Privacy Policy

Effective Date: June 6, 2026

The short version

Project Kestrel is built to work without sending your photos or your personal data anywhere. The desktop app analyzes your photos on your own computer, and unless you choose otherwise, that is where they stay.

We collect a small amount of anonymous usage data to keep the app working and to know if it's crashing. We use a randomly-generated machine identifier — not your hardware serial, not your name, not your email — so we can count active users without knowing who they are.

If you choose to use Perch (our photo-sharing site) or Cloud Compute (our optional paid GPU service), then we do collect more, because we have to: we need an account so you can sign in, and we need to receive your photos so we can host or process them. Those services are opt-in. You do not need to create an account to use the desktop app, and the desktop app will never silently upload your photos to either of them.

This document explains exactly what we collect, exactly what we don't, and exactly how long we keep it.

1. Who we are

Project Kestrel is a free, open-source desktop application licensed under AGPLv3. It is built and operated by Project Kestrel LLC ("we", "us"). The desktop app's source code is public. The cloud services (Perch and Cloud Compute) are operated by us as hosted services and are not themselves open-source at this time.

For any privacy-related question or request, contact us at support@projectkestrel.org.

2. The three components of Project Kestrel

Project Kestrel has three parts. Each one has different privacy implications, so we describe them separately throughout this policy.

• Desktop app — Free, open-source, runs on your Windows or macOS computer. Analyzes your photos locally. This is what most people use, and most people stop here.
• Perch — An optional sharing platform at perch.projectkestrel.org that lets you upload entire timelines of your birding outings and send them to others. You explicitly choose which photos to upload. Perch is free at launch (with 2 GB storage limits per account).
• Cloud Compute — Optional paid service that offloads photo analysis to GPU servers, for users with very large libraries or slow computers. We process your photos, send you the results, and then delete your data.

A Project Kestrel account is required to use Perch or Cloud Compute. It is not required to use the desktop app.

3. What we collect — Desktop app

The desktop app is the most privacy-sensitive component because it has direct access to your photo library. Here is everything it sends to us.

Always sent (not optional)

When the app starts up and once per day while running, the app sends a small ping containing:

• A machine UUID — a random identifier generated the first time the app runs. It is stored in your app config file and is not derived from any hardware ID, MAC address, or serial number. You can reset it by deleting the config file.
• The operating system name and version (e.g. "Windows 11", "macOS 14.4").
• The app version (e.g. "1.2.0").
• A daily-active-user pulse — basically a heartbeat so we can count how many installations are alive on a given day.

When an analysis run completes, the app sends:

• The count of images that were just analyzed (a number, e.g. 1,427).
• Analysis speed statistics (how long each stage took).

That is the entirety of the non-optional telemetry. We do not see filenames, folder paths, image content, EXIF data, GPS coordinates, your IP-bound identity, or any species/quality results from the analysis.

Opt-in (off by default unless you explicitly turn it on)

If you turn on "detailed analytics" in settings, the app additionally sends:

• File sizes of the analyzed images.
• File formats used (e.g. JPEG, CR3, NEF).

Still no filenames. Still no image content.

Crash reports (Default Opt-in)

If the app crashes, by default it sends a crash report containing:

• A stack trace.
• The last few sessions of the app's internal log file.

Internal log files include the filenames and folder paths you analyzed. We keep this on purpose: most crashes are file-format-specific, and the library names in the stack trace (e.g. Python\packages\tensorflow\...) are exactly what we need to identify and fix the bug.

We do redact your username from paths before transmission. A path like C:\Users\johndoe\photos\trip.CR3 becomes C:\Users\<user>\photos\trip.CR3. So we can see the file structure without seeing who you are at the OS level.

You can disable crash reporting entirely in settings. You can also choose to attach the last three runtime sessions' logs when you submit feedback by ticking the "include recent analysis logs" box — that box is opt-in per-submission and is off by default.

Things the desktop app NEVER collects

• Your name, email, or any contact information.
• Your IP address as a stored record (it appears in transient web-server logs at our hosting provider, retained no longer than 30 days; we do not associate it with you).
• The contents of your photos.
• EXIF metadata (camera model, lens, GPS, timestamps) from your photos.
• Species, quality scores, or any output of the analysis.
• Bird names, location names, or anything derived from the image content.
• Files you did not analyze.
• Any directory listing of your computer.

4. What we collect — Project Kestrel account

You only have an account if you signed up. Sign-up happens when you choose to use Perch or Cloud Compute, never silently.

