Privacy Policy

mybirdID Ltd (“mybirdID”, “we”, “us”) is the data controller for personal data processed through this Service.

This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and your rights. It applies to all users of mybirdID.com, regardless of where you are located.

Account data: your full name, email address, phone number (optional), and your encrypted password (managed by AWS Cognito - we never see your password in plain text).

Bird records: species, name, physical description, colours, sex, hatch date, mutation. This data relates to your bird, not you personally, but is associated with your account.

Sensitive identifiers: leg ring numbers, microchip numbers and microchip company, CITES/Article 10 certificate numbers. These are stored on disk-encrypted infrastructure and are not shown on any public surface (we only ever publish a boolean “has a microchip” flag, not the number itself). They are visible to you, our administrators, anyone you have granted guardian access on the bird (see Section 5), and, on a found-bird record, anyone in the found-bird's linked chain of custody.

Photographs: images of your birds that you choose to upload, stored in Amazon S3.

Address data: your home address or the address where a bird is kept. Used to help identify a bird's location area if it goes missing.

Location data: GPS coordinates and postcode when reporting a lost or found bird or sighting. Precise coordinates are stored internally and are shown only to the person whose report it is (the bird's owner for a lost report, or the reporter for a sighting or found-bird report), to administrators, and - on the bird's own record - to any guardian you have granted access. Everyone else, whether or not they are signed in, sees an approximate location only: on the Lost & Found list, coordinates are rounded to within approximately 1 km; on individual report pages, only the outward part of the postcode (e.g. “SW1A”) is shown, and precise coordinates are never sent to those pages.

Found bird reports: description, photos, location, and identifiers of a bird you have found. This includes any microchip or ring numbers you provide.

Insurance and admin data: insurance provider and policy number. Stored for your reference only and never shared.

Usage and technical data: IP address, browser type, pages visited, and access timestamps, collected automatically through server logs and standard web infrastructure.

Communications: the content of emails or messages you send to us.

If you are located in the UK or European Economic Area, we process your personal data on the following legal bases under UK GDPR / EU GDPR Article 6:

• Performance of a contract (Art. 6(1)(b)): to provide the Service you have signed up for, including registering your birds, managing your account, and processing payments.
• Legitimate interests (Art. 6(1)(f)): to operate and improve the Service, prevent fraud and abuse, and to match found birds with potential owners. We have assessed that these interests are not overridden by your rights and freedoms.
• Consent (Art. 6(1)(a)): where you opt in to sharing your contact details on a specific lost or found report (via the per-report toggle on the report form), or where you accept a specific Contact Request from another user. Consent is given report-by-report and request-by-request; you can withdraw it by editing the report's share toggles or by revoking an accepted Contact Request from your account.
• Legal obligation (Art. 6(1)(c)): where we are required to process or retain data by law (e.g. financial records for tax purposes).

For users outside the UK/EEA, we process your data on the bases described above, applied in accordance with the privacy laws of your jurisdiction to the extent they impose additional obligations on us.

• To create and manage your account;
• To store and display your bird records to you and, where applicable, to other authorised users, such as guardians you have invited and verified veterinary practices or rescue organisations performing a leg-ring lookup (see Section 5);
• To show limited public information about a lost bird (species, description, area) so that members of the public can assist with a reunion;
• To compare found bird identifiers against our registry and notify you of a potential match, subject to your notification preferences;
• To share your contact details with another user on a specific report, but only when you have either ticked the per-report share toggle on that report, or accepted a Contact Request from that specific user;
• To send you email notifications about your account, subscription, or activity related to your birds (such as a potential match of a found bird);
• To process subscription payments through Stripe;
• To investigate abuse, fraud, or violations of our Terms;
• To keep audit and security logs, including a record of ring and microchip lookups performed by veterinary users on your account, so that access to sensitive identifiers remains accountable and traceable;
• To comply with legal obligations.

Other users of the Service: when a bird is marked as lost, a limited public profile is created (species, description, approximate area, whether the bird has a leg ring or microchip). Ring and microchip numbers are never shown publicly.

Contact details on a specific report. Your name, and (at your discretion) your email address and phone number, may be shown alongside a lost or found report in one of two cases: you ticked the per-report share toggle when you filed the report, or you accepted a Contact Request from another signed-in user on that report. There is no global setting that shares your contact details automatically across all reports. Each disclosure is a separate decision you make at the time of filing or the time of accepting a request.

Contact Request notifications. When another user submits a Contact Request on your report, we notify you in the app and by email; the notification carries the requester's name and the message they wrote. If you accept the request, the requester receives a notification whose body carries your email and phone number so they can contact you directly.

