App Information

WildNeighbour is a community-oriented mobile application that enables users to report baboon sightings in domestic areas. Real-time notifications alert nearby residents, helping communities stay informed and safe. The sighting data is also provided to local municipalities and environmental groups for reporting purposes.

Tutorial

Tutorial content and detailed user guides will be available here soon.

Reporting Features

Details about how to log and submit wildlife reports will be available here soon.

Privacy Policy

Last Updated: 16 April 2026

WildNeighbour is a community app for reporting and tracking baboon sightings in the Cape Peninsula. It is operated by LekaDev ("we", "us", "our").

We take your privacy seriously. This policy explains what personal information we collect, why we collect it, how it is protected, and what rights you have under:

  • South Africa's Protection of Personal Information Act, 2013 (POPIA)
  • The European Union's General Data Protection Regulation (GDPR), which applies to any users in the European Economic Area (EEA) who access the web version of the app

Where requirements differ between the two frameworks, we apply the stricter standard.

1. Who This Policy Applies To

This policy applies to everyone who uses the WildNeighbour app, including:

  • Registered users — people who create an account with an email address
  • Guest / anonymous users — people who use the app without registering (limited functionality; see section 3)
  • Admin and municipality users — accounts with elevated roles granted by the operator

Data controller / Information Officer:
LekaDev — support@lekadev.co.za

2. The Information We Collect

2.1 Account Information

When you register, we collect:

  • Your email address
  • A password (stored as a one-way cryptographic hash via Firebase Authentication — we never store your plain-text password)
  • An internal account identifier (Firebase UID) assigned when you register
  • Email verification status — whether you have confirmed your email address

2.2 Location Information

We collect location data in the following contexts:

Monitoring location — You may set a location and radius to receive notifications when baboons are reported nearby. This stores the GPS latitude and longitude of your chosen monitoring point and your preferred notification radius (in kilometres). This location is set manually by you; the app does not automatically detect your device's GPS position.

Sighting locations — When you submit a baboon sighting, we store the GPS coordinates of the sighting, along with the time and a count of baboons observed.

Bin report locations — When you report an unsecured bin, we store the GPS coordinates of the bin and the street address obtained via reverse geocoding.

2.3 Reports and Descriptions

  • Sighting reports: The number of baboons, an optional movement direction, and an optional free-text description you write
  • Bin reports: A street address and a free-text description of the problem (minimum 10 characters, maximum 500 characters)

2.4 Notification Token

If you enable push notifications, we store a Firebase Cloud Messaging (FCM) token — a device-level identifier used solely to deliver alerts to your device. This token is automatically refreshed by the app and updated in our database.

2.5 App Preferences

We store your in-app preferences, including whether notifications are enabled, your preferred sighting expiry time, and your theme preference (light/dark).

2.6 Password Security Records

To protect against password reuse, we retain cryptographic hashes of your last five passwords. These hashes are stored in a Firestore collection that is inaccessible from the app — only our server-side Cloud Functions can read or write them.

2.7 Temporary Security Data

During the password reset flow, we temporarily store a hashed one-time passcode (OTP) valid for 10 minutes, rate-limiting records to prevent abuse (reset after one hour), and lockout records if too many failed attempts occur (reset after one hour). All of this data is deleted automatically once the reset is complete or the window expires.

2.8 User Role

Each account has a role field (user, admin, or municipality). Roles are assigned by the operator and cannot be changed by users themselves.

3. Guest / Anonymous Users

You can browse the app and receive notifications without creating an account. In this case:

  • No email address or password is collected
  • Firebase assigns an anonymous session identifier, which is not linked to any personal information
  • Your monitoring location and FCM token are stored under this anonymous identifier

If you later create an account, your anonymous session data is not automatically merged with your new account.

