4.3 Biometric and Multimodal Data

The Platform's Vision Claw feature and AI-assisted identification services may process:

• Facial recognition vectors and biometric templates derived from uploaded photographs

• Voice biometric prints derived from audio recordings, analyzed using speaker verification models

• Derived analytical outputs including likelihood ratio (LR) scores on recognized verbal forensic scales

IMPORTANT: All biometric data processing occurs entirely on Shepard's Beacon-controlled infrastructure. We do not transmit raw biometric data or derived biometric templates to third-party cloud AI providers. Biometric data used for cross-border matching is anonymized into hashed vectors and bucketed descriptors prior to any federated operations.

4.4 Device and Usage Data

• IP address, device type, operating system, and browser or app version

• Session activity logs including pages visited, features accessed, and actions taken

• Crash reports, error logs, and performance diagnostics

• Push notification tokens and mobile device identifiers

4.5 Location Data

• Precise GPS coordinates when location services are enabled on a mobile device

• Search area coordinates and perimeter data logged during active search operations

• Approximate location derived from IP address for web sessions

4.6 Communications

• Messages, alerts, and notifications transmitted through the Platform

• SMS communications sent via our Twilio-integrated notification system

• Voice communications where applicable

• Emails and support inquiries submitted to us directly

5. How We Use Your Information

We process personal data only for specified, explicit, and legitimate purposes, including:

5.1 Platform Operations

• Registering and authenticating user accounts

• Providing role-based access to Platform features consistent with your assigned permissions

• Managing active missing persons cases, search coordination, and incident documentation

• Processing and routing tip submissions to authorized investigators

5.2 AI-Assisted Identification

• Running facial comparison analyses between case subjects and uploaded imagery

• Performing voice biometric analysis to support investigative leads

• Generating HDBSCAN geographic clustering and hotspot detection outputs for geospatial intelligence

• Cross-referencing subjects against public missing persons registries through authorized, automated scraping agents

5.3 Safety, Security, and Compliance

• Verifying the professional credentials of law enforcement and organizational partners

• Detecting fraud, unauthorized access, and abuse of Platform features

• Maintaining audit logs to support legal and regulatory compliance

• Responding to lawful requests from law enforcement agencies and courts of competent jurisdiction

5.4 Communications

• Sending case alerts, search updates, and operational notifications via SMS, push notification, and email

• Delivering one-time passcodes (OTPs) for account authentication

• Responding to user inquiries and support requests

5.5 Platform Improvement

• Analyzing aggregated, de-identified usage patterns to improve Platform features and performance

• Conducting internal research and quality assurance activities

• Training AI models using properly consented, de-identified, or synthetic data only

6. Legal Basis for Processing

Under applicable law, including the Virginia Consumer Data Protection Act, we rely on the following legal bases to process your personal data:

• Contractual Necessity: To provide the services you have requested and fulfill our obligations under applicable terms of service.

• Legitimate Interests: To operate, maintain, and improve the Platform in furtherance of public safety and missing persons recovery, where such interests are not overridden by your rights.

• Legal Obligation: To comply with applicable law, court orders, and lawful requests from governmental authorities.

• Consent: Where required by law, and particularly for the collection of biometric data and sensitive personal data, we obtain your explicit consent prior to processing.

• Vital Interests: In certain emergency circumstances where processing is necessary to protect the life of a missing person or other individual.

7. Disclosure of Information

7.1 Authorized Platform Users

Case data is accessible to Platform users according to their assigned role and permission level. Sensitive investigative information is restricted to LEOs, administrators, and authorized organizational partners. Public-facing information may be made available to registered and public users as appropriate to the case type and authorization level.

7.2 Law Enforcement and Government Agencies

We may disclose personal data to law enforcement agencies and government bodies when required by law, pursuant to a valid court order, subpoena, or legal process, or where we have a good-faith belief that disclosure is necessary to prevent imminent harm to a missing person or the public.

7.3 Service Providers

We engage vetted third-party service providers to assist in Platform operations, including:

• Cloud infrastructure and hosting (Google Cloud Platform)

• SMS and voice communications (Twilio)

• Analytics and monitoring services

All service providers are contractually bound to process data solely on our behalf and in accordance with this Privacy Policy and applicable law.

7.4 Cross-Border Data Operations

Where the Platform supports operations in Canada, Mexico, or the Bahamas, anonymized matching data—consisting solely of hashed biometric vectors and bucketed descriptors—may be processed through a federated cross-border matching index. No personally identifiable information is transmitted outside the jurisdiction of origin without appropriate legal safeguards in place.