Verified veterinary practices and rescue organisations. Accounts we have verified as veterinary practices or animal-rescue / charity organisations can search the registry by a bird's leg ring number. When a search matches a registered bird, the verified searcher is shown the bird's details together with the registered owner's name, email address, and phone number, so they can contact you to reunite a bird in their care. This lookup is not gated by the per-report share toggle or a Contact Request - it is a reunification measure available to vetted professional users on the basis of the legitimate interest in recovering lost or injured birds (Section 3). It is separate from the report-based sharing described above, and applies whether or not your bird is marked as lost. Every such lookup is recorded in an audit log (see Sections 2 and 4) so access to your contact details remains accountable and traceable.

Guardian access (Bird Sharing). If you invite another user as a guardian on one of your birds (a Flock-only feature), that user gains read access to the bird's record (including sensitive identifiers and the active lost-bird report's full location), plus limited write rights such as marking the bird as lost or found. You can revoke a guardian at any time; revocation stops future visibility but does not retract information they have already seen.

Bird ownership transfers. When you transfer a bird to another user, the bird's record (including photographs, vet history, identifiers, and current address) moves to the recipient at the moment they accept. You lose access to that bird's record. The recipient becomes the new data controller for any subsequent edits to the bird.

Found-bird handover chain. When you record a handover of a found bird to another carer, the receiver (whether or not they have a mybirdID account) is sent a claim email containing the giver's display name, the species, and any note you provided. If the receiver has a mybirdID account, they also receive an in-app notification carrying the same information. Once accepted, the receiver and every previous linked carer in the chain retain visibility of the found-bird record so the chain of custody is auditable. If a giver cancels a pending handover, the receiver is emailed and (if they have an account) notified to that effect.

Social-platform link previews. When a lost-bird listing is shared on a social platform (Facebook, X, WhatsApp, iMessage and similar), the platform generates a preview that may include the bird's photograph and listing details. These previews are cached by the social platform itself, outside our control, and may continue to appear on the platform after the bird has been found or the listing has been removed.

Service providers: we share data with the following third-party sub-processors who process data on our behalf:

• Amazon Web Services (AWS): photo storage (S3) and authentication (AWS Cognito). Data is processed in the EU (eu-west-1, Ireland).
• Neon, Inc.: our primary application database (managed PostgreSQL). Data is stored in the UK (London region).
• Vercel, Inc.: web application hosting and deployment.
• SMTP2GO: transactional email delivery (account emails, claim links, contact-request notifications, vet reminders, and the weekly Lost & Found digest). Pinned to the EU data centre for UK GDPR residency.
• Stripe, Inc.: payment processing. Stripe acts as an independent data controller for payment card data. See Stripe's privacy policy at stripe.com/privacy.
• Google LLC (Google Maps Platform): address autocomplete, forward geocoding (address → coordinates), and reverse geocoding (coordinates → city/country). Location coordinates you enter when reporting a lost bird, a sighting, or a found bird are transmitted to Google to resolve area names. See Google's privacy policy at policies.google.com/privacy.
• postcodes.io: free UK-only postcode lookup service (operated by Ideal Postcodes / Mistral Internet Ltd). When a UK postcode is present on a lost, sighting, or found bird report (either in the structured address or in the location description), we send only that postcode to postcodes.io to retrieve the corresponding local authority / borough name. No personal data is transmitted.

Legal requirements: we may disclose personal data where required by law, court order, or to protect the rights, property, or safety of mybirdID, our users, or others.

We do not sell your personal data to third parties. We do not use your data for advertising purposes.

Your personal data is stored and processed in the UK and the EU: our application runs on Vercel in the EU (Dublin, Ireland), the application database is hosted by Neon with data stored in the UK (London region), and photographs and authentication data are stored in AWS in the EU (eu-west-1, Ireland). For UK users, processing in the EU is covered by the UK's adequacy regulations.

Vercel, Neon, and Stripe are US-headquartered companies. Where personal data is processed or transferred outside the UK or EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as approved by the UK Information Commissioner's Office and the European Commission.

