Last updated: July 14, 2026
This page describes how Wildways handles your data and how to report a security problem. It is written to be accurate about what the app actually does — if you find something here that doesn't match reality, that itself is worth reporting.
Reporting a vulnerability
Email wildways@biotamfg.co with "SECURITY" in the subject line.
Please include what you found, where, and the steps to reproduce it. We will acknowledge your report within 3 business days and keep you updated while we work on a fix.
We will not pursue legal action against researchers who:
- act in good faith and report promptly,
- do not access, modify, or delete other people's data beyond the minimum needed to demonstrate the issue,
- do not degrade or disrupt the service, and
- give us a reasonable opportunity to fix the issue before disclosing it publicly.
We do not currently run a paid bug-bounty programme, but we're glad to credit you.
How your data is protected
Accounts. Authentication is handled by Supabase. We never see or store your password. Session tokens are held in the device's secure keychain (iOS Keychain / Android Keystore), not in plain storage.
In transit. All traffic between the app and our services uses HTTPS/TLS.
At rest. Data is stored in a Supabase Postgres database with row-level security enabled on every table, so one user's account cannot read or modify another user's private rows.
Photos. Community photos are resized and their EXIF metadata — including GPS coordinates — is stripped before upload, so posting a photo does not reveal where you took it. Pending photos live in a private storage bucket; only photos that pass moderation are moved to the public bucket.
Moderation. Every uploaded image and caption is automatically screened before it can appear publicly. Users can report content and block contributors from within the app.
Location. Location access is optional and used once to resolve your region. We do not store your precise GPS coordinates — only the derived region (e.g. state and hardiness zone), and that is kept on your device.
Deletion. Deleting your account in the app removes your account, your contributions, and your uploaded image files from storage — not just the database rows pointing at them.
What we don't do
- No third-party analytics, advertising, or crash-tracking SDKs.
- No cross-app or cross-site tracking; no data sold or shared with advertisers.
- No collection of precise location, contacts, health data, or browsing history.
Third parties in the chain
Supabase (hosting, authentication, database, storage), OpenAI (automated moderation of uploaded photos and captions), phzmapi.org (receives a ZIP code, returns a hardiness zone), and Wikimedia Commons (serves plant photographs). These are described in our Privacy Policy.
Honest limitations
We're a small team and we'd rather tell you where the edges are:
- We do not currently offer two-factor authentication on Wildways accounts.
- We do not yet publish a formal incident-response SLA. If a breach affects your data, we will notify affected users by email without undue delay.
- Automated moderation is good but imperfect. Report anything that slips through.
Contact
Biota LLC dba Biota Mfg — Reno, Nevada
wildways@biotamfg.co

