PRIVACY POLICY
AquaBio Control — iOS, iPadOS & watchOS
Apple App Store privacy notice for the AquaBio Control iOS / iPadOS / watchOS application, its App Clip government-inspector / veterinary / retailer-auditor / certification-auditor surface and the web-link Counterparty Portals.
Document: AquaBio Control — Privacy Policy
Application: AquaBio Control (iOS / iPadOS / watchOS) · App Clip · Counterparty Portals
Issuing controller: ML Consulting MB · legal entity code 306991112
Version: 1.0
Effective from: 1 September 2026
Last updated: 20 May 2026
Privacy contact: support+aquabio@mlconsulting.lt
Lead supervisory authority: Valstybinė duomenų apsaugos inspekcija (VDAI), Vilnius
Backend data residency: European Union
Distribution: Apple App Store
Subscriber profile: Business User (B2B) — salmon, trout, carp and equivalent aquaculture sites, hatcheries, premium stocked fisheries, multi-site aquaculture groups, major salmon producer head offices (Mowi / Bakkafrost / Cooke / Scottish Sea Farms / Cermaq / Lerøy / SalMar / Grieg / Tassal / Huon / Multiexport / AquaChile / Camanchaca-tier), and contracted counterparties (aquaculture insurance underwriters, government aquaculture inspectorates, major retailer procurement desks, ASC / BAP / GlobalG.A.P. / RSPCA Assured certification bodies, aquaculture veterinary authorities)
BIOSECURITY, VETERINARY & NOTIFIABLE-DISEASE DISCLAIMER — READ FIRST
AquaBio Control is an operational biosecurity execution-proof, mortality-escalation and stock-risk traceability tool. It is NOT a veterinary diagnostic, sampling, screening, identification, characterisation, sequencing or notification authority for any pathogen (including Infectious Salmon Anaemia virus / ISAv, Pancreas Disease virus / PDV, Salmon Rickettsial Septicaemia / SRS, Infectious Pancreatic Necrosis virus / IPNv, Infectious Haematopoietic Necrosis virus / IHNv, Bacterial Kidney Disease / BKD, sea-lice Lepeophtheirus salmonis / Caligus elongatus / Caligus rogercresseyi or any other agent); NOT a water-quality / dissolved-oxygen / temperature / salinity / pH / ammonia / nitrite / nitrate / turbidity / chlorophyll-a / harmful-algal-bloom measurement instrument; NOT a veterinary medicinal product administration, residue / withdrawal-period, prescribing, off-label or cascade authority under Regulation (EU) 2019/6 or equivalents; NOT a Regulation (EU) 2016/429 (Animal Health Law) or Commission Delegated Regulation (EU) 2020/689 filing; NOT a WOAH (formerly OIE), Marine Scotland, DEFRA / Cefas Fish Health Inspectorate, Mattilsynet, Heilsufrøðiliga starvsstovan, SERNAPESCA, DFO, Irish Marine Institute or Tasmanian DPIPWE filing or notification; NOT an ASC / BAP / GlobalG.A.P. / Friend of the Sea / Soil Association / RSPCA Assured certification or audit decision; NOT a major retailer (Tesco, Sainsbury’s, Marks & Spencer, Waitrose, Lidl, Aldi, Walmart, Kroger, Whole Foods, Costco and equivalents) procurement approval; NOT an aquaculture insurance underwriting or claims decision; NOT a 911 / 999 / 112 emergency-services dispatch; and NOT a marine-rescue, man-overboard, mass-mortality or environmental-incident dispatch service.
Sea-cage / pond / tank / hatchery alerts, biosecurity-zone breach pulses, mortality-escalation alerts, Site-Lock countdown ClockKit complications, ActivityKit Live Activities, Dynamic Island indicators, APNs Time-Sensitive notifications, CoreNFC zone-tag / boot-bath / equipment-tag scan matches and Vision-framework dead-fish-counting outputs are operational notifications only — ADVISORY ONLY. CALLING 911 / 999 / 112 OR THE LOCALLY APPLICABLE PUBLIC EMERGENCY NUMBER REMAINS MANDATORY whenever any person is in apparent danger of death or serious harm (including man-overboard, cold-water immersion, working-at-water fall, vessel collision, hatchery oxygen failure or worker injury). Veterinary authority remains with qualified fish-health veterinarians; notifiable-disease authority remains with the competent veterinary authority (DEFRA / Cefas Fish Health Inspectorate, Marine Scotland, Mattilsynet, Heilsufrøðiliga starvsstovan, SERNAPESCA, DFO, Irish Marine Institute, Tasmanian DPIPWE and equivalents); biosecurity-execution authority remains with the Subscribing Customer’s qualified site personnel and biosecurity lead; certification authority remains with the ASC / BAP / GlobalG.A.P. / RSPCA Assured certifier; and retailer-approval authority remains with the retailer’s procurement function — in each case independently of the App.
Read together with the AquaBio Control Terms and Conditions (Master Terms + Schedule A) published by ML Consulting MB.
AT A GLANCE
What you should know in 60 seconds.
We do not sell your personal data and we never will.
We do not use Subscriber Data — including AVFoundation mortality / welfare / biosecurity-zone photographs, Vision-framework dead-fish-counting outputs, PencilKit site-map markup, voice memos, CoreNFC scan records, biosecurity-strategy details, mortality data, certification audit findings or retailer-allocation arrangements — to train or fine-tune any general-purpose, veterinary, welfare-scoring, mortality-attribution, escape-attribution, certification or counterparty-risk machine-learning model.
AquaBio Control is offline-aware: biosecurity execution acknowledgements, mortality-pick records, Site-Lock acknowledgements, AVFoundation photos, Vision OCR / counting outputs, voice memos, CoreNFC scans and Face ID-signed acknowledgements are stored on your iPhone, iPad or Apple Watch and synced to our EU-resident backend when connectivity returns — including from offshore sea cages, fjord sites, rural hatcheries and stocked fisheries with patchy carrier coverage.
The AquaBio Control backend is hosted in the European Union. Personal data is encrypted in transit and at rest.
We do not run advertising in the App, and we do not embed third-party advertising or tracking SDKs. The App is declared “Data Not Used to Track You” in the App Store.
AquaBio Control is sold exclusively under a written Order Form (Direct Channel), with billing processed via Stripe, invoice or bank transfer. No App Store auto-renewable subscription is offered by default; payment never flows through Apple’s In-App Purchase system.
The App is NOT a veterinary diagnostic, NOT a notifiable-disease pre-notification authority, NOT a water-quality measurement instrument, NOT a veterinary-medicines administration / residue / withdrawal authority, NOT an Animal Health Law (Regulation (EU) 2016/429) or Delegated Regulation (EU) 2020/689 filing, NOT a WOAH / Marine Scotland / DEFRA / Cefas / Mattilsynet / Heilsufrøðiliga starvsstovan / SERNAPESCA / DFO / Irish Marine Institute / Tasmanian DPIPWE submission, NOT an ASC / BAP / GlobalG.A.P. / FOS / Soil Association / RSPCA Assured certification, NOT a major-retailer procurement approval, NOT an aquaculture insurance underwriting decision, NOT a marine-rescue or man-overboard service, and NOT a 911 / 999 / 112 emergency dispatch.
Audit Defence Packs, Site-Lock Evidence Packs, Mortality Escalation Packs, Notifiable-Disease Pre-Notification Packs and Counterparty Packs are operational records — they are NOT licences, certifications, regulatory submissions, court orders or insurance attestations.
Face ID-signed task-execution acknowledgements, PencilKit site-map markup, Apple Watch-initiated Site-Lock signatures, AVFoundation mortality / welfare / biosecurity-zone photos, Vision-framework dead-fish-counting outputs, CoreNFC zone-tag / boot-bath / equipment-tag scans and shared-device PINs are operational acknowledgements only — they are NOT Qualified or Advanced Electronic Signatures under eIDAS Regulation (EU) 910/2014, and acknowledgement of any biosecurity, mortality-pick, sampling, treatment-administration or Site-Lock step does not constitute a veterinary diagnosis, a notifiable-disease report, a certification decision or a regulatory submission.
Site, biosecurity-zone, sea-cage, hatchery, mortality, sea-lice, water-quality (where entered by you), veterinary, certification, retailer-allocation, producer-HQ and counterparty data belongs to the Subscribing Customer.
We do not share or sell this data with any third party for advertising or commercial-intelligence purposes, and we do not disclose Subscriber Data to any third-party machine-learning provider without the express written consent of the Subscribing Customer.
AquaBio Control deliberately does NOT offer AI veterinary diagnosis or notifiable-disease determination; AI welfare-scoring of any fish, mollusc, crustacean or other aquatic animal; AI mortality-cause attribution or escape-cause attribution; AI water-quality / dissolved-oxygen / sea-lice / harmful-algal-bloom determination; AI Site Lock or biosecurity-zone authorisation; AI veterinary-medicine prescribing, residue or withdrawal-period decisions; AI ASC / BAP / GlobalG.A.P. / FOS / RSPCA Assured certification decisions; AI major-retailer procurement decisions; AI aquaculture insurance underwriting or claims decisions; or AI behavioural / ranking / employability profiles of any worker, inspector, retailer representative, certifier representative or counterparty representative. The AI helpers we do offer (on-device Speech, on-device CoreML voice transcription, on-device Vision-framework dead-fish counting and label OCR, backend Whisper voice transcription, backend Claude-class Audit Defence Pack / Pack narrative drafts) are opt-in, off by default, never autonomous, raw input always retained, with a “Draft — review before sharing” watermark on AI-drafted narratives.
