Privacy Policy
Last updated: 11 April 2026
1. Introduction
Yardsong ("we", "us", "our") operates the Yardsong web and mobile application. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.
Yardsong is operated from Australia and is subject to the Australian Privacy Act 1988. If you are located in the European Economic Area (EEA), we also comply with the General Data Protection Regulation (GDPR) as it applies to your use of our service.
2. Information We Collect
Account information
When you create an account we collect your email address and, if you sign in via a third-party provider (e.g. Google, Apple), your name and profile photo as provided by that service.
Usage data
We collect information about how you interact with the app, including observations logged, survey responses, and feature usage. This data is associated with your account.
Location data
With your permission, we collect location data to associate observations with geographic coordinates. You can revoke location access at any time through your device settings.
Photos
Photos you upload as part of observations are stored securely and associated with your account.
Cookies and similar technologies
Yardsong uses essential cookies for authentication (session management via Supabase). We use Vercel Analytics for anonymous, aggregate usage statistics — this service uses a privacy-friendly beacon and does not set tracking cookies. You can opt out of analytics via the cookie consent banner or by contacting us.
3. How We Use Your Information
- To provide and maintain the service
- To generate biodiversity assessments and reports
- To improve and personalise your experience
- To communicate with you about your account or the service
- To monitor aggregate usage patterns and improve service reliability
Lawful basis (GDPR): We process your data on the basis of legitimate interest (providing and improving the service) and, where applicable, your consent (location data, analytics). You may withdraw consent at any time without affecting the lawfulness of prior processing.
4. AI Processing
We use AI services to assist with species identification and habitat assessment. All personal information is anonymised before being sent to any AI provider. We never send your name, email, or precise location to third-party AI services.
5. Data Sharing and Subprocessors
We do not sell your personal information. We share data with the following service providers (subprocessors) who help us operate the app:
| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| Supabase | Database and authentication | All account and application data | Australia (ap-southeast-2) |
| Anthropic | AI-powered insights | Anonymised text only — no personal information | United States |
| Vercel | Hosting and CDN | Request data, anonymous analytics | Global (Sydney PoP) |
| Resend | Transactional email | Email address, email content | United States |
| Stripe | Payment processing | Name, email, payment details | United States |
| Sentry | Error monitoring | Error data (PII scrubbed), device info | United States |
We may also share data with legal authorities if required by law.
6. Cross-Border Data Transfers
Your primary data is stored in Australia (Supabase ap-southeast-2 region). Some personal information may be transferred to the United States through our subprocessors listed above. We take reasonable steps to ensure these providers maintain appropriate data protection standards, including reviewing their privacy policies and, where available, Data Processing Agreements (DPAs).
7. Data Security
We use industry-standard security measures including encryption in transit (TLS) and at rest, row-level security on all database tables, and regular security reviews. Authentication tokens are securely managed and integration credentials are encrypted.
8. Data Retention
- Account and observation data: Retained while your account is active, deleted upon account deletion.
- Analytics data: Anonymous, aggregate usage statistics retained for up to 90 days.
- AI processing logs: Anonymised request logs retained for up to 30 days for service improvement, then deleted.
- Email records: Delivery metadata retained for up to 12 months.
- Error logs: Retained for up to 90 days (PII scrubbed).
9. Your Rights
Under the Australian Privacy Act 1988
You have the right to access, correct, and request deletion of your personal information (Australian Privacy Principles 12 and 13).
Under the GDPR (for EEA residents)
You have the right to:
- Access your personal data (Article 15)
- Rectification — correct inaccurate data (Article 16)
- Erasure — request deletion of your data (Article 17)
- Data portability — receive your data in a machine-readable format (Article 20)
- Object to processing based on legitimate interest (Article 21)
- Restrict processing in certain circumstances (Article 18)
How to exercise your rights
- Data export:Download a complete copy of your data from Settings > Export my data.
- Correction: Update your profile directly in the app, or contact us to correct any data you cannot edit yourself.
- Deletion: Delete your account from Settings. This permanently removes all associated data.
- Other requests: Contact us at privacy@yardsong.com. We will respond within 30 days.
10. Children's Privacy
Our service is designed for adults and university-age students. We do not knowingly collect personal information from children under 16. If you believe a child under 16 has provided us with personal data, please contact us and we will promptly delete it.
11. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the "Last updated" date. For significant changes, we will also notify you by email.
12. Contact Us
If you have questions about this Privacy Policy or wish to exercise your rights, please contact us at privacy@yardsong.com.