Product
AnalysisFieldKit
Over onsContact
Thema
InloggenPlan een gesprek

Privacy Policy

Version 1.0 · Effective date: Apr 1, 2026 · Last updated: Apr 1, 2026

1. Who We Are

Wildflyer B.V. ("Wildflyer", "we", "us", or "our") provides a wildfire intelligence platform for fire services and emergency management organisations. Our products include Wildflyer Analyst (a web application) and Wildflyer FieldKit (a native mobile app for iOS and Android).

Data Controller:

Wildflyer B.V.

Kapteynstraat 1, Suite 140

2201 BB Noordwijk, The Netherlands

Email: daan@wildflyer.co

KvK (Chamber of Commerce): 91830192

This Privacy Policy explains how we collect, use, store, and protect personal data when you use our products or visit our website. It applies to all users of Wildflyer Analyst, Wildflyer FieldKit, and wildflyer.co.

2. What Data We Collect

2.1 Account Data

When you create an account or are invited by your organisation, we collect your name, email address, and organisation affiliation. We use email-based one-time password (OTP) authentication — we do not store traditional passwords.

2.2 Usage Data

We collect information about how you interact with our products, including pages visited, features used, and timestamps. This helps us improve the platform. Web analytics are processed using Umami, which is self-hosted on our own EU infrastructure — no data is sent to third parties for analytics purposes.

2.3 Device and Technical Data

We collect IP addresses, browser/device type, operating system, and screen resolution. On the FieldKit mobile app, we additionally collect device identifiers for push notification delivery and basic device telemetry for map rendering (via Mapbox).

2.4 Location Data

Wildflyer FieldKit may request access to your device's location. This is used to show your position on the incident map and to enable location-aware features like nearby incident alerts. Location data is shared with your team members within the app when you are on an active incident. You can disable location access in your device settings at any time.

2.5 Camera and Media

FieldKit may request access to your device's camera and photo library to allow you to capture and upload incident photos and videos. These media files may contain embedded metadata such as GPS coordinates (EXIF data) and timestamps. Uploaded media is stored on our servers and shared with members of your organisation who have access to the relevant incident.

2.6 Push Notifications

FieldKit uses push notifications to deliver incident alerts and team communications. We use Expo Push Service as a relay and Apple Push Notification service (APNs) for iOS delivery. Push notification tokens are device-level identifiers and are not linked to your personal identity by the relay services. Notification payloads are encrypted in transit. You can disable push notifications in your device settings.

2.7 Incident and Operational Data

Data you enter into the platform — incident reports, perimeter drawings, team assignments, weather observations, photos, and other operational content — is stored and processed to provide our services. This data may contain personal information about emergency personnel or members of the public involved in incidents.

2.8 Payment Data

If your organisation subscribes to a paid plan, payment processing is handled by Stripe. We store your billing contact details (name, email, billing address) but do not store or have access to credit card numbers or bank account details — these are handled entirely by Stripe.

2.9 Error and Crash Data

We use Sentry (hosted in the EU, Germany) to monitor errors and performance issues across both Analyst and FieldKit. When an error occurs, Sentry may collect your user ID, email, display name, IP address, device information, and technical stack traces. This data is used exclusively for debugging and improving platform stability.

3. Why We Process Your Data (Legal Basis)

We process personal data under the following legal bases as defined in the GDPR:

  • Performance of a contract (Art. 6(1)(b)) — to provide and maintain our platform services as agreed with your organisation
  • Legitimate interests (Art. 6(1)(f)) — to improve our products, ensure platform security, prevent fraud, and provide customer support
  • Consent (Art. 6(1)(a)) — for optional features such as push notifications and location sharing, which you can withdraw at any time through your device settings
  • Legal obligation (Art. 6(1)(c)) — where required by law, for example tax and accounting records related to billing

4. How We Use Your Data

We use the data we collect to:

  • Provide, operate, and maintain the Wildflyer platform (Analyst and FieldKit)
  • Authenticate your identity and manage your account
  • Deliver notifications, alerts, and incident communications
  • Process payments and manage subscriptions
  • Monitor and fix errors, crashes, and performance issues
  • Improve our products based on usage patterns (using self-hosted analytics)
  • Respond to your support requests
  • Comply with legal obligations

We do not sell your personal data. We do not use your data for advertising. We do not use your data to train machine learning models.

5. Who We Share Data With

We share personal data only with trusted third-party service providers (sub-processors) who help us deliver our platform. Each sub-processor is bound by a Data Processing Agreement and processes data only on our instructions.

A complete, up-to-date list of our sub-processors — including what data each processes, their legal entity, and their data residency location — is maintained in our List of Data Processors.