References in the App to major salmon producers (Mowi, Bakkafrost, Cooke, Scottish Sea Farms, Cermaq, Lerøy, SalMar, Grieg, Tassal, Huon, Multiexport, AquaChile, Camanchaca), aquaculture authorities (DEFRA / Cefas Fish Health Inspectorate, Marine Scotland, Mattilsynet, Heilsufrøðiliga starvsstovan, SERNAPESCA, DFO, Irish Marine Institute, Tasmanian DPIPWE), the WOAH (formerly OIE) Aquatic Animal Health Code, certification bodies (ASC, BAP / Global Seafood Alliance, GlobalG.A.P. Aquaculture, Friend of the Sea, Soil Association Salmon, RSPCA Assured), retailers (Tesco, Sainsbury’s, Marks & Spencer, Waitrose, Lidl, Aldi, Walmart, Kroger, Whole Foods, Costco and equivalents) and aquaculture insurers are descriptive only. None of those bodies endorses or warrants the App.
You can exercise the full set of EU GDPR rights at any time by writing to support+aquabio@mlconsulting.lt. Our lead supervisory authority is the Lithuanian State Data Protection Inspectorate (VDAI) in Vilnius.
AquaBio Control is intended for business users only (B2B). Workers using biosecurity, treatment-administration or Site-Lock surfaces must hold the relevant biosecurity training, veterinary-medicine handling competency, manual-handling, working-at-water, lone-working, cold-water immersion and Maritime and Coastguard Agency / Sjøfartsdirektoratet / equivalent maritime-safety training before being granted access.
1. About this Privacy Policy
ML Consulting MB (“ML Consulting”, “we”, “us”, “our”) is the publisher of the AquaBio Control iOS / iPadOS / watchOS application (the “App”), distributed through the Apple App Store. This Privacy Policy explains what personal data the App and its related surfaces — the watchOS companion that runs on the site manager’s, biosecurity lead’s and senior worker’s Apple Watch (sea-cage and hatchery wrist haptic), the App Clip surface used by visiting government inspectors, visiting veterinary authorities, visiting retailer auditors and visiting certification auditors, and the six browser-accessible Counterparty Portals (Major Salmon Producer HQ Portal, Aquaculture Insurance Underwriter Risk Desk, Government Aquaculture Inspector Portal, Major Retailer Procurement Portal, ASC / BAP / GlobalG.A.P. / RSPCA Assured Certification Body Portal and Aquaculture Veterinary Authority Portal), together with the separate Pre-Stocking Stand-by Service line — process when you download, install, sign in to, subscribe to, capture a biosecurity execution acknowledgement, mark a site map with PencilKit, scan a zone / boot-bath / equipment tag with CoreNFC, capture an AVFoundation mortality / welfare / biosecurity-zone photograph, run a Vision-framework dead-fish counting or label OCR, sign with Face ID, initiate an Apple-Watch Site Lock, open an App Clip session, open a Counterparty Portal share link or otherwise use the App, why we process it, the legal bases on which we rely, with whom we share it, for how long we keep it, and the rights you have under the GDPR and other applicable privacy laws.
This Policy is written to satisfy Articles 12 to 14 of Regulation (EU) 2016/679 (the “GDPR”), the Law on Legal Protection of Personal Data of the Republic of Lithuania, Article 88 GDPR (processing in the context of employment) and Regulation (EU) 910/2014 (“eIDAS”) where electronic-signature claims are concerned. It is also designed to be consistent with the App Privacy details (the App Store privacy “nutrition label”) and the Privacy Manifest (PrivacyInfo.xcprivacy) published with the AquaBio Control App.
AquaBio Control is premium enterprise software intended for business users (B2B) — salmon, trout, carp and equivalent aquaculture sites, hatcheries, premium stocked fisheries, multi-site aquaculture groups, major salmon producer head offices, aquaculture insurance underwriters, government aquaculture inspectorates, major retailer procurement desks, ASC / BAP / GlobalG.A.P. / RSPCA Assured certification bodies and aquaculture veterinary authorities. This Policy should be read together with the AquaBio Control Terms and Conditions (Master Terms + Schedule A) and, where ML Consulting acts as processor, the Master Data Processing Agreement (“Master DPA”) concluded with the Subscribing Customer.
1.1 Critical biosecurity, veterinary, notifiable-disease and life-safety reminder
CALL 911 / 999 / 112 FIRST — VETERINARY AND BIOSECURITY AUTHORITY STAYS WITH QUALIFIED PEOPLE
AquaBio Control — including the Apple Watch Surface, the Vision-framework dead-fish-counting layer and the CoreNFC zone-tag / boot-bath / equipment-tag layer — is an operational biosecurity execution-proof, mortality-escalation and stock-risk traceability tool. It is NOT a veterinary diagnostic, sampling, screening, identification, characterisation, sequencing, surveillance or notification authority for any pathogen (Infectious Salmon Anaemia virus / ISAv, Pancreas Disease virus / PDV, Salmon Rickettsial Septicaemia / SRS, Infectious Pancreatic Necrosis virus / IPNv, Infectious Haematopoietic Necrosis virus / IHNv, Bacterial Kidney Disease / BKD, sea-lice Lepeophtheirus salmonis / Caligus elongatus / Caligus rogercresseyi or any other agent); NOT a calibrated water-quality, dissolved-oxygen, temperature, salinity, pH, ammonia, nitrite, nitrate, turbidity, chlorophyll-a or harmful-algal-bloom instrument; NOT a veterinary medicinal product administration, residue / withdrawal-period, prescribing, off-label or cascade authority under Regulation (EU) 2019/6 or equivalents; NOT a Regulation (EU) 2016/429 (Animal Health Law) / Commission Delegated Regulation (EU) 2020/689 / WOAH (OIE) Aquatic Animal Health Code / DEFRA Cefas Fish Health Inspectorate / Marine Scotland / Mattilsynet / Heilsufrøðiliga starvsstovan / SERNAPESCA / DFO / Irish Marine Institute / Tasmanian DPIPWE filing or notification; NOT an ASC / BAP / GlobalG.A.P. / Friend of the Sea / Soil Association / RSPCA Assured certification or audit authority; NOT a major-retailer (Tesco, Sainsbury’s, Marks & Spencer, Waitrose, Lidl, Aldi, Walmart, Kroger, Whole Foods, Costco and equivalents) procurement approval; NOT an aquaculture insurance underwriting / claims authority; NOT a marine-rescue, man-overboard, mass-mortality or environmental-incident dispatch service; and NOT a 911 / 999 / 112 emergency-services dispatch.
Sea-cage / pond / tank / hatchery wrist haptics, biosecurity-zone breach pulses, mortality-escalation alerts, Site-Lock countdown ClockKit complications, exception-escalation pulses, APNs Time-Sensitive notifications, ActivityKit Live Activities, Dynamic Island indicators, CoreNFC zone-tag / boot-bath / equipment-tag scan matches and Vision-framework dead-fish-counting outputs are operational notifications only — ADVISORY ONLY. CALLING 911 / 999 / 112 OR THE LOCALLY APPLICABLE PUBLIC EMERGENCY NUMBER REMAINS MANDATORY whenever any person is in apparent danger of death or serious harm (including suspected man-overboard, cold-water immersion, working-at-water fall, vessel collision, mooring failure, oxygen failure in a hatchery, lone-worker incident or any other serious harm). Veterinary authority remains with qualified fish-health veterinarians; notifiable-disease authority remains with the competent veterinary authority of each jurisdiction; biosecurity-execution authority remains with the Subscribing Customer’s qualified site personnel and biosecurity lead; certification authority remains with the ASC / BAP / GlobalG.A.P. / RSPCA Assured certifier; retailer-approval authority remains with the retailer’s procurement function — in each case independently of the App. The Subscribing Customer remains the aquaculture producer, the food-business operator and the legal employer of site personnel at all times.
2. Controller identification
We are the data controller for the processing described as “we act as controller” in section 4 of this Policy. Our identification details are set out below.
Legal name: ML Consulting MB
Legal form: Mažoji bendrija (small partnership) governed by the law of the Republic of Lithuania
Legal entity code: 306991112 (Centre of Registers of the Republic of Lithuania)
Website: https://mlconsulting.lt
Privacy contact: support+aquabio@mlconsulting.lt
ML Consulting MB has not designated a Data Protection Officer because its current processing does not meet the criteria in Article 37(1) GDPR. The privacy contact above handles all data-protection enquiries. If our processing activities change such that a DPO becomes mandatory, we will appoint one and publish their contact details in this Policy.
Our lead supervisory authority for the purposes of the GDPR’s one-stop-shop mechanism (Article 56 GDPR) is the Lithuanian State Data Protection Inspectorate — Valstybinė duomenų apsaugos inspekcija (“VDAI”) — at L. Sapiegos g. 17, LT-10312 Vilnius, Lithuania, telephone +370 5 271 2804, email ada@ada.lt, website vdai.lrv.lt.
