Privacy Policy
Last updated: 21 March 2026 · Effective: 21 March 2026
BirdUp is operated by Brandyn (“we”, “us”, “our”), an Australian sole trader. We operate the BirdUp mobile application (available on the Apple App Store and Google Play Store) and the birdup.com.au website (collectively, the “Service”). This Privacy Policy explains how we collect, use, disclose, and protect your personal information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
By using the Service you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the Service.
1. Information We Collect
1.1 Information You Provide
When you create an account or use BirdUp, you may provide us with:
- Account information — email address, display name, username, short biography, and profile avatar image.
- Authentication credentials — we support passwordless sign-in via passkeys (WebAuthn) as well as traditional passwords. Passwords are stored as one-way hashes and are never accessible in plain text. When you sign in, we issue short-lived authentication tokens (JWT) and refresh tokens to keep you logged in securely. These tokens are stored on your device using the operating system’s secure enclave (iOS Keychain / Android Keystore) and are not accessible to other apps.
- Bird sighting data — species observed, date and time of observation, GPS coordinates of the sighting location, location name, number of individuals, observed behaviour, confidence level, breeding activity, and free-text notes.
- Photos — images you attach to sightings (JPEG, PNG, WebP, or HEIC format, up to 15 MB per photo). Please note that uploaded photos may contain embedded metadata (EXIF data) including GPS coordinates, device model, and timestamps. BirdUp does not currently strip EXIF metadata on upload; this data is stored alongside your photos on our servers but is not displayed to other users.
- Communications — any messages, feedback, or support requests you send to us.
1.2 Information Collected Automatically
When you use the Service, we may automatically collect:
- Device information — device model, operating system version, unique device identifiers, and app version.
- Usage data — actions you take within the app (for example, creating a sighting, searching for species, viewing your life list, or syncing data). These events are recorded with your account identifier or an anonymous identifier if you are not signed in.
- Error and performance data — crash reports, stack traces, performance profiles, and session replay recordings. On the mobile app, session replays are captured for approximately 10% of sessions and 100% of sessions where an error occurs. Replays capture screen interactions and may include visible on-screen content such as search terms, sighting notes, and map coordinates. We apply masking to sensitive input fields where technically feasible, but cannot guarantee all on-screen content is excluded. Our server-side error tracking does not capture personally identifiable information.
- Network information — we detect whether your device is online or offline so the app can queue data for sync. We do not log network details.
1.3 Location Information
BirdUp requests access to your device’s location only while you are actively using the app — for example, when logging a sighting or viewing the map. We do not collect location data in the background. You can deny or revoke location permission at any time through your device settings; however, some features (such as placing a sighting on the map) will be limited.
2. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Service.
- Create and manage your account and authenticate your identity.
- Record and display your bird sightings, including on the shared map.
- Send transactional emails (welcome messages, password resets, email-change confirmations).
- Analyse usage patterns and app performance so we can fix bugs and prioritise new features.
- Monitor for errors, crashes, and security incidents.
- Enforce our terms of service and protect against misuse.
- Comply with legal obligations.
We do not use your information for advertising, and we do not sell your personal information to third parties.
4. Location Privacy and Sensitive Species
Sighting locations are stored as precise GPS coordinates. To protect sensitive species and your privacy:
- Sightings of species flagged as sensitive are displayed publicly with coordinates fuzzed to a 5 km radius.
- All other sightings are displayed with coordinates fuzzed to a 100 m radius.
- Your precise coordinates are stored securely on our servers and are never exposed to other users.
- We maintain an audit trail of changes to sighting records for data integrity and moderation purposes.
5. Data Storage and Security
Your data is stored on servers located in Australia and/or the United States. We use industry-standard security measures to protect your information, including:
- Encrypted connections (TLS/HTTPS) for all data in transit.
- Hashed and salted passwords (bcrypt).
- Passkey-based authentication (WebAuthn) as a phishing-resistant alternative.
- UUID-based identifiers that do not expose sequential patterns.
- Role-based access controls on administrative functions.
- Audit logging of changes to sighting records.
No method of transmission or storage is 100% secure. While we strive to protect your personal information, we cannot guarantee its absolute security.
6. Cross-Border Disclosure of Personal Information
In accordance with Australian Privacy Principle 8 (APP 8), we are transparent about where your personal information is sent outside Australia.
Several of our third-party service providers are based in the United States, including Sentry, PostHog, Resend, Cloudflare, and Google. When your data is processed by these providers, it may be stored on servers outside Australia.
Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure that the recipient handles your information consistently with the APPs. These steps include selecting providers with robust privacy and security practices, reviewing their published privacy policies and data processing commitments, using providers that offer contractual data protection terms (such as Data Processing Agreements), and limiting the data shared to only what is necessary for the provider’s function.
By using the Service, you acknowledge and consent to the transfer of your personal information to these overseas recipients for the purposes described in this policy. If you have concerns about cross-border data transfers, please contact us at the details in Section 14.
7. Data Retention
We retain your personal information for as long as your account is active or as needed to provide the Service. Specifically:
- Account data is retained until you delete your account.
- Sighting data is soft-deleted when you remove a sighting and permanently purged after 90 days.
- Error and analytics data is retained according to the retention policies of our third-party providers (typically 90 days for Sentry session replays, and as configured in PostHog).
- Transactional email records are retained by Resend for up to 30 days for delivery monitoring, after which message content is purged. Delivery metadata (timestamps, status) may be retained longer. See Resend’s privacy policy for details.
When you delete your account, we will delete or de-identify your personal information within 30 days, except where we are required by law to retain it.
8. Your Rights Under the Australian Privacy Principles
Under the Privacy Act 1988 (Cth), you have the right to:
- Access the personal information we hold about you (APP 12).
- Request correction of inaccurate, out-of-date, or incomplete information (APP 13).
- Complain to us if you believe we have breached the APPs.
In addition, as a service commitment, we offer you the ability to:
- Delete your account and all associated personal information.
- Export your sighting data by contacting us.
To exercise any of these rights, contact us at the details in Section 14. We will respond to your request within 30 days.
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
9. Notifiable Data Breaches
In the event of an eligible data breach as defined under Part IIIC of the Privacy Act 1988 (Cth), we will:
- Take immediate steps to contain the breach and assess whether it is likely to result in serious harm to any affected individuals.
- If serious harm is likely, notify the Office of the Australian Information Commissioner (OAIC) and all affected individuals as soon as practicable.
- Provide affected individuals with a description of the breach, the kinds of information involved, and recommendations about steps they should take in response.
- Document the breach, our assessment, and the remedial actions taken, regardless of whether notification was required.
We will communicate breach notifications to you via the email address associated with your BirdUp account. If we are unable to reach you by email, we will publish a notice on our website at www.birdup.com.au.
10. Children’s Privacy
BirdUp does not impose a minimum age requirement. We believe birding is for everyone, including young people and families.
However, we take the privacy of children seriously and apply the following safeguards:
- We do not knowingly collect more personal information from children under 16 than is necessary to provide the Service.
- Children under 16 should only create an account with the consent and involvement of a parent or guardian. During sign-up, users are asked to confirm they have parental consent if they are under 16.
- We do not use personal information collected from children for analytics or product improvement purposes beyond what is strictly necessary to operate the Service.
- Parents or guardians may contact us at any time to review, correct, or request deletion of their child’s personal information. We will action these requests within 14 days.
- If we become aware that a child under 16 has created an account without verified parental consent, we will suspend the account and take steps to delete the associated personal information within 30 days unless a parent or guardian contacts us to confirm consent.
We are monitoring the development of Australia’s Children’s Online Privacy Code under the Online Safety Act and will update our practices as requirements are finalised.
If you are a parent or guardian and believe your child has provided us with personal information without your consent, please contact us at the details in Section 14.
11. Offline Use and Data Sync
BirdUp is designed to work offline. When you are without internet connectivity:
- Sightings are stored locally on your device using a local database (SQLite).
- Data is synced to our servers automatically when connectivity is restored.
- No data is sent to third-party analytics or error-monitoring services while you are offline.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date at the top of this page and, where appropriate, notify you via the app or email. We encourage you to review this policy periodically.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal information, please contact us at:
Brandyn, trading as BirdUp
Email: contact@birdup.com.au
Website: www.birdup.com.au
31 Napier Road
Morley WA 6062
Australia
15. App Store and Google Play Disclosures
Apple App Store
- Data collected: Email, name, user ID, photos, precise location (while using), usage data, crash data, performance data.
- Data linked to identity: Email, name, user ID, sighting data.
- Data not linked to identity: Crash data, performance data.
- Data used to track you: None. BirdUp does not track you across other companies’ apps or websites.
Google Play Store
- Data shared with third parties: Analytics events (PostHog), crash reports (Sentry), email address (Resend for transactional email only).
- Data collected: Precise location (while app is in use), email address, name, user ID, photos, app interactions, crash logs, performance diagnostics.
- Security practices: Data is encrypted in transit. You can request that your data be deleted.
This privacy policy was drafted based on the BirdUp codebase as of 21 March 2026. It is provided as a template and should be reviewed by a qualified legal professional before publication.