Key sub-processors include:

  • Hetzner (Germany) — infrastructure hosting and data storage
  • Vercel (global CDN) — static web app delivery
  • Stripe (US/EU) — payment processing
  • Brevo (France) — transactional email delivery
  • Sentry (Germany) — error tracking and performance monitoring
  • Mapbox (US) — native map rendering in FieldKit
  • MapTiler (Switzerland) — map tiles and geocoding in Analyst
  • Expo (US) — mobile app infrastructure and push notification relay
  • Bunny.net (Slovenia/EU) — video streaming and CDN

We may also share data if required by law, regulation, or court order.

6. Where We Store Your Data

Your data is primarily stored and processed within the European Union, specifically in Germany (Hetzner data centers in Falkenstein and Nuremberg).

Some sub-processors are based in the United States (Stripe, Mapbox, Expo, Vercel). Where data is transferred outside the EEA, we ensure appropriate safeguards are in place as required by GDPR, including the EU-US Data Privacy Framework, Standard Contractual Clauses (SCCs), or adequacy decisions.

For details on each sub-processor's data residency, see our List of Data Processors.

7. How We Protect Your Data

We implement appropriate technical and organisational measures to protect your data, including:

  • Encryption of data in transit (TLS 1.3) and at rest (AES-256)
  • Role-based access control and multi-factor authentication
  • Regular security assessments and vulnerability testing
  • ISO 27001-certified data centres (Hetzner)
  • Daily encrypted backups with 90-day retention
  • 24/7 system monitoring and alerting
  • Employee training on data protection

For full details, see the Technical and Organisational Measures appendix in our Data Processing Agreement.

8. How Long We Keep Your Data

We retain your personal data for as long as your account or your organisation's subscription is active. When an account or subscription is terminated:

  • Your organisation has 60 days to export all data
  • After the export period, personal data is deleted from active systems
  • Backup copies are deleted or anonymised within 90 days
  • Billing records may be retained for up to 7 years as required by Dutch tax law

9. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you
  • Rectification — ask us to correct inaccurate or incomplete data
  • Erasure — ask us to delete your personal data (subject to legal retention requirements)
  • Restriction — ask us to limit how we process your data
  • Portability — receive your data in a structured, machine-readable format
  • Objection — object to processing based on legitimate interests
  • Withdraw consent — for processing based on consent, such as push notifications or location sharing

To exercise any of these rights, contact us at daan@wildflyer.co. We will respond within 30 days.

If you are not satisfied with our response, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.

10. Cookies and Tracking

Our website and web application use minimal cookies required for functionality:

  • Session cookies — to keep you logged in during your session
  • Security cookies — for CSRF protection and rate limiting

We do not use third-party advertising cookies or tracking pixels. Our web analytics (Umami) are self-hosted and do not use cookies — they collect anonymous, aggregated usage data only.

11. FieldKit Mobile App — Additional Disclosures

This section provides additional information specific to the Wildflyer FieldKit mobile app, as required by Apple and Google's app store policies.

11.1 Data Collected by FieldKit

Data TypePurposeShared with Third Parties?Optional?
Name and emailAccount authentication, team identificationBrevo (email delivery), Sentry (error context)Required
Precise locationShow position on incident map, location-aware alertsMapbox (map tile requests contain approximate location)Optional (device permission)
Photos and videosIncident documentationHetzner Object Storage (hosting)Optional (device permission)
Push notification tokensDelivering incident alertsExpo Push Service, Apple APNsOptional (device permission)
Device info, IP addressError tracking, performance monitoringSentry (EU, Germany)Required
Device telemetryMap renderingMapboxRequired for map features

11.2 Offline Data Storage

FieldKit stores some data locally on your device for offline functionality. This includes cached incident data, map tiles, and queued actions that sync when connectivity is restored. This local data is protected by your device's native security (passcode, biometrics) and is cleared when you log out of the app.

11.3 Third-Party SDKs

FieldKit includes the following third-party SDKs:

  • Mapbox Maps SDK — for 3D map rendering and terrain visualisation. Mapbox may collect anonymised telemetry data (which can be disabled). See Mapbox Privacy Policy.
  • Sentry SDK — for crash reporting and error tracking. Data is sent to Sentry's EU (Germany) data centre. See Sentry Privacy Policy.
  • Expo SDK — for push notifications and over-the-air updates. See Expo Privacy Policy.

12. Children's Privacy

Wildflyer is a professional tool designed for fire services and emergency management organisations. Our products are not directed at children under the age of 16, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our products, practices, or legal requirements. When we make material changes, we will notify affected users by email and update the "Last updated" date at the top of this page. We encourage you to review this policy periodically.

14. Contact Us

If you have any questions about this Privacy Policy, your personal data, or wish to exercise your rights, please contact:

Wildflyer B.V.

Kapteynstraat 1, Suite 140

2201 BB Noordwijk, The Netherlands

Email: daan@wildflyer.co

Phone: +31 6 460 710 67

Related Documents

Version 1.0 — April 2026