Privacy Policy

Last updated · 2 June 2026

Jungle Journal is a wildlife identification and journaling app for Southern Africa. We built it with privacy as a design principle: your photos, your journal entries, and the AI that identifies wildlife all live on your phone - not on our servers. This policy explains the few things we do collect, why, and how to control them.

If anything in this policy is unclear, contact us at [email protected].

In one paragraph: We store your account email (or Apple Sign-In ID), a unique account identifier, and any community map sightings you choose to share publicly. Wildlife identification runs entirely on your device - your photos are never uploaded for identification. We use PostHog to collect anonymised usage analytics (which features get used, not who used them). You can delete your account at any time from Settings → Account → Delete Account, which permanently removes your data from our servers.

1. About this notice

This notice satisfies our disclosure obligations under the South African Protection of Personal Information Act, 2013 (POPIA), the EU General Data Protection Regulation (GDPR), and equivalent laws in other regions.

Responsible party. Jungle Journal is operated by Nelson Chainho, based in South Africa. The designated Information Officer under POPIA s.55 is Nelson Chainho, reachable at [email protected].

Lawful basis for processing. We process your personal information on two lawful bases: (a) your consent, given when you create an account and grant permissions in the app, and (b) contractual necessity, in order to deliver the services you signed up for (identification, journal sync, community map). We do not rely on legitimate interest for any new processing.

Voluntary vs mandatory. Providing an email address (or Apple Sign-In) is mandatory - without it we cannot create an account or restore your session. All other data is voluntary: you can use Jungle Journal without ever sharing a sighting to the community map, setting a profile photo, or supplying a display name. The consequence of not providing the mandatory data is simply that you cannot create an account.

No automated decision-making. We do not make decisions about you using algorithms alone (POPIA s.71, GDPR Art.22). The on-device species identifier suggests species; you always decide what to save.

2. Data we collect

Account data

When you create an account, we store:

Your email address (for email signup) or your Apple Sign-In identifier (for Sign in with Apple).
A unique account ID generated by our authentication provider, Supabase.
The date and time your account was created.

We do not collect your name, age, gender, address, or phone number.

Community map sightings

When you choose to share a sighting to the community map (this is opt-in at each capture), we upload:

The species name you photographed.
The conservation status of that species.
The exact location of the sighting. Accurate coordinates make the community map useful to other naturalists trying to find what is being seen near them.
The time of the sighting, rounded to the nearest hour.
Your account ID, so the sighting can be deleted with your account.

Species blocked from the community map. Sightings of the following species are never uploaded, regardless of who reports them. The sighting still saves to your personal on-device journal - nothing about it leaves your phone.

All rhinoceros species and subspecies (White Rhino, Black Rhino).
All pangolin species (Temminck's Pangolin and any others).

The block list mirrors the public reporting policy of the Latest Sightings platform and reflects the species under the most direct illegal-trade poaching pressure. We can extend this list at any time if conservation advice changes; we will not silently shrink it.

We do not upload the photograph itself.

Community map sightings are automatically deleted from our servers 48 hours after they are reported.

Usage analytics

We use PostHog (a privacy-friendly analytics platform, hosted in the EU) to understand how the app is used. The events we collect are:

Sign-up, sign-in, sign-out, account deletion.
Capture and journal-save events, with metadata like the field book, conservation status, and image quality score (no photo, no location).
Community map share events (whether shared, not what was shared specifically).

Analytics events do not contain your email, your name, your photos, your coordinates, or any identifying personal information. They are tied to your account ID only after you sign in; before sign-in they use a randomly generated device identifier.

You can opt out of analytics by deleting the app - there is no separate analytics opt-out, because we do not collect anything personally identifying.

Location data (on-device only)

The app may ask for permission to access your location. When granted, your location is used:

To tag sightings in your private journal (stays on your device).
To show your position on the in-app map.
To attach a location to community map sightings you choose to share, so other users can find what was seen and where (see above).

Your phone's location is read on-device. We only upload it when you explicitly share a sighting to the community map. For species on our block list (rhinos, pangolins) it is never uploaded, even when you try to share.

Photos and journal entries

Photos you capture and journal entries you write are stored exclusively in your phone's app storage. They are not uploaded to our servers, backed up online, or shared with any third party. If you delete the app, these are deleted with it.

There is one exception, and it only happens when you ask for it: see Print orders below.

Print orders (opt-in)

You can order a print in two ways, and both are entirely opt-in:

From the app: if you tap Buy a print on a photo and confirm the on-screen notice, we upload a full-resolution copy of that one photo to our print service so it can be produced and shipped. This is the only time a photo leaves your device, it is strictly per-photo, and nothing else in your journal is uploaded.
From our website (Print Shop): if you upload a photo on our website to order a print, that image is sent to our print service for the same purpose. We use it only to produce and deliver your order.

To fulfil an order you place on our website, we also collect and store:

The product you chose (orientation and size) and the price.
Your name, email, and phone number.
Your delivery address.

We share the photo and these delivery details with our print and courier partners solely to produce and deliver your order. Payment is handled on our website by PayFast, a South African payment provider; we never see or store your full card details. The uploaded photo is kept only as long as needed to fulfil the order and is then removed.