3. Scope of this Policy
This Privacy Policy applies to:
the AquaBio Control iOS / iPadOS / watchOS application published by ML Consulting MB on the Apple App Store, including the watchOS companion that runs on the site manager’s, biosecurity lead’s and senior worker’s Apple Watch;
the App Clip surface used by visiting government inspectors, visiting veterinary authorities, visiting retailer auditors and visiting certification auditors who scan a QR code at the site office, hatchery control room, biosecurity-zone gate or quayside induction point;
the six browser-accessible Counterparty Portals — Major Salmon Producer HQ Portal, Aquaculture Insurance Underwriter Risk Desk, Government Aquaculture Inspector Portal, Major Retailer Procurement Portal, ASC / BAP / GlobalG.A.P. / RSPCA Assured Certification Body Portal and Aquaculture Veterinary Authority Portal;
the Pre-Stocking Stand-by Service line (separate professional-service engagement — operational concierge only; not an emergency-dispatch, veterinary, marine-rescue or mass-mortality service);
user accounts, Sites, Workspaces, subscriptions, trials, pilots, onboarding sessions, support channels, billing operations and authentication services that we operate in connection with the App;
the App’s landing pages, help articles and documentation hosted on mlconsulting.lt that describe AquaBio Control; and
email, in-application and other communications you exchange with us about the App.
Where Apple Inc. or its subsidiaries, or any other independent third party, processes personal data on its own account in connection with the App — for example, the Apple App Store, Sign in with Apple, App Clip experience hosting, APNs push, ActivityKit, ClockKit, CoreNFC, Vision framework, iCloud, or a payment-card network — that party acts as a separate controller and its own privacy policy applies in addition to this Policy.
4. Our two privacy roles — controller and processor
4.1 We act as controller
We determine the purposes and means of processing for the following categories, which is why this Policy applies to them directly:
account and authentication data we collect to identify you and operate your user account;
device, technical, telemetry and security-event data the App generates during normal use;
communications and support correspondence about the App;
billing and payment data we collect from Direct-Channel Subscribing Customers (all paid AquaBio Control tiers, Counterparty Portal seats and the Pre-Stocking Stand-by Service line); and
Pre-Stocking Stand-by Service engagement records (separate professional-service line).
4.2 We act as processor
AquaBio Control operates on a Site / Workspace model. The Subscribing Customer — a salmon, trout, carp or equivalent aquaculture producer, hatchery operator, premium stocked-fishery operator, multi-site aquaculture group, aquaculture insurance underwriter, government aquaculture inspectorate, major retailer procurement desk, certification body or aquaculture veterinary authority — is the aquaculture producer, the food-business operator and the legal employer of site personnel (as applicable), the controller of biosecurity, mortality, veterinary and certification records, and the contracting party with the producer HQ, veterinary authority, certifier, retailer, insurer and venue. The Subscribing Customer uses the App to manage Sites, biosecurity zones, mortality picks, sea-lice counts, Site Locks and Counterparty Portal seats. For that Customer Data — including site-manager, biosecurity-lead, hatchery-technician, fish-farm-worker, supervisor, operations-manager, bailiff, App Clip user and counterparty-representative personal data; AVFoundation mortality / welfare / biosecurity-zone photographs, Vision-framework dead-fish-counting outputs, PencilKit site-map markup, voice memos, CoreNFC scan records, Face ID-signed task-execution acknowledgements and Apple Watch-initiated Site-Lock signatures within the meaning of Schedule A of the Terms and Conditions — the Subscribing Customer is the data controller and ML Consulting acts as a processor under the Master DPA, which meets the requirements of Article 28 GDPR.
In that role we process Customer Data only on the documented instructions of the Subscribing Customer, except where we are required to act otherwise by EU or Lithuanian law. If you are a site manager, biosecurity lead, hatchery technician, fish-farm worker, supervisor, operations manager, bailiff, App Clip user (visiting government inspector, veterinary authority, retailer auditor or certification auditor), Counterparty Portal recipient or other individual whose personal data has been uploaded to AquaBio Control by a Subscribing Customer, that organisation is the controller and you should approach it first with any data-protection request. We will redirect any request we receive on its behalf without undue delay (see section 17.4). For the avoidance of doubt, ML Consulting does not use Subscriber Data — including AVFoundation mortality / welfare / biosecurity-zone photographs, Vision-framework dead-fish-counting outputs, PencilKit site-map markup, voice memos, CoreNFC scans, biosecurity strategy, mortality data, certification audit findings or retailer-allocation arrangements — to train, fine-tune, evaluate or benchmark any general-purpose, veterinary, welfare-scoring, mortality-attribution, escape-attribution, certification or counterparty-risk machine-learning model, and does not disclose Subscriber Data to any third-party model provider without the express written consent of the Subscribing Customer.
5. Apple App Store, iOS, watchOS, Vision and CoreNFC platform context
Because the App is delivered through the Apple App Store and runs on Apple’s iOS, iPadOS and watchOS platforms, several aspects of how your personal data is handled are inherited from Apple’s platform. This section makes the most relevant ones explicit, including the Vision-framework and CoreNFC surfaces.
5.1 App Privacy details on the App Store
Apple requires every application on the App Store to publish a structured summary of the data it collects (the “App Privacy details”, commonly described as the App Store privacy “nutrition label”). The App Privacy details for AquaBio Control are kept consistent with this Policy. Indicatively, they declare Contact Info (the email addresses of Counterparty Portal recipients, App Clip government inspector / veterinary / retailer / certification users and your own account email), User Content (Site / biosecurity-zone / mortality / sea-lice / sample / treatment / Site-Lock records, AVFoundation photos, Vision-framework dead-fish-counting outputs and label-OCR outputs, voice memos, PencilKit site-map markup, Face ID-signed acknowledgements, CoreNFC scan records, Apple Watch interaction events and watermarked Pack PDFs) and, where opted-in, Diagnostics and anonymous Usage Data. Tracking is declared as None.
5.2 App Tracking Transparency
AquaBio Control does not track you across other companies’ applications and websites within the meaning of Apple’s App Tracking Transparency framework. We do not request the App Tracking Transparency permission and we do not use the iOS Identifier for Advertisers (IDFA). The App’s App Store declaration is set to “Data Not Used to Track You”. Consistent with the explicit prohibition in clauses A8.3 and A13 of Schedule A, we never apply behavioural, ranking, employability, blacklist or counterparty-risk profiling to any worker, inspector, retailer representative, certifier representative or counterparty representative.
5.3 Privacy Manifest
AquaBio Control ships an Apple-required Privacy Manifest (PrivacyInfo.xcprivacy) declaring the data categories the App collects, the reasons for any use of “required reason” iOS APIs (including the camera, microphone, photo library, location, NFC, Vision and Speech-recognition APIs) and the third-party SDKs the App depends on. The Privacy Manifest is the machine-readable counterpart of this Policy.
5.4 iOS sandbox and Data Protection
On-device application data is held inside the iOS application sandbox and benefits from Apple’s default Data Protection (typically the “Complete Until First User Authentication” class), which encrypts that data at rest using a key derived from your device passcode. Where the App needs to retain a small secret value (for example, a session token or a worker PIN hash), we use Apple’s Keychain Services rather than handling secrets ourselves. PINs used to authenticate workers on the shared iPad cockpit at the site office or hatchery control room are stored as salted hashes only — never as plain-text.
5.5 Sign in with Apple, email magic-link and shared-device PIN
The App offers Sign in with Apple for site managers, biosecurity leads and administrator-level accounts, in line with Apple’s App Store Review Guidelines § 4.8. When you choose this option, Apple supplies us with a stable Apple Account identifier and either your real email address or an Apple-generated relay address (“Hide My Email”). The App also supports email magic-link authentication: you receive a one-time signed link by email, and we never store a password. We never receive your Apple Account password. Hatchery technicians, fish-farm workers, supervisors and bailiffs using the shared iPad cockpit and waterproof iPhone case authenticate with a personal PIN (stored as a salted hash) and may complete Face ID-signed task-execution acknowledgements and Site-Lock acknowledgements. The Subscribing Customer is responsible for ensuring every User meets the relevant biosecurity, veterinary-medicine handling, manual-handling, working-at-water, lone-working, cold-water immersion and Maritime and Coastguard Agency / Sjøfartsdirektoratet / equivalent maritime-safety training requirements before being granted access.
5.6 Face ID, PencilKit, Apple Watch Site-Lock, Vision dead-fish counting, CoreNFC — not eIDAS, not veterinary authority
High-consequence operations — Face ID-signed task-execution acknowledgements, PencilKit site-map markup (typically captured on iPad with Apple Pencil Pro at the site office and hatchery control room), Apple Watch-initiated Site-Lock signatures, AVFoundation mortality / welfare / biosecurity-zone photographs, Vision-framework dead-fish-counting and label-OCR outputs, CoreNFC zone / boot-bath / equipment tag scans, Audit Defence Pack and Pack assembly, Counterparty Portal seat issuance and audit-log access — can be gated by Face ID / Touch ID through Apple’s LocalAuthentication framework. Biometric data never leaves the device; Apple does not provide us with your biometric template. The App stores only the verified / not-verified outcome and the authentication-type metadata. PencilKit markup uses Apple’s PencilKit framework. CoreNFC tokens are short, scoped per-Site / per-zone / per-equipment identifiers — they do not embed worker, inspector, retailer, certifier or counterparty personal information.