We use Clerk as our identity provider. Clerk handles sign-up, password storage, OAuth (Google, etc.), and session tokens. Information you give Clerk:

• Email address (required).
• Password (hashed by Clerk; we never see it).
• Optionally: a display name, a profile image, and a connected OAuth provider account.

We mirror a small subset of your Clerk profile into our own database so our services can show your username and avatar without calling Clerk on every request:

• User ID, username, first name, last name, display name, profile image URL.
• Account creation timestamp.

This mirror is refreshed lazily, on demand. When an authenticated request arrives and the cached row is older than 7 days, we re-fetch the current values from Clerk before serving the request. If you've been inactive longer than that, the mirror can be older than 7 days — the refresh fires on your next request, not on a schedule.

We also keep a short username history (so people who shared with @you last week don't get confused), capped at 3 username changes per 30 days.

Beyond what Clerk owns, we also store your profile visibility preference — a setting you control from your account settings that determines whether other Perch users can see your profile. The default is not visible.

If you subscribe to Cloud Compute, we additionally store:

• Subscription tier and status.
• Current billing period start and end.

5. What we collect — Perch

Perch only stores data when you take an explicit upload action.

For each "perch" (a shared photo set) you create, we store in our database:

• Title, description, visibility setting (draft / unlisted / restricted / public), and a public URL slug if you chose unlisted or public.
• The list of people you shared it with, if you chose restricted.
• Timestamps.
• Comments other users left on it, and photos you liked on others' perches.
• Group membership, if the perch is in a group.

For each photo asset within a perch, we store:

• The filename you uploaded.
• The file size.
• The image itself.

Every image you upload to Perch is a resized JPEG that the desktop app re-encodes from your original before upload. This re-encoding strips all EXIF metadata — including GPS coordinates, camera model, and timestamps — so that metadata never leaves your computer. This holds for everything Perch receives; your original RAW or JPEG files are never uploaded. (This applies to the official Project Kestrel app; see the Terms of Use on using only the official app.)

Default visibility for a new perch is "draft" (private) — visible only to you. You have to actively change it before anyone else can see it.

Deletion: you can delete any perch at any time, which removes its database rows and the actual images from our storage. Deleting your account deletes all your perches.

6. What we collect — Cloud Compute

Cloud Compute only stores data when you explicitly submit a job.

In our database, per job, we store:

• Job ID, your user ID, job status, image count, timestamps.
• Per-image: filename you uploaded, the location of the image in our storage, and per-image status.
• Job metadata (container info, event log) and short-lived access tokens for downloading the result.

In our storage, we keep:

• Your uploaded source images (used as input to analysis).
• The results of the analysis from our cloud computers.

Modal.com is our sub-processor for the actual GPU work. When you submit a job, your images are made available to a Modal container, which runs our analysis code and returns the results. Modal sees the image contents during processing, and the container — along with all images on it — is deleted when the job is done.

7. Image lifecycle in Cloud Compute

We deliberately added 3 layers of safeguards to ensure your photos are deleted as soon as we can.

Source images are deleted as soon as the analysis pack is returned. The three layers:

1. Primary deletion — On successful pack return, the worker hard-deletes every source image from our storage.
2. Failure sweep — If a job fails (Modal crash, network drop, container died), an automatic cleanup cron deletes every image belonging to that job within 10 minutes.
3. Storage-provider lifecycle fallback — We set up explicit policy controls within our storage provider, Cloudflare, so that even if these two layers fail, images expire and are deleted after 24 hours.

Results are deleted as soon as you download them — or after 30 days, whichever comes first. When your client successfully downloads a result, we delete it shortly afterward (we keep a brief grace window in case a download is interrupted). If you never download it, a 30-day lifecycle policy on our storage provider deletes it automatically; after that you'd need to re-run the job.

Once your images and results are gone, the only things we retain are job-level records: the job's identifiers, image counts, timestamps, and a scrubbed event history. We keep these for billing and usage analytics. We do not retain your image content, any analysis results, the filenames you uploaded, or per-image records — those are removed.

8. Kestrel is local-first

The desktop app is fully functional with no account, no internet, and no cloud services. You can install it, analyze your entire library, and never touch Perch, Cloud Compute, or a Project Kestrel account. If that is how you want to use Kestrel, nothing on this page other than the desktop-app telemetry section above applies to you.

9. Cookies and similar technologies

The marketing site at projectkestrel.org and the apps myaccount.projectkestrel.org and perch.projectkestrel.org use:

• Essential cookies — Clerk session cookies for sign-in. These are required for the site to work when you are signed in. They are not used for advertising or tracking across sites.
• Microsoft Clarity — We use Microsoft Clarity on our marketing site to understand how visitors navigate the page (heatmaps, scroll depth). You can opt out by using the cookie-preferences link in our site footer, or by enabling a browser-level Do Not Track preference.

The desktop app does not use cookies.

10. Third parties who process data on our behalf

• Clerk — Identity, authentication, sessions, and billing (Clerk Billing, when active). Receives: your email, password, profile info, sign-in events, and (for Cloud Compute subscribers) the payment information you provide at checkout.
• Cloudflare — Hosting, CDN, Workers, database, object storage. Receives: everything stored on our services, in the course of operating them.
• Modal.com — GPU sub-processor for Cloud Compute. Receives: the source images of any Cloud Compute job you submit, during processing.
• Resend — Transactional email delivery. Receives: recipient email addresses for share invites and DMCA-form delivery. We do not use Resend for marketing email.
• Microsoft Clarity — Privacy-focused analytics on our marketing site only (heatmaps, scroll depth). Receives: anonymized site-interaction data from visitors to projectkestrel.org. You can opt out via the cookie-preferences link in our footer. Not used on the desktop app, Perch, or Cloud Compute.

We do not sell your personal information to anyone whatsoever. We share data only with the processors above and as required by law. California residents have the right to know, delete, and correct their personal information, and not to be discriminated against for exercising these rights; contact support@projectkestrel.org.

International data transfers. We and our processors are based in the United States, so if you are in the EU or UK your personal data is transferred to and processed in the US. Where required, these transfers rely on appropriate safeguards such as the Standard Contractual Clauses (or our processors' equivalent transfer mechanisms).

Changes to our processors. We may add or replace the processors listed above as our services evolve. When we add a processor that will handle your personal data in a materially new way, we will update this Policy, revise the Effective Date, and — for account holders — note the change in an in-product or email notice before that processor begins handling your data.

11. Your rights

You can:

• See what we have about you — the MyAccount dashboard at myaccount.projectkestrel.org shows your profile, your perches, and your job history.
• Correct it — edit your profile, your perches, etc.
• Delete it — the "Delete account" action removes your account, your perches, and your Cloud Compute job history.
• Export it — request a copy of your account data at support@projectkestrel.org.
• Opt out of telemetry — the desktop app has explicit controls.
• Withdraw consent — you can stop using the cloud services at any time.

If you are in the EU/UK, you have additional rights under the GDPR (access, rectification, erasure, restriction, portability, objection, and the right to lodge a complaint with your supervisory authority).

Controller and lawful basis (EU/UK). Project Kestrel LLC is the data controller for personal data processed through the hosted services. We rely on: performance of our contract with you (to provide your account, Perch, and Cloud Compute); your consent (for opt-in detailed analytics and for analytics cookies); and our legitimate interests (to keep the service secure, prevent abuse, and understand basic usage), balanced against your rights.

12. Data retention and security incidents

How long we keep your data. We keep your account and your Perch content for as long as your account is active. When you delete your account, we remove your profile and your perches promptly, subject only to routine backups, which are purged within 30 days. Cloud Compute image content and analysis results are deleted on the schedule in Section 7. We retain some job-level records about your cloud compute jobs (job identifiers, image counts, timestamps, and a scrubbed event history — never filenames, per-image records, image content, or results) for billing, tax, and usage-analysis purposes. We keep these job records for as long as we reasonably need them to meet our legal, accounting, and tax obligations and to resolve any billing disputes, and we delete them once they are no longer needed for those purposes. Desktop telemetry is anonymous and is not tied to you.

If there's a security incident. If we become aware of a breach affecting your personal data, we will notify affected users and any authorities required by law without undue delay, and tell you what happened and what we are doing about it.

13. Children

Project Kestrel is not directed at children. You must be at least 18 years old to create an account. If you believe a child has created an account, contact support@projectkestrel.org and we will remove it.

14. Changes to this policy

When we change this policy, we update the Effective Date at the top and at legal.json. If you have an account, we will require you to review and accept the new policy before you can perform a new upload to Perch or submit a new Cloud Compute job. You will not be locked out of viewing or deleting data you already have.

15. Contact

support@projectkestrel.org