Data Controller
The data controller responsible for your personal data is:
[Company Legal Name]
trading as The SPRK Factory
Product: Taxon (taxon.app)
Location: European Union (Germany)
Privacy inquiries: [email protected]
Data Protection Officer: [To be appointed]
"Taxon" refers to the mobile application, the website at taxon.app, and all associated services operated by [Company Legal Name]. "We", "us", and "our" refer to [Company Legal Name] in its capacity as data controller.
Data We Collect
We collect different categories of data depending on how you interact with us. The table below sets out each category clearly.
2A. Website and Pre-Launch Forms (Current)
The following data is collected through the Taxon landing page at taxon.app:
| Category | Data Elements | Source |
|---|---|---|
| Contact & Identity | Email address | Waitlist signup form |
| Professional Profile | Name, role, institution, research focus | Pilot application form |
| Qualitative Feedback | Open-text descriptions of field data workflows, pain points, feature requests | Pilot application form |
| Usage & Analytics | Pages visited, session duration, referrer URL, device type, browser, approximate geographic region (country/city level) | Google Analytics 4 (or equivalent analytics platform) |
| Technical Identifiers | IP address (anonymised), cookie identifiers, browser fingerprint signals | Automatically on page load |
2B. Taxon Mobile Application (Pre-Launch — Future Processing)
The Taxon app is not yet publicly available. The following describes data processing that will occur once the app launches. This policy will be updated before launch and presented to users during account creation.
| Category | Data Elements | Source |
|---|---|---|
| Account Data | Full name, email address, institution/organisation, role | Account registration |
| Field Observations | Species identifications (scientific name, common name, taxon rank), observation notes, abundance counts, observer name | In-app data entry |
| Location Data | GPS coordinates (latitude, longitude, altitude, accuracy), site names, habitat descriptors | Device GPS via app |
| Media | Photographs (JPEG/RAW with EXIF metadata), audio recordings (species calls) | Device camera / microphone via app |
| Equipment Data | Sensor/trap identifiers, deployment coordinates, deployment dates, retrieval status, maintenance notes | In-app data entry |
| Sync & Usage Metadata | Sync timestamps, record counts, app version, device OS, session identifiers, offline duration logs | Automatically generated by app |
Observation and equipment data entered into Taxon is primarily ecological research data. Where that data contains information from which an individual could be identified (for example, because an observer's name is recorded alongside an observation), it constitutes personal data and is processed in accordance with this policy.
Legal Basis for Processing
Under GDPR Article 6, every processing activity must rest on a valid legal basis. We process your personal data under one or more of the following bases:
Consent — Article 6(1)(a)
We rely on your freely-given, specific consent for: analytics cookies and non-essential tracking on our website; email marketing or product-update communications; and any processing of personal data within the app that goes beyond what is strictly necessary to provide the service. You can withdraw consent at any time without detriment by contacting [email protected] or adjusting your cookie preferences.
Performance of a Contract — Article 6(1)(b)
Once you create a Taxon account, we process your account data (name, email, institution) and sync metadata because it is necessary to deliver the service you have contracted with us for, including storing and synchronising your field data and maintaining your account.
Legitimate Interests — Article 6(1)(f)
We process certain data on the basis of our legitimate interests in operating and improving Taxon, provided those interests are not overridden by your privacy rights. This includes: maintaining website security and preventing abuse; conducting internal product analytics to improve user experience; communicating directly with pilot applicants about their application status; and responding to support requests. We have carried out a balancing test and conclude that these interests are proportionate and that data subjects would reasonably expect such processing.
Legal Obligation — Article 6(1)(c)
Where required by applicable EU or German law (for example, tax record-keeping obligations or responding to lawful requests from competent authorities), we will process the minimum personal data necessary to fulfil that obligation.
Purposes of Processing
We only use your data for the purposes described below. We do not sell personal data. We do not use personal data for automated decision-making or profiling that produces legal or similarly significant effects.
Waitlist management
To record your interest in Taxon and notify you when early access becomes available. Legal basis: Consent.
Pilot programme selection
To evaluate pilot applications, contact selected applicants, and onboard pilot users. Legal basis: Legitimate interests (pre-contractual relationship); Consent (for qualitative workflow data).
Product development and user research
To understand how ecologists work in the field and design features that solve real problems. Qualitative feedback is analysed in aggregate where possible. Legal basis: Consent.
Website analytics and improvement
To understand which pages perform well, diagnose technical issues, and improve the site experience. Analytics data is IP-anonymised and aggregated. Legal basis: Consent (analytics cookies).
Service delivery (app)
To store, synchronise, and export your field observation and equipment data; to maintain your user account; to enable collaboration within research teams. Legal basis: Performance of contract.
Security and fraud prevention
To detect and prevent unauthorised access, abuse, or other security threats to our systems and to your data. Legal basis: Legitimate interests.
