Privacy Policy
Last updated: December 21, 2025
Welcome to Limosa! Your privacy is important to us. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and services. It also explains your rights under the General Data Protection Regulation (GDPR).
By using Limosa, you consent to the collection and use of information in accordance with this Privacy Policy.
1. Who We Are (Data Controller)
Limosa Software (“we,” “us,” “our”) is the data controller responsible for processing your personal data in accordance with GDPR.
- Company Name: Limosa Software
- Address: Paxtonstraat 3-N, 8013 RP Zwolle, Netherlands
- Email: privacy@limosa.online
If you have any questions about this policy or how we process your data, you can contact us at the details above.
2. What Data We Collect and Why
We collect and process your personal data based on the following legal grounds:
2.1 Information You Provide
| Type of Data | Purpose | Legal Basis (GDPR) |
|---|---|---|
| Account Information (Email, Display Name, Profile Photo) | To create and manage your account, enable login via Google or Apple | Contractual necessity (Art. 6(1)(b) GDPR) |
| Bird Observations (Species, Date/Time, Notes, Count) | Core functionality — logging and managing your sightings | Contractual necessity (Art. 6(1)(b) GDPR) |
| Location Data (GPS coordinates of sightings) | To log sighting locations, display on maps, generate species distribution data | Consent (Art. 6(1)(a) GDPR) |
| Photos & Media (Including EXIF metadata) | To attach visual records to sightings, display in galleries | Consent (Art. 6(1)(a) GDPR) |
| Community Content (Activities, Comments, Likes) | To enable social features and interaction with other users | Consent (Art. 6(1)(a) GDPR) |
| Privacy Zones (User-defined protected areas) | To automatically hide sighting locations near sensitive areas (e.g., your home) | Consent (Art. 6(1)(a) GDPR) |
2.2 Information Collected Automatically
| Type of Data | Purpose | Legal Basis (GDPR) |
|---|---|---|
| Device Information (Device type, OS, App version, Device ID) | Technical functionality, push notifications, security | Legitimate interest (Art. 6(1)(f) GDPR) |
| Session Data (IP address, login timestamps, session tokens) | Security, fraud prevention, session management | Legitimate interest (Art. 6(1)(f) GDPR) |
| Usage Analytics (Feature usage, screen views, interactions) | App improvement, performance optimization | Legitimate interest (Art. 6(1)(f) GDPR) |
| Crash Reports (Error logs, stack traces) | Bug fixing, stability improvements | Legitimate interest (Art. 6(1)(f) GDPR) |
| Push Notification Tokens | To deliver notifications about activity, follows, likes | Consent (Art. 6(1)(a) GDPR) |
2.3 Special Categories of Data
We do not intentionally collect sensitive personal data (e.g., race, religion, health data, biometric data). Speech-to-text functionality for species search is processed locally on your device and is not transmitted to our servers.
3. Third-Party Services
We use trusted third-party services to provide and improve Limosa. These providers are contractually obligated to handle your data securely and in compliance with GDPR.
| Provider | Purpose | Data Shared |
|---|---|---|
| Firebase (Google) | Authentication, Analytics, Crashlytics, Performance Monitoring, Push Notifications | Email, device info, usage data, crash logs, push tokens |
| Mapbox | Map display, location visualization | Location coordinates (for map rendering only) |
| DigitalOcean Spaces (AWS S3-compatible) | Media storage (photos) | Uploaded photos and media files |
| OpenAI | AI features (species color generation) | Species names only (no personal data) |
| Apple App Store / Google Play | In-app purchases and subscriptions | Purchase receipts (processed by Apple/Google) |
| MongoDB Atlas | Database hosting | All user data (stored encrypted) |
For more information about how these providers handle data:
4. How We Use Your Data
We use your data to:
- Provide, maintain, and improve the Limosa app
- Enable you to log, manage, and share bird sightings
- Display your observations on maps and in community feeds
- Send notifications about followers, likes, and activity
- Provide customer support and respond to inquiries
- Analyze usage patterns to improve app performance
- Detect and prevent fraud, abuse, and security issues
- Process in-app purchases and subscriptions
We will never sell your personal data to third parties.
5. Location Data and Privacy Controls
Location is central to birdwatching. Here's how we handle it:
- Sighting Locations: When you log a sighting, you can attach GPS coordinates. This data is used to display your sightings on maps and contribute to species distribution data.