• Account and bird records: retained for as long as your account is active, except where a lapsed Flock subscription triggers the bird-retention limit described in the next bullet. When you close your account, your personal data, bird records, and reports filed solely by you are permanently deleted within 30 days, except for the specific exceptions below.
• Birds kept after a Flock subscription lapses: if you drop from Flock to the free tier, your additional birds (everything beyond your first) are retained but become read-only. If the subscription stays lapsed for one year, we then permanently delete all but one bird: we keep the oldest (first-registered) bird that isn't currently reported lost, and delete the rest together with their photographs and the records relating only to them. We do not delete a bird while it has an active lost-bird report, and we never delete records another person is party to (others' sightings or found-bird reports, contact requests, guardian access, or birds you've transferred). We email you around 30 days and 7 days beforehand and only delete once those reminders have been sent; renewing beforehand cancels it. The year is counted from a continuous lapse, and this applies only to subscriptions that lapse after this rule took effect. We retain a minimal audit record (which bird, and the date) of any such deletion.
• Found bird reports: kept while active so they remain searchable for matching. Once a report is resolved - reunited with its owner, or removed by the finder or carer - it is permanently deleted, together with its photographs, after 1 year.
• Found-bird handover history: where you have given or received a found-bird handover, the row recording the handover (the display name you used at the time and the date) is kept after you close your account so other carers in the chain, the original finder, and any later finders can verify the bird's chain of custody. Your personal contact details are removed; only the cached display name from the time of the handover remains.
• Transferred bird records: birds you transferred to another user belong to that user from the moment they accept; their records aren't affected when you close your account.
• Financial records: retained for 7 years as required by UK tax law.
• Payment-processor records: Stripe retains its own records of historical transactions in line with its own retention policies and applicable law.
• Anonymised or aggregated data that can't reasonably be linked back to you is retained indefinitely.
• Server logs: retained by our hosting provider for up to 30 days.
• Backups: encrypted database backups may retain data for up to 35 days after deletion from the live system.

If you are located in the UK or EEA, you have the following rights under UK GDPR / EU GDPR:

• Access: to request a copy of the personal data we hold about you.
• Rectification: to request correction of inaccurate data.
• Erasure: to request deletion of your data (“right to be forgotten”), subject to legal retention obligations.
• Portability: to receive your data in a structured, machine-readable format.
• Restriction: to request that we restrict processing of your data in certain circumstances.
• Objection: to object to processing based on legitimate interests.
• Withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.

Many of these rights can be exercised directly within your account settings (e.g. updating contact details, managing notification preferences, or deleting your account). For other requests, contact us at help@mybirdID.com. We will respond within 30 days.

Users outside the UK/EEA may have similar rights under applicable local law. We will endeavour to honour reasonable requests regardless of your location.

We use only cookies that are strictly necessary to provide the Service, plus a small number of third-party services that may set cookies when you use a specific feature. We do not use advertising cookies, social media cookies, or analytics or tracking cookies of any kind.

Strictly necessary cookies (set by us):

• Session cookies: to keep you logged in during your visit.
• Authentication tokens: issued by AWS Cognito to maintain your authenticated session.

These cookies are essential to operate the Service and do not require consent. Without them you could not sign in or use your account.

Third-party services (used only for specific features):

• Stripe: when you start a membership payment, we send you to Stripe's hosted checkout to process the transaction. Stripe sets its own cookies on its checkout pages to process the payment and prevent fraud. See Stripe's privacy policy at stripe.com/privacy.
• Google Maps: on pages where you enter an address or pin a location (for example, saving an address or reporting a lost bird), we load Google Maps to provide address autocomplete and the map. Google may set cookies when its maps load. Maps are loaded only on those pages, only when you use the feature. See Google's privacy policy at policies.google.com/privacy.

We do not use analytics or behavioural-tracking cookies, and we do not use any third-party web-analytics service (such as Google Analytics). We do keep internal server and audit logs - for example, a record of ring and microchip lookups performed by veterinary users, described in sections 2 and 4 - but these are server-side records kept for security and accountability, not cookies, and are not used to track your browsing. If we introduce web analytics in future, we will update this policy and, where required, ask for your consent first.

We implement appropriate technical and organisational measures to protect your data, including encryption in transit (TLS) and at rest, access controls, and regular security reviews.

Sensitive identifiers (microchip numbers, ring numbers, CITES numbers) are stored in a way that limits exposure. They are not shown on any public surface, and access to the underlying records is gated by application-layer authorisation checks rather than by being available through a public API.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority as required by law.

The Service is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data about a child, please contact us at help@mybirdID.com and we will delete it promptly.

We may update this Privacy Policy from time to time. When we make material changes, we will give you at least 14 days' notice by email or by posting a notice on the Service. The updated policy will take effect on the date stated in that notice.

We encourage you to review this policy periodically. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

If you have a concern about how we handle your personal data, please contact us first at help@mybirdID.com and we will do our best to resolve it.

If you are in the UK, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

If you are in the EU/EEA, you have the right to lodge a complaint with the supervisory authority in your country of residence.