
🔐 Privacy Policy – Druidz.app

Last updated: December 2025

This Privacy Policy describes how the Druidz application (hereinafter "the Application") and the druidz.app website (hereinafter "the Website") collect, use, store and protect users' personal data.

Publisher

The Application is published by:

Vincent PITON – Sole proprietorship under the micro-entrepreneur regime
SIREN: 840 667 414
Address: 54 rue Amiral Lacaze, 97410 Saint-Pierre, Réunion Island
Email: druidzcontact@gmail.com

Druidz is committed to complying with the General Data Protection Regulation (GDPR) and applicable data protection legislation.

1. 📌 Data Collected by the Druidz Application

As part of using the Druidz mobile application, the publisher collects and processes only data strictly necessary for the service to function.

No data is sold, transferred or used for advertising purposes.

1.1. Identification Data

  • Email address (required to create an account and ensure its recovery).
  • Username publicly visible in certain features (rankings, contributions).
  • Encrypted internal identifier allowing user account management.

1.2. User-Generated Data

This data is strictly related to application usage:

  • Created recipes.
  • Notes, comments, presence votes, reports.
  • Observations made via Pl@ntNet integration (images, species proposals, blurred location).
  • History of Pl@ntNet identifications made in the application.
  • "Exploration trace": list of visited map tiles (zoom 15), allowing:
    • display of personal exploration map;
    • participation in "Hall of Great Crossings" ranking.

This data is never made publicly available individually.
Only a statistical summary may be displayed:

  • total distance explored,
  • longest single crossing,
  • main exploration country.

1.3. Location Data

  • Point location provided by the device (with explicit consent) to display natural points and improve Pl@ntNet accuracy.
  • Blurred location data (Z15 tile level) used for the exploration system.

No exact location is stored permanently.

1.4. Pl@ntNet Identification Data

When the user performs an identification from the application, the request is transmitted to the Pl@ntNet service, which processes and retains data according to its own privacy policy.

The user is informed that an identification involves:

  • sending the photo,
  • sending a blurred location,

to the Pl@ntNet service.

1.5. Premium Account Data

In case of Premium subscription:

  • A hashed device identifier may be retained to prevent abusive bulk map downloads (fraudulent API key use).
  • No banking data is ever retained by Druidz: payments are made exclusively via Stripe, which acts as a processor within the meaning of GDPR.

1.6. Technical Data

  • Anonymized technical logs (crashes, server errors, response times).
  • Aggregated usage data to improve service quality.

No advertising analysis or third-party tracking is used.

2. 🎯 Processing Purposes

Collected data is used to:

  • Manage your user account
  • Unlock Premium features
  • Ensure moderation and quality of contributions
  • Display your progress (exploration, hall of great crossings)
  • Guarantee service security (anti-abuse, offline fraud)
  • Operate the Pl@ntNet API
  • Improve the application (anonymized statistics)

✔ We do not perform any advertising targeting.
✔ No commercial profiling is performed.

Legal Basis for Processing

Processing is based on:

  • contract performance (article 6.1.b GDPR) for account and service features;
  • user consent (article 6.1.a GDPR) for optional features such as location;
  • publisher's legitimate interest (article 6.1.f GDPR) for security, abuse prevention and service improvement.

3. 🤝 Data Sharing

Druidz only shares your data with:

3.1. Pl@ntNet

For plant identifications.
Only data sent for identification is transmitted to them.

3.2. Technical Providers (GDPR Data Processors)

These services process your data on behalf of Druidz, in compliance with GDPR:

  • Google Cloud Platform (GCP) – Backend hosting and database → Europe (Belgium)
  • Firebase Hosting – Static website hosting
  • SendGrid (Twilio) – Transactional email delivery (password reset, notifications)
  • Stripe – Secure payment processing

📋 GDPR Compliance: All these service providers have signed a Data Processing Agreement (DPA) ensuring the protection of your data in accordance with the General Data Protection Regulation (GDPR). A detailed register of data processors is available upon request at druidzcontact@gmail.com.

3.3. Legal Obligations

In case of judicial requisition.

✔ No data is sold to third parties.

3.4. External Translation Services

The Application may offer the User a link to an external translation service to facilitate understanding or contribution to existing content.

This link redirects to an independent third-party tool (such as Google Translate), outside the Druidz Application. The Publisher performs no translation, does not control content generated by this third-party service and does not retrieve any results.

Any translation submitted in the Application results from a voluntary choice by the User, who may freely copy, modify, correct or rewrite content before submission.

The published translation is considered original User Content, for which the User assumes full responsibility.

4. 🌍 Transfers Outside the European Union

Data hosted by Druidz is stored exclusively in the European Union (Belgium / Finland / Netherlands depending on active GCP zone).

Only Pl@ntNet requests may be processed outside the EU according to their infrastructure.