7.5 No Sale of Personal Data

We do not sell, rent, or trade your personal data to any third party for commercial or marketing purposes. We do not permit third-party advertising within the Platform.

8. Children's Data

The Platform is designed for use by adults. We do not knowingly create user accounts for persons under the age of 18. However, personal data about missing children (persons under 18) is necessarily processed in connection with active missing persons cases. Such data is:

• Treated as Sensitive Personal Data requiring heightened protection

• Accessible only to authorized users on a need-to-know basis

• Retained only for the duration necessary to support case resolution and comply with applicable law

• Processed in compliance with COPPA and applicable state laws governing the handling of minors' data

9. Data Retention

We retain personal data for no longer than necessary to fulfill the purposes for which it was collected. Specific retention periods include:

• Active Case Data: Retained throughout the duration of an active missing persons case and for a defined archival period thereafter, consistent with applicable law enforcement data governance standards.

• Biometric Data: Retained only as long as required for active case identification. Derived hashed vectors in the cross-border matching index are reviewed and purged on a defined schedule.

• Account Data: Retained for the duration of an active account and for a reasonable period following account closure to support dispute resolution and legal compliance.

• Audit Logs: Retained for a minimum period required by applicable law and our internal compliance obligations.

Upon expiration of the applicable retention period, data is securely deleted or anonymized in a manner that prevents reconstruction of personal identifiers.

10. Data Security

We implement technical and organizational measures designed to protect personal data against unauthorized access, disclosure, alteration, or destruction, including:

• Encryption of data in transit using TLS and at rest using industry-standard encryption protocols

• Role-based access controls (RBAC) enforced at the ORM and application layer, based on a defined permission matrix

• Multi-factor authentication for administrative and sensitive role access

• Continuous monitoring, intrusion detection, and anomaly alerting

• Regular security assessments and vulnerability management practices

• On-infrastructure biometric processing with no external AI API transmission

No system can guarantee absolute security. In the event of a data breach affecting your personal data, we will notify affected individuals and applicable regulatory authorities as required by law.

11. Your Privacy Rights

11.1 Virginia Residents

As a Virginia resident, you have the following rights under the Virginia Consumer Data Protection Act (VCDPA):

• Right to Know: The right to confirm whether we are processing your personal data and to access that data.

• Right to Correct: The right to correct inaccuracies in your personal data.

• Right to Delete: The right to request deletion of personal data you have provided to us, subject to applicable exceptions.

• Right to Data Portability: The right to obtain a copy of your personal data in a portable, machine-readable format.

• Right to Opt Out: The right to opt out of the processing of your personal data for purposes of targeted advertising, sale, or profiling in furtherance of decisions that produce legal or similarly significant effects. Note: We do not engage in these activities.

• Right to Appeal: The right to appeal our decision regarding a privacy request within a reasonable period.

11.2 Residents of Other Jurisdictions

Residents of Canada, Mexico, and the Bahamas may have additional rights under applicable national law. We will honor valid rights requests consistent with applicable legal requirements.

11.3 Submitting a Rights Request

To exercise any of your privacy rights, please contact us using the information in Section 14. We will respond within the timeframes required by applicable law (generally 45 days under the VCDPA, with a 45-day extension where reasonably necessary). We may need to verify your identity before processing your request.

12. Third-Party Links and Integrations

The Platform may integrate with or link to third-party services, including law enforcement databases, public registries, and partner organization platforms. This Privacy Policy applies only to data processed by Shepard's Beacon. We are not responsible for the privacy practices of third-party services. We encourage you to review the privacy policies of any third-party services you access through the Platform.

13. Changes to This Privacy Policy

We reserve the right to update or modify this Privacy Policy at any time. Material changes will be communicated to registered users via email or in-Platform notification at least 30 days prior to the effective date of the change. Continued use of the Platform following the effective date of any change constitutes your acceptance of the revised Privacy Policy.

14. Contact Information

Questions, concerns, or requests regarding this Privacy Policy or our data practices may be directed to:

Shepard's Collective Ministries

Attn: Privacy Officer — Shepard's Beacon

Domicile: Commonwealth of Virginia, United States of America

Email: privacy@shepardsbeacon.app

Web: www.shepardsbeacon.app

This Privacy Policy is effective as of April 3, 2026 and supersedes all prior versions.

Shepard's Collective Ministries · Serving Communities Through Faith, Technology, and Action