Privacy Policy | Swarmed

Last updated: May 13, 2026

This Privacy Policy explains how Swarmed ("Swarmed", "we", "us", or "our") collects, uses, shares, and protects personal information when you use the website at beeswarmed.org and any related services, features, or applications we provide (collectively, the "Service"). It applies to visitors, registered users, beekeepers, association members, and anyone who submits or interacts with a swarm report.

This policy is designed to comply with the EU and UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), and other applicable privacy laws.

1. Who We Are (Data Controller)

The Service is operated by two affiliated entities, both trading as "Swarmed":

Swarmed LLC — a Wyoming, USA limited liability company with its principal office at 30 N Gould St, Sheridan, WY 82801, USA. Swarmed LLC is the data controller for users in the United States and for users outside the European Economic Area, United Kingdom, and Switzerland.
Swarmed — a Netherlands-based sole proprietorship (KvK 96813733), with its registered address at Anna Paulownastraat 9 B, 2518BA The Hague, the Netherlands. This entity is the data controller and EU establishment for users located in the European Economic Area, the United Kingdom, and Switzerland.

Contact for either entity: info@beeswarmed.org
Website: beeswarmed.org

If you have any questions about this policy or how your personal data is handled, please contact us at the email above.

2. Personal Data We Collect

We collect the following categories of personal data:

Account data. Name, email address, password (stored hashed), profile photo, language preference, and role (e.g. citizen, beekeeper, association member).
Beekeeper and association data. Service area, contact phone number, association affiliation, and any credentials or descriptions you choose to share on your profile.
Swarm report data. Photos, descriptions, swarm location (approximate coordinates and/or address), contact details for the reporter, and status updates on the report.
Communications. Messages, support requests, and feedback you send to us or to other users through the Service.
Technical and usage data. IP address, browser type and version, device identifiers, operating system, language settings, referring URLs, pages viewed, actions taken, and timestamps.
Cookies and similar technologies. See Section 8.
Third-party sign-in. If you sign in through a third-party provider, we receive basic profile information (such as name and email) from that provider as permitted by your settings with them.

You are not legally required to provide personal data, but some data (such as your email and password) is necessary to create an account or submit a swarm report. If you do not provide required data, we may be unable to deliver the relevant feature.

3. How We Use Personal Data and Legal Bases (GDPR Art. 6)

We process personal data for the purposes and on the legal bases below.

To provide the Service (account creation, authentication, routing swarm reports to nearby beekeepers, dashboards, messaging) — performance of a contract (Art. 6(1)(b)).
To send service-related communications (transactional emails, security notices, changes to terms) — performance of a contract and legitimate interests (Art. 6(1)(b) and (f)).
To keep the Service secure (fraud prevention, abuse detection, rate limiting, audit logs) — legitimate interests (Art. 6(1)(f)) in protecting the Service and users.
To analyze and improve the Service (aggregate analytics, feature usage, performance) — legitimate interests (Art. 6(1)(f)) or, where required, consent (Art. 6(1)(a)).
To send marketing or newsletter emails — consent (Art. 6(1)(a)); you can withdraw consent at any time.
To set non-essential cookies — consent (Art. 6(1)(a)) where required by law.
To comply with legal obligations (tax, accounting, lawful requests from authorities) — legal obligation (Art. 6(1)(c)).
To establish, exercise, or defend legal claims — legitimate interests (Art. 6(1)(f)).

Where we rely on legitimate interests, we have balanced those interests against your rights and freedoms and concluded that the processing is necessary and proportionate. You may object to processing based on legitimate interests as explained in Section 9.

4. How We Share Personal Data

We do not sell personal information. We share it only in the following situations:

With beekeepers and associations. When you submit a swarm report, the report details (including location and contact information you provide for the swarm) are shared with beekeepers and associations who can respond.
With other users you interact with. Profile information you choose to make visible (e.g. beekeeper service area, association membership) is shown to relevant users.
With service providers (processors). We use trusted vendors that process data on our behalf under written data processing agreements — for example, cloud hosting and database (Supabase), authentication, email delivery, error monitoring, analytics, and maps. These providers may only process personal data for the purposes we specify.
With lead and outreach partners. Where you have consented, we share your contact information (such as name, email address, phone number, and information about your swarm or service request) with selected third-party partners that help connect you to professionals or that perform outreach on our behalf. These currently include Instantly (email outreach) and, for users in the United States only, Networx (home-services lead marketplace, from which Swarmed LLC may receive a referral fee). We do not share data with Networx for users located in the EEA, the United Kingdom, or Switzerland. These partners act as independent controllers for their own processing and may contact you by email, phone, or SMS, including by automated technology, in accordance with applicable law and the consent you have provided. You can withdraw consent at any time by emailing us or by following the unsubscribe / opt-out instructions in the communications you receive.
For legal reasons. We may disclose personal data if required by law, legal process, or a lawful request from a public authority, or to protect the rights, safety, or property of Swarmed, our users, or the public.
Business transfers. In connection with a merger, acquisition, financing, or sale of assets, personal data may be transferred subject to standard confidentiality protections. We will notify users if such a transfer results in a material change to this policy.

5. International Data Transfers

Swarmed operates from the United States, and some of our service providers process data outside the European Economic Area, United Kingdom, or your country of residence. Where personal data is transferred internationally, we rely on appropriate safeguards required by law, such as the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or an adequacy decision where one is in place. You can request a copy of these safeguards by contacting us.

6. Data Retention

We keep personal data only as long as needed for the purposes described in this policy:

Account data is retained while your account is active and for a reasonable period after closure (typically up to 24 months) to handle disputes, comply with legal obligations, and prevent abuse.
Swarm reports may be retained indefinitely in anonymized or aggregated form for research, statistics, and improving the Service. Identifiable report data is deleted on request, subject to legal retention obligations.
Server logs and security records are typically retained for up to 12 months.
Where law requires longer retention (e.g. accounting records), we keep data for the legally required period.

7. Security

We implement reasonable administrative, technical, and physical safeguards designed to protect personal data — including encryption in transit (TLS), encryption at rest where supported by our providers, hashed passwords, access controls, and audit logging. No system is perfectly secure, and we cannot guarantee absolute security. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority and, where required, affected users without undue delay.

8. Cookies, Analytics, and Similar Technologies

We use cookies, local storage, pixels, tags, and similar technologies. Our cookie banner organizes them into four categories:

Strictly necessary — required for login, security, remembering your consent choice, and basic site operation. Always active because the Service cannot function without them.
Functional — remember preferences such as language and saved form drafts.
Analytics — aggregated, IP-anonymized usage statistics so we can see which pages help people report swarms.
Marketing — measurement and outreach pixels that help us understand the effectiveness of our campaigns.

Specific third-party tools currently in use:

Google Tag Manager — orchestrates the loading of measurement and marketing tags.
Google Analytics 4 (Google Ireland Ltd. / Google LLC) — to understand how the Service is used. GA may process IP addresses, device identifiers, and usage events. Learn more at policies.google.com/privacy; you can additionally opt out site-wide using the Google Analytics Opt-out Browser Add-on.
Other analytics, error-monitoring, and advertising pixels we may add from time to time. Where required by law, they are loaded only after you give consent.

How consent is enforced. If we detect that you are accessing the Service from the EEA, the United Kingdom, Switzerland, or any country we cannot reliably identify, our banner appears on your first visit and all non-essential categories are denied by default until you choose. Until you accept a category, we use Google Consent Mode v2 to signal "denied" for analytics, advertising storage, ad personalization, ad user data, functionality storage, and personalization storage — so Google tags load in a privacy-preserving mode that does not set identifying cookies. Your saved choice is stored in a first-party cookie (swarmed_cookie_consent) for up to 6 months, after which we ask again. Outside the EEA/UK/Switzerland we apply a permissive default consistent with applicable law.

Legal basis. Strictly necessary cookies are used without consent because the Service cannot function without them (legitimate interests / contract). For functional, analytics, and marketing cookies in jurisdictions that require it (e.g. EEA, UK, Switzerland), we rely on consent (Art. 6(1)(a) GDPR and the ePrivacy Directive).

Changing your choice. You can re-open the banner and update or revoke your choices at any time using the "Cookie settings" link in the footer. Revoking analytics or marketing also clears Google, Meta, Microsoft, and Hotjar tracking cookies from your browser on the next page load.

