HERPID+ — PRIVACY POLICY Last Updated: April 27, 2026 Developer / Publisher: BOTAKIB Location: Toronto, Ontario, Canada Contact Email: botakibapps@gmail.com 1. Introduction This Privacy Policy explains how HerpID+ (“the App”) collects, uses, stores, and protects your information. By using the App, you agree to the practices described below. HerpID+ is a wildlife-identification, hobbyist and educational tool. It helps users identify animals and plants, learn about species, request AI-generated captive-care guidance, and organize findings into personal collections. 2. Information We Collect HerpID+ collects only the information necessary to operate the App and its features. 2A. User-Provided Information When using the App, you may provide: Photos and images you upload or capture Nicknames for species Collection names and folders Saved AI-generated text (scan results, care guides, “egg” summaries) You must only upload images that you own or have rights to use. 2B. Account Information HerpID+ uses Firebase Authentication. You may access the App through: Anonymous guest accounts (created automatically) Google Sign-In (if chosen) Firebase may collect: Email address (Google sign-in only) Unique Firebase user ID Basic authentication metadata Anonymous accounts do not include personal identity information. For Google Sign-In, Firebase may also provide basic profile information such as display name and profile photo URL. This is used only to display your profile in-app and is not stored in Firestore/Storage by HerpID+. 2C. Automatically Collected Data HerpID+ uses Firebase services, which collect certain technical and usage data needed to operate, secure, and improve the App, including: Device type and model Operating system version App version Crash logs (for stability/diagnostics): Firebase Crashlytics collects crash reports such as crash stack traces and associated app/device information to help diagnose and fix crashes. Performance diagnostics (such as app responsiveness and network request timing) used to help identify and fix performance issues. Basic in-app usage events (such as scans, care guides, collections, and egg feature actions) for analytics and security/fraud prevention. (see 5A) These usage events can include subscription purchase-flow events (for example, starting a purchase, purchase completion, and restore/verification outcomes) for analytics and reliability. HerpID+ uses Firebase Analytics. On Android, Firebase Analytics automatically collects an app-instance ID (a random identifier assigned to each installation), the Android Advertising ID (if available), and a masked IP address that Google uses to derive coarse location (for example, country or region). Google Analytics for Firebase also collects in-app purchase and subscription events (including parameters such as product ID, product name, and price) for analytics and reliability. HerpID+ does not use this data for advertising or remarketing, and the App does not show ads. The App does not collect: GPS location. Contact lists. Phone numbers. Payment card information. The App does not contain advertising. Network & Security Log Data (Service Providers) When the App communicates with our service providers (such as Firebase/Google), they may process basic network and security log data such as IP address, user-agent information (browser/app request metadata), timestamps, and device-related identifiers to operate the service, provide security protections, prevent abuse, and (in some cases) produce aggregated metrics. This can occur, for example, when using Firebase Cloud Functions, Firebase Authentication, Firebase Hosting (website deletion page), and Firebase Performance Monitoring. 2D. Device Identifiers (Firebase Installations ID) HerpID+ uses a persistent, anonymous device identifier (“FID”) to enforce scan limits, prevent abuse, and maintain system integrity. The FID: Contains no personal identity data Is not linked to your Google account May persist across reinstalls Is never sold, shared, or used for marketing 2E. Subscription and Purchase Information (Google Play) If you subscribe to Premium through Google Play, Google provides the App and our backend with subscription purchase data needed to verify and restore your Premium entitlement, including: a purchase token (a receipt identifier for the subscription purchase), the subscription identifier (for example, the subscription product/base plan you purchased), and subscription state information (such as whether the subscription is active, canceled, expired, in grace period, or on hold) retrieved via Google Play’s developer APIs when verifying your entitlement. We use this information only to: (a) verify Premium access, (b) restore Premium on reinstall or account changes, and (c) prevent fraud/abuse. When verification succeeds, HerpID+ writes a subscription verification record to Firebase Firestore that includes: packageName, productId (or subscription/base plan identifier), purchaseToken, uid (linked at time of verification), and updatedAt. These verification records are retained after account deletion and are not reset by uninstalling the App. If verification cannot be completed (for example due to missing permissions or connectivity), a verification record may not be created until verification succeeds. We do not receive or store payment card numbers, billing addresses, or payment methods. All billing and payment processing is handled exclusively by Google Play. 2F. Promotional / Redemption Codes If you redeem a promotional code for Premium access, we process the code and store redemption metadata (such as the time of redemption and the resulting Premium expiry) to apply the entitlement and prevent fraud/abuse. Code usage totals and anti-fraud records (such as maximum uses and last-used time) may be retained for integrity and enforcement. 3. How We Use Your Information We use your information to: Identify species using AI Save and display your scan history Create and manage your collections Generate AI-based captive care guidance Maintain accounts and authentication Improve App performance and stability Enforce usage limits (including Premium fair-use limits) Protect the App from abuse Measure feature usage (such as scans, care guides, collections, and eggs) to improve the App. We do not sell your data. We do not use your data for advertising. We do not train AI models on your photos or personal data. Free-Tier Limit Tracking HerpID+ uses anonymous device identifiers (FID) and account IDs to enforce free-tier limits such as: Daily scan limits. Lifetime egg creation limits/Active egg limits. Daily care guide limits. Daily collection add and creation limits. These FID-based limit-tracking/enforcement records are retained after account deletion and are not reset by uninstalling the App. Premium subscribers bypass free-tier limits through secure server-side verification, and Premium fair-use limits are enforced to prevent abuse and protect service stability. 