- Visibility Controls: You can set each sighting to “public,” “followers only,” or “private.”
- Location Visibility: You can choose to show “exact” or “hidden” locations for each sighting.
- Privacy Zones: You can create up to 3 privacy zones (e.g., around your home) to automatically hide sighting locations in those areas from other users.
- No Background Tracking: We do not track your location in the background. Location is only accessed when you actively use location features.
6. Data Sharing and Public Information
6.1 Information Visible to Other Users
The following may be visible to other Limosa users (depending on your privacy settings):
- Your display name and profile photo
- Public sightings, activities, and shared content
- Location data for sightings (unless hidden or in a privacy zone)
- Your followers and following lists
6.2 We Do Not Share Data For Marketing
We do not sell, rent, or share your personal data with third parties for marketing purposes.
6.3 Legal Disclosure
We may disclose your data if required by law, court order, or to protect the rights, safety, and security of Limosa and our users.
7. Data Storage, Retention, and Deletion
- Active Accounts: We retain your data while your account is active.
- Deleted Accounts: When you delete your account, we remove your personal data within 30 days. Some anonymized data may be retained for analytics.
- Sightings: You can delete individual sightings at any time. Shared community observations may be anonymized after account deletion.
- Analytics Data: Anonymized usage analytics are retained for up to 24 months.
- Crash Reports: Retained for up to 90 days to investigate and fix issues.
- Session Logs: Security-related session data is retained for up to 12 months.
8. Your GDPR Rights
Under the GDPR, you have the following rights:
- Right to Access (Art. 15 GDPR) — Request a copy of your personal data.
- Right to Rectification (Art. 16 GDPR) — Correct any inaccurate data in your profile.
- Right to Erasure (Art. 17 GDPR) — Request deletion of your account and data.
- Right to Restrict Processing (Art. 18 GDPR) — Ask us to limit how we use your data.
- Right to Data Portability (Art. 20 GDPR) — Download your sightings and data in a structured format.
- Right to Object (Art. 21 GDPR) — Object to processing based on legitimate interests.
- Right to Withdraw Consent — Revoke consent for location tracking, notifications, and analytics at any time via app settings or device settings.
To exercise these rights, contact us at: privacy@limosa.online
If you believe we are not handling your data lawfully, you can file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) via www.autoriteitpersoonsgegevens.nl.
9. Cookies and Tracking Technologies
The Limosa mobile app does not use tracking cookies for advertising. We use:
- Local Storage: To cache data for offline access and improve app performance (via Hive database on your device).
- Secure Token Storage: To keep you logged in securely.
- Firebase Analytics: To understand app usage patterns. You can opt out via your device settings or by disabling analytics in app settings.
10. Data Transfers Outside the EU
Your data may be processed in countries outside the EU/EEA. When this occurs, we ensure adequate protection through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions for countries with equivalent data protection standards
- EU-US Data Privacy Framework certification for US-based providers where applicable
Our primary database is hosted in the EU region. Firebase and other Google services operate under Google's Data Processing Addendum with SCCs.
11. Security Measures
We implement appropriate technical and organizational measures to protect your personal data:
- Encryption in Transit: All data is transmitted via HTTPS/TLS encryption.
- Encryption at Rest: Sensitive data is encrypted in our databases.
- Secure Authentication: Firebase Authentication with support for Google and Apple Sign-In.
- Session Security: JWT-based session tokens with automatic rotation and expiration.
- Access Controls: Limited employee access to personal data on a need-to-know basis.
- Regular Security Reviews: We conduct periodic security assessments.
No online service is 100% secure. If you suspect a data breach or security issue, contact us immediately at security@limosa.online.
12. Children's Privacy
Limosa is not intended for users under 13 years old (or 16 in some EU jurisdictions). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately, and we will delete the data.
13. Changes to This Privacy Policy
We may update this policy from time to time. If we make significant changes:
- We will notify registered users via email (if applicable).
- We will display a notice in the app.
- The updated policy will be available at this URL and in the app settings.
The “Last updated” date at the top indicates when the policy was last revised.
14. Contact Us
For any questions, requests, or concerns related to this Privacy Policy, you can contact us at:
- Privacy Inquiries: privacy@limosa.online
- General Support: info@limosa.online
- Security Issues: security@limosa.online
- Address: Paxtonstraat 3-N, 8013 RP Zwolle, Netherlands