9. Telephone and SMS Communications (U.S. TCPA Notice)

If you provide a phone number and consent to be contacted by phone or SMS, you expressly authorize Swarmed and our lead and outreach partners — including Instantly and Networx — to contact you at that number for purposes related to your swarm report, service request, or matching with a beekeeper or service professional. These contacts may be made using an automatic telephone dialing system, artificial or prerecorded voice, or SMS / text messages, in accordance with the U.S. Telephone Consumer Protection Act (TCPA), 47 U.S.C. § 227, and applicable state laws.

Your consent is not a condition of purchasing any goods or services.
Standard message and data rates may apply for SMS.
Message frequency varies.
You can revoke consent at any time by replying STOP to any text message, by asking the caller to stop contacting you, or by emailing info@beeswarmed.org.
For help, reply HELP to any text message or contact us at the email above.

Revoking consent for telephone or SMS communications will not affect lawful processing carried out before the revocation and will not prevent us from sending you transactional or service-related communications that are not subject to TCPA consent requirements.

10. Your Rights

Depending on where you live, you have some or all of the following rights:

Access — request a copy of the personal data we hold about you.
Rectification — ask us to correct inaccurate or incomplete data.
Erasure ("right to be forgotten") — ask us to delete your personal data, subject to legal exceptions.
Restriction — ask us to limit how we process your data in certain circumstances.
Portability — receive your data in a structured, commonly used, machine-readable format, or have it transmitted to another controller where technically feasible.
Objection — object to processing based on legitimate interests, or to direct marketing at any time.
Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior lawful processing.
Lodge a complaint — with your local data protection authority. Because our EU establishment is in the Netherlands, the Autoriteit Persoonsgegevens (AP) (autoriteitpersoonsgegevens.nl) acts as our lead supervisory authority for the EU. EEA residents may also contact their local authority (directory at edpb.europa.eu); UK residents can contact the ICO at ico.org.uk.

To exercise any of these rights, email info@beeswarmed.org. We will respond within the timeframes required by law (generally within one month under the GDPR). We may need to verify your identity before acting on your request.

11. California Privacy Rights (CCPA/CPRA)

California residents have the right to know what personal information we collect, use, disclose, and (if applicable) sell or share; to delete personal information; to correct inaccurate personal information; to opt out of any "sale" or "sharing" of personal information; and to limit the use of sensitive personal information. We do not sell personal information and do not share it for cross-context behavioral advertising. We will not discriminate against you for exercising your rights. To submit a request, email info@beeswarmed.org.

12. Automated Decision-Making

We do not use personal data to make decisions that produce legal or similarly significant effects about you solely through automated means, and we do not engage in profiling of that kind.

13. Children's Privacy

The Service is not directed to children under 16, and we do not knowingly collect personal data from them. If you believe a child has provided us with personal data, please contact us and we will delete it.

14. Third-Party Links

The Service may link to third-party websites or services that we do not control. This Privacy Policy does not apply to those third parties. We encourage you to review their privacy notices before sharing personal data with them.

15. EU / UK Users

If you are located in the European Economic Area, the United Kingdom, or Switzerland, the GDPR (or UK GDPR / Swiss FADP) applies to the processing of your personal data, and the rights described in Section 10 apply to you. The legal bases on which we rely are set out in Section 3.

Our Dutch sole proprietorship (KvK 96813733, Anna Paulownastraat 9 B, 2518BA The Hague) is our EU establishment for GDPR purposes. As a result, our lead supervisory authority is the Dutch Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl), and an Article 27 EU representative is not required. UK users may lodge complaints with the ICO (ico.org.uk).

16. Changes to This Policy

We may update this Privacy Policy from time to time. We will revise the "Last updated" date above and, for material changes, provide additional notice (e.g. in-app message or email). Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

17. Contact Us

For questions, complaints, or requests relating to your personal data, contact us at info@beeswarmed.org, or by post at either:

Swarmed LLC, 30 N Gould St, Sheridan, WY 82801, USA — for US and rest-of-world matters.
Swarmed, Anna Paulownastraat 9 B, 2518BA The Hague, the Netherlands — for EU/UK/Swiss data-protection matters.