Privacy Policy

Effective Date: May 16, 2026

The short version

Project Kestrel is built to work without sending your photos or your personal data anywhere. The desktop app analyzes your photos on your own computer, and unless you choose otherwise, that is where they stay.

We collect a small amount of anonymous usage data to keep the app working and to know if it's crashing. We use a randomly-generated machine identifier — not your hardware serial, not your name, not your email — so we can count active users without knowing who they are.

If you choose to use Perch (our photo-sharing site) or Cloud Compute (our optional paid GPU service), then we do collect more, because we have to: we need an account so you can sign in, and we need to receive your photos so we can host or process them. Those services are opt-in. You do not need to create an account to use the desktop app, and the desktop app will never silently upload your photos to either of them.

This document explains exactly what we collect, exactly what we don't, and exactly how long we keep it.

1. Who we are

Project Kestrel is a free, open-source desktop application licensed under AGPLv3. It is built and operated by Project Kestrel LLC ("we", "us"). The desktop app's source code is public. The cloud services (Perch and Cloud Compute) are operated by us as hosted services and are not themselves open-source at this time.

For any privacy-related question or request, contact us at support@projectkestrel.org.

2. The three components, and which one this section applies to

Project Kestrel has three parts. Each one has different privacy implications, so we describe them separately throughout this policy.

• Desktop app — Free, open-source, runs on your Windows or macOS computer. Analyzes your photos locally. This is what most people use, and most people stop here.
• Perch — Optional photo-sharing website at perch.projectkestrel.org. You explicitly choose which photos to upload. Free at launch (2 GB total).
• Cloud Compute — Optional paid service that offloads photo analysis to GPU servers, for users with very large libraries. Photos you submit are processed and then deleted.

A Project Kestrel account is required to use Perch or Cloud Compute. It is not required to use the desktop app.

3. What we collect — Desktop app

The desktop app is the most privacy-sensitive component because it has direct access to your photo library. Here is everything it sends to us.

Always sent (not optional)

When the app starts up and once per day while running, the app sends a small ping to api.projectkestrel.org containing:

• A machine UUID — a random identifier generated the first time the app runs. It is stored in your app config file and is not derived from any hardware ID, MAC address, or serial number. You can reset it by deleting the config file.
• The operating system name and version (e.g. "Windows 11", "macOS 14.4").
• The app version (e.g. "1.2.0").
• A daily-active-user pulse — basically a heartbeat so we can count how many installations are alive on a given day.

When an analysis run completes, the app sends:

• The count of images that were just analyzed (a number, e.g. 1,427).
• Analysis speed statistics (how long each stage took).

That is the entirety of the non-optional telemetry. We do not see filenames, folder paths, image content, EXIF data, GPS coordinates, your IP-bound identity, or any species/quality results from the analysis.

Opt-in (off by default unless you explicitly turn it on)

If you turn on "detailed analytics" in settings, the app additionally sends:

• File sizes of the analyzed images.
• File formats used (e.g. JPEG, CR3, NEF).

Still no filenames. Still no image content.

Crash reports (default-on, but explained)

If the app crashes, by default it sends a crash report containing:

• A stack trace.
• The last few sessions of the app's internal log file.

Internal log files include the filenames and folder paths you analyzed. We keep this on purpose: most crashes are file-format-specific, and the library names in the stack trace (e.g. Python\packages\tensorflow\...) are exactly what we need to identify and fix the bug.

We do redact your username from paths before transmission. A path like C:\Users\sanjaysoni\photos\trip.CR3 becomes C:\Users\<user>\photos\trip.CR3. So we can see the file structure without seeing who you are at the OS level.

You can disable crash reporting entirely in settings. You can also choose to attach the last three runtime sessions' logs when you submit feedback by ticking the "include recent analysis logs" box — that box is opt-in per-submission and is off by default.

Things the desktop app NEVER collects

• Your name, email, or any contact information.
• Your IP address as a stored record (it appears in transient web-server logs at our hosting provider, retained no longer than 30 days; we do not associate it with you).
• The contents of your photos.
• EXIF metadata (camera model, lens, GPS, timestamps) from your photos.
• Species, quality scores, or any output of the analysis.
• Bird names, location names, or anything derived from the image content.
• Files you did not analyze.
• Any directory listing of your computer.

4. What we collect — Project Kestrel account

You only have an account if you signed up. Sign-up happens when you choose to use Perch or Cloud Compute, never silently.

We use Clerk as our identity provider. Clerk handles sign-up, password storage, OAuth (Google, etc.), and session tokens. Information you give Clerk:

• Email address (required).
• Password (hashed by Clerk; we never see it).
• Optionally: a display name, a profile image, and a connected OAuth provider account.

We mirror a small subset of your Clerk profile into our own database so our services can show your username and avatar without calling Clerk on every request:

• User ID, username, first name, last name, display name, profile image URL.
• Account creation timestamp.

This mirror is refreshed lazily, on demand. When an authenticated request arrives and the cached row is older than 7 days, we re-fetch the current values from Clerk before serving the request. If you've been inactive longer than that, the mirror can be older than 7 days — the refresh fires on your next request, not on a schedule.

We also keep a short username history (so people who shared with @you last week don't get confused), capped at 3 username changes per 30 days.

Beyond what Clerk owns, we also store your profile visibility preference — a setting you control from your account settings that determines whether other Perch users can see your profile. The default is not visible.

