1. Introduction
Hydroscape-Group Ltd ("we", "us", "our") respects your privacy and is committed to protecting your personal data. This policy explains how we collect, use, store, and protect your information when you use our services, including:
- Hydroscape Hub — wildlife monitoring, reporting forms, BioMapper™, A06 licence builder, HydroLibrary, and admin tools at www.hydroscape-group.co.uk and hub.hydroscape-group.co.uk
- HydroTasks™ — outdoor task management at tasks.hydroscape-group.co.uk
- Client Portal — authenticated access to Wildlife Intelligence and A06 Builder tools
- Contractor Listings — the HydroTasks verified contractor network
- Pricing Portal — service information at hs-pricing.hydroscape-group.co.uk
This policy is written in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Data Controller
Hydroscape-Group Ltd is the data controller responsible for your personal data.
Hydroscape-Group Ltd
Two Hoots, Stamford, United Kingdom
Email: info@hydroscape-group.co.uk
All software architecture, algorithms, and intellectual property within the Hydroscape ecosystem are owned by Rob Harris trading as Metic State Digital. Hydroscape-Group Ltd operates under a non-exclusive commercial distribution licence.
3. Data We Collect
3.1 Data You Provide Directly
| Data Type | Examples | When Collected |
|---|---|---|
| Identity | Name, title, company/fishery name | Account creation, form submissions, contractor applications |
| Contact | Email address, telephone number, postal address | Account creation, mailing list sign-up, contractor applications |
| Location | GPS coordinates (latitude/longitude), What3Words addresses | Wildlife sighting reports, roost counts, deterrent logs, task pinning |
| Photographic | Wildlife photographs, site evidence images | Sighting reports, roost counts, task documentation |
| Licensing | Shotgun certificate numbers, fishery details, predation evidence, applicant addresses | A06 licence builder |
| Contractor Business | Business name, registration numbers, VAT, insurance documents, qualifications | Contractor listing applications |
| Payment | Handled by Stripe — we never see or store card numbers | Contractor subscription payments |
3.2 Data Collected Automatically
| Data Type | Purpose |
|---|---|
| County (reverse geocoded from GPS) | Enriches sighting data with administrative area for regional analysis |
| AI Verification Results | Species identification, count, and confidence score from submitted photographs |
| Device/Browser | Service worker caching, PWA functionality — no tracking or analytics cookies |
3.3 Data We Do Not Collect
We do not use analytics cookies, advertising trackers, or third-party tracking scripts on any of our platforms. We do not sell, rent, or share your personal data with advertisers or data brokers.
4. How We Use Your Data
| Purpose | Lawful Basis | Data Used |
|---|---|---|
| Processing wildlife sighting reports | Legitimate interest (ecological monitoring) | Location, count, species, photos, observer name/email (if provided) |
| A06 licence application drafting | Performance of contract | Applicant identity, site details, shotgun certificate reference, predation evidence |
| Wildlife Intelligence client access | Performance of contract | Identity, email, access level, species/area lock configuration |
| Contractor listing and verification | Performance of contract | Business details, credentials, documents |
| Payment processing | Performance of contract | Email, business name (passed to Stripe) |
| Mailing list communications | Consent (opt-in checkbox) | Email, name |
| AI species verification | Legitimate interest (data quality) | Photographs — analysed by Google Gemini AI for species ID and count |
| Reverse geocoding | Legitimate interest (data enrichment) | GPS coordinates — sent to Google Maps API, returns county name only |
| Slack notifications (internal) | Legitimate interest (operational monitoring) | Sighting count, county, What3Words — no personal identifiers sent |
| Regulatory submissions | Legal obligation / legitimate interest | Data shared with Natural England, DEFRA, or equivalent as required for licence applications |
5. Third-Party Services
We use the following third-party services to operate the platform. Each processes data only as necessary for the stated purpose:
| Service | Purpose | Data Shared | Location |
|---|---|---|---|
| Google Firebase (Firestore, Auth, Storage, Cloud Functions) | Database, authentication, file storage, server-side processing | All platform data | UK (europe-west2, London) |
| Google Gemini AI | Automated species identification and count verification on photographs | Sighting photographs only | Google Cloud |
| Google Maps Geocoding API | Converting GPS coordinates to county name | Latitude/longitude only | Google Cloud |
| Stripe | Contractor subscription payments | Email, business name, payment details | EU/US (PCI DSS compliant) |
| Brevo (formerly Sendinblue) | Mailing list management and transactional emails | Email, name | EU |
| Slack | Internal team notifications of new sightings | Count, county, What3Words — no PII | US |
| Netlify | Static site hosting (4 sites) | No personal data processed | Global CDN |
6. Data Security
We implement the following security measures to protect your data:
- Encryption at rest: All data stored in Firebase Firestore and Storage is encrypted using AES-256 with Google-managed keys.
