Privacy Policy
Last updated: 2026-04-28
NativeAtlas (“we”, “us”, “our”) is committed to protecting your privacy. This policy explains what personal information we collect, how we use it, who we share it with, and the rights you have under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
1. Information we collect
- Account data: username, display name, email address, password hash (PBKDF2; we never store plaintext).
- Sighting data: species observed, location (latitude/longitude), date, photos, audio, free-text notes.
- Detection uploads: photos and videos you submit for AI analysis. EXIF metadata (including embedded GPS) is stripped before storage.
- Technical data: IP address, user agent, request timestamps. Used for security and rate-limit purposes; retained for 90 days.
2. How we use it
- To operate the platform (display sightings, run AI detection, manage your account).
- To detect abuse and enforce our Terms of Service (audit log of authentication events and admin actions).
- To improve the AI models, only when you explicitly contribute media as training data.
3. Who we share it with
We use the following processors. None of them receive more data than they need to provide their service.
- Microsoft Azure — hosting, application logs (Application Insights), Key Vault. Data residency: Australia East.
- Microsoft Azure AD B2C — authentication (when enabled).
- Stripe — subscription billing (when enabled). We never see your full card number.
- Cloudflare — reverse proxy, WAF, DDoS mitigation. Sees IPs and request URLs.
- OpenStreetMap / Nominatim — geocoding for location search. Receives the search string only.
- Wikimedia, Xeno-canto — species reference photos and audio. Receives no user data.
We do not sell your data and we do not share it with advertising networks.
4. Public versus private
Sightings submitted to a club are visible to that club’s members. Some clubs configure their data as publicly visible on the map; some don’t. Photos you upload to a species page are public. Your profile photo is visible to anyone who can see your username. Detection uploads (photos/videos you submit for AI analysis) are private to you.
5. Your rights
You can:
- Request a copy of your data (we’ll respond within 30 days).
- Correct or update your account details from your profile page.
- Delete your account and associated personal data. Sightings you submitted may be retained in aggregate (anonymised) form for the scientific record.
- Lodge a complaint with the Office of the Australian Information Commissioner.
6. Cookies
We use a small number of essential cookies for authentication and session management. We do not use analytics, advertising, or tracking cookies. See our cookie policy for details.
7. Security
We use PBKDF2-HMAC-SHA512 password hashing, HTTPS everywhere, strict cookie attributes, rate limiting, and an append-only audit log. Despite this, no system is completely secure; if you spot a vulnerability, please email [security-email] or see /.well-known/security.txt.
8. Contact
Privacy enquiries: [privacy-email]
Postal: [postal address]
9. Changes
We may update this policy. Material changes will be communicated via the email address on your account at least 14 days before they take effect.