4. Why We Collect This Information (Lawful Basis)

We only process personal information when there is a clear, lawful reason to do so. Under both POPIA and GDPR, the following bases apply:

Data | Lawful Basis | Purpose
Email address, password | Performance of a contract — necessary to create and maintain your account | Account creation, login, password resets
Monitoring location, FCM token | Consent — you actively choose to enable notifications and set a monitoring area | Delivering nearby-sighting alerts
Sighting reports | Legitimate interest — community safety; users expect their reports to appear on the shared map | Displaying sightings to all users
Bin reports | Legitimate interest / consent — you choose to report an unsecured bin, understanding it will be reviewed by admins | Alerting admins to bin hazards
Password history hashes | Legitimate interest — security hardening to protect your account | Preventing password reuse
OTP and rate-limit data | Legitimate interest — security | Securing the password reset process

You may withdraw consent for notifications at any time by disabling them in app settings or your device's notification settings. Withdrawing consent will not affect the lawfulness of processing that occurred before withdrawal, but we will stop sending notifications and will no longer need to retain your FCM token.

We do not use your data for advertising, and we do not sell or rent your data to any third party.

5. Who Can See Your Data

5.1 All authenticated users

Sightings on the map — every sighting's location, time, baboon count, movement direction, and description is visible to all registered users. Sightings are not attributed to you by name in the app interface, but your user ID is stored against each sighting internally.

5.2 Admin and municipality users only

  • Bin reports — the full details of every bin report (location, address, description, who reported it, and resolution status) are visible only to users with an admin or municipality role.
  • User statistics — admins can view a table showing registered users' email addresses, join dates, roles, sighting counts, and bin report counts.
  • Monitoring coverage — admins and municipality users can view an anonymised overlay of monitoring locations (latitude, longitude, and radius only — no names or UIDs are shown).

5.3 The operator

As the operator, we have access to all data in the Firebase project, including data not surfaced in the app UI.

6. Third-Party Services

We use the following external services. Each processes some of your data under its own privacy policy.

6.1 Google Firebase (Google LLC)

We use Firebase for:

  • Firebase Authentication — handling account creation, login, and session management
  • Cloud Firestore — our database, hosted in the africa-south1 (Johannesburg) region
  • Firebase Cloud Messaging — delivering push notifications to your device
  • Cloud Functions — server-side processing (notifications, password resets, admin queries)

Data location: Our primary Firebase project is configured with the africa-south1 (Johannesburg) region. However, some Firebase infrastructure (such as authentication services) may involve Google servers in other regions, including outside South Africa and the EEA. Google processes data under its Data Processing Terms, which include Standard Contractual Clauses for international transfers.

GDPR note: For EEA users, transfers to Google servers outside the EEA are covered by Google's Standard Contractual Clauses.

Google Privacy Policy: https://policies.google.com/privacy

6.2 OpenStreetMap / Nominatim (OpenStreetMap Foundation)

When you search for a location in the app (e.g., to set your monitoring area), your search text is sent to the Nominatim geocoding API (nominatim.openstreetmap.org). Nominatim is also used to convert GPS coordinates into a street address for bin reports.

These requests are made from your device and include a User-Agent header identifying the app as BaboonWatch/1.0. Your IP address is visible to Nominatim's servers as part of the standard HTTP request. We do not send your account details or UID to Nominatim.

OpenStreetMap Privacy Policy: https://wiki.osmfoundation.org/wiki/Privacy_Policy

6.3 OpenStreetMap Tile Servers

Map tiles (the background map imagery) are fetched from tile.openstreetmap.org. Your IP address is visible to OpenStreetMap's tile servers. Tiles are cached locally on your device to reduce repeated requests.

6.4 Email Provider (Password Resets)

When you request a password reset, a one-time passcode is emailed to you via an SMTP email service. Your email address and the OTP are transmitted to the email provider for delivery purposes only.

