1. Introduction
Hydroscape-Group Ltd ("we", "us", "our") respects your privacy and is committed to protecting your personal data. This policy explains how we collect, use, store, and protect your information when you use our services, including:
- Hydroscape Hub — wildlife monitoring, reporting forms, BioMapper™, A06 licence builder, HydroLibrary, and admin tools at www.hydroscape-group.co.uk and hub.hydroscape-group.co.uk
- HydroTasks™ — outdoor task management at tasks.hydroscape-group.co.uk
- Client Portal — authenticated access to Wildlife Intelligence and A06 Builder tools
- Contractor Listings — the HydroTasks verified contractor network
- Pricing Page — service information at hydroscape-group.co.uk/pricing
This policy is written in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Data Controller
Hydroscape-Group Ltd is the data controller responsible for your personal data.
Hydroscape-Group Ltd
Two Hoots, Stamford, United Kingdom
Email: info@hydroscape-group.co.uk
All software architecture, algorithms, and intellectual property within the Hydroscape ecosystem are owned by Rob Harris trading as Metic State Digital. Hydroscape-Group Ltd operates under a non-exclusive commercial distribution licence.
3. Data We Collect
3.1 Data You Provide Directly
| Data Type | Examples | When Collected |
|---|---|---|
| Identity | Name, title, company/fishery name | Account creation, form submissions, contractor applications |
| Contact | Email address, telephone number, postal address | Account creation, mailing list sign-up, contractor applications |
| Location | GPS coordinates (latitude/longitude), What3Words addresses | Wildlife sighting reports, water quality observations, roost counts, deterrent logs, task pinning |
| Photographic | Wildlife photographs, site evidence images | Sighting reports, water quality reports, roost counts, task documentation |
| Licensing | Shotgun certificate numbers, fishery details, predation evidence, applicant addresses | A06 licence builder |
| Contractor Business | Business name, registration numbers, VAT, insurance documents, qualifications | Contractor listing applications |
| Payment | Handled by Stripe — we never see or store card numbers | Contractor subscription payments |
| MyHydroscape Account (optional) | Email, display name, profile photo URL (from Google sign-in only). Sign-in method. Timestamps (first sign-in, last sign-in) | Only if you choose to create a free personal account to track your submissions |
3.2 Data Collected Automatically
| Data Type | Purpose |
|---|---|
| County (reverse geocoded from GPS) | Enriches sighting data with administrative area for regional analysis |
| AI Verification Results | Species identification, count, and confidence score from submitted photographs |
| Device/Browser | Service worker caching, PWA functionality — no tracking or analytics cookies |
3.3 Data We Do Not Collect
We do not use analytics cookies, advertising trackers, or third-party tracking scripts on any of our platforms. We do not sell, rent, or share your personal data with advertisers or data brokers.
4. How We Use Your Data
| Purpose | Lawful Basis | Data Used |
|---|---|---|
| Processing wildlife sighting reports | Legitimate interest (ecological monitoring) | Location, count, species, photos, observer name/email (if provided) |
| Processing water quality observations | Legitimate interest (environmental monitoring) | Location, waterbody details, clarity, pollution, photos, observer email (if provided) |
| A06 licence application drafting | Performance of contract | Applicant identity, site details, shotgun certificate reference, predation evidence |
| Wildlife Intelligence client access | Performance of contract | Identity, email, access level, species/area lock configuration |
| Contractor listing and verification | Performance of contract | Business details, credentials, documents |
| Payment processing | Performance of contract | Email, business name (passed to Stripe) |
| Mailing list communications | Consent (opt-in checkbox) | Email, name |
| MyHydroscape personal account (optional) | Consent (you choose to create the account) | Email, display name, photo URL, sign-in timestamps — used only to link your submissions to your dashboard and to send verification notifications |
| AI verification notification email | Legitimate interest (re-engagement after you submit) | Email address, display name, species, county and date from your submission — sent only to signed-in MyHydroscape users when their submission has been verified by Hydro-Vision AI |
| AI species verification | Legitimate interest (data quality) | Photographs — analysed by Google Gemini AI for species ID and count |
| Reverse geocoding | Legitimate interest (data enrichment) | GPS coordinates — sent to Google Maps API, returns county name only |
| Slack notifications (internal) | Legitimate interest (operational monitoring) | Sighting count, county, What3Words — no personal identifiers sent |
| Regulatory submissions | Legal obligation / legitimate interest | Data shared with Natural England, DEFRA, or equivalent as required for licence applications |
5. Third-Party Services
We use the following third-party services to operate the platform. Each processes data only as necessary for the stated purpose:
| Service | Purpose | Data Shared | Location |
|---|---|---|---|
| Google Firebase (Firestore, Auth, Storage, Cloud Functions) | Database, authentication (MyHydroscape accounts use Firebase Auth with Google sign-in and passwordless email links), file storage, server-side processing | All platform data | UK (europe-west2, London) |
| Google Gemini AI | Automated species identification and count verification on photographs | Sighting photographs only | Google Cloud |
| Google Maps Geocoding API | Converting GPS coordinates to county name | Latitude/longitude only | Google Cloud |
| Stripe | Contractor subscription payments | Email, business name, payment details | EU/US (PCI DSS compliant) |
| Brevo (formerly Sendinblue) | Mailing list management and transactional emails | Email, name | EU |
| Slack | Internal team notifications of new sightings | Count, county, What3Words — no PII | US |
| Netlify | Static site hosting (4 sites) | No personal data processed | Global CDN |
6. Data Security
We implement the following security measures to protect your data:
- Encryption at rest: All data stored in Firebase Firestore and Storage is encrypted using AES-256 with Google-managed keys.
- Encryption in transit: All connections use HTTPS/TLS. No unencrypted data transmission.
