================================================================================
Last updated: May 5, 2026
The mBirdBreeder application (“the App”) is a bird-management tool designed for
bird breeders, hobbyists and pet-bird owners. It helps users record, organise
and track their birds, breeding pairs, eggs, health treatments, aviary layout
and related statistics.
IMPORTANT — The App is a record-keeping and management tool only. It does not
provide veterinary, medical or professional breeding advice. Each user is solely
responsible for the care, health and welfare of their own birds and pets. The
developer assumes no liability for any decisions made or actions taken based on
data displayed in the App.
By creating an account or using the App you agree to this Privacy Policy. The
App is distributed globally with limited exceptions (see Terms of Use).
================================================================================
1. Information We Collect
1.1 Account Information
When you create an account we collect:
• Email address
• Display name (if provided)
• Profile photo URL (if provided)
• Google account information (if you sign in via Google OAuth 2.0)
• Account creation and last-update timestamps
• Email verification status (for email+password accounts)
• Firebase Auth User ID (UID) — a pseudonymous identifier used to scope all
of your data inside Firestore and Firebase Storage
• Date of birth — only the YEAR of birth is persisted on your device after
the age verification screen; the full date is never transmitted off-device
• Privacy Policy and Terms of Use acceptance timestamp + version (recorded
at registration to provide proof of consent under GDPR Art. 7)
1.2 Bird & Breeding Data
The App stores data you voluntarily enter, including:
• Bird profiles (species, subspecies, name, ring number, sex, birth date,
colour mutation, status, notes, custom incubation days)
• Bird photos uploaded from your device
• Breeding pairs and pairing records
• Egg records (laying date, candling date, expected and actual hatch date,
fertility status, notes)
• Pedigree relationships (parent–offspring, displayed up to 3 generations
in quick view and unlimited depth in the full-screen pedigree explorer;
PDF / PNG export available to Pro users)
• Health and treatment records (medications, vitamins, diseases, veterinary
visits, dosages, scheduled care dates)
• Aviary structure (rooms, aviaries/cage-groups, individual cages, bird
assignments)
1.3 Subscription & Purchase Data
Stored server-side in Google Firebase:
• Subscription status, purchase token, expiry date, payment state and
auto-renewing flag (Cloud Firestore, under your user account)
• Premium subscription status is verified server-side on each request.
It contains no personal data beyond the entitlement flag itself.
• Trial usage record: start date, end date, duration (Cloud Firestore).
Retained even after account deletion as a cross-account anti-abuse marker
so a deleted account cannot re-claim a second 7-day trial.
• Purchase token ownership record (Cloud Firestore, write-protected) —
used solely to prevent the same purchase being claimed by multiple
Firebase accounts. Cleared by the server-side onUserDelete function after
account deletion so a future account on the same Google Play subscription
can re-bind.
Cached locally on your device for offline access:
• Subscription state (free, trial active, premium active, premium expired)
• Trial start and end dates
• Premium expiry date
• Bird count used for access-tier enforcement
Server-side subscription verification is performed by Cloud Functions (region
europe-west1, Belgium) that validate purchases against the Google Play Developer
API. All payment processing is handled entirely by Google Play. We never
collect, store or access payment-card details or financial information.
1.4 App Preferences
Stored locally on your device only (Hive key-value database):
• Language preference (English, Spanish, Greek, Portuguese, Thai, Arabic)
and first-language-chosen flag
• Theme preference (light / dark mode)
• Age verification flag and year of birth (no day/month)
• Consent choices: Analytics on/off, Personalized Ads on/off, CCPA Do-Not-
Sell on/off, the Privacy Policy version accepted, and the timestamp of
the choice
• Internal consent flow flags — transient markers used to manage the
consent and region-detection flow between app sessions. Cleared once
you complete the relevant consent step.
• Region-detection cache — a flag recording whether the Google User
Messaging Platform (UMP) SDK detected your device as being inside a
regulated region (EEA, UK, Switzerland, certain US states). The cache
is valid for 30 days; after that, region detection is re-run on the next
cold start. Used solely to avoid showing returning users the brief
“Setting up…” wait screen on every launch.
• In-app review prompt data (first open date, action count, last prompt
date)
• A flag recording whether the optional battery-optimization exemption
dialog has been shown (premium users only)
1.5 Device & Technical Information
The App uses Firebase Crashlytics to collect crash reports in release builds.
When a crash or non-fatal error occurs, Crashlytics may collect:
• Crash logs and stack traces
• Device model, manufacturer and OS version
• App version and build number
• Free memory and disk space at the time of the crash
Crashlytics data is used exclusively to identify and fix software defects. It
is not used for advertising, profiling or behavioural tracking. Crash reporting
is automatically disabled in debug/development builds.