7. Data Storage and Security

  • Encryption in transit: All communication with Firebase and OpenStreetMap uses HTTPS/TLS.
  • Encryption at rest: Firebase encrypts all data at rest by default.
  • Firestore security rules: Database access is enforced at the server level. Users can only read and write their own settings document. Sensitive collections (password history, OTPs, rate limits) are inaccessible to the app — only our Cloud Functions can access them. Bin reports are restricted to admin and municipality roles.
  • Local device storage: The app caches sighting data and map tiles locally on your device using Hive and Firestore's offline persistence. This data is stored in the app's private storage directory and is not accessible to other apps.
  • Password security: Passwords are hashed by Firebase Authentication. Historical password hashes are stored using bcrypt (10 rounds). OTP codes are hashed before storage and expire automatically.
  • Background processing: The app periodically checks for new sightings in the background (approximately every 15 minutes) to support local notifications. This requires a network connection and uses your stored monitoring location.
  • Role-based access control: Admin and municipality features are enforced both in Firestore security rules and in our Cloud Functions. Users cannot escalate their own role.

Despite these measures, no system is completely secure. We recommend using a unique, strong password for your account.

8. Data Retention

Data | Retained For
Account, settings, and role | Until you request deletion
Sighting reports | Indefinitely — sightings contribute to the community safety record
Bin reports | Until resolved or until you request deletion
Password history hashes | Until you request deletion
FCM notification token | Until you disable notifications or request deletion
OTP codes | 10 minutes (automatically deleted)
Rate-limit / lockout records | 1 hour (automatically deleted)

We retain personal information only for as long as is necessary for the purposes described in this policy. When you request deletion of your account, we will delete your personal data within 30 days. Sighting reports you have submitted will be anonymised (your user ID removed) rather than deleted, as they form part of the community safety record.

We do not currently have an in-app account deletion feature. To request deletion, please contact us at the address in section 14.

9. Data Breach Notification

If we become aware of a data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the Information Regulator of South Africa within 72 hours of becoming aware (POPIA requirement)
  • For GDPR purposes, notify the relevant supervisory authority in the EEA within 72 hours
  • Notify affected users as soon as reasonably practicable where the breach is likely to result in a high risk to them

10. Children's Privacy

WildNeighbour is not intended for children under the age of 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.

11. Your Rights

11.1 Rights under POPIA (South African residents)

Under the Protection of Personal Information Act, 2013, you have the right to:

  • Access — request a copy of the personal information we hold about you
  • Correction — request that inaccurate, irrelevant, or outdated information be corrected or updated
  • Deletion — request that your personal information be deleted, subject to our legal obligations to retain certain records
  • Objection — object to the processing of your personal information where we rely on legitimate interest as our lawful basis
  • Complaint — lodge a complaint with the Information Regulator of South Africa if you believe we have violated your rights under POPIA

11.2 Rights under GDPR (EEA residents)

If you are in the European Economic Area, you have the right to:

  • Access — obtain a copy of your personal data
  • Rectification — have inaccurate data corrected
  • Erasure ("right to be forgotten") — request deletion of your data where there is no compelling reason to continue processing it
  • Restriction — request that we limit our processing of your data in certain circumstances
  • Data portability — receive your data in a structured, commonly used, machine-readable format
  • Objection — object to processing based on legitimate interest
  • Withdraw consent — where processing is based on consent (e.g., notifications), withdraw consent at any time without affecting the lawfulness of prior processing
  • Complaint — lodge a complaint with the supervisory authority in your EU member state

To exercise any of these rights, contact us using the details in section 14. We will respond within 30 days.

12. Supervisory Authorities

South Africa — Information Regulator

Website: https://inforegulator.org.za

Email: inforeg@justice.gov.za

EU/EEA users may contact the data protection authority in their country of residence.

A list of EU supervisory authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en

13. Changes to This Policy

We may update this policy from time to time. When we do, we will update the "Last updated" date at the top of this document. For significant changes, we will notify registered users via email at least 14 days before the changes take effect. Continued use of the app after changes take effect constitutes acceptance of the revised policy.

14. Contact Us

If you have any questions about this policy, wish to exercise your rights, want to report a privacy concern, or wish to request deletion of your data, please contact:

Information Officer / Data Controller

LekaDev

Email: support@lekadev.co.za

Website: lekadev.co.za

We aim to respond to all privacy-related inquiries within 30 days.