Privacy & data protection
Last updated: 9 May 2026
IDent dynamics is a browser-based spectrogram viewer for sonar
recordings, operated by Vixen Intelligence
(“we”, “us”, “our”). This
notice explains what personal data we hold, why we hold it,
and the rights you have under the UK and EU General Data
Protection Regulations (“UK GDPR” / “EU
GDPR”).
1. Who we are & how to contact us
Vixen Intelligence is the data controller for the personal
data processed through this service. For any data-protection
enquiry — including subject-access, rectification, or
erasure requests — contact
rahul@vixenintelligence.com.
2. What we collect
- Account profile:
Username, email, display name, salted password hash (bcrypt),
and your company affiliation. Your password is never stored
in plaintext and we cannot recover it for you — only
reset it.
- Authentication activity:
Each sign-in attempt records the timestamp, the username
tried, the source IP address, and the browser’s
User-Agent. This log lets us spot brute-force attacks and
enforce account lockout.
- Files you upload:
Audio recordings (WAV / FLAC), label and decision JSON, and
your company logo. Audio bytes are encrypted at rest with
libsodium under a per-file key, scoped to your account.
- Essential cookies:
A single PHP session cookie required to keep you signed in.
Marked
HttpOnly, SameSite=Lax, and
Secure when served over HTTPS.
- Analytics cookies (consent-based):
With your consent, we use Google Analytics 4 to understand
how the application is used. This loads
https://www.googletagmanager.com/gtag/js and
sets the cookies _ga (24-month expiry) and
_ga_TVSWR3BKB9 on this domain. The events we
send are: page views, file loads (sample rate, duration,
channel count, file format only — not filenames),
panel opens, and detector-model runs. IPs are anonymised
by Google before they are stored.
Analytics is off by default — the
cookies are never set unless you explicitly accept them in
the consent banner. You can change your decision at any
time under Account → Cookies & analytics.
- Operational data:
Server access logs (kept by the hosting infrastructure) and
per-account storage usage figures.
3. Why we process it (lawful bases)
- Contract — account profile, uploaded
files, and the session cookie are needed to deliver the
service to you.
- Legitimate interests — sign-in
logging is processed to secure accounts and detect abuse.
You can object to this processing, but doing so will mean
we cannot maintain a sign-in history for your account.
- Consent — analytics cookies (Google
Analytics 4) are processed only when you have actively
accepted them in the banner / Account toggle. You may
withdraw consent at any time without affecting the rest of
the service.
- Legal obligation — where required to
respond to a lawful request from a competent authority.
4. Sharing & transfers
We do not sell your data and we do not share it with data
brokers. We share data only with the providers strictly
required to deliver the service:
- The SMTP relay used to deliver password-reset email.
- The cloud hosting provider that stores the database and
encrypted file blobs.
- Google Ireland Limited / Google LLC
(Google Analytics 4) — only when you have consented
to analytics cookies. Google acts as a processor on our
behalf under its Standard Contractual Clauses; data is
transferred to the United States under the
EU–U.S. Data Privacy Framework adequacy decision.
See policies.google.com/privacy for Google's processing posture.
Where transfers leave the UK / EEA, we rely on the UK / EU
Standard Contractual Clauses with the receiving party.
5. Retention
- Account profile — for as long as
your account is active. On closure, removed within 30 days
unless we have a legal obligation to retain it longer.
- Sign-in attempt log — rolling 90
days, then deleted.
- Password-reset tokens — 1 hour or
until used, whichever is sooner.
- Uploaded files — until you delete
them or close your account.
- Analytics events & sessions —
14 months in Google Analytics, then automatically purged
per the property’s data-retention setting.
6. Your rights
You have the right to:
- request a copy of the personal data we hold about you
(right of access);
- have inaccurate data corrected (rectification);
- request deletion of your data, subject to other legal
obligations (erasure / “right to be forgotten”);
- restrict or object to processing in specific
circumstances;
- receive your data in a portable format
(data portability);
- withdraw consent where consent is the lawful basis —
this does not affect processing carried out before
withdrawal.
To exercise any of these rights, contact
rahul@vixenintelligence.com.
We will respond within one calendar month. If you are not
satisfied with our response, you can lodge a complaint with
the UK Information Commissioner’s Office
(ico.org.uk)
or your local supervisory authority.
7. Security
Connections to the service are protected with TLS. Passwords
are hashed with bcrypt at a cost factor that is reviewed
annually. Uploaded audio is encrypted at rest with libsodium
under per-file keys. Database access is restricted to the
application server.
8. Cookies in detail
Essential
- IDENT_SESSION — first-party session
cookie holding an opaque identifier. Marked
HttpOnly, SameSite=Lax, and
Secure when served over HTTPS. Deleted when
you sign out or your browser session ends.
Analytics (consent-based) — only set
after you accept analytics in the banner.
- _ga — first-party Google Analytics
client identifier. Lifetime 24 months. Used to
distinguish unique browsers across sessions.
- _ga_TVSWR3BKB9 — first-party session
state for the IDent dynamics property. Lifetime
24 months.
Declining analytics keeps the page on the essential cookie
only. Withdrawing consent later (under
Account → Cookies & analytics) clears the
analytics cookies on your next page load.
9. Changes to this notice
We will update this page to reflect material changes to how we
process personal data. The date at the top reflects the most
recent revision. Significant changes will also be announced
by email to active users.