Privacy Policy

🐋 Introduction

Whale Locator ("we," "us," or "our") operates the website whalelocator.com and the Whale Locator mobile application (together, the "Service"). This policy explains how we collect, use, and protect your information.

By using the Service you agree to this policy.

📋 Information We Collect

Account information: name, display name, email address, and password (stored securely via Firebase Authentication). Optionally: profile photo, date of birth, country, and community role.

Sighting reports: sighting location coordinates, species, count, direction of travel, behaviour, notes, and photos you upload. Your device location is collected at the time of reporting to place the sighting on the map.

Automatically collected: device type, browser, operating system, and IP address (used for rate limiting and security — not stored long-term).

🔧 How We Use Your Information

Purpose	Data Used
Display sighting reports on the map	Display name, sighting data, photos
Account emails (verification, welcome, password reset)	Email address, display name
Content moderation and abuse prevention	Account info, IP address
Community tier and rewards system	Sighting count, points
Research and conservation data backup	Sighting data
Provide data to conservation and enforcement partners	Sighting and vessel tracking data

🤝 Data Sharing

With other users: your display name, profile photo, tier level, and sighting reports are visible to authenticated users. Your email, password, and private profile fields are never shared.

With conservation partners: we work with NGOs, First Nations Governments, and federal, provincial, and state enforcement agencies. We may share aggregated sighting and vessel tracking data with these partners. Individual identities are not shared without consent unless required by law.

Service providers: Firebase (Google) for authentication and database, Google Workspace for email, Netlify and Render for hosting.

We do not sell your personal information.

🚢 AIS Vessel Tracking Data

Whale Locator displays publicly available AIS (Automatic Identification System) vessel positions. AIS data is broadcast publicly by vessels as required by maritime law and is received via third-party data providers. This is public maritime safety information, not personal data.

🔒 Data Security

All data is transmitted over HTTPS. Passwords are managed by Firebase Authentication and never stored in plaintext. Database access is restricted via security rules. Server-side rate limiting protects against abuse. No security method is 100% guaranteed.

🗂️ Data Retention

Account data is retained while your account is active. Sighting reports are retained indefinitely for research and conservation. Vessel track data is automatically deleted after 24 hours. IP addresses are not stored beyond the current session.

⚖️ Legal Bases for Processing (EEA / UK / Switzerland)

If you are located in the European Economic Area, United Kingdom, or Switzerland, we process your personal data on the following legal bases under the General Data Protection Regulation (GDPR), the UK GDPR, and the Swiss Federal Act on Data Protection (FADP):

Purpose	Legal Basis
Account creation and authentication	Performance of a contract (Art. 6(1)(b) GDPR)
Subscription delivery and billing	Performance of a contract (Art. 6(1)(b) GDPR)
Sighting submission and display	Consent (Art. 6(1)(a) GDPR), granted each time you submit a sighting
Push notifications	Consent (Art. 6(1)(a) GDPR), granted by enabling notifications
Content moderation, fraud and abuse prevention	Legitimate interest (Art. 6(1)(f) GDPR) in platform integrity
Data sharing with conservation and enforcement partners	Legitimate interest (Art. 6(1)(f) GDPR) in marine conservation and, where applicable, compliance with legal obligations
Research and statistical analysis	Legitimate interest (Art. 6(1)(f) GDPR), with data aggregated or anonymised where feasible

You may withdraw consent at any time by contacting us or by disabling the relevant feature in the app. Withdrawal does not affect processing carried out before withdrawal.

🌍 International Data Transfers

Whale Locator is operated from Canada. Personal data may be stored or processed on servers located in Canada, the United States, and other countries where our service providers operate (including Google Firebase, Netlify, and Render). When we transfer personal data from the European Economic Area, United Kingdom, or Switzerland to a country that has not received an adequacy decision, we rely on appropriate safeguards, including the Standard Contractual Clauses adopted by the European Commission and supplementary technical measures such as encryption in transit.

✅ Your Rights

All users:

Access and correction: view and edit your account information and profile within the app.
Deletion: request deletion of your account and personal data by emailing contact@whalelocator.com. Requests are processed within 30 days. Anonymised sighting data may be retained for research and conservation.
Data portability: request a copy of your data in a commonly used, machine-readable format by email.

Additional rights for users in the European Economic Area, United Kingdom, and Switzerland:

Right of access (Art. 15 GDPR): confirmation of whether we process your data and a copy of that data.
Right to rectification (Art. 16): correction of inaccurate or incomplete data.
Right to erasure (Art. 17): deletion of your data in the circumstances set out in the GDPR.
Right to restriction of processing (Art. 18): temporary suspension of processing in certain circumstances.
Right to data portability (Art. 20): receipt of your data in a structured, machine-readable format and transmission to another controller where technically feasible.
Right to object (Art. 21): objection to processing based on legitimate interest, including profiling.
Right to withdraw consent (Art. 7(3)): withdrawal of consent at any time, without affecting prior processing.
Right not to be subject to automated decision-making (Art. 22): we do not make decisions producing legal or similarly significant effects based solely on automated processing.
Right to lodge a complaint (Art. 77): you may file a complaint with your national supervisory authority. A list of EU authorities is maintained at edpb.europa.eu. UK users may contact the Information Commissioner’s Office (ICO); Swiss users may contact the Federal Data Protection and Information Commissioner (FDPIC).

Additional rights for users in California, Colorado, Connecticut, Utah, Virginia, and other U.S. states with applicable privacy legislation: you have the right to know what personal information we collect, request deletion, request correction, opt out of the sale or sharing of personal information (we do not sell personal information), and not be discriminated against for exercising your rights.

To exercise any of the rights above, contact contact@whalelocator.com. We will respond within the time frame required by applicable law (30 days under GDPR, extendable once by up to 60 days for complex requests). We may request information to verify your identity before processing a request. These rights are provided in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA), the GDPR, the UK GDPR, the Swiss FADP, applicable U.S. state privacy laws, and other applicable privacy legislation.

👶 Children's Privacy

Whale Locator is not directed at children under 18. We do not knowingly collect information from children under 18. Contact us at contact@whalelocator.com if you believe a child has provided personal information.

📝 Changes to This Policy

We may update this policy and will revise the effective date above. Continued use of the Service constitutes acceptance of the updated policy.

📧 Contact

Email: contact@whalelocator.com

Website: whalelocator.com

WHALE LOCATOR