As clauses A5 and A13 of Schedule A make clear, Face ID-signed acknowledgements, PencilKit site-map markup, Apple Watch-initiated Site-Lock signatures, AVFoundation photographs, Vision-framework dead-fish-counting outputs, CoreNFC scans and PIN entries captured in AquaBio Control are operational acknowledgements that an authorised User took a specified biosecurity, mortality-pick, sampling, treatment-administration or Site-Lock action at a specified time. They are NOT Qualified Electronic Signatures, Advanced Electronic Signatures or any other formally defined electronic signature under Regulation (EU) 910/2014 (eIDAS); they are NOT a veterinary diagnostic, sampling, screening, identification, characterisation, sequencing or notification authority; NOT a Regulation (EU) 2016/429 / Delegated Regulation (EU) 2020/689 / Regulation (EU) 2019/6 / WOAH / Marine Scotland / DEFRA Cefas / Mattilsynet / Heilsufrøðiliga starvsstovan / SERNAPESCA / DFO / Irish Marine Institute / Tasmanian DPIPWE filing; NOT an ASC / BAP / GlobalG.A.P. / FOS / Soil Association / RSPCA Assured certification; NOT a major-retailer procurement approval; NOT an aquaculture insurance underwriting decision; NOT a 911 / 999 / 112 dispatch; and NOT a regulatory submission to any authority.
5.7 Apple Watch (watchOS) companion — site manager, biosecurity lead, senior worker wrist on site
The watchOS companion hosts glanceable, time-critical operational interactions for the site manager, biosecurity lead and senior worker on site: sea-cage / pond / tank / hatchery wrist haptics, biosecurity-zone breach pulses, mortality-escalation alerts, Site-Lock countdown ClockKit complications, exception-escalation pulses, Pre-Stocking Stand-by Service incident acknowledgement and Apple Watch-initiated Site Lock. It uses standard Apple frameworks (watchOS, ActivityKit, ClockKit, BGTaskScheduler) and stores its operational data on-device through the watchOS sandbox until the iPhone synchronises. The Apple Watch is a productivity companion — not a calibrated water-quality / dissolved-oxygen / temperature / salinity instrument, not a veterinary diagnostic, not a notifiable-disease pre-notification authority, not an ASC / BAP / GlobalG.A.P. / RSPCA Assured certification authority, not a major-retailer procurement authority, not a 911 / 999 / 112 button, not a marine-rescue or man-overboard service, and not a fire / gas / evacuation alarm.
5.8 Vision framework — on-device dead-fish counting and label OCR
AquaBio Control uses Apple’s Vision framework to perform on-device dead-fish counting on AVFoundation mortality-pick captures and on-device label OCR for biosecurity zone tags, treatment labels and equipment tags. Vision-framework outputs are processed locally on your iPhone or iPad and used as advisory suggestions against the Subscribing Customer’s mortality-tracking workflow. Outputs are advisory only — they are NOT a veterinary diagnostic, NOT a mortality-cause attribution, NOT a welfare assessment, NOT a notifiable-disease detection and NOT a calibrated metrology. Below a confidence threshold, the App surfaces a “needs review” badge and does not auto-publish a count or match.
5.9 CoreNFC — zone tags, boot baths and equipment tags
AquaBio Control uses Apple’s CoreNFC framework to read NFC tags affixed to biosecurity zones, boot-bath stations, equipment, mortality bins, cold-storage rooms and quarantine entry / exit points. CoreNFC tokens are short, scoped per-Site / per-zone / per-equipment identifiers issued by the Subscribing Customer’s admin. They do not embed worker, inspector, retailer, certifier or counterparty personal data — they identify the physical zone, boot bath or equipment only, and the relationship between a token and any biosecurity-execution step is held in the Subscribing Customer’s Workspace inside the App. CoreNFC scans are processed locally on the device and the resulting acknowledgement is synced to the backend as a Workspace audit-log entry.
5.10 App Clip — visiting government inspectors, veterinary authorities, retailer auditors, certification auditors
AquaBio Control uses Apple’s App Clip framework. A visiting government inspector, visiting veterinary authority, visiting retailer auditor or visiting certification auditor may scan an App Clip QR code at the site office, hatchery control room, biosecurity-zone gate or quayside induction point and open the App Clip for a single Site / engagement window without installing the full App. App Clip code, App Clip experience hosting and the App Clip lifecycle (including the iOS-enforced binary cap and limited entitlements) are governed by Apple’s App Clip platform. App Clip sessions are scoped to a single Site and a single engagement window and are tracked under an AppClipSession record (Site, App Clip user role, Apple identifier supplied by Apple’s App Clip flow, session start and end timestamps, captures and acknowledgements performed). App Clip access does not entitle any user to producer-HQ commercial information, biosecurity strategy, mortality data, certification audit findings or retailer-allocation arrangements outside the scope expressly configured by the Subscribing Customer.
5.11 Counterparty Portals
The App can issue scoped read-only seats to six browser-accessible Counterparty Portals — Major Salmon Producer HQ Portal, Aquaculture Insurance Underwriter Risk Desk, Government Aquaculture Inspector Portal, Major Retailer Procurement Portal, ASC / BAP / GlobalG.A.P. / RSPCA Assured Certification Body Portal and Aquaculture Veterinary Authority Portal — each governed by a separate Order Form. Counterparty Portals are served by AquaBio Control’s EU-resident backend, are scoped to records the Subscribing Customer expressly selects under the underlying contract (Sites, biosecurity zones, mortality windows, sea-lice counts, sampling events, production cycles), respect producer-HQ / insurer / inspector / retailer / certifier / veterinary-authority confidentiality metadata configured by the Subscribing Customer, default to pseudonymising worker identifiers and excluding commercial allocation information where exposure is not necessary, expire on a deadline set by the Subscribing Customer and are revocable at any time. Personal data of Counterparty Portal recipients is processed as Customer Data on behalf of the Subscribing Customer (we act as processor).
5.12 AVFoundation, PencilKit, Speech, ActivityKit, ClockKit, APNs and EventKit
AquaBio Control relies on a number of Apple frameworks and platform services, each governed by Apple’s privacy terms in addition to this Policy: AVFoundation (camera and microphone capture for mortality, welfare and biosecurity-zone photographs and brief voice memos, with the device in a waterproof case at the sea cage and hatchery); PencilKit (PencilKit + Apple Pencil Pro site-map markup on iPad — the marquee site-manager / biosecurity-lead surface); Speech framework (on-device first-pass hands-free dictation at the cage edge and at the hatchery); APNs Time-Sensitive (biosecurity-zone breach, mortality-escalation, Site-Lock countdown, exception-escalation, Pre-Stocking Stand-by Service incident, sync-conflict notifications — operational, not emergency dispatch, not veterinary, not notifiable-disease, not certification, not retailer-approval); ActivityKit Live Activities (current Site-Lock state on the Dynamic Island and Lock Screen); ClockKit (Apple Watch complication — Site-Lock countdown and site-manager Smart Stack pulse); EventKit (optional writes of biosecurity / vaccination / sampling / harvest follow-ups to Apple Calendar); BGTaskScheduler (background sync from offshore sea cages, fjord sites, rural hatcheries and stocked fisheries); StoreKit 2 (preserved for any future App Store IAP path — currently not the default channel).
5.13 App Privacy Report
iOS 15.2 and later provide an in-operating-system App Privacy Report (Settings → Privacy & Security → App Privacy Report) that lets you inspect the sensors, data categories and network domains the App has accessed. AquaBio Control is designed so that this report shows the Apple platform domains used by the features above, plus ML Consulting’s EU-resident backend, the payment-processor endpoint (Stripe) and the AI sub-processor endpoint where the backend AI add-on has been enabled by the Subscribing Customer (see section 14).
6. Key terms used in this Policy
Personal data — any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
Processing — any operation performed on personal data, including collection, recording, organisation, storage, use, disclosure and erasure.
Controller — the person who determines the purposes and means of processing.
Processor — a person who processes personal data on behalf of a controller.
Subscribing Customer — the business customer (a salmon, trout, carp or equivalent aquaculture producer, hatchery operator, premium stocked-fishery operator, multi-site aquaculture group, aquaculture insurance underwriter, government aquaculture inspectorate, major retailer procurement desk, certification body or aquaculture veterinary authority) that signed the Order Form.
Site — a single discrete aquaculture site or hatchery managed as a Workspace in AquaBio Control, including its sea cages, pens, ponds, tanks, raceways, quarantine zones, biosecurity zones, boot-bath stations, cold-storage rooms, processing lines and adjacent water column / seabed lease area.
Production Cycle — a defined stocking / production window from stocking through grow-out to harvest.
Biosecurity Zone — a logically defined zone within a Site within which biosecurity execution (boot-bath crossings, equipment use, personal-protective-equipment changes, lone-working access) is controlled and recorded.
Site Lock — the moment at which the site manager or biosecurity lead locks the site-state plan for a Production Cycle phase, captured by a Face ID-signed (and optionally Apple-Watch-initiated) acknowledgement.
Customer Data — all data submitted by, or generated for, the Subscribing Customer through the App, App Clip surface, watchOS companion, Counterparty Portals or share links, including Site / biosecurity-zone / mortality / sea-lice / sampling / treatment / Site-Lock records, AVFoundation photos, Vision-framework outputs, voice memos, PencilKit site-map markup, Face ID-signed acknowledgements, CoreNFC scan records, Apple Watch interaction events and watermarked Pack PDFs.
