WATCHDESK

This Privacy Statement describes how watchdesk.org (“we,” “us,” or “our”) collects, uses, stores, shares, and protects personal information through the WATCHDESK application (“the Application”), a web-based management platform for volunteer fire departments and emergency services organizations. By using the Application, you acknowledge that you have read and understand this Privacy Statement.

Member Profile Information

We collect and store the following personal information about department members:

• Full legal name (first, middle, last) and nickname
• Email address
• Mobile and home phone numbers
• Date of birth
• Mailing address (street, city, state, ZIP code)
• Driver's license information (state, number, class)
• Social Security Number (full 9-digit, stored encrypted)
• PGFD identification number
• Membership type and status
• Join and termination dates
• Organizational rank and role
• Apparel sizing (t-shirt, hoodie, job shirt, pants)
• Administrative notes

Emergency Contact Information

We collect the following information about a member's designated emergency contact:

• Name and relationship to member
• Address, phone number, and email address

Activity and Service Records

The Application tracks the following member activity:

• Emergency response records (call details, unit assignments, crew roles)
• Meeting attendance
• Drill participation
• Training records (courses, hours, instructors, certifications)
• Collateral duty hours
• Standby and duty crew hours
• Positions held (officer titles, committee assignments, terms of service)
• Military service periods

Authentication and Session Data

• Email address used for login via OAuth (Google Workspace or Microsoft 365)
• Session identifiers (stored as HTTP cookies)
• Username and hashed password (for stations using local authentication only)

Uploaded Files

Members and administrators may upload file attachments (PDF, images, documents) associated with training records, member profiles, response records, and other entities.

Audit and Activity Logs

We automatically log administrative actions within the Application, including the email address of the user performing the action, a timestamp, and a description of the action taken (e.g., record creation, modification, deletion, file uploads).

We use personal information solely for the following purposes:

• Managing department membership rosters and contact information
• Tracking emergency response participation and crew assignments
• Recording training, drills, meetings, and other departmental activities
• Calculating and reporting Length of Service Awards Program (LOSAP) credits to applicable county or municipal programs
• Generating state tax incentive credit reports as authorized by Maryland law
• Managing certifications and qualification tracking
• Providing audit trails for administrative accountability
• Authenticating users and enforcing role-based access controls
• Communicating with members regarding department business

We treat Social Security Numbers with heightened protection:

• Full SSNs are encrypted at rest using AES-256-GCM authenticated encryption with unique random initialization vectors
• Encryption keys are stored in Google Cloud Secret Manager, separate from the database
• Full SSNs are only decrypted when generating official LOSAP or state tax credit forms as required by county or state agencies
• Access to SSN data is rate-limited (maximum 10 requests per 15-minute window) and individually logged
• SSNs are never displayed in standard application views; only a masked format (e.g., ***-**-1234) is shown

Infrastructure

The Application is hosted on Google Cloud Platform (GCP) and uses:

• Google App Engine for application hosting (HTTPS-encrypted in transit)
• Google Cloud SQL (PostgreSQL) for database storage
• Google Cloud Storage for file attachments (not publicly accessible)
• Google Cloud Secret Manager for encryption keys and credentials

Access Controls

• All access requires authentication via OAuth (Google or Microsoft) or local credentials
• Role-based access control limits functionality by assigned role (administrator, data entry, certifier)
• Multi-tenant architecture ensures station data is isolated by station identifier
• File attachments are served through authenticated endpoints only

Session Security

• Session cookies are configured as HttpOnly (not accessible to JavaScript), SameSite (resistant to cross-site request forgery), and Secure (HTTPS only in production)
• Sessions expire after 4 hours of inactivity
• OAuth access tokens are discarded immediately after authentication and are not stored

Password Security

For stations using local authentication, passwords are hashed using bcrypt with a computational cost factor of 12 and are never stored in plaintext.

File Upload Security

Uploaded files are validated through multi-layer verification including MIME type allowlisting, file extension cross-validation, and binary content inspection. Maximum file size is 10 MB.

Within the Application

• Station Administrators can view and edit member records, activity data, and reports for their station
• Data Entry users can add and edit records but cannot delete them
• Certifiers can approve LOSAP and other certified records
• System Administrators (watchdesk.org) can access all stations for technical support and system administration
• Members can view their own profile and activity data

External Disclosure

We may share personal information only in the following circumstances:

• County LOSAP programs: Member names, SSNs, and point totals are included on official LOSAP forms submitted to the applicable county or municipality as required by program rules
• State tax agencies: Member names, SSNs, and qualifying service data are included on state tax incentive credit forms as authorized by Maryland law
• Legal requirements: When required by law, subpoena, court order, or government investigation
• Service providers: Google Cloud Platform serves as our infrastructure provider and processes data on our behalf under Google's data processing terms

• Active member records are retained for the duration of a member's service and indefinitely thereafter to support historical reporting, LOSAP credit verification, and audit requirements
• Terminated member records are retained with a termination date but are not automatically deleted
• Activity logs are retained indefinitely for audit and accountability purposes
• Session data is automatically purged after expiration (4 hours of inactivity)
• File attachments are retained until explicitly deleted by an authorized administrator

Volunteer fire department records may be subject to state or local retention requirements. We retain records in accordance with applicable regulations.

As a member whose data is stored in the Application, you have the right to:

• Access your personal information by viewing your member profile and activity records within the Application
• Request correction of inaccurate personal information by contacting your station administrator
• Request information about what data we hold about you
• Raise concerns about how your data is handled by contacting us at the address below

Certain data (such as historical response records and LOSAP calculations) may be retained even after a correction or deletion request to maintain the integrity of official reports previously submitted to government agencies.

The Application uses a single session cookie (connect.sid) for authentication purposes. This cookie:

• Is strictly necessary for the Application to function
• Contains only a session identifier (no personal data)
• Is not used for tracking, analytics, or advertising
• Is automatically deleted when the session expires or the browser is closed

We do not use third-party tracking cookies, analytics services, or advertising technologies.

The Application is intended for use by volunteer fire department members and administrative personnel. We do not knowingly collect personal information from individuals under the age of 16. If junior or cadet member programs include minors, their information is entered and managed by authorized adult administrators with appropriate parental or guardian consent.

We may update this Privacy Statement from time to time to reflect changes in our practices or applicable laws. Material changes will be communicated through the Application or by other appropriate means. The “Last Updated” date at the top of this statement indicates when the most recent revisions were made.

For questions, concerns, or requests regarding this Privacy Statement or the handling of your personal information, please contact:

admin@watchdesk.org

For a detailed overview of our security controls, see the Security Overview. For a full overview of platform features, see the Platform Overview.