Transactional communications
To send essential service communications: account confirmations, security alerts, significant policy updates, and billing notifications (when billing is introduced). Legal basis: Performance of contract or legitimate interests.
Legal compliance
To meet our obligations under applicable EU and German law, including tax, financial, and regulatory requirements. Legal basis: Legal obligation.
Data Retention Periods
We keep personal data only for as long as necessary for the purpose for which it was collected, or as required by law. The following retention periods apply:
| Data Category | Retention Period | Rationale |
|---|---|---|
| Waitlist email addresses | Until launch + 6 months, or until you unsubscribe | Purpose of collection ends at launch or on withdrawal of consent |
| Pilot application data | 12 months from application date | Time needed to onboard and assess pilot cohort |
| Open-text workflow feedback | 24 months, or until anonymised | Product development cycle; anonymised versions retained indefinitely |
| Website analytics data | 14 months (Google Analytics default, with anonymisation) | Standard analytics retention; IP anonymised at collection |
| App account data | Duration of account + 30 days following deletion request | Service delivery; 30-day grace period for accidental deletion |
| Field observation & ecological data | Duration of account, or until explicitly deleted by user | Ecological records have long-term scientific value; user controls deletion |
| GPS coordinates & media | Duration of account, or until explicitly deleted by user | Integral to observation record; user controls deletion |
| Sync and usage metadata | 90 days rolling | Technical support and debugging only |
| Security and server logs | 90 days | Incident detection; minimised in line with German hosting requirements |
| Financial / billing records | 10 years | German tax law (Abgabenordnung §147) and commercial law requirements |
When a retention period expires, data is securely deleted or irreversibly anonymised. Where deletion is technically complex (for example, backup media), data is flagged for deletion and overwritten at the next scheduled backup cycle, within 90 days at the latest.
Third-Party Data Sharing
We do not sell, rent, or trade your personal data. We share data only with the categories of recipients listed below, and only to the extent necessary.
Where a third party processes personal data on our behalf, they do so as a data processor under a written data processing agreement (DPA) that complies with GDPR Article 28. They may not use your data for their own purposes.
Web Analytics
Consent requiredGoogle Analytics 4 (or a privacy-focused alternative such as Plausible or Fathom) is used to understand how visitors use the Taxon website. IP addresses are anonymised before storage. Analytics are only activated after you accept analytics cookies via the cookie consent banner.
Processor: Google LLC (Google Analytics) or equivalent. DPA in place. Data may be transferred under Standard Contractual Clauses — see Section 7.
Cloud Infrastructure & Hosting
EU-hostedOur servers and databases are hosted within the European Union (Germany). Personal data processed through the Taxon app — including observation data, account data, and media — is stored on EU infrastructure. Hosting providers are bound by DPAs and process data only as instructed.
Infrastructure hosted in Germany. No personal data stored outside the EU/EEA by default.
Transactional Email Delivery
NecessaryAn email service provider is used to send transactional messages (account confirmations, waitlist notifications, pilot acceptance emails). Your email address is shared with this provider for delivery purposes only.
Provider: [To be confirmed prior to launch]. DPA will be in place. EU-based or SCC-covered transfer.
Legal & Regulatory Disclosure
Legal obligationWe may disclose personal data to competent authorities (courts, law enforcement, regulatory bodies) where required by applicable EU or German law, or where necessary to establish, exercise, or defend legal claims. We will inform you of any such disclosure unless prohibited from doing so by law.
Business Transfers
ConditionalIn the event of a merger, acquisition, or sale of all or substantially all of our assets, personal data held by us may be transferred to the acquirer. We will notify affected users before any such transfer takes place and the acquirer will be required to honour the commitments made in this policy.
International Data Transfers
Our primary infrastructure is located within the European Union (Germany). By default, your personal data does not leave the EU/EEA. However, some of our third-party service providers (such as Google Analytics) may process data in countries outside the EU/EEA, including the United States.
Where personal data is transferred to a country that has not been granted an adequacy decision by the European Commission, we ensure that appropriate safeguards are in place in accordance with GDPR Chapter V. These safeguards include:
- Standard Contractual Clauses (SCCs) — the European Commission-approved model clauses (2021/914/EU) incorporated into our data processing agreements with relevant third-party processors.
- EU-US Data Privacy Framework — where applicable, transfers to US-based processors certified under the EU-US Data Privacy Framework (implemented 2023).
- Adequacy decisions — where data is transferred to a country the European Commission has determined provides an adequate level of data protection.
You may request details of the specific transfer mechanisms in place for any particular third-party processor by contacting [email protected].
Your Rights Under GDPR
As a data subject under GDPR, you have the following rights. These rights are not absolute and may be subject to exceptions, but we will always respond to requests transparently and within the timeframes required by law. To exercise any of these rights, contact us at [email protected]. We will respond within 30 days, with a possible 60-day extension for complex requests (you will be informed of any extension).