4. AI Processing and Image Handling HerpID+ uses Google's cloud artificial intelligence services to analyze uploaded images. When you perform a scan: Your image is securely sent to the AI system The model analyzes the image A result is returned to the App Relevant results may be stored in your scan history or collections The AI service does not train on your data. Outputs may be inaccurate or incomplete. The App is not intended for safety-critical decisions. Images may be temporarily cached during processing by the AI service, but the AI service does not store them long-term or use them for training. If you choose a photo from your gallery for scanning, the app must access that image to process it. To use the scanning feature, the App will request permission to access your device's camera and/or photo gallery. This permission is required to capture or select an image for analysis and is not used for any other purpose. 5. Image Storage and Scan History Uploaded images are stored in Firebase Storage. Scan records stored in Firestore may include image storage references (such as file paths or download URLs), timestamps, and the associated AI-generated results/summary text. Scan results and AI-generated summaries are stored in Firestore until: You delete them manually, or You delete your account HerpID+ does not automatically delete user data on a schedule. Data remains until you delete it manually or delete your account. 5A. Retention of Limit-Tracking Data HerpID+ stores limit-tracking and abuse-prevention records in Firebase Firestore to enforce free-tier limits and Premium fair-use limits (including counters for scans, eggs, care guides, and collection actions). These records are associated with an anonymous device identifier (Firebase Installations ID, “FID”) and do not contain personal identity information. These enforcement records are retained after account deletion and are not reset by uninstalling the App. 5B. Local Notifications and Timezone Data To provide accurate scheduling for local notifications, such as plant care reminders, we access your device's local timezone. This information is used solely for scheduling and is not stored or shared for any other purpose. All notifications are stored and triggered locally on your device. 6. How We Share Information HerpID+ shares information only with essential service providers: Firebase Authentication Firebase Firestore Firebase Storage Firebase Analytics Firebase Crashlytics Firebase Performance Monitoring Firebase App Check Google's cloud artificial intelligence services Google Play Billing / Google Play Developer API and Real-time Developer Notifications (RTDN via Google Cloud Pub/Sub) for subscription verification and automated entitlement updates We do not share your data with advertisers, data brokers, or marketing organizations. We may share information if required: To comply with legal obligations To respond to law enforcement To protect user safety or App integrity 7. Your Rights and Choices You may: Delete individual scans Remove uploaded images Edit or delete collections Remove AI-generated content Delete your account Deleting your account removes your in-app profile and content, but does not cancel a Google Play subscription. 7A. Website deletion code(backup option) and in app deletion If you cannot access the app, you may delete your account using our website deletion page and your deletion code. The deletion code is shown inside the app after you create or sign into your account. For security, we do not store deletion codes in plain text. Rate limiting & security logs (website deletion). To prevent abuse of the website deletion page, we process limited technical data such as your IP address (stored as a one-way hashed value), request timestamps, and basic request metadata. This data is used only for security, fraud/abuse prevention, and rate limiting, and is retained for a short period and deleted after expiry (typically within about 24 hours). You are responsible for securely storing your website deletion code. If you lose this code after uninstalling the app, we may not be able to process a deletion request, as we may have no way to verify your identity. When you delete your account in app or from our website: Your Firebase Auth account is deleted Your account data stored under your user profile in Firestore is deleted (such as scans, collections, eggs, and saved AI-generated content) Images stored under your user folder in Firebase Storage are deleted Certain integrity and abuse-prevention records are retained after account deletion to prevent fraud, enforce limits, and maintain subscription verification (for example, FID-based limit counters and subscription token-mapping/verification records). Account deletion does not reset these records. Deletion is permanent and cannot be undone. Deletion-token records are removed after account deletion. 8. Data Security We use reasonable and industry-standard safeguards, including: Encryption in transit (HTTPS) Encryption at rest Secure authentication Firestore security rules Firebase App Check for device verification Subscription Verification Security: Premium subscription status is verified server-side with Google Play. To support verification, entitlement updates, and fraud/abuse prevention, HerpID+ retains subscription verification records in Firestore that can include a purchase token, token-mapping/verification metadata, and non-financial entitlement fields (such as Premium status, packageName/productId, UID at time of verification, and verification timestamps such as updatedAt). These verification records are retained after account deletion. HerpID+ does not store credit card numbers, billing addresses, or payment methods. All billing and payment processing is handled exclusively by Google Play. We periodically verify authentication status to prevent access after account deletion. 9. Children’s Privacy HerpID+ is intended for users age 18 and older. We do not knowingly collect, use, or solicit personal information from anyone under the age of 18. If we learn that we have inadvertently collected personal information from an individual under 18, we will take all reasonable steps to delete that information as quickly as possible. 10. Third-Party Services HerpID+ uses: Firebase Authentication Firebase Firestore Firebase Storage Firebase Analytics Firebase Crashlytics Firebase Performance Monitoring Firebase App Check Google's cloud artificial intelligence services Google Play Billing / Google Play Developer API / Real-time Developer Notifications (RTDN via Pub/Sub) for subscription verification and automated subscription status updates. Google Play may send real-time subscription status notifications to HerpID+ (via Google Cloud Pub/Sub) to keep Premium access accurate (e.g., renewals, cancellations, refunds/voided purchases). The App contains no external links except its Terms of Service and this Privacy Policy. Subscription management (including cancellation) is handled through your Google Play account settings. 11. Changes to This Privacy Policy We may update this Privacy Policy at any time. Significant changes may be communicated in-app or through the Google Play listing. 12. Contact For privacy concerns, questions, or requests, contact: botakibapps@gmail.com