Privacy Policy
Summary
Shrimp Farm is offline-first. Your farm data — ponds, cycles, water readings, feed, harvests, costs — lives on your device by default and is never sent to us unless you turn on account sync (a separate opt-in feature). If you enable account sync, those records are uploaded to your account so you can use them across devices and, if you choose, share them with an organization you authorize — and that upload includes farm and pond precise locations (GPS coordinates) you enter, select or explicitly capture, unless you turn off sync for a pond location, and farm identifiers you enter. With sync off, we collect nothing.
Separately, you can opt in to anonymous, privacy-friendly telemetry to help improve the app. Telemetry carries no personal data and no farm data, you can turn it off at any time, and you can delete it.
This website
This website uses cookieless, privacy-friendly analytics (page views only) that load only after you accept the consent banner. No cookies, no personal data, no cross-site tracking. If you decline, no analytics run.
Early-access waitlist
If you submit your email to join the Android beta waitlist, we store only that email address, your language, and the fact that it came from this site — solely to invite you when the beta opens. We keep it for up to 180 days, we never sell or share it, and you can ask us to delete it at any time at privacy@shrimpfarm.app.
What we collect (only with your opt-in)
- Anonymous analytics — only if you enable it: which screens/actions are used (from a fixed, published event whitelist), app version, OS (platform name only, not the version), coarse device class where the platform reports it (e.g. not on Android), and locale. Purpose: understand usage and improve the app.
- Crash reports — only if you enable them: error type and a scrubbed message/stack (emails, file paths, URLs, quoted values and long numbers are removed on-device before sending), app version, OS.
- Feedback — only when you send it: your message, app version, coarse device class where available, and — only if you type it — a contact email; optional diagnostics (only app version, OS, device class and locale — never your events or error logs) if you toggle them on.
Every telemetry item — analytics, crash and feedback — also carries an anonymous install id: an app-generated identifier (a ULID) that encodes only the moment it was created — nothing about your device or who you are — used only as a handle so you can delete your data. You can reset it at any time (which unlinks future data from past data) or delete it.
What account sync sends (only if you enable it)
Account sync is off by default and separate from telemetry. When you turn it on, the records you create are uploaded to your account: your farm & production records (ponds, cycles, water, feed, harvests, costs, samplings, shrimp disease observations/treatment records you enter, including any withdrawal period/source you record, and a farm presentation role used to keep pond-first, multi-site and removable demo grouping consistent); farm and pond precise locations (GPS latitude/longitude) when you enter, select or explicitly capture them, except pond locations for which you turn sync off; and farm identifiers (a registration/licence id and the farm's timezone). This is your data under your account — retained while your account exists, sent over TLS, and shared with a third party only when you grant an organization access (revocable). It is never advertising data and never sold.
Shrimp disease and treatment entries concern farm animals and farm operations, not your human health. The app does not infer a diagnosis or recommend a product, dose or withdrawal period; account sync stores only what you enter.
If a signed-in owner explicitly creates a demo workspace, we generate a separate synthetic account with sample farms, histories, image-log metadata and fictional team names and roles. It is linked to the signed-in user only so they can open, reset and remove it, and it is not mixed with their real account or used for analytics. A partner can likewise create a four-farmer synthetic cohort for an approved organization; normal grants, projection and access-audit controls still apply. Records or photos a user adds inside a demo follow the normal storage rules and are removed with that demo workspace.
Pond images
On Android, photos added to a pond log are privacy-normalized (including removal of EXIF location metadata) and stored in the app's private storage. The image and thumbnail stay on that device by default. Ordinary account metadata sync does not upload them. If account sync is enabled, only the record metadata — pond, date/time, your comment and a selected historical measurement snapshot — is uploaded as farm data. Another device may therefore show the record with a “file only on the original device” placeholder.
Sync photo files is a separate, versioned choice and is off by default. If you enable it, the privacy-normalized photo and thumbnail are uploaded over TLS to private, access-controlled object storage, with Wi-Fi/Ethernet-only transfers by default. Signed-in devices and the web app use short-lived private links; there are no permanent public photo links or storage credentials in the app. Turning the switch off stops new transfers but keeps existing private copies until you delete/exclude them or erase the account. “Never sync this photo file” cancels transfers and removes that photo's cloud copy while its image-log metadata may still sync.
An organization can preview photos only if you separately grant its approved members the Images data block. Every preview is checked and audited. Organization membership or payment alone never grants photo access.