Right of Access
You have the right to request a copy of the personal data we hold about you (a Subject Access Request). We will provide this in a commonly-used electronic format at no charge. Art. 15 GDPR
Right to Rectification
You have the right to ask us to correct inaccurate personal data or complete incomplete data. App users can update most data directly in account settings. Art. 16 GDPR
Right to Erasure
You have the right to request deletion of your personal data ("right to be forgotten") where there is no overriding legal ground for continued processing — for example, where you withdraw consent and no other legal basis applies. Art. 17 GDPR
Right to Restriction
You have the right to request that we restrict processing of your data in certain circumstances — for example, while you contest the accuracy of data we hold, or while an objection is pending. Art. 18 GDPR
Right to Data Portability
Where processing is based on consent or contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly-used, machine-readable format (such as JSON or CSV) and to transmit it to another controller. Art. 20 GDPR
Right to Object
You have the right to object at any time to processing of your personal data where the legal basis is legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds. You also have an absolute right to object to direct marketing. Art. 21 GDPR
Right to Withdraw Consent
Where we process your data on the basis of consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal date. To withdraw consent, contact [email protected], or use the unsubscribe link in any email we send you, or adjust your cookie preferences on the website. Art. 7(3) GDPR
Identity verification: To protect your data, we may need to verify your identity before processing a rights request. We will ask for the minimum information necessary to confirm you are who you say you are. We will not charge a fee for reasonable requests, but may charge a reasonable fee or refuse a request that is manifestly unfounded or excessive.
Children's Data
Taxon is designed for professional and academic use by field ecologists, researchers, and conservation practitioners. The service is not directed at children under the age of 16.
We do not knowingly collect personal data from children under 16 years of age. If you are under 16, please do not use our website or application and do not provide any personal information.
If we become aware that we have inadvertently collected personal data from a child under 16 without verifiable parental consent, we will take prompt steps to delete that data from our records. If you believe we may have collected data from a child under 16, please contact us immediately at [email protected].
Where Taxon is used in educational settings involving students under 16 (for example, university fieldwork courses supervised by an instructor), the educational institution or supervising researcher is responsible for obtaining appropriate consent from students or their guardians and for ensuring compliance with applicable child data protection requirements.
Security
We implement appropriate technical and organisational measures to protect your personal data against accidental loss, destruction, alteration, unauthorised disclosure, or access, in accordance with GDPR Article 32.
Encryption in transit
All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher.
Encryption at rest
Data stored on our servers is encrypted at rest. On-device data in the app is encrypted using device-level encryption.
Access controls
Access to personal data by our team is limited to those who need it, controlled by role-based permissions and two-factor authentication.
Breach notification
In the event of a personal data breach posing a risk to your rights, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay.
Despite these measures, no method of transmission or storage is 100% secure. If you have concerns about the security of your data, or to report a potential vulnerability, please contact [email protected].
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices, the services we offer, or applicable law. The "Last updated" date at the top of this page will always reflect the date of the most recent revision.
Where we make a material change to how we process your personal data — for example, adding a new purpose for processing, engaging a new category of third-party processor, or significantly extending retention periods — we will notify you before the change takes effect by:
- Displaying a prominent notice on the Taxon website and app; and/or
- Sending an email to the address registered with your account or waitlist submission.
Where the change requires a fresh legal basis (for example, we begin processing for a new purpose that requires consent), we will obtain your consent before proceeding with the new processing.
Non-material changes (such as corrections of typographical errors, clarifications of existing practices, or updates to our company address) will be made without specific notice.
We recommend reviewing this policy periodically. Continued use of the Taxon website or app after a material change is posted constitutes your acknowledgement of the updated policy, subject to any requirement to obtain fresh consent.
Version history: This is version 1.0 of the Taxon Privacy Policy, effective 20 March 2026. Prior versions will be made available on request by contacting [email protected].
Contact Us and Lodge a Complaint
If you have any questions about this Privacy Policy, wish to exercise a data subject right, or have a concern about how we handle your personal data, please contact us:
Data Protection Officer
[To be appointed]
The DPO contact details will be published here prior to app launch and registered with the supervisory authority.
Supervisory Authority
You have the right to lodge a complaint with a data protection supervisory authority if you believe we have not handled your personal data in accordance with GDPR. As a Germany-based company, our lead supervisory authority is:
The Federal Commissioner for Data Protection and Freedom of Information
Bundesbeauftragte fur den Datenschutz und die Informationsfreiheit (BfDI)
Graurheindorfer Str. 153, 53117 Bonn, Germany
Website: www.bfdi.bund.de
You also have the right to lodge a complaint with the supervisory authority in the EU member state where you live, work, or where an alleged infringement of GDPR took place. A full list of EU data protection authorities is available at edpb.europa.eu.
We would, however, appreciate the opportunity to address your concern before you approach a supervisory authority. Please contact us first at [email protected].
Questions about this policy?
Our privacy team is here to help. We aim to respond within 72 hours.