RefAid Mobile App Data Protection – FAQs

The RefAid app is for migrants, refugees and displaced people, and for the volunteers and organizations that assist them. It shows the locations and types of aid available on a map, with information about the opening days and hours. RefAid is being used in 50 countries by 8,000 nonprofits, aid organizations and government entities. RefAid is for Refuge.

All of the aid shown in the app is from trusted and vetted aid organizations and official government service providers. Only organizations officially registered in their country of operation, or who have been vetted by their peers, are permitted to post services on RefAid. In RefAid all organizations, using the Content Management System (CMS), can see all organizations and their services. They can determine if any providers are not acting according to best practices in the humanitarian sector and they can flag any issues to RefAid. Failure to act in accordance with best practices will result in the removal of a service provider from RefAid. The aid is categorized by type including: Legal/Admin/Info; Food; Shelter; Water; particular aid for Parents and Children, Unaccompanied Children, Women and Men; Health; Education; and Toilets and Showers.

Can RefAid ever be used to identify migrants?

No. RefAid does not retain any personally-identifying information about its end users other than unverified email addresses, age verification (users must be 13 years old or older) and chosen passwords. We do not store location data, nor do we store users' search histories in a personally-identifying way. RefAid’s data cannot be used to locate or identify individual migrants by RefAid or any third party. Organizations using the service provider platform have no access to app user information. Additionally, government service providers are not permitted to send geolocated push notifications to end users through RefAid; they can only post official services and locations.

What user data is retained by RefAid?

RefAid is acutely aware of the vulnerabilities experienced by migrants and refugees across the globe, which are only exacerbated in countries with no domestic data protection frameworks. We realize data privacy can be a life or death matter, and we therefore take the issue of user privacy and data security very seriously. For this reason, in some countries RefAid does not allow any government employees to have access to the platform (although they can download the app and see what is publicly available).

To create a user profile on the RefAid app, we ask users to provide an email address and password and to verify that they are over 13 years of age, but no documentation is requested. This email address will never be verified, meaning users are free to provide non-identifying and/or fake information to ensure anonymity. While we do retain emails and age verifications provided by users, none of this data will ever be confirmed or verified in any way. In addition, RefAid does not use “cookies” to track user activity.

Is user data ever shared with third parties?

No. trellyz does not share any data with third parties. Our data is securely hosted in Amazon Web Services hosting facilities located in the United States and Europe depending on the location of the service provider and the user accessing the app. RefAid is acutely aware of the lack of data protections in place for migrants and refugees across the globe. While government agencies may be invited to use the RefAid CMS to share services provided to refugees and migrants, governments are never able to access user data or locations. Furthermore, the government cannot use the messaging system to communicate with end users by location or otherwise.

Is RefAid GDPR compliant?

Yes. GDPR stands for General Data Protection Regulation. It is a law created in the European Union (EU) to protect personal data. Although it was passed in Europe, it affects businesses worldwide. We use the GDPR standards in other countries because they are the highest level of data protection. We also adhere to the CCPA (California Consumer Privacy Act).

GDPR and CCPA regulate how personal data can be processed by private businesses, state administration and other organizations. Processing includes anything related to the collection, aggregation, mining or sharing of data. GDPR and CCPA also empower people to request that their data be erased, and RefAid will comply with any request to erase relevant data made by service providers or users.

How does RefAid collect data from nonprofit and government users?

Service providers can enter their own services information directly into the RefAid platform or they can bulk upload through an Excel or CSV file. The RefAid team and RefAid ambassadors (organizations that have volunteered to help onboard smaller organizations in their countries) are always available to help other organizations enter their services in the app. Organizations retain ownership of their data and may request that their data be removed from RefAid at any time.