Privacy Policy

Last updated: 4 March 2026 Effective date: 4 March 2026

This Privacy Policy describes how CMP IT ApS ("we", "us", or "our") collects, uses, and protects your personal data when you use the Camwarden platform ("Service"). We are the data controller for personal data processed through the Service and are committed to compliance with the EU General Data Protection Regulation (GDPR) and other applicable privacy laws.

1. Who We Are

CMP IT ApS CVR: 41254041

General enquiries: [email protected] Privacy enquiries: [email protected]

For all questions relating to this Privacy Policy or the exercise of your data protection rights, please contact us at [email protected].

2. Data We Collect

2.1 Account Data

When you register, we collect your name and email address. Depending on the authentication method in use, we may authenticate you via a one-time code (OTP) sent to your email address, or via a password stored as a cryptographic hash. We do not store passwords in plain text.

If you sign in via a social login or OAuth provider (such as Google or GitHub), we may receive basic profile information from that provider — typically your name, email address, and profile picture — subject to the permissions you grant during the sign-in flow. We use this information solely to create or authenticate your account.

If you authenticate using a passkey, we store a public key credential associated with your account. The corresponding private key, and any biometric used to unlock it on your device, never leave your device and are never transmitted to or stored by us.

You may also choose to set a display name and upload a profile avatar for your personal account, and a name and avatar for any team you create or manage. These are optional and provided voluntarily. If you subscribe to a paid plan, payment is handled by our payment processor — we do not store your full card details.

2.2 Camera and Media Content

We store images and videos you upload, or that are delivered to the Service via email or MMS ingestion. Where this content contains embedded metadata (such as EXIF data including GPS coordinates or timestamps), that metadata is stored alongside the content.

2.3 Location Data

If you manually associate cameras or media with a geographic location, we store those coordinates. This data is used solely to provide the Service features you have requested.

2.4 Usage Data

We collect standard technical data necessary to operate the Service, such as IP addresses, device type, browser type, and interaction logs. This data is used for security, debugging, and service improvement. Where we use automated bot detection or CAPTCHA tools, those systems may also analyse browser and device signals (such as interaction patterns and browser characteristics) to distinguish human users from automated traffic. No additional personal data is collected beyond what is described in this section.

2.5 Communications

If you contact us by email or through the platform, we retain that correspondence for as long as is reasonably necessary to resolve your enquiry and for legitimate record-keeping purposes.

2.6 Public Share Links

You may choose to create a public share link for individual photos or media items. When you do so, you voluntarily make that content — including any embedded metadata such as GPS coordinates or timestamps — accessible to anyone who holds the link, without requiring authentication. The decision to share content publicly, including the decision to include location data, is made entirely by you.

Share links may be configured with an expiry duration at the time of creation. You may also revoke a share link at any time through your account settings. Once revoked, the link will cease to function, though copies of the content may persist temporarily in content delivery caches for a short period before being cleared. We cannot guarantee immediate removal from all caching layers following revocation.

3. How We Use Your Data

We process your personal data only for the purposes and on the legal bases set out in the table below.

4. AI Processing and Model Training

Your media content is processed by automated AI systems for species and object detection as part of delivering the Service to you. This is carried out on the legal basis of performance of contract (Art. 6(1)(b) GDPR).

Your content may also be used to improve and train our AI detection models. We carry out this processing on the basis of our legitimate interests (Art. 6(1)(f) GDPR) in improving the accuracy and quality of detection for all users of the Service.

Before activating any model training programme that uses your content, we will notify you clearly through the Service or by email. You have the right to object to this processing at any time under Art. 21 GDPR. To opt out, contact us at [email protected] and we will exclude your content from model training going forward. Your continued use of the Service after notification, without opting out, indicates that you do not object to this use.

We will never use your content for any purpose unrelated to providing or improving the Service.

5. Location and GPS Data

Location data — whether derived from EXIF metadata in uploaded files or manually associated by you — is treated with particular care. It is used only to provide the features you have requested and is never sold or shared with third parties for commercial purposes. Where location data is embedded in media uploaded to the Service, it will be retained only for as long as the media itself is retained.

If you create a public share link that includes media with embedded location data, that location information becomes accessible to anyone with the link. We strongly recommend reviewing the metadata included in any content before generating a public share link, particularly where location data could reveal sensitive information such as a property address or private land.

