Privacy Policy | Hydroscape-Group Ltd

Last Updated14 March 2026

Version2.0

Data ControllerHydroscape-Group Ltd

Contactinfo@hydroscape-group.co.uk

1. Introduction

Hydroscape-Group Ltd ("we", "us", "our") respects your privacy and is committed to protecting your personal data. This policy explains how we collect, use, store, and protect your information when you use our services, including:

Hydroscape Hub — wildlife monitoring, reporting forms, BioMapper™, A06 licence builder, HydroLibrary, and admin tools at www.hydroscape-group.co.uk and hub.hydroscape-group.co.uk
HydroTasks™ — outdoor task management at tasks.hydroscape-group.co.uk
Client Portal — authenticated access to Wildlife Intelligence and A06 Builder tools
Contractor Listings — the HydroTasks verified contractor network
Pricing Portal — service information at hs-pricing.hydroscape-group.co.uk

This policy is written in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Data Controller

Hydroscape-Group Ltd is the data controller responsible for your personal data.

Hydroscape-Group Ltd
Two Hoots, Stamford, United Kingdom
Email: info@hydroscape-group.co.uk

All software architecture, algorithms, and intellectual property within the Hydroscape ecosystem are owned by Rob Harris trading as Metic State Digital. Hydroscape-Group Ltd operates under a non-exclusive commercial distribution licence.

3. Data We Collect

3.1 Data You Provide Directly

Data Type	Examples	When Collected
Identity	Name, title, company/fishery name	Account creation, form submissions, contractor applications
Contact	Email address, telephone number, postal address	Account creation, mailing list sign-up, contractor applications
Location	GPS coordinates (latitude/longitude), What3Words addresses	Wildlife sighting reports, roost counts, deterrent logs, task pinning
Photographic	Wildlife photographs, site evidence images	Sighting reports, roost counts, task documentation
Licensing	Shotgun certificate numbers, fishery details, predation evidence, applicant addresses	A06 licence builder
Contractor Business	Business name, registration numbers, VAT, insurance documents, qualifications	Contractor listing applications
Payment	Handled by Stripe — we never see or store card numbers	Contractor subscription payments

3.2 Data Collected Automatically

Data Type	Purpose
County (reverse geocoded from GPS)	Enriches sighting data with administrative area for regional analysis
AI Verification Results	Species identification, count, and confidence score from submitted photographs
Device/Browser	Service worker caching, PWA functionality — no tracking or analytics cookies

3.3 Data We Do Not Collect

We do not use analytics cookies, advertising trackers, or third-party tracking scripts on any of our platforms. We do not sell, rent, or share your personal data with advertisers or data brokers.

4. How We Use Your Data

Purpose	Lawful Basis	Data Used
Processing wildlife sighting reports	Legitimate interest (ecological monitoring)	Location, count, species, photos, observer name/email (if provided)
A06 licence application drafting	Performance of contract	Applicant identity, site details, shotgun certificate reference, predation evidence
Wildlife Intelligence client access	Performance of contract	Identity, email, access level, species/area lock configuration
Contractor listing and verification	Performance of contract	Business details, credentials, documents
Payment processing	Performance of contract	Email, business name (passed to Stripe)
Mailing list communications	Consent (opt-in checkbox)	Email, name
AI species verification	Legitimate interest (data quality)	Photographs — analysed by Google Gemini AI for species ID and count
Reverse geocoding	Legitimate interest (data enrichment)	GPS coordinates — sent to Google Maps API, returns county name only
Slack notifications (internal)	Legitimate interest (operational monitoring)	Sighting count, county, What3Words — no personal identifiers sent
Regulatory submissions	Legal obligation / legitimate interest	Data shared with Natural England, DEFRA, or equivalent as required for licence applications

5. Third-Party Services

We use the following third-party services to operate the platform. Each processes data only as necessary for the stated purpose:

Service	Purpose	Data Shared	Location
Google Firebase (Firestore, Auth, Storage, Cloud Functions)	Database, authentication, file storage, server-side processing	All platform data	UK (europe-west2, London)
Google Gemini AI	Automated species identification and count verification on photographs	Sighting photographs only	Google Cloud
Google Maps Geocoding API	Converting GPS coordinates to county name	Latitude/longitude only	Google Cloud
Stripe	Contractor subscription payments	Email, business name, payment details	EU/US (PCI DSS compliant)
Brevo (formerly Sendinblue)	Mailing list management and transactional emails	Email, name	EU
Slack	Internal team notifications of new sightings	Count, county, What3Words — no PII	US
Netlify	Static site hosting (4 sites)	No personal data processed	Global CDN

6. Data Security

We implement the following security measures to protect your data:

Encryption at rest: All data stored in Firebase Firestore and Storage is encrypted using AES-256 with Google-managed keys.
Encryption in transit: All connections use HTTPS/TLS. No unencrypted data transmission.
Authentication: Firebase Authentication with email/password and Google Sign-In. Session tokens expire and auto-refresh.
Access control: Firestore security rules enforce role-based access. Admin operations require a verified custom claim. Client users can only access their own data.
API keys: All sensitive API keys (Gemini, Stripe, Brevo, Slack, Google Maps) are stored server-side in Cloud Functions — never exposed in client-side code.
Data sovereignty: All Firebase services run in the UK region (europe-west2, London).
Payment security: Card details are handled entirely by Stripe. We never see, process, or store card numbers.

7. Data Retention

Data Type	Retention Period	Basis
Wildlife sighting records	Indefinite	Scientific/ecological research (UK GDPR Art. 89)
Roost counts	Indefinite	Scientific/ecological research
A06 licence drafts	Duration of account + 3 years	Contractual and regulatory compliance
User accounts	Duration of account + 1 year after deletion request	Contractual
Contractor applications	Duration of listing + 2 years	Contractual and verification audit trail
Mailing list contacts	Until unsubscription	Consent
Photographs	Indefinite (ecological evidence)	Legitimate interest / scientific research
Portal PDF documents	Indefinite (regulatory archive)	Legal obligation / legitimate interest

8. AI Processing

Photographs submitted with wildlife sighting reports may be analysed by Google's Gemini AI model to verify species identification and count. This processing:

Is performed server-side via Firebase Cloud Functions — photographs are sent to the Gemini API and results are stored in our database
Produces a species verification (Yes/No), count (integer), and confidence score (High/Medium/Low)
Is used to improve data quality and support regulatory evidence — not for profiling or automated decision-making that affects your rights
Can be reviewed and overridden by our team at any time

You have the right to request human review of any AI-generated assessment by contacting us.

9. Your Rights

Under UK GDPR, you have the following rights:

Right of access — request a copy of the personal data we hold about you
Right to rectification — request correction of inaccurate data
Right to erasure — request deletion of your personal data (subject to legal retention requirements)
Right to restrict processing — request that we limit how we use your data
Right to data portability — request your data in a machine-readable format
Right to object — object to processing based on legitimate interest
Right to withdraw consent — where processing is based on consent (e.g. mailing list), you can withdraw at any time

To exercise any of these rights, contact us at info@hydroscape-group.co.uk. We will respond within 30 days.

Note on ecological data: Wildlife sighting records (coordinates, counts, species) that have been anonymised (no observer name or email) are retained indefinitely as scientific data under UK GDPR Article 89. Deletion of your personal identifiers from sighting records will be actioned on request, but the anonymised ecological data will remain in the database for conservation purposes.

10. Cookies

Our platforms use only essential cookies and local storage required for functionality:

Firebase Authentication tokens — session management (essential, auto-expiring)
Service worker cache — offline PWA functionality (essential)
Local storage — form queue for offline submissions, UI preferences (essential)

We do not use analytics cookies, advertising cookies, or any third-party tracking cookies.

11. Children

Our services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us and we will delete it promptly.

12. Changes to This Policy

We may update this policy from time to time. The "Last Updated" date at the top of this page will reflect the most recent revision. Material changes will be communicated via email to registered users where possible.

13. Complaints

If you are not satisfied with our handling of your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: ico.org.uk
Helpline: 0303 123 1113