- Encryption in transit: All connections use HTTPS/TLS. No unencrypted data transmission.
- Authentication: Firebase Authentication with email/password and Google Sign-In. Session tokens expire and auto-refresh.
- Access control: Firestore security rules enforce role-based access. Admin operations require a verified custom claim. Client users can only access their own data.
- API keys: All sensitive API keys (Gemini, Stripe, Brevo, Slack, Google Maps) are stored server-side in Cloud Functions — never exposed in client-side code.
- Data sovereignty: All Firebase services run in the UK region (europe-west2, London).
- Payment security: Card details are handled entirely by Stripe. We never see, process, or store card numbers.
7. Data Retention
| Data Type | Retention Period | Basis |
|---|---|---|
| Wildlife sighting records | Indefinite | Scientific/ecological research (UK GDPR Art. 89) |
| Roost counts | Indefinite | Scientific/ecological research |
| A06 licence drafts | Duration of account + 3 years | Contractual and regulatory compliance |
| User accounts | Duration of account + 1 year after deletion request | Contractual |
| Contractor applications | Duration of listing + 2 years | Contractual and verification audit trail |
| Mailing list contacts | Until unsubscription | Consent |
| Photographs | Indefinite (ecological evidence) | Legitimate interest / scientific research |
| Portal PDF documents | Indefinite (regulatory archive) | Legal obligation / legitimate interest |
8. AI Processing
Photographs submitted with wildlife sighting reports may be analysed by Google's Gemini AI model to verify species identification and count. This processing:
- Is performed server-side via Firebase Cloud Functions — photographs are sent to the Gemini API and results are stored in our database
- Produces a species verification (Yes/No), count (integer), and confidence score (High/Medium/Low)
- Is used to improve data quality and support regulatory evidence — not for profiling or automated decision-making that affects your rights
- Can be reviewed and overridden by our team at any time
You have the right to request human review of any AI-generated assessment by contacting us.
9. Your Rights
Under UK GDPR, you have the following rights:
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — request correction of inaccurate data
- Right to erasure — request deletion of your personal data (subject to legal retention requirements)
- Right to restrict processing — request that we limit how we use your data
- Right to data portability — request your data in a machine-readable format
- Right to object — object to processing based on legitimate interest
- Right to withdraw consent — where processing is based on consent (e.g. mailing list), you can withdraw at any time
To exercise any of these rights, contact us at info@hydroscape-group.co.uk. We will respond within 30 days.
Note on ecological data: Wildlife sighting records (coordinates, counts, species) that have been anonymised (no observer name or email) are retained indefinitely as scientific data under UK GDPR Article 89. Deletion of your personal identifiers from sighting records will be actioned on request, but the anonymised ecological data will remain in the database for conservation purposes.
10. Cookies
Our platforms use only essential cookies and local storage required for functionality:
- Firebase Authentication tokens — session management (essential, auto-expiring)
- Service worker cache — offline PWA functionality (essential)
- Local storage — form queue for offline submissions, UI preferences (essential)
We do not use analytics cookies, advertising cookies, or any third-party tracking cookies.
11. Children
Our services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us and we will delete it promptly.
12. Changes to This Policy
We may update this policy from time to time. The "Last Updated" date at the top of this page will reflect the most recent revision. Material changes will be communicated via email to registered users where possible.
13. Complaints
If you are not satisfied with our handling of your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: ico.org.uk
Helpline: 0303 123 1113