- Authentication: Firebase Authentication with email/password and Google Sign-In. Session tokens expire and auto-refresh.
- Access control: Firestore security rules enforce role-based access. Admin operations require a verified custom claim. Client users can only access their own data.
- API keys: All sensitive API keys (Gemini, Stripe, Brevo, Slack, Google Maps) are stored server-side in Cloud Functions — never exposed in client-side code.
- Data sovereignty: All Firebase services run in the UK region (europe-west2, London).
- Payment security: Card details are handled entirely by Stripe. We never see, process, or store card numbers.
7. Data Retention
| Data Type | Retention Period | Basis |
|---|---|---|
| Wildlife sighting records | Indefinite | Scientific/ecological research (UK GDPR Art. 89) |
| Roost counts | Indefinite | Scientific/ecological research |
| A06 licence drafts | Duration of account + 3 years | Contractual and regulatory compliance |
| User accounts | Duration of account + 1 year after deletion request | Contractual |
| MyHydroscape personal accounts (optional) | Until sign-out & deletion request. Your submissions remain in the dataset but lose the account link | Consent / scientific research for the underlying sightings |
| Contractor applications | Duration of listing + 2 years | Contractual and verification audit trail |
| Mailing list contacts | Until unsubscription | Consent |
| Photographs | Indefinite (ecological evidence) | Legitimate interest / scientific research |
| Portal PDF documents | Indefinite (regulatory archive) | Legal obligation / legitimate interest |
8. AI Processing
Photographs submitted with wildlife sighting reports may be analysed by Google's Gemini AI model to verify species identification and count. This processing:
- Is performed server-side via Firebase Cloud Functions — photographs are sent to the Gemini API and results are stored in our database
- Produces a species verification (Yes/No), count (integer), and confidence score (High/Medium/Low)
- Is used to improve data quality and support regulatory evidence — not for profiling or automated decision-making that affects your rights
- Can be reviewed and overridden by our team at any time
You have the right to request human review of any AI-generated assessment by contacting us.
9. Your Rights
Under UK GDPR, you have the following rights:
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — request correction of inaccurate data
- Right to erasure — request deletion of your personal data (subject to legal retention requirements)
- Right to restrict processing — request that we limit how we use your data
- Right to data portability — request your data in a machine-readable format
- Right to object — object to processing based on legitimate interest
- Right to withdraw consent — where processing is based on consent (e.g. mailing list), you can withdraw at any time
To exercise any of these rights, contact us at info@hydroscape-group.co.uk. We will respond within 30 days.
10. Ecological Data Exception
Note on ecological data: Wildlife sighting records (coordinates, counts, species) that have been anonymised (no observer name or email) are retained indefinitely as scientific data under UK GDPR Article 89. Deletion of your personal identifiers from sighting records will be actioned on request, but the anonymised ecological data will remain in the database for conservation purposes.
11. Mobile App — Hydroscape Monitoring Portal
The Hydroscape Monitoring Portal app available on Google Play is a Trusted Web Activity (TWA) wrapper that delivers this website as an installable Android app. All data handling described in this policy applies identically whether you access Hydroscape via a web browser or via the installed app. No additional data is collected because you use the app.
The following device permissions may be requested at the point you use a specific feature:
| Permission | Why Requested | When Prompted |
|---|---|---|
| Camera | To take a photograph of a species, water-quality sample, or deterrent when submitting a report. Captured images are stored only when you choose to submit the form. | When you tap "Take photo" on any reporting form, or use the HydroVision AI species identifier. |
| Microphone | To record a short audio sample for HydroVision AI audio-based species identification (e.g. bird calls). | When you tap the microphone button inside the HydroVision AI feature. Not used anywhere else. |
| Precise location (GPS) | To pin the exact location of a sighting, roost, water-quality sample, or deterrent deployment. Precise location is essential for ecological data quality — the platform is valueless without accurate coordinates. | When you tap "Use my location" on a reporting form, or when the form auto-pins on open. You can always decline and enter a location manually. |
| Storage / Photos | To attach an existing photograph from your device gallery to a report. | When you tap "Choose from gallery" on any reporting form. |
| Internet | Required for all submissions, updates, and synchronisation. | Granted automatically; core app functionality depends on it. |
You can revoke any permission at any time via your device's Android Settings → Apps → Hydroscape Monitoring Portal → Permissions. Revoking a permission will disable the relevant feature but will not affect submissions you have already made.
The app does not access contacts, SMS, call logs, calendar, device identifiers for advertising, or any health/fitness data. It contains no third-party advertising SDKs. It does not track you across other apps or websites.
12. Requesting Data Deletion
To request deletion of your personal data, email info@hydroscape-group.co.uk with the subject line "Data deletion request" and include the email address you used with Hydroscape. We will action the request within 30 days and confirm completion in writing. If you have a MyHydroscape account, you may also delete it from within the app at www.hydroscape-group.co.uk/my-hydroscape.html.
Note that anonymised ecological data (coordinates, counts, species) without personal identifiers will be retained under UK GDPR Article 89 for scientific/conservation purposes. Your name, email, and any identifying metadata will be removed.
13. Cookies
Our platforms use only essential cookies and local storage required for functionality:
- Firebase Authentication tokens — session management (essential, auto-expiring)
- Service worker cache — offline PWA functionality (essential)
- Local storage — form queue for offline submissions, UI preferences (essential)
We do not use analytics cookies, advertising cookies, or any third-party tracking cookies.
14. Children
Our services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us and we will delete it promptly.
15. Changes to This Policy
We may update this policy from time to time. The "Last Updated" date at the top of this page will reflect the most recent revision. Material changes will be communicated via email to registered users where possible.
16. Complaints
If you are not satisfied with our handling of your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: ico.org.uk
Helpline: 0303 123 1113