Data Handling Policy

Tree Photographs: Up to three photographs per observation (full canopy, trunk detail, bark close-up). Images are stored in cloud object storage with AES-256 encryption at rest.

Geolocation: GPS coordinates captured at the moment of submission with accuracy metadata. Position is averaged from multiple GPS samples for improved precision.

Derived Data: Species identification, health classification, dimensional estimates, and confidence scores generated by our AI pipeline.

Metadata: Submission timestamp, device type, app version, and mapper ID (anonymized in municipal exports).

Submitted photographs are processed through a dual-source AI pipeline:

Pl@ntNet API: Botanical image recognition service operated by CIRAD, INRA, INRIA, and IRD. Images are sent via API for species identification and are not retained by Pl@ntNet after processing.

Multimodal LLM (Anthropic Claude): Images are analyzed by a large language model for species confirmation, health assessment, and dimensional estimation. Images are processed per Anthropic's data handling policies and are not used for model training.

Results from both sources are compared using a consensus algorithm. When sources agree on genus, the identification is marked as high-confidence.

Contracted Municipalities: Cities with active contracts can access all tree observation data within their defined contract zones, including photographs, species data, and health assessments. Mapper personal information is never included.

Urban Pulse Staff: Authorized employees access data for quality assurance, customer support, and system administration purposes only.

AI Processing Partners: Third-party AI services receive photographs for processing only. No data is retained after processing is complete.

The Public: Anonymized, aggregate statistics may be published in blog posts, case studies, or research publications. Individual tree records are never made publicly available unless released by the contracting municipality.

Tree inventory data purchased by a municipality with public funds may become public records subject to the Texas Public Information Act (Chapter 552, Texas Government Code) or federal Freedom of Information Act requests.

This means that tree locations, species identifications, health assessments, and photographs may be disclosed in response to open records requests made to the contracting city.

Mapper personal information (names, emails, payment details, device information) is classified as proprietary business information and is not included in any data deliverable to municipalities.

Active accounts: Data is retained for the duration of your account.

After account deletion: Personal information is deleted within 30 days. Anonymized tree observation data (photographs, coordinates, AI results) is retained as part of the municipal inventory.

Municipal data: Tree inventory data is retained for the duration of the city's contract plus 5 years, or until the city requests deletion.

Financial records: Payment and transaction records are retained for 7 years per IRS requirements.

All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Database access is restricted via role-based access control. API authentication requires signed tokens with time-limited validity.

We maintain audit logs of all data access by staff and API consumers.