6. Data Sharing

We do not sell your personal data. We share data only with third-party processors in the following categories, each engaged under written data processing agreements that comply with GDPR requirements:

• Cloud infrastructure and storage providers — database hosting and file storage
• Cloud compute providers — backend processing, including AI inference and email/MMS ingestion pipelines
• Payment processors — billing and subscription management
• CDN and security providers — content delivery, DDoS protection, and network security
• Email and messaging providers — transactional email delivery and MMS ingestion routing

The specific processors we engage within these categories may change over time. Where we change a processor, we will ensure the replacement meets equivalent data protection standards and update our records accordingly. All processors are contractually obligated to handle your data in accordance with GDPR and solely on our instructions. You may request details of our current processors by contacting us at [email protected].

We may also disclose personal data where required by law, court order, or to protect our legal rights and the safety of others.

7. International Transfers

Some of our processors may be located or store data in countries outside the European Economic Area (EEA). Where such transfers occur, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other appropriate safeguards as recognised under GDPR Chapter V. You may request a copy of the relevant safeguards by contacting us at [email protected].

8. Data Retention

We retain your personal data for as long as your account is active and as necessary to provide the Service to you. If you delete your account, we will delete your personal data within 30 days of that request, except where we are required to retain it for legal or financial compliance purposes (for example, billing records may be retained for up to five years under Danish bookkeeping law).

Inactive Accounts

If your account has had no login activity for 24 consecutive months, we will send a notice to your registered email address. If you do not log in or respond within 30 days of that notice, we may delete your account and all associated data. We will not delete your account without this prior notification. You may request reactivation at any time before deletion occurs.

Media Retention

Camera media (images and videos) is retained in accordance with your subscription plan. Media associated with a deleted account is removed within 30 days of account deletion, subject to any applicable legal retention obligations.

9. Business Transactions

If CMP IT ApS is involved in a merger, acquisition, asset sale, restructuring, or insolvency proceedings, your personal data may be transferred as part of that transaction. In such circumstances, we will take reasonable steps to ensure that the receiving party is bound by obligations consistent with this Privacy Policy. To the extent required by applicable law, we will notify you before your data is transferred and becomes subject to a different privacy policy.

10. Automated Decision-Making

The Service uses automated processing of your media content to perform species and object detection. This processing does not produce legal effects or similarly significantly affect you within the meaning of Article 22 GDPR. AI detection results are provided as an assistive feature only and are not used to make binding decisions about you.

If you have concerns about an automated detection result, or wish to request a correction to classifications associated with your account, please contact us at [email protected]. We will review your request and respond within 30 days.

11. Your Rights

Under GDPR, you have the following rights in relation to your personal data:

• Access — request a copy of the personal data we hold about you
• Rectification — request correction of inaccurate or incomplete data
• Erasure — request deletion of your data (the "right to be forgotten"), subject to applicable legal retention obligations
• Portability — receive your data in a structured, commonly used, machine-readable format
• Restriction — request that we limit our processing of your data in certain circumstances
• Objection — object to processing based on legitimate interests
• Withdrawal of consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing
• Not to be subject to solely automated decisions — where automated processing produces significant legal or similar effects, request human review

To exercise any of these rights, please contact us at [email protected]. We will respond within 30 days. There is no charge for making a request, and we will not discriminate against you for exercising your rights.

Right to Lodge a Complaint

You have the right to lodge a complaint with the data protection supervisory authority in your EU member state of habitual residence, place of work, or the place of the alleged infringement.

In Denmark, the relevant authority is the Danish Data Protection Authority (Datatilsynet): www.datatilsynet.dk

If you are located in another EU member state, you may instead contact your local supervisory authority. A full list of EU supervisory authorities is available from the European Data Protection Board: https://edpb.europa.eu/about-edpb/about-edpb/members_en

12. Children's Privacy

The Service is not directed at children under 16. Users under 16 must have obtained verifiable parental or guardian consent prior to using the Service. We do not knowingly collect personal data from children under 13 without verifiable parental consent. If you believe a child has provided us with personal data without appropriate consent, please contact us at [email protected] and we will delete it promptly.

13. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These measures include encrypted storage, access controls enforced on a least-privilege basis, secure data transmission (TLS), and automated bot detection and CAPTCHA systems to prevent abuse and spam. We regularly review our security practices and update them as necessary.

No system is completely secure. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority and, where required, inform you directly without undue delay.

14. Cookies

We use only technically necessary cookies required to operate the Service, such as session management cookies. We do not currently use tracking, advertising, or analytics cookies. If this changes, we will update this Policy and obtain appropriate consent before placing any non-essential cookies on your device.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or a prominent notice within the Service at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision. We encourage you to review this Policy periodically.

16. Contact

For any privacy-related questions, to exercise your rights, or to raise a concern about how we handle your personal data, please contact:

CMP IT ApS CVR: 41254041 [email protected]

We aim to respond to all legitimate enquiries within 30 days.