# Privacy and data specification — Fuglelyde beta2

## Summary

- **No login**, **no tracking cookies** (first-party session memory only in the browser during use).
- **Location** is **fuzzed to ~1 km** before inclusion in any payload intended for upload. Exact GPS is used **only client-side** for map feedback where needed; the **uploaded** representation uses the fuzzed coordinates (and/or grid cell metadata).
- **TLS (HTTPS)** encrypts data **in transit** between the browser and **fuglelyde.dk**. It does **not** make the server “blind”: the server **terminates TLS** and sees plaintext. Do **not** describe this as **zero-knowledge** unless you add cryptographic protocols that prevent the server from reading content (not in v1).
- **Ephemeral-until-upload**: client-side buffers (audio windows, queue items) exist only in RAM until they are explicitly sent by auto-upload or flushed; they are not durable backups and must not be described as such.

## ~1 km grid / fuzzing rule

**Intent:** reduce re-identification from precise coordinates while keeping the data useful for regional ecology.

**Implementation approach (agreed):**

- Compute a **quantized** latitude/longitude pair aligned to approximately **1 km** steps (latitude-dependent spacing for longitude).
- **Upload** uses **only** fuzzed coordinates (and human-readable locality if you add it later with the same policy).
- **Map display** may show the **cell center** or fuzzy circle; avoid plotting the user’s exact dot on the shared map if the product promise is fuzzed upload.

**Document in UI:** Short Danish copy: *“Din position afrundes til ca. 1 km før data sendes.”*

## Fields potentially uploaded (observation / ingest row)

Exact set should stay minimal. Typical fields:

| Field | Notes |
|-------|--------|
| `timestamp` | ISO 8601 UTC or local with offset (document which). |
| `lat`, `lon` | **Fuzzed** coordinates only. |
| `scientific_name` / `species_id` | From BirdNET post-process + mapping table. |
| `confidence` | Model score 0–1. |
| `rms_dbfs` | Optional coarse signal metric (distinct from confidence). |
| `client_session` | Optional opaque id for same-session dedupe (no PII). |

**Not uploaded by default:** raw continuous audio (unless you add explicit clip upload later); exact home address from Nominatim.
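The fuzzing rule above and the minimal field set in the table, as one added JavaScript example. This is not Fuglelyde's own code: the 111.32 km-per-degree constant, the 85° latitude clamp, the five-decimal rounding, the function names and the constructed Copenhagen fix are all assumptions chosen to illustrate the spec. The longitude grid is derived from the cell-centre latitude rather than the exact latitude, so two fixes in the same latitude band always share one longitude grid; the row builder picks fields by name and a final allowlist check refuses anything outside the table.

```javascript
// Added example (not Fuglelyde's own code): ~1 km location fuzzing and a
// minimal observation row for upload. Constants, field handling and function
// names are assumptions chosen to match the spec's tables, not project APIs.

const KM_PER_DEG_LAT = 111.32;                 // km per degree of latitude (assumed mean)
const CELL_KM = 1.0;                           // target cell edge length
const LAT_STEP = CELL_KM / KM_PER_DEG_LAT;     // ≈ 0.008983°
const MAX_ABS_LAT = 85;                        // keep cos(lat) away from 0 near the poles

// Longitude step giving a ~1 km east-west cell edge at the given latitude.
function lonStepAt(latDeg) {
  return LAT_STEP / Math.cos((latDeg * Math.PI) / 180);
}

// Snap an exact fix to the centre of its ~1 km cell. The longitude grid uses
// the cell-centre latitude, so every fix in one latitude band shares the same
// longitude grid and the result is stable for nearby fixes.
function fuzzLocation(lat, lon) {
  if (!Number.isFinite(lat) || !Number.isFinite(lon)) {
    throw new TypeError('lat/lon must be finite numbers');
  }
  const clampedLat = Math.max(-MAX_ABS_LAT, Math.min(MAX_ABS_LAT, lat));
  const latCell = Math.floor(clampedLat / LAT_STEP);
  const centreLat = (latCell + 0.5) * LAT_STEP;

  const lonStep = lonStepAt(centreLat);
  const wrappedLon = ((((lon + 180) % 360) + 360) % 360) - 180; // normalise to [-180, 180)
  const lonCell = Math.floor(wrappedLon / lonStep);
  let centreLon = (lonCell + 0.5) * lonStep;
  if (centreLon >= 180) centreLon -= 360;

  // Five decimals (~1 m) is more than enough for a cell centre.
  return {
    lat: Number(centreLat.toFixed(5)),
    lon: Number(centreLon.toFixed(5)),
    cell: `${latCell}:${lonCell}`,             // optional grid cell metadata
  };
}

// Field allowlist taken from the "Fields potentially uploaded" table.
const ALLOWED_FIELDS = new Set([
  'timestamp', 'lat', 'lon', 'scientific_name', 'species_id',
  'confidence', 'rms_dbfs', 'client_session',
]);

// Build the upload row from an exact geolocation fix and a post-processed
// detection. Exact coordinates never enter the row, and the detection object
// is read field by field, so extra keys (a clip buffer, a reverse-geocoded
// address) are dropped rather than forwarded.
function buildObservationRow(fix, detection, clientSession) {
  if (!(detection.confidence >= 0 && detection.confidence <= 1)) {
    throw new RangeError('confidence must be a model score in [0, 1]');
  }
  const { lat, lon } = fuzzLocation(fix.lat, fix.lon);
  const row = {
    timestamp: new Date(fix.timestamp).toISOString(), // ISO 8601, UTC
    lat,
    lon,
    scientific_name: detection.scientific_name,
    species_id: detection.species_id,
    confidence: detection.confidence,
  };
  if (Number.isFinite(detection.rms_dbfs)) row.rms_dbfs = detection.rms_dbfs;
  if (clientSession !== undefined) row.client_session = clientSession;
  return row;
}

// Last check before fetch(): refuse a row carrying any field outside the
// allowlist, so a future code path cannot quietly widen the payload.
function assertUploadSafe(row) {
  const extra = Object.keys(row).filter((k) => !ALLOWED_FIELDS.has(k));
  if (extra.length > 0) {
    throw new Error(`refusing upload, unexpected fields: ${extra.join(', ')}`);
  }
  return true;
}

// Constructed sample input (not real data): a fix in central Copenhagen and a
// detection object that carries two keys which must never reach the payload.
const SAMPLE_FIX = { lat: 55.6761, lon: 12.5683, timestamp: Date.UTC(2024, 4, 12, 4, 30, 0) };
const SAMPLE_DETECTION = {
  scientific_name: 'Turdus merula', species_id: 'turmer', confidence: 0.87, rms_dbfs: -31,
  clip: new Uint8Array(4),           // raw audio: not uploaded by default
  address: 'Example street 1',       // exact address: never uploaded
};

const sampleRow = buildObservationRow(SAMPLE_FIX, SAMPLE_DETECTION, 'sess-constructed');
assertUploadSafe(sampleRow);
console.log(JSON.stringify(sampleRow));
```

Running the block prints a row whose `lat`/`lon` sit on the cell centre a few hundred metres from the input fix and which contains none of the `clip` or `address` keys; `assertUploadSafe` throws if any other key is later added.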

## Retention

- **Server:** define per-deployment (e.g. observation rows kept for analysis); **no promise** of indefinite storage without user-visible policy.
- **Client:** refresh clears RAM; PWA cache holds static assets only unless you add IndexedDB for queue persistence later.

## Subprocessors / third-party flows

| Flow | Service | Data sent | Purpose |
|------|---------|-----------|---------|
| Map tiles | OSM tile CDN (via **your PHP tile proxy**) | **Tile coordinates** (z/x/y) — not user identity | Map background |
| Geocoding (optional) | **Nominatim** (public) | **Search query** (address string) | Resolve search to coordinates client-side |
| Model assets | **CDN** (e.g. TensorFlow.js, model host) | **HTTP requests** for scripts/binaries | Load inference runtime |

**Nominatim usage policy:** respect rate limits, identify app with a valid **User-Agent** and contact (per OpenStreetMap Foundation guidelines).

## GDPR / household activity

- **Article 2(2)(c) GDPR** may exempt purely personal or household processing **for a single household** in some cases.
- If **friends** use **your** hosted app and upload to **your** server, you may be a **controller** for their personal data (location, timestamps, etc.). Risk may be low, but **household exemption** may not cover all scenarios. A **short, honest privacy note** on the site remains good practice.

## Future: right to be forgotten (RTBF)

- **Roadmap:** when **audio clips** or identifiable rows are stored, offer a **surgical delete** path (by id/session) rather than promising it in v1 without implementation.

## TLS vs “zero-knowledge” wording

- **TLS:** protects **in transit** against network eavesdroppers.
- **Not TLS:** hiding data from **your own server** — that requires different cryptography (not claimed here).