1.6 Usage Analytics
The App can use Firebase Analytics to collect aggregated, non-identifying usage
data that helps us understand how the App is used and improve it:
• Automatically collected events (e.g. app open, screen views, app updates)
provided by the Firebase Analytics SDK
• Limited device and locale information (e.g. device model, OS version,
country, language) collected by the SDK
Analytics is OFF BY DEFAULT. It is enabled only after you explicitly opt in
through the consent dialog, the Google UMP form (in regulated regions), or the
Settings → Privacy & Data → Analytics toggle. We do not use Analytics for
individual user profiling, behavioural targeting or marketing. Aggregated
insights are used solely to monitor App performance and prioritise improvements.
If you toggle the CCPA “Do Not Sell or Share My Personal Information” preference
on, Analytics is automatically turned off in the same transaction (CCPA/CPRA
“limit use of sensitive PI” semantics). Toggling Do Not Sell back off does NOT
auto-restore Analytics — re-enabling telemetry must always be an explicit
affirmative action by you.
1.7 Network & Server Logs
When the App connects to Firebase / Google Cloud, the underlying servers
automatically log technical information necessary to operate the service,
including IP addresses (which under GDPR are treated as personal data) and
request timestamps. These logs are managed by Google as a processor on our
behalf. Standard Google Cloud server-log retention is 30–90 days.
1.8 Advertising Identifiers and Consent Strings
When you have opted in to personalized ads, the Google Mobile Ads (AdMob) SDK
reads your Android Advertising ID (AAID) and uses it to serve relevant ads. If
you have not opted in, AdMob serves non-personalized ads only and the AAID is
not used for personalization.
If your device is in a region where the Google User Messaging Platform (UMP)
consent management framework applies (EEA, UK, Switzerland, certain US states),
the UMP SDK writes IAB Transparency & Consent Framework v2 (IAB TCF v2) strings
into OS-level storage. The App reads these strings only to mirror your
purpose-level decisions (storage, personalised-ad profile, personalised-ad
selection, ad measurement) into the in-app Privacy & Data toggles. The App
never transmits the raw TCF strings off-device; they remain visible only to
the AdMob and Analytics SDKs that wrote them.
================================================================================
2. How We Use Your Data — Purposes and Legal Bases
Under GDPR Art. 6 we associate each processing purpose with a specific legal
basis. The table below maps purposes to legal bases:
• Authentication & account management
→ Contract (Art. 6(1)(b))
• Bird / breeding data storage and synchronisation
→ Contract
• Subscription verification
→ Contract + Legitimate interests (Art. 6(1)(f) — anti-fraud)
• Trial enforcement (one-per-user, including post-deletion)
→ Legitimate interests (anti-abuse)
• Crash reporting (Firebase Crashlytics)
→ Legitimate interests (improving stability)
• Aggregated analytics (Firebase Analytics)
→ Consent (Art. 6(1)(a))
• Personalized advertising (AdMob)
→ Consent
• Non-personalized advertising
→ Legitimate interests + ePrivacy compliance
• Local notifications (POST_NOTIFICATIONS permission)
→ Consent
• Age verification (16+)
→ Legal obligation (GDPR Art. 8) + Legitimate interests
• Region detection cache (UMP is_regulated flag)
→ Legitimate interests (UX — avoids repeated wait screens for returning
users)
• Subscription / payment record retention for 7 years
→ Legal obligation (Greek tax law: Π.Δ. 86/2010, Ν. 4308/2014 — KFAS)
We do NOT use your data for individual user profiling, automated decision-
making, behavioural targeting or marketing purposes.
================================================================================
3. Data Storage & Security
3.1 Cloud Storage
Your account and breeding data are stored securely in Google Firebase:
• Firebase Authentication — manages credentials, login sessions, email
verification status and premium status (Custom Claims)
• Cloud Firestore — stores breeding data (birds, pairs, eggs, treatments,
rooms, cages) under user-scoped subcollections, the per-user consent
mirror
records (purchase status, trial usage) in write-protected subcollections
managed exclusively by Cloud Functions. Point-in-time recovery and daily
backups are enabled at the project level.
• Firebase Storage — stores bird photos you upload
Firestore Security Rules enforce strict per-user isolation: each user can only
read and write their own data. Subscription data is additionally write-
protected — only server-side Cloud Functions can create or modify subscription
records. Purchase-token ownership records and Cloud Functions configuration are
completely blocked from client access.
