Privacy Policy

Last updated: 5 May 2026

This Privacy Policy explains how Scouty ("Scouty", "we", "us", or "our") collects, uses, and protects personal information when you use our iOS app, Android app, or web application at scouty-app.com (together, the "Service"). It applies to adult leaders who sign in to the Service and — separately — to information that those leaders enter about youth members of their scouting groups.

Plain-English summary. Scouty is a tool that lets adult scouting leaders plan meetings, organise camps, and track badges. We store your account data and your group's data on Google Cloud servers in the European Union. We don't sell your data, we don't track you across other websites, and we never collect data directly from children — only the information that leaders enter about participants.

1. Who we are

The Service is operated by Rick van Weersel ("the Operator"). You can contact us about this Privacy Policy at support@scouty-app.com.

2. The two kinds of people in this Privacy Policy

Scouty handles personal data in two distinct ways. It is important to understand which category applies to you:

  • Adult leaders who sign in to the Service. We are the controller of your data: you give us your information, you have rights against us directly.
  • Youth members and other participants whose information is entered into Scouty by an adult leader. For this data the leader's organisation is the controller and Scouty acts as a processor on the organisation's behalf. The organisation is responsible for the lawful basis (typically parental consent under GDPR Article 8) and for telling participants and their parents what is being stored.

3. What we collect — adult leaders

When you sign in or create an organisation in Scouty we collect the following information about you:

  • Account profile. First name, last name, and email address. An optional avatar (either a built-in icon or an image you upload).
  • Authentication data. Your Firebase Authentication user ID, the timestamp of your last sign-in, and a temporary copy of the email address you typed in while we send you a sign-in link (stored locally on your device — see Section 9).
  • Membership data. The organisations you belong to, your role in each (Owner, Board Member, Group Leader, or Leader), the sections you are assigned to, any board title (Chair, Secretary, Treasurer), and the date you joined.
  • Content you create. Activities, meetings, camps, reminders, badge plans, attachments, notes, and other content you enter into the Service.

4. What we collect — youth members and participants

When an adult leader registers a participant for an activity, the leader may enter the following information about that participant:

  • The participant's full name.
  • A free-text "notes" field that may contain medical, dietary, or behavioural information (for example: allergies, prescribed medication, things to be aware of during camp).
  • An optional emergency contact phone number.
  • Whether they have paid for the activity.

We never collect this information directly from children. Children do not have Scouty accounts and cannot sign in to the Service. The leader's organisation is responsible for obtaining the lawful basis to enter this information into Scouty — typically written parental consent under GDPR Article 8 (or the equivalent law in the organisation's country). Scouty processes this data only on the organisation's instructions.

5. What we collect — your organisation

  • The organisation's name and (optionally) a street address or coordinates.
  • An optional logo image.
  • The list of sections within the organisation, their meeting times, and the leaders assigned to each.
  • The list of pending invitations the organisation has issued.

6. Photos and other files you upload

Scouty lets leaders attach photos, PDFs, and other documents to activities, badges, and the organisation profile. When you upload a photo:

  • The image is uploaded to Google Cloud Storage and automatically scanned by Google Cloud Vision SafeSearch for adult, violence, or racy content. Images that fail the check are deleted and never become part of your activity.
  • A 200×200 thumbnail is generated server-side. The original image and the thumbnail are stored in Google Cloud Storage in the European Union (region europe-west4).
  • We currently do not strip EXIF metadata from uploaded images. If your camera embeds GPS coordinates or timestamps in the photo, those are stored alongside the image. We plan to add EXIF stripping in a future release; in the meantime, please be mindful when uploading photos taken with location services enabled.
  • The link to the file is stored in the activity record, visible to other members of your organisation according to their permissions.

7. Authentication and biometrics

Scouty uses passwordless email-link sign-in. We send you an email containing a one-time sign-in link; clicking the link signs you in. We do not store your password (because there isn't one).

On iOS, you can optionally enable Face ID or Touch ID to unlock the app. The biometric check happens entirely on your device — biometric data never leaves your device and is never sent to our servers.

8. Where your data is stored

Scouty's backend runs on Google Firebase. The Firebase project is scouty-b94de. Cloud Functions run in europe-west4 (Belgium). Cloud Firestore and Cloud Storage are configured in EU regions, so under normal operation your data is processed and stored in the European Union.

Google may replicate data to other regions for resilience and disaster recovery in accordance with their Firebase Privacy and Security commitments and the EU Standard Contractual Clauses.