Pack — a watermarked, version-stamped PDF generated by AquaBio Control, including Audit Defence Pack, Site-Lock Evidence Pack, Mortality Escalation Pack, Biosecurity Zone Pack, Notifiable-Disease Pre-Notification Pack, Major Salmon Producer HQ Pack, Aquaculture Insurance Underwriter Pack, Government Aquaculture Inspector Pack, Major Retailer Procurement Pack, ASC / BAP / GlobalG.A.P. / RSPCA Assured Certification Pack and Aquaculture Veterinary Authority Pack.
Counterparty Portal — a web-link surface offering scope-correct read-only seats to one of six counterparty types: Major Salmon Producer HQ, Aquaculture Insurance Underwriter, Government Aquaculture Inspector, Major Retailer Procurement, ASC / BAP / GlobalG.A.P. / RSPCA Assured Certification Body, Aquaculture Veterinary Authority.
App Clip — a short-lived authenticated session for a visiting government inspector, visiting veterinary authority, visiting retailer auditor or visiting certification auditor, scoped to a single Site and engagement window.
CoreNFC Token — an NFC tag affixed to a biosecurity zone, boot bath, equipment item, mortality bin, cold-storage room or quarantine entry / exit point, scoped per-Site / per-zone / per-equipment and not embedding personal data.
Apple Watch Surface — the watchOS companion that hosts the site manager’s, biosecurity lead’s and senior worker’s wrist haptic on site. A productivity companion only — not a veterinary, notifiable-disease, calibrated-instrument, certification, retailer, insurance or marine-rescue authority.
Pre-Stocking Stand-by Service — an optional, founder / partner-led operational concierge dispatch retainer for the pre-stocking window. An operational concierge only — NOT an emergency-dispatch, veterinary, notifiable-disease, marine-rescue, man-overboard, mass-mortality, certification or insurance-claim service and NOT a substitute for the Subscribing Customer’s own qualified personnel or public emergency services.
On-device — data stored or processed locally on the user’s iPhone, iPad or Apple Watch inside the iOS / watchOS application sandbox; it does not leave the device unless this Policy says otherwise.
Backend — AquaBio Control’s EU-resident server-side service, to which on-device records are synced and from which Counterparty Portals, Packs and (where enabled) AI narrative drafts are served.
Sub-processor — a third-party service provider that processes personal data on our behalf or that supports a feature of the App.
EEA — the European Economic Area, comprising the EU Member States, Iceland, Liechtenstein and Norway.
VDAI — Valstybinė duomenų apsaugos inspekcija, the Lithuanian State Data Protection Inspectorate, our lead supervisory authority.
7. Personal data we process
We collect only the data we reasonably need to operate, secure, support and improve the App. The categories below describe what AquaBio Control processes; not every Subscribing Customer, user account, Site or Production Cycle will involve every category.
Account and authentication data: Name, email address, account identifier, authentication method (Sign in with Apple, email magic-link or shared-device PIN), Apple-issued relay address where you used “Hide My Email”, Workspace membership, role (site manager, biosecurity lead, hatchery technician, fish-farm worker, supervisor, operations manager, bailiff, viewer, plus deferred role hints for producer HQ / insurance / inspector / retailer / certification / veterinary portals) and permissions. We do not store passwords; magic-link authentication uses one-time signed links and shared-device PINs are salted-hashed. The Subscribing Customer is responsible for ensuring every User meets the relevant biosecurity, veterinary-medicine handling, manual-handling, working-at-water, lone-working, cold-water immersion and maritime-safety training requirements before being granted access; the App does not verify those credentials.
Device, technical and telemetry data: IP address (typically truncated for analytics), device model and operating-system version (iOS, iPadOS, watchOS), App version, language and timezone, pseudonymised interaction events (screens viewed, features used, Site-Lock countdown metrics, Vision dead-fish-counting confidence metrics, CoreNFC scan duration), crash reports, performance traces and security-relevant events such as failed log-ins, failed PIN attempts and biometric gate attempts.
Communications and support data: The content and metadata of any email, support ticket, in-app help message, demo request, onboarding call note, Pre-Stocking Stand-by Service correspondence, mass-mortality / escape / notifiable-disease incident communication or other correspondence with us, including any attachments you choose to send.
Billing and payment data (Direct Channel — all paid tiers, Counterparty Portal seats and the Pre-Stocking Stand-by Service line): Invoicing entity name, registered address, VAT identifier, signatory contact, Order Form record (Plan — Pilot, Single Site Pro, Multi-Zone Site Pro, Multi-Site Group Pro, Salmon Producer Site, Major Salmon Producer HQ Multi-Region, Major Salmon Producer HQ Portal, Aquaculture Insurance Underwriter Risk Desk, Government Aquaculture Inspector Portal, Major Retailer Procurement Portal, ASC / BAP / GlobalG.A.P. / RSPCA Assured Certification Body Portal, Aquaculture Veterinary Authority Portal, Pre-Stocking Stand-by Service — term, fees, Site / seat / counterparty limits, add-ons), payment-status data, bank-transfer reference and the last four digits of the payment card where card payment is used through Stripe. We do not store full payment-card numbers; payment-card data is processed by Stripe.
Customer Data — Site, biosecurity-zone, mortality, sea-lice, sampling, treatment and Site-Lock records: Sites, biosecurity zones, sea cages, ponds, tanks, raceways, quarantine zones, boot-bath stations, mortality picks, sea-lice counts, sampling events (entered by the Subscribing Customer), veterinary medicinal product administrations (entered by the Subscribing Customer), water-quality readings (entered by the Subscribing Customer — the App does not measure), Site Locks, AVFoundation mortality / welfare / biosecurity-zone photographs, Vision-framework dead-fish-counting outputs and label-OCR outputs, voice memos (with on-device first-pass Speech transcript), PencilKit site-map markup, Face ID-signed task-execution acknowledgements, Apple Watch-initiated Site-Lock signatures, CoreNFC scan records, Apple Watch interaction events, Audit Defence Packs and Pack PDFs, and the append-only audit log.
Worker personal data — site managers, biosecurity leads, hatchery technicians, fish-farm workers, supervisors, operations managers, bailiffs: Where the Subscribing Customer invites site managers, biosecurity leads, hatchery technicians, fish-farm workers, supervisors, operations managers, bailiffs or other workers (employed or contractor) as authorised users: the worker’s name, email, role, Workspace identifier, the timestamp of their acknowledgement of the Workspace privacy notice, Apple Watch activity in the App and the records they capture (including Face ID-signed acknowledgements, PencilKit site-map markup, CoreNFC scans, and any voice memo or AVFoundation photograph in which they are identifiable). Where the Subscribing Customer chooses to record them, the App may also process User-claimed biosecurity, veterinary-medicine handling, manual-handling, working-at-water, lone-working, cold-water immersion and maritime-safety certificates; the App does not verify the validity of those credentials.
Producer-HQ, insurer, inspector, retailer, certifier and veterinary-authority data: Where the Subscribing Customer chooses to record them: organisation name, contact, role, scope of confidentiality undertaking, producer-HQ commercial-information reference, biosecurity-strategy reference, retailer-allocation reference, certification audit-finding reference, mortality-data reference and veterinary-authority reference. Treated as Customer Data on behalf of the Subscribing Customer.
App Clip session data — visiting government inspectors, veterinary authorities, retailer auditors, certification auditors: Where a visiting government inspector, veterinary authority, retailer auditor or certification auditor scans a QR code: an AppClipSession record (Site, App Clip user role, Apple identifier supplied by Apple’s App Clip flow, session start and end timestamps, captures and acknowledgements performed). Treated as Customer Data on behalf of the Subscribing Customer.
Counterparty Portal recipient data: Where the Subscribing Customer enables a Counterparty Portal seat: the recipient’s organisation, name, email or other contact details, role (major salmon producer HQ lead, aquaculture insurance underwriter risk-desk analyst, government aquaculture inspector, major retailer procurement lead, ASC / BAP / GlobalG.A.P. / RSPCA Assured certification body auditor, aquaculture veterinary authority), the scope of records the seat exposes (Sites, biosecurity zones, mortality windows, sea-lice counts, sampling events, production cycles), the expiry, the activity log and the revocation state. Treated as Customer Data on behalf of the Subscribing Customer.
CoreNFC token assignments: Short, scoped per-Site / per-zone / per-equipment identifiers issued by the Subscribing Customer’s admin. Tokens do not embed worker, inspector, retailer, certifier or counterparty personal data — they identify the physical zone, boot bath, equipment or storage room only.
Vision-framework dead-fish-counting and label-OCR data: On-device dead-fish-count outputs and label-OCR text for biosecurity zone tags, treatment labels and equipment tags, with confidence scores and the AVFoundation photograph reference. Used as advisory suggestions; not a veterinary diagnostic, mortality-cause attribution or welfare assessment.
Camera, microphone and on-device file data: AVFoundation mortality, welfare and biosecurity-zone photographs, voice memos (AVFoundation + on-device Speech framework first-pass transcript), PencilKit site-map markup on iPad. Camera, photo-library, microphone, NFC, Vision and Speech-recognition access are controlled by the iOS permission prompts and may be revoked at any time in iOS Settings. The Subscribing Customer is responsible for ensuring AVFoundation captures do not contravene producer-HQ commercial-information, biosecurity-strategy or retailer-allocation confidentiality undertakings.