Storage Security Rules enforce: authenticated access only, user-scoped paths,
maximum file size of 5 MB, and image-only content type validation.
When you delete your account, the App wipes everything it can reach under
your user-scoped paths (birds, pairs, eggs, treatments, rooms, cages, consent
mirror, profile document, photos, and any related subscription records).
3.2 Local Storage
App preferences, review data, age verification, consent choices, the region-
detection cache and a local cache of subscription state are stored on your
device in a local database. Data categories stored locally include:
• Language and theme preferences
• Age-verification flag (year only) and region-detection cache
• Consent choices and internal consent flow flags
• Offline cache of subscription state (premium flag, trial/expiry dates,
bird count)
• In-app review prompt tracking
• Miscellaneous flags (e.g. whether the battery-optimization explanation
dialog has been shown)
The Google UMP SDK and the Google Mobile Ads SDK may write IAB TCF v2 consent
strings into OS-level storage. These strings are managed by the Google SDKs,
not by the App.
3.3 Security Measures
• User-scoped access control via Firebase Security Rules
• Secure token-based authentication with automatic token refresh
• Re-authentication required before sensitive operations (account deletion).
In rare cases the user may be asked to re-enter their password before the
Firebase Auth account itself is deleted.
• HTTPS-only enforcement via Android network security configuration
(cleartext traffic prohibited)
• Code obfuscation and resource shrinking via ProGuard/R8 in release builds
• Photos stored in user-scoped storage paths inaccessible to other users,
with server-enforced 5 MB size limit and image-only content type
validation
• Subscription data write-protected in Firestore — only Cloud Functions can
modify subscription records
• Server-side purchase verification via Google Play API (prevents client-
side tampering)
• First-verify-wins purchase token ownership: a purchase token validated
under one Firebase account cannot later be claimed by a different account
• Password strength requirements enforced at registration
• Login rate limiting to protect against brute-force attempts
• Email verification for email+password accounts (dedicated verify-email
screen with cooldown-protected resend)
• Input sanitization for user-provided names (HTML stripping, length
limits)
• Application backup disabled at the OS level (allowBackup=”false”) to
prevent extraction of cached data
• Automated server-side post-deletion cleanup — wipes write-protected
subscription documents and frees purchase-token ownership records
3.5 Per-user consent mirror (audit trail)
Each time you save or change a consent choice (Analytics, Personalized Ads, Do
Not Sell, or completing the consent dialog / Google UMP form), the App writes a
best-effort copy of the decision to your user profile in the cloud.
The mirror lets us:
• Answer GDPR data-subject requests (“what did this user consent to, and
when?”) with an authoritative server-side record.
• Restore your consent choices automatically when you sign in on a different
device, so you don’t have to re-make the decision.
Transient “placeholder” markers written by the App’s internal flow control (see
§1.4) are NEVER mirrored to Firestore — only real, user-given consent decisions
are. The mirror is best-effort: if the network is unavailable when you change a
setting, the local copy remains the source of truth and the next successful
save mirrors the latest state.
================================================================================
4. Third-Party Services
The App integrates the following third-party services. Each is listed with the
GDPR “relationship” we have with the provider:
• Firebase Authentication, Cloud Firestore, Firebase Storage, Cloud
Functions, Firebase Remote Config — Data Processor (Google acts on our
instructions per the Firebase Data Processing Addendum)
• Firebase Crashlytics — Data Processor
• Firebase Analytics — Joint Controller / Processor (Google’s role varies
by deployment; configured here to act primarily as Processor with
aggregated, non-identifying events)
• Google Sign-In (OAuth 2.0) — Independent Controller for Google’s own
credential data + Processor for the data we receive from it
• Google AdMob — Joint Controller (Google determines means and purposes for
ad serving; our role is limited to deciding whether to integrate it and
to honour your consent choice)
• Google User Messaging Platform (UMP) — Processor on behalf of Google for
the consent UX in regulated regions; the consent decisions you make in
the form are stored as IAB TCF v2 strings on your device and shared with
Google AdMob (Joint Controller relationship as above)
• Google Play Billing — Independent Controller (Google manages all payment
data)
================================================================================
5. Advertising
Free-tier users see banner ads served by Google AdMob. Pro / trial users do not
see ads.
• Personalized ads — only when you have explicitly opted in via the consent
dialog, the Google UMP form (in regulated regions) or Settings → Privacy &
Data → Personalized Ads.
• Non-personalized ads — used by default and whenever consent is missing,
refused or revoked.
• Users aged 16-17 — always served non-personalized ads regardless of
consent (per Google Families policy).
• California residents — see the dedicated California section below for the
“Do Not Sell or Share My Personal Information” right.