If you subscribe to Cloud Compute, we additionally store:

• Subscription tier and status.
• Current billing period start and end.

5. What we collect — Perch

Perch only stores data when you take an explicit upload action.

For each "perch" (a shared photo set) you create, we store in our database:

• Title, description, visibility setting (draft / unlisted / restricted / public), and a public URL slug if you chose unlisted or public.
• The list of people you shared it with, if you chose restricted.
• Timestamps.
• Comments other users left on it, and photos you liked on others' perches.
• Group membership, if the perch is in a group.

For each photo asset within a perch, we store:

• The filename you uploaded.
• The file size.
• The image itself.
• Kind (export, crop, thumbnail, note).

Thumbnails are pre-resized to 1200 pixels by the desktop pipeline before upload, and EXIF metadata is stripped during that resize, so GPS coordinates and camera metadata do not travel with thumbnails. Full-resolution exports do retain their EXIF unless you've stripped it on your end.

Default visibility for a new perch is "draft" (private) — visible only to you. You have to actively change it before anyone else can see it.

Deletion: you can delete any perch at any time, which removes its database rows and the actual images from our storage. Deleting your account deletes all your perches.

6. What we collect — Cloud Compute

Cloud Compute only stores data when you explicitly submit a job.

In our database, per job, we store:

• Job ID, your user ID, job status, image count, timestamps.
• Per-image: filename you uploaded, the location of the image in our storage, and per-image status.
• Job metadata (container info, event log) and short-lived access tokens for downloading the result.

In our storage, we keep:

• Your uploaded source images (used as input to analysis).
• The results of the analysis from our cloud computers.

Modal.com is our sub-processor for the actual GPU work. When you submit a job, your images are made available to a Modal container, which runs our analysis code and returns the results. Modal sees the image contents during processing, and the container — along with all images on it — is deleted when the job is done.

7. Image lifecycle in Cloud Compute

We deliberately added 3 layers of safeguards to ensure your photos are deleted as soon as we can.

Source images are deleted as soon as the analysis pack is returned. The three layers:

1. Primary deletion — On successful pack return, the worker hard-deletes every source image from our storage.
2. Failure sweep — If a job fails (Modal crash, network drop, container died), an automatic cleanup cron deletes every image belonging to that job within 10 minutes.
3. Storage-provider lifecycle fallback — We set up explicit policy controls within our storage provider, Cloudflare, so that even if these two layers fail, images expire and are deleted after 24 hours.

Result packs are kept for 30 days. A 30-day expiration policy is set on the analysis result files. This gives you time to download your results; after that you'd need to re-run the job. Database rows describing the job (image count, status, timestamps — not image content or analysis results) may persist longer for usage analytics, but the image data itself is gone.

8. Kestrel is local-first

The desktop app is fully functional with no account, no internet, and no cloud services. You can install it, analyze your entire library, and never touch Perch, Cloud Compute, or a Project Kestrel account. If that is how you want to use Kestrel, nothing on this page other than the desktop-app telemetry section above applies to you.

9. Cookies and similar technologies

The marketing site at projectkestrel.org and the apps myaccount.projectkestrel.org and perch.projectkestrel.org use:

• Essential cookies — Clerk session cookies for sign-in. These are required for the site to work when you are signed in. They are not used for advertising or tracking across sites.
• Microsoft Clarity — We use Microsoft Clarity on our marketing site to understand how visitors navigate the page (heatmaps, scroll depth). You can opt out by using the cookie-preferences link in our site footer, or by enabling a browser-level Do Not Track preference.

The desktop app does not use cookies.

10. Third parties who process data on our behalf

• Clerk — Identity, authentication, sessions, and billing (Clerk Billing, when active). Receives: your email, password, profile info, sign-in events, and (for Cloud Compute subscribers) the payment information you provide at checkout.
• Cloudflare — Hosting, CDN, Workers, database, object storage. Receives: everything stored on our services, in the course of operating them.
• Modal.com — GPU sub-processor for Cloud Compute. Receives: the source images of any Cloud Compute job you submit, during processing.
• Resend — Transactional email delivery. Receives: recipient email addresses for share invites and DMCA-form delivery. We do not use Resend for marketing email.

We do not sell your data, and we do not share it with anyone other than the processors above and as required by law.

11. Your rights

You can:

• See what we have about you — the MyAccount dashboard at myaccount.projectkestrel.org shows your profile, your perches, and your job history.
• Correct it — edit your profile, your perches, etc.
• Delete it — the "Delete account" action removes your account, your perches, and your Cloud Compute job history.
• Export it — request a copy of your account data at support@projectkestrel.org.
• Opt out of telemetry — the desktop app has explicit controls.
• Withdraw consent — you can stop using the cloud services at any time.

If you are in the EU/UK, you have additional rights under the GDPR (access, rectification, erasure, restriction, portability, objection, and the right to lodge a complaint with your supervisory authority). Contact support@projectkestrel.org to exercise them.

12. Children

Project Kestrel is not directed at children. You must be at least 18 years old to create an account. If you believe a child has created an account, contact support@projectkestrel.org and we will remove it.

13. Changes to this policy

When we change this policy, we update the Effective Date at the top and at legal.json. If you have an account, we will require you to review and accept the new policy before you can perform a new upload to Perch or submit a new Cloud Compute job. You will not be locked out of viewing or deleting data you already have.

14. Contact

support@projectkestrel.org