3. How we use your data

Data	Purpose
Email / Apple ID	To authenticate you when you open the app
Account ID	To attach your sightings and analytics events to a stable identifier
Community map sightings	To show other users where wildlife has recently been seen
Usage analytics	To understand which features matter, identify bugs, and improve the app
Location (on-device)	To tag sightings, show the map, and attach to shared community sightings

We do not use your data to:

Train AI models (the identification model is pre-trained and never updated with user data without explicit future opt-in).
Sell or rent to third parties.
Show advertising.
Build a marketing profile.

4. Who we share data with

We rely on three third-party services. Each receives only the minimum data needed for its job.

Provider	What they receive	Where data is stored
Supabase (auth + database)	Your email / Apple ID, account ID, community sightings	Frankfurt, Germany (EU)
PostHog (analytics)	Anonymised event data	Frankfurt, Germany (EU)
Apple (Sign in with Apple)	Only what is needed to verify the sign-in token	Apple's data centres
PayFast (payments, print orders only)	Order amount and payment details you enter at checkout	South Africa
Print & courier partners (print orders only)	The photo you chose to print, plus your name and delivery address	South Africa

These providers are bound by their own privacy policies and applicable data protection laws. We do not give them permission to use your data for their own purposes.

We may also share data if we are legally required to (e.g. by a court order). We will push back on any request we believe to be overbroad or unlawful.

5. Where your data is stored & cross-border transfer

All server-side data is stored in Frankfurt, Germany (the European Union) - both Supabase and PostHog are configured to use their EU regions. Data may be processed elsewhere transiently (e.g. content delivery networks for our static site), but the system of record is in the EU.

Cross-border transfer notice (POPIA s.72). Because we are a South African operator using EU-hosted infrastructure, your personal information leaves South Africa. By creating an account you consent to this transfer. The EU's GDPR provides a level of data protection that is substantially similar to, and in several respects stricter than, POPIA - this satisfies the "adequacy" requirement in POPIA s.72(1)(a). Aside from print orders (below), we do not transfer your data to any jurisdiction outside the EU.

Print orders. If you place a print order, the photo you chose plus your order and delivery details are processed in South Africa by our payment provider (PayFast) and our print and courier partners, purely to produce and ship that order.

6. How long we keep your data (retention)

POPIA s.14 requires us to tell you how long we hold your personal information. Our retention periods are:

Account data (email / Apple ID, account record): retained for as long as your account is active. Deleted within 24 hours of you tapping Delete Account.
Community map sightings: auto-deleted from our servers 48 hours after they were reported. There is no archive.
Push token & notification preferences: retained with your account. Deleted with your account.
Profile photo & display name: retained with your account. Deleted with your account.
Print orders: the uploaded photo is removed once the order is fulfilled. Order and delivery records are kept only as long as needed for fulfilment, tax, and consumer-protection obligations, then deleted.
Usage analytics events (PostHog): retained for up to 24 months, then permanently aggregated or deleted. Reset to a fresh identifier on sign-out.
Server logs (Supabase request logs): retained by our provider for up to 7 days for security and debugging, then automatically purged.

We do not retain data for longer than these periods unless required to by law.

7. Your rights

You have the following rights over your data under POPIA (South Africa), GDPR (European Union), and equivalent laws elsewhere:

Access. Request a copy of the data we hold about you.
Correction. Ask us to correct anything that is wrong.
Deletion. Permanently remove your account and associated data - built into the app, see Settings → Account → Delete Account.
Portability. Request your data in a structured, machine-readable format.
Objection. Object to specific uses of your data.
Withdraw consent. Stop using the app at any time.
Complain. Lodge a complaint with the South African Information Regulator (inforegulator.org.za) or your local data protection authority.

To exercise any of these rights, email [email protected]. We respond within 30 days.

Account deletion in detail

When you tap Delete Account, we:

Delete your row in our users table, which cascades to delete every community sighting attached to your account.
Delete your authentication record, which invalidates your session and frees up your email / Apple ID to be used again.
Reset your analytics distinct identifier so events from the next user of the device are not attributed to you.

Your on-device journal and photos are not affected by account deletion - they remain on your phone. If you want to remove them too, delete the app.

Deletion is irreversible. There is no recovery, no archive, no soft-delete grace period.

8. Children

Jungle Journal is rated 4+ in the App Store. We do not knowingly collect data from children under 13 without parental consent. If you believe a child has created an account, email [email protected] and we will delete the account immediately.

9. Security

We take reasonable steps to protect your data:

All network traffic uses HTTPS / TLS.
Database access is enforced by row-level security, so authenticated users can only read and modify their own data.
Passwords are hashed by Supabase using bcrypt; we never see or store plaintext passwords.
Our codebase is audited for hard-coded secrets and improper data handling before each release.

No system is perfectly secure. If we ever discover a breach affecting your data, we will notify you within 72 hours and report it to the relevant authority as required by law.

10. Changes to this policy

We may update this policy when the app changes. The "Last updated" date at the top reflects the most recent change. For material changes (anything that expands what we collect or how we use it), we will notify you in the app before the change takes effect.

11. Contact

Email: [email protected]
Website: junglejournal.org
Operator: Nelson Chainho, South Africa

If you have a privacy concern, please reach out before lodging a regulatory complaint - we want to fix issues quickly.