The Google Mobile Ads SDK is initialised lazily — it is loaded only when a
free-tier (or expired-over-limit) user actually sees a banner. Pro and trial
users never trigger the SDK load, so no Advertising ID is read and no ad-
network calls are made for them. In debug builds the App always uses Google’s
official test ad units to avoid sending invalid traffic to the production unit.
================================================================================
6. International Data Transfers
The App is distributed globally (with limited exceptions noted in our Terms of
Use). Your data may be processed by Google’s global infrastructure, which spans
multiple regions. The legal basis for international transfers depends on your
jurisdiction:
• EU/EEA → Third countries: EU-U.S. Data Privacy Framework (Adequacy
Decision EU 2023/1795) and Standard Contractual Clauses (Decision
2021/914/EU)
• UK → Third countries: UK-U.S. Data Bridge and UK International Data
Transfer Agreement (IDTA)
• Other jurisdictions: applicable bilateral or unilateral safeguards per
Google’s Data Processing Addendum
Cloud Functions for this App run in the europe-west1 (Belgium) region (within
the EU). Other Firebase services may process data in the United States or in
other Google data-centres.
Details:
• https://cloud.google.com/terms/data-processing-addendum
• https://policies.google.com/privacy/frameworks
================================================================================
7. Data Retention
We retain your data only as long as necessary for the purposes described in
this Policy:
• Account & breeding data — for as long as your account remains active.
Deleted within 30 days after you trigger account deletion.
• Subscription & invoicing records — retained for 7 (seven) years after the
last transaction, to comply with Greek tax law (Π.Δ. 86/2010 and Ν.
4308/2014, KFAS).
• Trial usage record — retained beyond account deletion as a cross-account
anti-abuse marker (so a deleted account cannot re-claim a second 7-day
trial). Contains only start/end dates and duration; no identifying
breeding data.
• Per-user consent mirror (users/{uid}/consent/current) — kept while the
account exists; deleted with the rest of the user’s Firestore data on
account deletion.
• Region-detection cache (local, on-device) — 30 days, then re-evaluated on
next cold start.
• Crash reports (Firebase Crashlytics) — 90 days (Google default).
• Analytics events (Firebase Analytics) — 14 months (configured maximum
that minimises retention while still being useful).
• Server logs (IP addresses, request logs) — 30 to 90 days (Google Cloud
default).
• Privacy Policy / Terms acceptance record — for the lifetime of your
account, plus 7 years (proof of consent).
================================================================================
8. Your Rights (GDPR / EU & EEA)
If you reside in the EU, EEA or another jurisdiction that recognises GDPR-
equivalent rights, you have the following rights with respect to your personal
data:
• Right of access (Art. 15) — request a copy of the personal data we hold
about you
• Right to rectification (Art. 16) — ask us to correct inaccurate or
incomplete data
• Right to erasure / “to be forgotten” (Art. 17) — ask us to delete your
data; you can also self-serve via Settings → Delete Account
• Right to restriction of processing (Art. 18) — ask us to limit how we
process your data while a query is open
• Right to data portability (Art. 20) — receive your data in a structured,
machine-readable format
• Right to object (Art. 21) — object to processing based on legitimate
interests, including profiling (we do not profile)
• Right to withdraw consent (Art. 7(3)) — at any time, via Settings →
Privacy & Data, with no effect on processing carried out before
withdrawal. In regulated regions you can additionally re-open the Google
UMP form via Settings → Manage Privacy Choices.
• Right not to be subject to solely-automated decisions (Art. 22) — we do
not make automated decisions
You have the right to lodge a complaint with the competent supervisory
authority. The lead authority for this controller (Greek establishment) is:
• Hellenic Data Protection Authority (Αρχή Προστασίας Δεδομένων
Προσωπικού Χαρακτήρα — ΑΠΔΠΧ)
• Address: Λεωφ. Κηφισίας 1-3, 11523 Αθήνα, Ελλάδα
• Phone: +30 210 6475600
• Web: http://www.dpa.gr
• Email: contact@dpa.gr
You may also lodge a complaint with the supervisory authority of your EU/EEA
country of residence.