Location data (CoreLocation, optional, event-based): Where the Subscribing Customer enables it, optional Site / sea-cage / hatchery / quayside GPS identification at the moment a User saves a record (the iOS “When In Use” permission). The App does not perform continuous background tracking.
Apple Watch (watchOS) interaction data — site manager / biosecurity lead / senior worker wrist on site: Apple Watch surface events: biosecurity-zone breach acknowledgements, mortality-escalation acknowledgements, Site-Lock countdown ClockKit complication state, exception-escalation pulses, Pre-Stocking Stand-by Service incident acknowledgements, Apple Watch-initiated Site-Lock signatures and Speech-framework dictation events. These events sync to the Workspace’s append-only audit log.
Apple Calendar (EventKit) integration: Where the Subscribing Customer enables it, the App writes biosecurity / vaccination / sampling / harvest follow-ups to the Apple Calendar of the relevant authorised user. We do not read or transmit your wider Calendar contents.
Notification preferences and tokens: Push-notification cadence toggles (biosecurity-zone breach, mortality-escalation, Site-Lock countdown, exception-escalation, Pre-Stocking Stand-by Service incident, sync-conflict); iOS notification permission state; APNs device push token; ActivityKit Live Activity state.
On-device Speech / CoreML / Vision inference outputs: Outputs of on-device Speech-framework first-pass dictation (used at the sea cage, hatchery and quayside), on-device CoreML voice-memo transcription, and on-device Vision-framework dead-fish counting and label OCR for biosecurity zones, treatment labels and equipment, stored alongside the raw input. All inference runs locally on your device.
Backend AI helper inputs and outputs (paid opt-in add-on): Where the Subscribing Customer has enabled the backend AI add-on: the audio clip sent for Whisper-class voice transcription and the structured-text input sent for Claude-class Audit Defence Pack, Site-Lock Evidence Pack, Mortality Escalation Pack, Biosecurity Zone Pack, Notifiable-Disease Pre-Notification Pack, Major Salmon Producer HQ Pack, Aquaculture Insurance Underwriter Pack, Government Aquaculture Inspector Pack, Major Retailer Procurement Pack, ASC / BAP / GlobalG.A.P. / RSPCA Assured Certification Pack or Aquaculture Veterinary Authority Pack narrative drafting, plus the generated draft outputs. Raw input is always retained alongside any AI-structured output. Producer-HQ commercial information, biosecurity strategy, retailer-allocation arrangements, certification audit findings and union-confidential material are excluded from transmission unless the Subscribing Customer expressly enables that flow. See section 14.
Application-generated data: Outputs of the deterministic biosecurity-execution engine, mortality-escalation engine, Site-Lock state machine, CoreNFC scan-matching engine, biometric-gate state machine, the audit log, capture-duration telemetry and similar computed values.
7.1 Special categories of personal data
AquaBio Control is not designed to collect special categories of personal data within the meaning of Article 9 GDPR. You must not upload special-category data to the App unless it is strictly necessary, supported by an appropriate legal basis under Articles 6 and 9 GDPR and subject to suitable safeguards. Biometric authentication (Face ID / Touch ID) is performed by Apple’s LocalAuthentication framework and biometric data never leaves the device; the App stores only the verified / not-verified outcome and the authentication-type metadata.
7.2 What we do not collect
To remove ambiguity, AquaBio Control does not collect:
the contents of your Apple Contacts, the wider Apple Calendar, your photo library beyond images you actively attach, or any HealthKit / HomeKit data;
data from any calibrated water-quality / dissolved-oxygen / temperature / salinity / pH / ammonia / nitrite / nitrate / turbidity / chlorophyll-a / harmful-algal-bloom instrument, sea-cage net-monitoring system, ROV / drone, harvest grading / vaccination / electrocuting stunning system, slaughter / processing line, veterinary diagnostic instrument, sequencer or laboratory information management system (LIMS) — the App does not interface with any such instrument or system, except via interfaces that we expressly authorise in writing;
behavioural-advertising identifiers; we do not run advertising, do not use the IDFA and do not share data with advertising networks;
analytics, attribution or crash-reporting data through any third-party SDK that has not been disclosed in this Policy and in the App’s Privacy Manifest;
continuous background-location data; Site / sea-cage / hatchery / quayside GPS capture (where enabled) is event-based only;
any behavioural, ranking, employability, blacklist, counterparty-risk or insurance-risk profile of any worker, inspector, retailer representative, certifier representative or counterparty representative.
8. How we collect personal data
We collect personal data in three ways:
Directly from you — when you create an account, complete a form, install or use the App on iPhone, iPad or Apple Watch, open an App Clip session as a visiting government inspector / veterinary authority / retailer auditor / certification auditor, open a Counterparty Portal share link, capture a biosecurity execution acknowledgement, mark a site map with PencilKit, scan a zone / boot-bath / equipment tag with CoreNFC, capture an AVFoundation photograph or voice memo, run Vision-framework dead-fish counting or label OCR, sign a Face ID-signed task-execution acknowledgement, initiate an Apple Watch Site Lock, generate an Audit Defence Pack or Counterparty Pack, contact support or subscribe to a communication.
Automatically through your use of the App — when the App generates technical, telemetry, security or computational data (capture-duration metrics, deterministic biosecurity-execution engine outputs, mortality-escalation engine outputs, Site-Lock countdown metrics, CoreNFC scan-matching metrics, Vision dead-fish-counting confidence metrics, Apple Watch interaction events, append-only audit-log entries) necessary to deliver, secure or improve the service, and when Apple platform services (APNs, ActivityKit, ClockKit, CoreNFC, Vision) supply data linked to your action.
From third parties — when Apple supplies us with the result of Sign in with Apple, when a Subscribing Customer administrator invites you to a Workspace or App Clip session, when Stripe confirms a payment, when a recipient opens a Counterparty Portal seat, or when an authority lawfully provides information in connection with a regulatory matter.
9. Why we process personal data and our legal bases
For each processing activity we rely on a lawful basis under Article 6(1) GDPR. The table below sets them out for the categories of processing covered by this Policy.
Purpose: Provide and operate the App, watchOS companion, App Clip and Counterparty Portal surfaces, including authentication, Sites, biosecurity zones, mortality picks, sea-lice counts, sampling, treatments, Site Locks, CoreNFC chain-of-custody, Vision-framework dead-fish counting and label OCR, Pack assembly, audit history, exports and sync. | Data used: Account and authentication data; device, technical and telemetry data; Customer Data and operational records; worker, App Clip user, producer-HQ / inspector / retailer / certifier / veterinary-authority (as processor) and Counterparty Portal recipient personal data (as processor). | Legal basis: Performance of a contract with the Subscribing Customer (or pre-contractual steps at its request). | GDPR ref.: Art. 6(1)(b)
Purpose: Process payments and manage billing for Direct-Channel Subscribing Customers via Stripe (all paid tiers, Counterparty Portal seats, Pre-Stocking Stand-by Service); comply with statutory accounting and tax retention. | Data used: Billing and payment data; account data. | Legal basis: Performance of a contract; compliance with a legal obligation under Lithuanian accounting and tax law. | GDPR ref.: Art. 6(1)(b); Art. 6(1)(c)
Purpose: Camera, microphone, AVFoundation mortality / welfare / biosecurity-zone photograph capture, on-device Speech-framework hands-free dictation. | Data used: Camera and microphone input (in memory); captured stills and voice clips (only when you save them); on-device Speech first-pass transcript. | Legal basis: Performance of a contract; consent for camera, microphone and Speech-recognition access via the iOS prompts. | GDPR ref.: Art. 6(1)(b); Art. 6(1)(a)
Purpose: Vision-framework on-device dead-fish counting and label OCR. | Data used: Bitmap regions, count outputs, OCR text and confidence scores; AVFoundation photograph reference. Inference runs locally on the device. | Legal basis: Performance of a contract. | GDPR ref.: Art. 6(1)(b)
Purpose: CoreNFC scans on biosecurity zone, boot-bath, equipment, mortality bin, cold-storage and quarantine entry / exit tokens. | Data used: Short, scoped per-Site / per-zone / per-equipment token identifiers; timestamps; reading device identifier; audit-log entry. No worker, inspector, retailer, certifier or counterparty personal data is embedded in tokens. | Legal basis: Performance of a contract; consent for NFC access via the iOS prompt where applicable. | GDPR ref.: Art. 6(1)(b); Art. 6(1)(a)
Purpose: Face ID-signed task-execution acknowledgements, PencilKit site-map markup and Apple Watch-initiated Site-Lock signatures on iPad / iPhone / Apple Watch with biometric verification. | Data used: LocalAuthentication verified / not-verified outcome and authentication-type metadata; PencilKit ink stroke; timestamp; audit-log entry. Operational acknowledgement only — not eIDAS, not veterinary authority, not notifiable-disease pre-notification, not certification, not retailer approval, not insurance underwriting. | Legal basis: Performance of a contract. | GDPR ref.: Art. 6(1)(b)