Manual backups and Android system backup
When you choose Back up my data, the Android app creates a versioned, unencrypted ZIP containing the farm database and pond-photo originals and thumbnails that are locally available at that time. “Never sync this photo file” controls cloud photo sync and does not exclude a file from a backup you explicitly create. Missing local files remain metadata-only placeholders. Nothing is exported until you choose a destination in Android's document picker; a third-party storage provider you select applies its own terms and privacy policy.
Shrimp Farm disables Android Auto Backup and Android device-to-device transfer for its private database and files. The supported local-only phone migration path is the explicit ZIP backup and restore flow.
AI sampling photos and optional model download
On supported Android devices, the optional AI sampling flow creates a privacy-normalized temporary copy of the photo and analyzes it on that device. The photo, masks and unconfirmed result are not uploaded, synced, sent to telemetry or retained when you leave the flow. Only count and total sample weight that you review and save become an ordinary farm sampling record.
If you explicitly download the optional ONNX model, the app fetches only that model package over HTTPS, verifies its app-pinned size and SHA-256 hash, and stores it privately. The request contains no photo, farm identifier or sampling result. The production model host may receive ordinary connection data such as IP address and request time; its provider and retention terms will be confirmed before release.
Voice logging and microphone access
On Android, you can tap the optional Voice logging control to enter short English commands. Before first use, the app explains the microphone use and then requests Android permission. The microphone is read only while the app is in the foreground and the control visibly says Listening; Stop, Cancel, app backgrounding or the short utterance limit closes it.
Microphone audio and partial or final transcripts are processed on the device and are not saved, uploaded, synchronized, sent to telemetry or written to diagnostic logs. After a visible review and a separate OK/OKAY, only the resulting ordinary farm log may be saved; it follows the account-sync rules above. The audio and transcript do not. Release 1 has no wake-word, continuous/background microphone or microphone foreground service.
The optional English voice model is downloaded only when you choose it, from our first-party HTTPS model channel, and is verified by pinned size and SHA-256. That request contains no audio, transcript, farm identifier or logged value. Standard hosting connection data such as IP address and request time may still be processed by the hosting provider.
Pond location and device permission
On Android, Use current location can request foreground (“while in use”) location access and obtain one device position for a pond. The app asks only after you tap that action. It does not monitor location in the background, keep a location stream, or request background location permission. You can instead choose a point in the configured in-app map or enter coordinates manually. Reverse-geocoded addresses are approximate labels.
With account sync off, the pond point stays on your device. With account sync on, a new pond location is included by default; you can turn off Sync this pond location before saving or later. That pond's location then stays local while its other records continue to sync. Location is never included in anonymous telemetry.
What we do NOT collect
- No third-party analytics SaaS (no Firebase/Sentry-type processors). Data goes only to our own servers.
- No advertising id and no
AD_IDpermission; no contacts. - Voice-command microphone audio and transcripts never leave the device and are not retained; no Audio files or Voice recordings are collected.
- In telemetry specifically — no personal identifiers, no precise location, and no farm or financial data. Analytics/crash/feedback parameters are restricted to a fixed whitelist; anything else is dropped before it is stored. (Account sync, above, is the separate opt-in path that does upload farm records including precise location — telemetry never does.)
Legal basis and consent
Analytics and crash reporting are off by default. In the app, a single optional choice at first run — unticked by default — turns them on together; afterwards you can turn each of them on or off independently at any time in Settings → Privacy & data. On the web, the consent banner controls analytics. We always ask before anything is sent, and you can withdraw consent at any time; withdrawal stops new data and discards anything still queued on the device.
Photo-file sync has its own disclosure and switch, off by default. Withdrawing it stops and cancels new transfers. Individual “Never sync” controls remove selected cloud copies.
How long we keep it (retention)
- Analytics events: 90 days
- Crash reports: 30 days
- Feedback: 180 days
- Account records and opted-in pond photos: while the account exists, unless deleted sooner
Data is deleted automatically after these windows.
Your rights and controls
In Settings → Privacy & data you can:
- Turn analytics and crash reporting on or off independently, at any time.
- Reset your anonymous id — future data will not be linkable to past data.
- Delete my data — permanently removes all anonymous analytics, crash and feedback data linked to your install from our servers (you get a deletion receipt id).
Data transfer and security
All telemetry is sent over TLS to our own infrastructure. Anonymous endpoints are rate-limited and protected by a non-user application key (anti-abuse only, not an identifier). Access to the internal analytics database is read-only and restricted to our operators.
Children
The app is not directed to children and we do not knowingly collect data from children.
Changes
We may update this policy; material changes will be reflected here with a new date and, where appropriate, surfaced in the app.
Who we are & contact
Shrimp Farm is built independently by Zykov Dmitrii. It is not owned by any feed company, lender or marketplace. Questions or data requests: privacy@shrimpfarm.app.