Privacy Policy
1. Who We Are
mybirdID Ltd (“mybirdID”, “we”, “us”) is the data controller for personal data processed through this Service.
mybirdID Ltd
71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and your rights. It applies to all users of mybirdID.com, regardless of where you are located.
2. Data We Collect
Account data: your full name, email address, phone number (optional), and your encrypted password (managed by AWS Cognito - we never see your password in plain text).
Bird records: species, name, physical description, colours, sex, hatch date, mutation. This data relates to your bird, not you personally, but is associated with your account.
Sensitive identifiers: leg ring numbers, microchip numbers and microchip company, CITES/Article 10 certificate numbers. These are stored encrypted at rest and are only visible to you and our administrators.
Photographs: images of your birds that you choose to upload, stored in Amazon S3.
Address data: your home address or the address where a bird is kept. This is used to help identify the area of a bird's location if it goes missing.
Location data: GPS coordinates and postcode when reporting a lost or found bird or sighting. Precise coordinates are stored internally and are only visible to the person who submitted the report and to administrators. All other users - whether signed in or not - see coordinates approximated to within about 1 km to protect the privacy of the reporter.
Found bird reports: description, photos, location, and identifiers of a bird you have found. This includes any microchip or ring numbers you provide.
Insurance and admin data: insurance provider and policy number. Stored for your reference only and never shared.
Usage and technical data: IP address, browser type, pages visited, and access timestamps, collected automatically through server logs and standard web infrastructure.
Communications: the content of emails or messages you send to us.
3. Legal Bases for Processing (GDPR)
If you are located in the UK or European Economic Area, we process your personal data on the following legal bases under UK GDPR / EU GDPR Article 6:
- Performance of a contract (Art. 6(1)(b)): to provide the Service you have signed up for, including registering your birds, managing your account, and processing payments.
- Legitimate interests (Art. 6(1)(f)): to operate and improve the Service, prevent fraud and abuse, and to match found birds with potential owners. We have assessed that these interests are not overridden by your rights and freedoms.
- Consent (Art. 6(1)(a)): where you opt in to sharing your contact details (email or phone) with finders of birds that may match yours. You can withdraw this consent at any time in your account settings.
- Legal obligation (Art. 6(1)(c)): where we are required to process or retain data by law (e.g. financial records for tax purposes).
For users outside the UK/EEA, we process your data on the bases described above, applied in accordance with the privacy laws of your jurisdiction to the extent they impose additional obligations on us.
4. How We Use Your Data
- To create and manage your account;
- To store and display your bird records to you and, where applicable, to other authorised users (such as veterinary professionals on your account);
- To show limited public information about a lost bird (species, description, area) so that members of the public can assist with a reunion;
- To compare found bird identifiers against our registry and notify you of a potential match, subject to your notification preferences;
- To share your contact details with a finder, but only if you have explicitly opted in to this in your account settings;
- To send you email notifications about your account, subscription, or activity related to your birds (such as a potential found-bird match);
- To process subscription payments through Stripe;
- To investigate abuse, fraud, or violations of our Terms;
- To comply with legal obligations.
5. Sharing Your Data
Other users of the Service: when a bird is marked as lost, a limited public profile is created (species, description, approximate area, whether the bird has a leg ring or microchip). Ring and microchip numbers are never shown publicly.
Finders (Lost & Found): your name and, at your discretion, your email address and phone number may be shown to a user who has reported finding a bird that matches yours. This sharing only occurs if you have enabled the corresponding option in your account notification settings. You can change these settings at any time.
Veterinary users: if you grant a verified veterinary professional access to your bird's records, they will be able to see the information you have recorded.
Service providers: we share data with the following third-party sub-processors who process data on our behalf:
- Amazon Web Services (AWS): cloud infrastructure, photo storage (S3), and authentication (Cognito). Data is processed in the EU (eu-west-1, Ireland).
- Neon, Inc.: managed PostgreSQL database hosting. Data residency is configured in the EU.
- Vercel, Inc.: web application hosting and deployment.
- Stripe, Inc.: payment processing. Stripe acts as an independent data controller for payment card data. See Stripe's privacy policy at stripe.com/privacy.
Legal requirements: we may disclose personal data where required by law, court order, or to protect the rights, property, or safety of mybirdID, our users, or others.
We do not sell your personal data to third parties. We do not use your data for advertising purposes.
6. International Data Transfers
Our primary data infrastructure is located in the European Union (AWS eu-west-1, Ireland). For users in the UK, transfers to the EU are covered by the UK's adequacy regulations.
Vercel and Stripe are US-headquartered companies. Where data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as approved by the European Commission and the UK Information Commissioner's Office.
7. Data Retention
- Account and bird records: retained for as long as your account is active. On account deletion, your personal data and bird records are permanently deleted within 30 days, except where we are required to retain them by law.
- Found bird reports: retained for 2 years after the report is marked as resolved, then deleted.
- Financial records: retained for 7 years as required by UK tax law.
- Server logs: retained for up to 90 days.
- Backups: encrypted database backups may retain data for up to 35 days after deletion from the live system.
8. Your Rights
If you are located in the UK or EEA, you have the following rights under UK GDPR / EU GDPR:
- Access: to request a copy of the personal data we hold about you.
- Rectification: to request correction of inaccurate data.
- Erasure: to request deletion of your data (“right to be forgotten”), subject to legal retention obligations.
- Portability: to receive your data in a structured, machine-readable format.
- Restriction: to request that we restrict processing of your data in certain circumstances.
- Objection: to object to processing based on legitimate interests.
- Withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.
Many of these rights can be exercised directly within your account settings (e.g. updating contact details, managing notification preferences, or deleting your account). For other requests, contact us at help@mybirdID.com. We will respond within 30 days.
Users outside the UK/EEA may have similar rights under applicable local law. We will endeavour to honour reasonable requests regardless of your location.
9. Cookies and Tracking
We use only the cookies necessary to provide the Service:
- Session cookies: to keep you logged in during your visit.
- Authentication tokens: issued by AWS Cognito to maintain your authenticated session.
We do not use advertising cookies, third-party tracking cookies, or analytics cookies that identify you personally. We may use aggregated, anonymised analytics to understand how the Service is used overall.
10. Security
We implement appropriate technical and organisational measures to protect your data, including encryption in transit (TLS) and at rest, access controls, and regular security reviews.
Sensitive identifiers (microchip numbers, ring numbers, CITES numbers) are stored in a way that limits exposure. These fields are not indexed in a manner that would allow bulk enumeration.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority as required by law.
11. Children
The Service is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data about a child, please contact us at help@mybirdID.com and we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and/or by posting a notice on the Service. The updated policy will take effect on the date stated.
We encourage you to review this policy periodically. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
13. Complaints
If you have a concern about how we handle your personal data, please contact us first at help@mybirdID.com and we will do our best to resolve it.
If you are in the UK, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
If you are in the EU/EEA, you have the right to lodge a complaint with the supervisory authority in your country of residence.
