Privacy Policy

In plain words — what data heybird collects, why it is needed and how to manage it. We don't sell your data and show no ads.

Effective date: July 1, 2026 Last updated: July 1, 2026

General

This Privacy Policy describes what data the heybird.app service (the "Service", "we") collects, how it is used, and what rights you have regarding that data.

The data controller is the heybird.app service (the "Operator").

For any questions related to data processing, contact us at privacy@heybird.app.

By using the Service, you agree to the terms of this Policy. If you do not agree with them, please do not use the Service.

What data we collect

2.1. Data you provide yourself

When registering and using an account:

  • email address (for signing in via a link sent by email, or with a password);
  • name and a short bio — optional;
  • avatar — optional;
  • preferred interface language;
  • password (stored only as a cryptographic hash; we have no access to your password in plain text).

When you sign in through third-party services (Yandex, VK), we receive from the provider: an account identifier, an email address and, if available, your name and avatar. We do not receive your password from these services.

If you write to us through the contact form, we receive your name, email and message text — they are used only to respond to your inquiry.

2.2. Data about your activity in the Service

  • "Seen" and "Favorites" marks on bird species (your collection) — available after signing in and stored on the server;
  • history of recently viewed places (cities and parks) — before you sign in, it is kept only locally in your browser (localStorage) and is not sent to the server; after signing in, it is saved in your account;
  • account sign-in data (time and IP address of recent sign-ins) — used for account security and kept for as long as the account exists;
  • profile and interface settings.

2.3. Geolocation

The Service may request access to your location to show you birds nearby. Geolocation is requested only with your explicit permission through the browser. Coordinates are used to determine a geographic cell (an area of the map a few kilometers across) and to select species; precise coordinates are not saved in your profile and are not used to track your movements. You can decline geolocation at any time and pick a city manually.

2.4. Technical data

When you visit the Service, the following is processed automatically:

  • IP address;
  • browser and device data (user agent, screen resolution, language);
  • pages you view and the referrer;
  • date and time of requests.

This data is used to operate the Service, to ensure security (including rate limiting) and for anonymized statistics.

When the Service malfunctions, error logs are also generated (without emails or request contents); they are processed in our own monitoring system.

Purposes of processing

We process data to:

  • provide the Service's functionality: your account, bird collection, personalized selections based on location;
  • send transactional emails: sign-in links, confirmations, account-related notifications;
  • send content mailings (for example, seasonal bird selections) — only with your consent, with an unsubscribe link in every email;
  • analyze how the Service is used, in anonymized form, and improve the product;
  • ensure security and prevent abuse.

We do not sell your personal data and do not share it with third parties for advertising purposes. The Service contains no third-party ads and no advertising trackers.

Cookies and similar technologies

The Service uses:

  • sign-in cookies — a session cookie (which also protects against request forgery, CSRF) and, if you chose "remember me" or signed in via an email link, a persistent cookie lasting about 2 weeks; signing in is impossible without them;
  • localStorage — to store the history of recently viewed places before you sign in, and interface settings;
  • Yandex Metrica cookies — for web analytics (see section 5).

You can restrict or delete cookies in your browser settings; some features of the Service may become unavailable as a result.

Web analytics

We use two analytics tools:

Umami — a self-hosted analytics system running on our own infrastructure. It uses no cookies, collects no personal data and shares no data with third parties. Only anonymized visit statistics are collected.

Yandex Metrica — a web analytics service by Yandex LLC. Metrica uses cookies and may record anonymized data about actions on pages (mouse movements, scrolling, clicks) using its Webvisor session-replay technology, to analyze the usability of the interface. Fields containing personal data (email, password, contact form contents) are excluded from recording. The data is processed by Yandex under its own terms. You can opt out of Metrica tracking using blockers or Yandex's own tool.

Sharing data with third parties

We engage a limited set of contractors and external services necessary to run the Service:

  • hosting providers — hosting of servers and databases, and transit routing of traffic (traffic passes through encrypted; no data is stored on transit nodes);
  • object storage — storage of media files (bird photos and sounds, user avatars);
  • email service — delivery of transactional emails and mailings;
  • OAuth providers (Yandex, VK) — only if you chose to sign in through them; they process your data under their own terms as independent controllers.

All contractors get access only to the data required for their function.

Data may be disclosed upon a lawful request from competent authorities in cases provided for by applicable law.

Where data is stored

Data is processed on the servers of the hosting providers we engage, which may be located in different jurisdictions, including outside your country of residence. By using the Service, you agree to such processing. Regardless of server location, we apply the same protection measures described in section 10.

Retention periods

  • Account and collection data — for as long as your account exists.
  • When an account is deleted, its data is removed immediately; copies in backup archives are removed as the backups rotate, no later than 90 days, except for data we are required to keep by law.
  • Technical logs — up to 90 days.
  • Anonymized statistics may be kept indefinitely.

Your rights

You have the right to:

  • find out what data about you is processed;
  • correct inaccurate data (in your profile settings or on request);
  • delete your account and the data associated with it (in your account settings);
  • withdraw consent to mailings (the "unsubscribe" link in every email);
  • revoke the geolocation permission in your browser settings;
  • lodge a complaint with a data protection supervisory authority.

To exercise your rights, write to privacy@heybird.app. We will respond within a reasonable time, not exceeding 30 days.

Security

We apply reasonable technical and organizational protection measures: traffic encryption (HTTPS), password hashing, restricted access to data, rate limiting.

However, no method of transmitting data over the internet is completely secure, and we cannot guarantee absolute protection.

Age of users

The Service is intended for users who can independently give consent to the processing of personal data under applicable law. If a user has not reached that age, an account may be used only with the involvement of a parent or legal guardian.

Changes to this Policy

We may update this Policy. We will notify you of significant changes through the Service or by email. The current version is always available at heybird.app/en/privacy. A Russian version is also available. Continued use of the Service after changes take effect constitutes acceptance of the updated Policy.

Contact

For any questions related to this Policy and the processing of your data:

Email us at
privacy@heybird.app