================================================================================
9. United Kingdom Residents
If you are a resident of the United Kingdom, the UK GDPR and the Data
Protection Act 2018 apply to the processing of your personal data. You have the
same rights as EU residents (above), and you may lodge a complaint with:
• Information Commissioner’s Office (ICO)
• Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
• Phone: 0303 123 1113
• Web: ico.org.uk
================================================================================
10. California Privacy Rights (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA)
as amended by the California Privacy Rights Act (CPRA) provides you with
specific rights:
• Right to Know — request information about personal information we have
collected, used, disclosed, or sold/shared in the past 12 months
• Right to Delete — request deletion of personal information we have
collected
• Right to Correct — request correction of inaccurate personal information
• Right to Opt-Out of Sale or Sharing — we do not “sell” personal
information in the traditional sense; however, advertising activity
through Google AdMob may constitute “sharing” under CPRA. You can opt out
via Settings → Privacy & Data → “Do Not Sell or Share My Personal
Information”. Toggling this preference on automatically disables
Analytics in the same transaction (CCPA “limit use of sensitive PI”
semantics).
• Right to Limit Use of Sensitive Personal Information — we do not collect
sensitive personal information as defined by CPRA
• Right to Non-Discrimination — we will not discriminate against you for
exercising any of these rights
To exercise these rights, contact us at mbirdtraining@gmail.com. We will
verify your identity (typically via your account email) before processing the
request.
Categories of personal information collected under CCPA disclosure framework:
• Identifiers — email, account ID (Firebase UID)
• Internet activity — app usage, device identifiers (AAID, only when you
opt in)
• Geolocation — coarse only, derived from IP address; we do not collect
precise GPS
• Inferences — subscription tier
We do NOT collect: biometric, health, financial-account, racial/ethnic,
religious, sexual orientation, or other sensitive categories of personal
information.
================================================================================
11. Other Regional Rights
Brazil (LGPD)
Brazilian residents have rights under the Lei Geral de Proteção de Dados
Pessoais (Law 13.709/2018) similar to GDPR. The Brazilian Data Protection
Authority is the ANPD (anpd.gov.br).
Canada (PIPEDA / Quebec Law 25)
Canadian residents may exercise rights under the Personal Information
Protection and Electronic Documents Act. Quebec residents have additional
rights under Law 25. Complaints: Office of the Privacy Commissioner of
Canada (priv.gc.ca).
Australia (Privacy Act 1988)
Australian residents have rights under the Australian Privacy Principles.
Complaints: OAIC (oaic.gov.au).
South Africa (POPIA)
South African residents may contact the Information Regulator
(justice.gov.za/inforeg).
Other jurisdictions
Residents of other countries may have local data-protection rights. Contact
us for assistance and we will respond in line with applicable law.
================================================================================
12. Children’s Privacy
The App is intended for users aged 16 and over. We implement an age-
verification screen during onboarding to enforce this requirement (only the
year of birth is persisted on-device — the full date is never transmitted).
We do NOT knowingly collect data from:
• Children under 13 (per US COPPA)
• Children under 16 (per the strictest EU GDPR Art. 8 member-state
implementations)
• Children under the local definition of “minor” for digital consent in
jurisdictions where this is higher than 16
If you believe we have inadvertently collected data from a child below the
applicable age, contact mbirdtraining@gmail.com and we will delete the data
promptly.
================================================================================
13. Cookies & Tracking Technologies
The App is a native Android application — it does not use HTTP cookies. The
persistent identifiers used are:
(i) the Firebase Auth UID (required for the service),
(ii) the App Instance ID used by Firebase Analytics when you opt in,
(iii) the Android Advertising ID (AAID) used by AdMob for personalized ads
when you opt in, and
(iv) IAB TCF v2 consent strings written by the Google UMP SDK in regulated
regions (see §1.8).
You can reset the AAID at any time from your Android device settings.
================================================================================
14. Changes to this Policy
We may update this Privacy Policy from time to time. The current version date
is shown at the top. When the policy version changes, the App detects the
version mismatch on next sign-in and presents a non-dismissible re-acceptance
dialog before you can continue using the service. You can either accept the
new version or reject and sign out. The decision is recorded server-side in
your user profile (timestamp, version, jurisdiction hint, platform) as proof
of consent under GDPR Art. 7.
================================================================================
15. Contact
Privacy questions, GDPR / CCPA requests, or any other data-protection enquiry:
mbirdtraining@gmail.com
================================================================================
Identity of the Data Controller
For the purposes of the EU General Data Protection Regulation (Regulation (EU)
2016/679, “GDPR”) and equivalent laws in other jurisdictions, the Data
Controller is:
• Name: Marios Theodosis
• Address: Poliviou 26, 26443 Patra, Greece
• Contact email: mbirdtraining@gmail.com
A Data Protection Officer (DPO) has not been appointed because the controller
does not meet the GDPR Art. 37 thresholds (the controller is not a public
authority and processing does not consist of large-scale, systematic monitoring
or special-category data).
================================================================================
mbirdTraining 