1. Who We Are
WildStash is a mobile application for community-driven mapping of wild plants (fruits, herbs, bushes, fruit trees) in publicly accessible locations.
If you have any questions about how your personal data is processed, please contact us at the email address above.
2. What Data We Collect
We collect only the data necessary to provide the WildStash service. We do not collect data for advertising or profiling purposes.
2.1 Account Data
When you create an account, we collect:
- Email address — used for login and essential service communications.
- Nickname — your publicly visible display name.
- Password — stored only as a cryptographic hash (PBKDF2-SHA-512). We never store or have access to your plaintext password.
2.2 Location Data
- Spot coordinates — the geographic coordinates (latitude and longitude) of plant spots you create. This data is submitted manually by you when adding a spot to the map.
- We do not perform continuous location tracking. The app accesses your device's location only when you explicitly request it (e.g. to centre the map on your position or to set a spot's location).
2.3 Photos
- You may attach photos to spots you create.
- EXIF metadata (including GPS data) is stripped on your device before the photo is uploaded. We never receive the original EXIF data.
2.4 Device and Network Information
Through Cloudflare's infrastructure, we automatically receive:
- IP address — used for security and abuse prevention.
- Device type — basic device information transmitted via standard HTTP headers.
This data is processed in server logs and is not linked to your user profile.
2.5 Usage Data
- Group memberships — which groups you belong to.
- Spot confirmations — records of spots you have confirmed visiting.
3. How We Use Your Data
We use your data for the following purposes:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Creating and managing your account | Art. 6(1)(b) — performance of a contract |
| Displaying spots on the map | Art. 6(1)(b) — performance of a contract |
| Providing group functionality | Art. 6(1)(b) — performance of a contract |
| Storing and displaying your spot photos | Art. 6(1)(b) — performance of a contract |
| Processing location data for spot creation | Art. 6(1)(a) — your consent |
| Security monitoring and abuse prevention | Art. 6(1)(f) — our legitimate interest |
| Rate limiting and infrastructure protection | Art. 6(1)(f) — our legitimate interest |
4. Where Your Data Is Stored
All data is stored exclusively within the European Union:
- Cloudflare D1 (database) — EU jurisdiction.
- Cloudflare R2 (photo storage) — EU jurisdiction.
- Cloudflare Workers (application logic) — processing at Cloudflare's edge, with data storage restricted to the EU.
Data Processor: Cloudflare, Inc. acts as our data processor. We have accepted Cloudflare's Data Processing Addendum (DPA), which includes EU Standard Contractual Clauses. Cloudflare is a participant in the EU-US Data Privacy Framework.
5. How Long We Keep Your Data
| Data | Retention Period |
|---|---|
| Account data (email, nickname) | Until you delete your account |
| Spots and photos | Until you delete them or delete your account |
| Server logs (IP address, device info) | 30 days (Cloudflare standard retention) |
When you delete your account, all your personal data, spots, and photos are permanently removed.
6. Your Rights Under GDPR
Under Articles 15 to 22 of the GDPR, you have the following rights:
- Right of access — You can request a copy of all your personal data. Use the data export feature in the app (available at GET /users/me/data-export), or contact us by email.
- Right to rectification — You can correct your personal data at any time through the profile editing feature in the app.
- Right to erasure ("right to be forgotten") — You can delete your account and all associated data through the app (available at DELETE /users/me/account), or contact us by email.
- Right to data portability — You can export your data in JSON format through the app.
- Right to object — You can object to the processing of your data based on our legitimate interest (Art. 6(1)(f)).
- Right to withdraw consent — Where processing is based on your consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
- Right to lodge a complaint — You have the right to lodge a complaint with a supervisory authority. The relevant authority is:
UODO (Urzad Ochrony Danych Osobowych / Polish Data Protection Authority)
ul. Stawki 2, 00-193 Warszawa, Poland
Website: https://uodo.gov.pl
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
7. Security Measures
We take the security of your data seriously and implement the following measures:
- Encryption in transit — All communications use HTTPS with TLS 1.3, enforced by Cloudflare.
- Password security — Passwords are hashed using PBKDF2-SHA-512. We never store plaintext passwords.
- EXIF stripping — Photo metadata (including GPS coordinates) is removed on your device before upload.
- Three-level visibility system — You control who can see your spots (public, group, or private). Private and group spot coordinates are never exposed through public API responses.
- Rate limiting — API access is rate-limited to prevent abuse (100 requests/minute for anonymous users, 300 requests/minute for authenticated users).
8. Third-Party Services
WildStash uses the following third-party services:
| Service | Purpose | Personal Data Shared |
|---|---|---|
| Cloudflare (Workers, D1, R2) | Infrastructure, hosting, data storage | Yes — as data processor (see Section 4) |
| OpenStreetMap / OpenTopoMap | Map tile rendering | No personal data shared |
| Nominatim (OpenStreetMap) | Geocoding (location search) | No personal data shared (search queries only) |
| Wikipedia / Wikidata | Species descriptions and names | No personal data shared |
| GBIF | Species taxonomy data | No personal data shared |
9. Cookies and Tracking
WildStash does not use cookies. Authentication tokens (JWT) are stored securely in Android EncryptedSharedPreferences on your device. We do not use any analytics or advertising trackers.
10. Children's Privacy
WildStash is not intended for children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe that a child under 16 has provided us with personal data, please contact us at [email protected], and we will promptly delete such data.
11. International Data Transfers
Your data is stored within the EU (see Section 4). Cloudflare, Inc. is headquartered in the United States but is a certified participant in the EU-US Data Privacy Framework, and we have restricted all data storage to EU jurisdiction. No personal data is transferred outside the EU for storage purposes.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make changes, we will:
- Update the "Last updated" date at the top of this document.
- Notify you via an in-app notification.
We encourage you to review this policy periodically.
13. Contact
If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact:
Slawomir Szostak
Email: [email protected]