5. 🔒 Security and Confidentiality

Druidz implements several measures:

  • Mandatory HTTPS encryption
  • Hashing of sensitive identifiers (bcrypt / SHA256 depending on use)
  • Secure JWT tokens
  • GCP security (IAM, firewall, isolated VPC)
  • Encrypted backups
  • Access logging
  • Authentication via secure providers (Google, Apple)

✔ No sensitive data is accessible in clear text.

6. ⏳ Retention Period

  • User account: until account deletion
  • Contributions: anonymized upon account deletion, then retained when necessary for service operation, in accordance with article 17.3 of GDPR
  • Technical logs: between 7 and 90 days
  • Pl@ntNet identification data: according to their rules

7. 🗑️ Account Deletion

You can delete your account from the application:

👉 Settings → Delete my account

A double confirmation will be requested to prevent accidental deletion.

⚠️ This action is irreversible.

This results in:

  • Permanent deletion of your personal data (email, password, OAuth identifiers)
  • Anonymization of your public contributions (recipes, translations, comments)
  • Automatic cancellation of your Premium subscription (if active)
  • Permanent and non-refundable loss of all your purchases: quotas, tile top-ups, Pl@ntNet credits
  • Deletion of your exploration history and statistics
  • Deletion of your votes and preferences
  • Immediate disconnection from your account
  • Permanent inaccessibility of the account

Important note: Your public contributions (recipes, translations, comments) are preserved in an anonymized manner with the label "Deleted account". They remain accessible in the application to maintain collaborative content coherence, but can no longer be linked to your real identity.

Your username can no longer be reused by another account.

8. User Rights – Personal Data & Contributions

In accordance with the General Data Protection Regulation (GDPR), each user has the right to access, rectify, delete, object to and port their personal data, in the strict sense.

8.1 Personal Data Covered by These Rights

The following are considered personal data:

  • email address;
  • username;
  • connection data (internal identifier, tokens, device hash);
  • blurred location data used for main features;
  • private elements linked to account: votes, reports, exploration traces, settings.

This data can be modified or deleted via account settings, or upon request to the data controller.

8.2 Public Contributions Not Subject to Right of Rectification

Certain data produced by the user is integrated into the application's collaborative content database. This notably includes:

  • published recipes;
  • translations;
  • public reports;
  • aggregated presence votes;
  • exploration traces used for global rankings;
  • possible comments associated with plants or spots.

These contributions are not considered "personal data" once they no longer allow user identification, in accordance with CNIL guidelines on anonymization.

8.3 Account Deletion and Anonymization

Upon account deletion, Druidz applies the following rules:

  • personal data (email, username, identifier, private data) is permanently deleted;
  • all public contributions are anonymized (replacement of author by "Deleted User" or equivalent);
  • the contribution itself may be retained, in accordance with article 17.3 of GDPR, as long as it no longer constitutes personal data.

This retention is necessary for normal application operation (e.g.: maintaining recipe coherence, presence voting, or anonymized exploration rankings).

8.4 No Individual Deletion of Contributions

The user cannot demand individual deletion of recipes, translations, comments, votes or reports already integrated into the database, as long as they are anonymized.

This rule follows the CNIL position:

"Data is considered non-personal when it no longer allows direct or indirect identification of a natural person."

Thus:

  • contributions remain usable,
  • they are no longer linked to the user,
  • there is therefore no more personal data to delete.

8.5 Access to a Copy of Data

The user can request, before account deletion, access to and a copy of their personal data within the meaning of GDPR.

This copy may include, when this data is linked to the user's account:

  • email address;
  • username;
  • account settings;
  • exploration traces (tiles);
  • votes and reports;
  • Pl@ntNet identifications performed from the application;
  • content written by the user (notably recipes, comments, translations), as long as they are not anonymized.

Not included in this copy:

  • anonymized data no longer allowing user identification;
  • aggregated or derived data for statistical purposes;
  • application's global databases (plants, maps, spots, other users' recipes);
  • content whose communication would infringe the rights and freedoms of other persons.

This data is provided in a structured, commonly used and machine-readable format, within the limits of a reasonable request that affects neither service operation nor third-party rights.

📩 To exercise your rights: druidzcontact@gmail.com

9. 🍪 Cookies

The Druidz website does not place any tracking cookies.
Only technical cookies may be used for website operation.

10. 📄 Modifications

This policy may be updated.
The update date appears at the top of the document.

11. ⚖️ Contact

For any questions regarding this policy:

📧 druidzcontact@gmail.com

Supervisory Authority (France): CNIL - www.cnil.fr

12. 🛡️ Data Protection Officer (DPO)

Druidz is not required to appoint a Data Protection Officer (DPO), in accordance with article 37 of GDPR.

13. 🌐 Governing Language and Version

This Privacy Policy is written in French.

If this policy is translated into one or more languages, only the French version shall prevail in case of divergence, interpretation or dispute.

© 2025 Druidz. All rights reserved.