Purpose: Optional event-based Site / sea-cage / hatchery / quayside GPS identification. | Data used: Location data via the iOS “When In Use” location prompt. Not continuous tracking. | Legal basis: Consent via the iOS prompt. | GDPR ref.: Art. 6(1)(a)
Purpose: APNs Time-Sensitive push, ActivityKit Live Activity countdowns, ClockKit complications and configurable notification cadence (biosecurity-zone breach, mortality-escalation, Site-Lock countdown, exception-escalation, Pre-Stocking Stand-by Service incident, sync-conflict). | Data used: Notification preferences; APNs push token; application-generated alerts; ActivityKit Live Activity state. | Legal basis: Consent (granted via the iOS notification prompt and the App’s Settings). | GDPR ref.: Art. 6(1)(a)
Purpose: Optional EventKit writes of biosecurity / vaccination / sampling / harvest follow-ups to Apple Calendar. | Data used: Calendar event metadata. | Legal basis: Consent via the iOS Calendar prompt. | GDPR ref.: Art. 6(1)(a)
Purpose: On-device Speech-framework dictation and any on-device CoreML voice-memo transcription that we ship. | Data used: Audio attached to a record or voice memo; Speech / CoreML output stored alongside. | Legal basis: Performance of a contract. No data leaves the device. | GDPR ref.: Art. 6(1)(b)
Purpose: Backend AI helpers — Whisper-class voice transcription and Claude-class Audit Defence Pack / Pack-narrative drafts (paid opt-in add-on). | Data used: Audio clip or structured-text inputs (producer-HQ commercial information, biosecurity strategy, retailer-allocation arrangements, certification audit findings and union-confidential material excluded unless expressly enabled); generated draft outputs. | Legal basis: Performance of a contract; consent (Subscribing Customer admin add-on enablement). | GDPR ref.: Art. 6(1)(b); Art. 6(1)(a)
Purpose: Issue, serve and revoke Counterparty Portal seats and Pack share links, with producer-HQ / insurer / inspector / retailer / certifier / veterinary-authority confidentiality metadata honoured and worker pseudonymisation by default. | Data used: Recipient contact data; seat scope and expiry; activity log. | Legal basis: Performance of a contract. | GDPR ref.: Art. 6(1)(b)
Purpose: Operate the Pre-Stocking Stand-by Service line. | Data used: Account data; communications data; Stand-by engagement records. | Legal basis: Performance of a contract. | GDPR ref.: Art. 6(1)(b)
Purpose: Secure the App; prevent fraud, abuse, evidence tampering, Counterparty Portal link forging, CoreNFC token forging, signature forgery and unauthorised access — especially in respect of producer-HQ commercial-information, biosecurity-strategy, mortality-data, certification audit findings and retailer-allocation confidentiality. | Data used: Authentication data; device, technical and telemetry data; security-relevant events; append-only audit log; biometric gate state. | Legal basis: Legitimate interests in protecting the integrity, availability and confidentiality of the App, the evidentiary integrity of Audit Defence Packs and Counterparty Packs, and the biosecurity and commercial confidentiality of every Site. | GDPR ref.: Art. 6(1)(f)
Purpose: Improve the App; conduct privacy-respecting product analytics (opt-in). | Data used: Pseudonymised telemetry; aggregated usage statistics. | Legal basis: Legitimate interests in understanding how the App is used. Where required, consent. | GDPR ref.: Art. 6(1)(f); Art. 6(1)(a)
Purpose: Provide customer support and respond to enquiries. | Data used: Communications and support data; account data. | Legal basis: Performance of a contract; legitimate interests for general or pre-contractual enquiries. | GDPR ref.: Art. 6(1)(b); Art. 6(1)(f)
Purpose: Respond to data-subject requests and operate the GDPR rights workflow. | Data used: All categories relevant to the request. | Legal basis: Compliance with a legal obligation under the GDPR. | GDPR ref.: Art. 6(1)(c); Arts. 12 to 22
Purpose: Send service messages (security, billing, material change notices). | Data used: Account data; communications data. | Legal basis: Performance of a contract. | GDPR ref.: Art. 6(1)(b)
Purpose: Defend or pursue legal claims, including in respect of mass-mortality incidents, escape incidents, notifiable-disease investigations, certification audit disputes, retailer-procurement disputes, aquaculture insurance claims, environmental incidents or worker-safety incidents. | Data used: Data relevant to the claim. | Legal basis: Legitimate interests in establishing, exercising or defending legal claims. | GDPR ref.: Art. 6(1)(f)
Purpose: Comply with legal, regulatory, animal-health, veterinary, environmental, occupational-safety, tax and law-enforcement obligations and respond to lawful requests. | Data used: Data required by law (typically account, billing, audit and security logs). | Legal basis: Compliance with a legal obligation. | GDPR ref.: Art. 6(1)(c); Art. 23
Where we rely on legitimate interests under Article 6(1)(f) GDPR, we have carried out and documented a balancing assessment that concluded our interests are not overridden by your fundamental rights and freedoms — including the elevated confidentiality expectations of major producers, retailers, veterinary authorities and certification bodies. Where we rely on consent under Article 6(1)(a) GDPR, you may withdraw it at any time without affecting the lawfulness of processing carried out before the withdrawal.
10. Offline-aware architecture, on-device storage and EU-resident backend
AquaBio Control is offline-aware. Biosecurity execution acknowledgements, mortality-pick records, sea-lice counts, sampling events (entered by the Subscribing Customer), treatment administrations (entered by the Subscribing Customer), Site-Lock acknowledgements, AVFoundation mortality / welfare / biosecurity-zone photographs, Vision-framework outputs, voice memos, PencilKit site-map markup, Face ID-signed acknowledgements and CoreNFC scans are written first to on-device storage (SwiftData on iPhone and iPad, watchOS storage on Apple Watch) inside the iOS / watchOS application sandbox. Records sync to the AquaBio Control backend when connectivity returns — including from offshore sea cages, fjord sites, rural hatcheries, premium stocked fisheries and locations with patchy carrier coverage. If you delete the App, reset your device or fail to maintain a backup before sync, locally-held but unsynced data may be lost.
The backend is hosted in the European Union. Personal data is encrypted in transit (TLS 1.2 or higher) and at rest. Records and files are isolated per Workspace using row-level security and signed-URL access. Background sync uses Apple’s BGTaskScheduler when iOS schedules it; this is best-effort and depends on device state.
11. Subscribing Customers, workers, App Clip users and Counterparty Portal recipients
AquaBio Control is operated on a Site / Workspace model. The Subscribing Customer’s administrator may invite site managers, biosecurity leads, hatchery technicians, fish-farm workers, supervisors, operations managers, bailiffs and external viewers; configure roles; view activity inside the Workspace; generate Audit Defence Packs and Counterparty Packs; issue Counterparty Portal seats; and configure retention. The administrator is responsible for ensuring that invited users, App Clip users (visiting government inspectors, veterinary authorities, retailer auditors, certification auditors) and Counterparty Portal recipients receive an appropriate privacy notice and that the organisation has a valid lawful basis for processing their personal data.
For these features we act as processor of Customer Data on behalf of the Subscribing Customer under the Master DPA. Subscribing Customers must rely on their own privacy notice for the substantive obligation under Articles 13 to 14 GDPR; this Policy applies in addition to that notice in respect of data we process as controller (account, telemetry, support, billing and similar data).
11.1 Worker monitoring under Article 88 GDPR
Because Apple Watch interaction events, Face ID-signed task-execution acknowledgements, PencilKit site-map markup, AVFoundation photographs, Vision-framework outputs, CoreNFC scans, voice memos and audit-log entries can constitute employee monitoring in many EU jurisdictions, the Subscribing Customer is responsible — under clauses A11 and A12 of Schedule A — for satisfying the worker-monitoring obligations of every jurisdiction in which the relevant Site operates. This includes Article 88 GDPR (processing in the context of employment) and the national rules implementing it; the French Code du travail; the German Betriebsverfassungsgesetz / works-council consultations; the Italian Statuto dei lavoratori; the Norwegian Arbeidsmiljøloven; the Faroese arbeitslóggáva; the Chilean Código del Trabajo; the Canadian provincial labour codes; the Tasmanian Industrial Relations Act; and the rules of any applicable aquaculture-sector collective bargaining agreement, works-council or freelance-engagement consultation procedure.
Before granting any worker access, the Subscribing Customer must provide a privacy notice meeting Articles 13 to 14 GDPR and the national worker-information rules implementing Article 88 GDPR, consult representatives where required, establish and document an appropriate lawful basis under Article 6(1) GDPR, and use monitoring features proportionately and only for the legitimate operational purposes described in the worker privacy notice. The App is not designed for, and must not be used for, covert worker, inspector, retailer-rep, certifier-rep or counterparty surveillance, and must not be described to any such person as anything other than an operational biosecurity, mortality-escalation, stock-risk traceability and Site-Lock evidence tool.
11.2 Aquaculture animal-health law, notifiable-disease and veterinary-medicines responsibility
Under clauses A3, A9 and A13 of Schedule A, the Subscribing Customer remains the aquaculture producer, the food-business operator and (as applicable) the legal employer of site personnel. The App does not transfer any aquaculture-animal-health, notifiable-disease, veterinary-medicines or food-business obligation to ML Consulting. No App output, Audit Defence Pack, Site-Lock Evidence Pack, Mortality Escalation Pack, Biosecurity Zone Pack, Notifiable-Disease Pre-Notification Pack, Counterparty Pack, Face ID-signed acknowledgement, PencilKit site-map markup, Apple Watch acknowledgement, Vision-framework dead-fish-counting output or CoreNFC scan constitutes a Regulation (EU) 2016/429 (Animal Health Law) / Commission Delegated Regulation (EU) 2020/689 / Regulation (EU) 2019/6 (veterinary medicinal products) / WOAH Aquatic Animal Health Code / Marine Scotland / DEFRA Cefas / Mattilsynet / Heilsufrøðiliga starvsstovan / SERNAPESCA / DFO / Irish Marine Institute / Tasmanian DPIPWE filing, notification, certification, prescribing, residue / withdrawal-period or cascade decision. Veterinary authority remains with qualified fish-health veterinarians; notifiable-disease authority remains with the competent veterinary authority of each jurisdiction — in each case independently of the App.
11.3 Certification, retailer compliance and animal welfare
Under clauses A10 and A11 of Schedule A, ASC, BAP / Global Seafood Alliance, GlobalG.A.P. Aquaculture, Friend of the Sea, Soil Association Salmon and RSPCA Assured certification decisions remain with the certifier; major-retailer (Tesco, Sainsbury’s, Marks & Spencer, Waitrose, Lidl, Aldi, Walmart, Kroger, Whole Foods, Costco and equivalents) procurement-approval decisions remain with the retailer; aquaculture insurance underwriting / claims decisions remain with the carrier; and animal-welfare, containment / escape, marine-environment and worker-safety decisions remain with the Subscribing Customer’s qualified personnel — in each case independently of the App.
11.4 App Clip — visiting government inspectors, veterinary authorities, retailer auditors, certification auditors
Where a visiting government inspector, visiting veterinary authority, visiting retailer auditor or visiting certification auditor scans an App Clip QR code at the site office, hatchery control room, biosecurity-zone gate or quayside induction point and opens the App Clip surface, the Subscribing Customer is responsible for providing — on or before the first App Clip session — the privacy notice required by Articles 13 to 14 GDPR (adapted to the App Clip scope) and any contractual / confidentiality arrangement with the relevant authority, retailer or certifier. Use of the App Clip surface does not create any agency, employment, supply, regulatory, retailer-procurement or certification relationship between ML Consulting and the App Clip user or any party, and does not entitle any user to producer-HQ commercial-information, biosecurity strategy, mortality data, certification audit findings or retailer-allocation arrangements.
11.5 Counterparty Portal recipients and producer-HQ / insurer / inspector / retailer / certifier / veterinary-authority confidentiality
Where the Subscribing Customer enables a Counterparty Portal seat for a major salmon producer HQ lead, an aquaculture insurance underwriter risk-desk analyst, a government aquaculture inspector, a major retailer procurement lead, an ASC / BAP / GlobalG.A.P. / RSPCA Assured certification body auditor or an aquaculture veterinary authority, the Subscribing Customer is responsible for: limiting the seat scope to records the recipient actually needs under the underlying contract; setting an appropriate expiry; honouring the producer-HQ / insurer / inspector / retailer / certifier / veterinary-authority confidentiality metadata configured for each item; pseudonymising worker identifiers and excluding commercial allocation information where exposure is not necessary; and informing the recipient that the seat delivers a read-only operational record only — not a Regulation (EU) 2016/429 / Delegated Regulation (EU) 2020/689 / Regulation (EU) 2019/6 / WOAH / DEFRA Cefas / Marine Scotland / Mattilsynet / Heilsufrøðiliga starvsstovan / SERNAPESCA / DFO / Irish Marine Institute / Tasmanian DPIPWE filing, ASC / BAP / GlobalG.A.P. / FOS / Soil Association / RSPCA Assured certification, major-retailer procurement approval, aquaculture insurance underwriting decision or regulatory submission.
12. Recipients of personal data
We share personal data only with the categories of recipients listed below, and only to the extent necessary for the purpose. We do not sell personal data, and we do not “share” personal data for cross-context behavioural advertising as that term is defined under California law. We do not share or sell Site, biosecurity-zone, mortality, sea-lice, sampling, veterinary, certification, retailer, producer-HQ or counterparty data with any third party for advertising or commercial-intelligence purposes, and we do not disclose Subscriber Data to any third-party machine-learning provider for training, fine-tuning, evaluation, benchmarking, veterinary, welfare-scoring, mortality-attribution, escape-attribution, certification or counterparty-risk purposes.
Recipient category | Purpose | Status
Apple Inc. and Apple Distribution International Limited | App Store distribution, Sign in with Apple, App Clip experience hosting, APNs push delivery, ActivityKit Live Activities, ClockKit (watchOS), CoreNFC and Vision-framework platform integration, iCloud where used, StoreKit 2 (preserved for any future App Store IAP path) and related Apple platform services. | Independent controller for App Store-side and Apple-platform-side processing.
EU-resident backend hosting provider (managed Postgres) | Host the AquaBio Control backend, including encrypted Site / biosecurity-zone / mortality / sea-lice / sampling / Site-Lock storage, signed-URL file storage for AVFoundation photos, row-level security per Workspace, scheduled jobs (biosecurity-zone breach, mortality-escalation, Site-Lock countdown, exception-escalation, Pre-Stocking Stand-by Service incident dispatch, sync-conflict notifications) and Counterparty Portal serving. | Sub-processor under written terms; data hosted in the European Union.
Workflow orchestration provider (server-side cron and event jobs) | Run scheduled jobs — biosecurity-zone breach dispatch, mortality-escalation dispatch, Pre-Stocking Stand-by reminders, sync-conflict notifications and Pack assembly. | Sub-processor under written terms.
Payment provider — Stripe | Process Direct-Channel payments (cards and other payment methods), invoices, refunds, taxes and reconciliation for all paid tiers, Counterparty Portal seats and the Pre-Stocking Stand-by Service line. We do not store full payment-card numbers. | Independent controller for payment-card processing; sub-processor for billing data.
Email-delivery provider | Send service messages, magic-link authentication emails, support replies, onboarding communications and Counterparty Portal share-link emails. | Sub-processor under written terms.
Anonymised product-analytics, monitoring and crash-reporting providers | Privacy-respecting product analytics, performance monitoring and bug diagnostics; pseudonymised where feasible; opt-in for Diagnostics and Usage Data in the App Privacy details; never on identifiable producer-HQ, biosecurity-strategy or retailer-allocation data. | Sub-processors under written terms; used only after consent where required.
Voice-transcription provider (backend Whisper-class, paid add-on) | Refine on-device first-pass transcripts of biosecurity / mortality / sampling / incident voice memos, where the Subscribing Customer has enabled the AI add-on. | Sub-processor under written terms; inputs and outputs are not used to train any third-party model.
Language-model provider (Anthropic — Claude-class Audit Defence Pack / Pack-narrative drafts, paid add-on) | Generate narrative drafts for Audit Defence Packs, Site-Lock Evidence Packs, Mortality Escalation Packs, Biosecurity Zone Packs, Notifiable-Disease Pre-Notification Packs, Major Salmon Producer HQ Packs, Aquaculture Insurance Underwriter Packs, Government Aquaculture Inspector Packs, Major Retailer Procurement Packs, ASC / BAP / GlobalG.A.P. / RSPCA Assured Certification Packs and Aquaculture Veterinary Authority Packs, where the Subscribing Customer has enabled the AI add-on. Producer-HQ commercial information, biosecurity strategy, retailer-allocation arrangements, certification audit findings and union-confidential material are excluded from transmission unless the Subscribing Customer expressly enables that flow. AI-drafted narratives carry a “Draft — review before sharing” watermark until an authorised user finalises. | Sub-processor under written terms; inputs and outputs are not used to train, fine-tune, evaluate or benchmark any third-party model, and are not used for veterinary, welfare-scoring, mortality-attribution, escape-attribution, certification or counterparty-risk purposes.
Professional advisers (lawyers, accountants, auditors, insurers) | Legal, tax, audit, insurance, veterinary, environmental and animal-welfare advice on a need-to-know basis. | Independent controllers under their own duties of confidence.
Public emergency services and competent veterinary / fisheries / environmental authorities | Where a Subscribing Customer’s personnel directly call 911 / 999 / 112 or contact the competent veterinary, fisheries, marine, environmental, food-safety, customs or law-enforcement authority (DEFRA Cefas Fish Health Inspectorate, Marine Scotland, Mattilsynet, Heilsufrøðiliga starvsstovan, SERNAPESCA, DFO, Irish Marine Institute, Tasmanian DPIPWE and equivalents), those bodies receive information directly from the Subscribing Customer — not from ML Consulting. We may, where lawfully required, provide records to such authorities in response to a binding request. | Independent controllers acting under their statutory powers.
Authorities, courts and regulators | Where we are required by law, court order or a binding regulatory request, including the Lithuanian State Data Protection Inspectorate (VDAI), the Lithuanian State Tax Inspectorate (VMI) where applicable and aquaculture, veterinary, fisheries, environmental and law-enforcement authorities in jurisdictions where Sites operate. | Independent controllers acting under their statutory powers.
Successor entity | In the context of a merger, acquisition, restructuring or sale of assets, subject to confidentiality safeguards, producer-HQ / insurer / inspector / retailer / certifier / veterinary-authority confidentiality safeguards and to the buyer continuing to honour the commitments in this Policy. | