Privacy Policy

Data controller

The data controller for the purposes of UK GDPR is Andrew Burnett, operating DetectorVault as a sole trader. You can contact the controller at [email protected].

1. Information We Collect

To provide you with the best experience, we collect the following types of information:

• Account Information: When you register, we collect your name, email address, and password (stored as a salted hash — never in plain text).
• Finds & Content Data: Photos of your finds, descriptions, dates, and any metadata attached to the images you upload.
• Location Data: GPS coordinates and location data when you log a find, use map overlays, or organise a detecting trip.
• Social Data: Comments you make, your interactions with other users' finds, and details of trips you create or attend.
• Technical Data: Standard diagnostic data such as your browser type, device information, and IP address, used to keep the App running smoothly and to apply rate limits to authentication endpoints.

2. How We Use Your Information

We use your data solely to operate and improve DetectorVault. Specifically, we use it to:

• Manage your account and provide support.
• Store your personal finds gallery securely.
• Power the AI identification tool — images of finds submitted for identification are sent to a third-party AI provider for processing (see "International Transfers" below).
• Facilitate the social features, such as displaying your shared finds, comments, and trip invitations to other users.
• Provide accurate map overlays based on your location.

3. How Your Data is Shared

We do not sell your personal data to third parties. Your data is only shared in the following circumstances:

• With Other Users: Information you actively choose to share in the social section (e.g. public finds, comments, and public trips) will be visible to other DetectorVault users. You control what you make public versus what stays in your private vault.
• Service Providers: We use trusted third-party services to run the App — including a cloud-hosting provider (Hetzner Cloud, Germany), an AI provider (Google Gemini API, see below), an email-delivery provider (Resend, EU), and a content-delivery network (Cloudflare). These providers only process your data on our instructions.
• Legal Requirements: We may disclose your information if required to do so by UK law, a court order, or a request from law enforcement.

4. Location Privacy and Safety

We understand that the locations of your permissions and finds are highly sensitive.

• Finds logged in your personal vault remain private to you unless you explicitly tap "share."
• When you share a find publicly or via a public link, GPS coordinates and the linked site name are stripped server-side — other users see the find but never its precise location.
• When organising trips, location details are only shared with the users you invite.
• We strongly advise against sharing precise GPS coordinates of active permissions on the public social feed.

5. Cookies

We use a single strictly-necessary session cookie to keep you signed in. We do not use tracking, analytics, or advertising cookies. Under UK PECR, no consent banner is required for strictly-necessary cookies.

6. International Transfers

When you use the AI identification feature, the photos you submit are sent to Google Gemini for processing. This may involve a transfer of personal data outside the UK to the United States. Google Cloud is certified under the UK Extension to the EU–US Data Privacy Framework, providing an adequate level of protection. You can choose not to use the AI feature; finds save normally without it.

7. Data Security

We implement technical and organisational measures to protect your data from unauthorised access, alteration, or deletion — including TLS encryption in transit, salted password hashes, server-side authorisation checks on every request, rate limits on authentication endpoints, and a private network for administrative access. However, no internet-based service is 100% secure and we cannot guarantee absolute security.

8. Data Retention

We keep your personal data only for as long as your account is active or as needed to provide you with the App's services. If you delete your account from the Account page, we securely delete your personal data, finds, photos, and active sessions from our servers. Some technical logs (e.g. authentication request logs) may be retained for up to 30 days for security and abuse-prevention purposes.

9. Your Rights Under UK GDPR

Under UK data protection law, you have the following rights regarding your personal information:

• Right of Access: You can request a copy of the data we hold about you. You can also export your finds yourself from the Export page.
• Right to Rectification: You can ask us to correct inaccurate or incomplete data.
• Right to Erasure ("Right to be Forgotten"): You can delete your account and all associated data from the Account page, or ask us to do it for you.
• Right to Restrict Processing: You can ask us to pause the processing of your personal data.
• Right to Data Portability: You can receive your data in a structured, commonly used format (JSON or CSV — available from the Export page).
• Right to Object: You can object to our processing of your data on grounds relating to your particular situation.
• Right to Withdraw Consent: Where processing is based on consent, you can withdraw it at any time without affecting prior processing.
• Rights Relating to Automated Decision-Making: The AI identification tool produces suggestions, never decisions about you — no fully-automated decisions with legal or significant effects are made.

If you believe we have not handled your data lawfully, you have the right to lodge a complaint with the Information Commissioner's Office (ICO). We would, however, appreciate the chance to address your concerns directly before you approach the ICO.

10. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data rights, or want to delete your account, please contact us at [email protected].