9. Cookies and local storage

Scouty does not use advertising cookies and does not track you across other websites. We use a small amount of browser storage strictly to make the Service work:

  • Authentication cookies. Set by Firebase Authentication to keep you signed in.
  • Local storage. A key called emailForSignIn stores the email address you typed in while we send you a sign-in link, so we can match the click to the original session. It is removed automatically once you complete sign-in.

We do not require a cookie consent banner under ePrivacy because we do not set any non-essential cookies. If we add analytics or similar in the future we will introduce a consent banner and update this section.

10. Sub-processors and third parties

We use the following third parties to run the Service. Each is a contractually-bound sub-processor or feature provider and processes data only as needed to deliver its part of the Service:

  • Google Ireland Limited / Google LLC — Firebase Authentication, Cloud Firestore, Cloud Storage, Cloud Functions, Firebase Hosting, App Check, Cloud Vision SafeSearch.
  • Google LLC — Google Maps JavaScript API (used in the web app's discovery map).
  • Apple Inc. — WeatherKit (iOS only). When you view weather for an activity that has a location, the iOS app sends the activity's coordinates to Apple to retrieve the forecast. See Apple's privacy policy.
  • Anthropic PBC — when you use the AI-assisted creation features (generating an activity, camp, or badge from a prompt or attached file), the prompt and attachment are sent to Anthropic's Claude API for processing. We do not send information about youth members to the AI service.

We will publish material changes to this list of sub-processors at least 30 days before they take effect for existing customers.

11. How we use your information

  • To provide the Service — show you your organisation, your activities, your reminders.
  • To send you transactional email for sign-in links and (in the future) push notifications about activities you are involved in.
  • To moderate user-uploaded images using Google Cloud Vision SafeSearch.
  • To diagnose crashes and operational issues.
  • To comply with law and to protect Scouty and its users.

We do not use your data for advertising, profiling, or automated decision-making with legal effects.

12. Lawful bases under GDPR

  • Contract (Article 6(1)(b)) — providing the Service to you as an adult leader.
  • Legitimate interest (Article 6(1)(f)) — image moderation, fraud/abuse prevention, security.
  • Legal obligation (Article 6(1)(c)) — responding to lawful requests from regulators or courts.
  • Processor on behalf of the controller (Article 28) — for participant and youth-member data entered by leaders. Your organisation is responsible for the lawful basis under Article 6 and Article 8.

13. How long we keep your data

  • Account data — kept while your account is active. You can permanently delete your account at any time from Profile → Delete account in either the iOS app or the web app. The deletion removes your profile, every organisation membership you hold, and your Firebase Authentication record. If you're the sole Owner of an organisation we'll ask you to transfer ownership or delete the organisation first so your fellow leaders aren't locked out.
  • Organisation and activity data — kept while the organisation exists. When the last Owner deletes the organisation, all of its data (activities, sections, attachments, participants) is removed.
  • Demo accounts — anonymous demo sessions are short-lived and cleared when you sign out (iOS) or when you next refresh your browser session (web).
  • Backups — Google retains short-term backups of Firestore for disaster recovery; data may persist in those backups for up to 30 days after deletion.

14. Your rights under GDPR

If you are in the European Economic Area, the United Kingdom, or another jurisdiction with similar data-protection law, you have the right to:

  • access the personal data we hold about you;
  • correct inaccurate data;
  • have your data deleted;
  • restrict processing in certain circumstances;
  • receive a portable copy of your data;
  • object to processing based on legitimate interest;
  • lodge a complaint with your national data-protection authority.

To exercise any of these rights, email support@scouty-app.com. For data about a youth member, please contact the leader's organisation in the first instance — the organisation is the controller of that data.

15. Children

Scouty does not knowingly collect personal data directly from children under 16. Children do not have accounts and cannot sign in. The information that adult leaders enter about youth members is processed on the leader organisation's instructions, and the organisation is responsible for obtaining parental consent in accordance with applicable law.

If you believe a child's data has been entered into Scouty without proper consent, please contact the relevant organisation, or email us at support@scouty-app.com and we will help.

16. Security

Data in transit is protected with TLS. Data at rest in Cloud Firestore and Cloud Storage is encrypted by default. Access to the production Firebase project is limited to a small number of administrators using Google Identity. Image uploads are scanned for objectionable content before being made part of an activity. We follow Firebase security best-practice; however, no system is 100% secure, and you use the Service at your own risk.

17. Changes to this policy

When we make material changes to this Privacy Policy we will update the "last updated" date at the top of the page and, where appropriate, notify you in-app or by email. We encourage you to review this page periodically.

18. Contact

Questions, requests, or complaints about this Privacy Policy: email support@scouty-app.com.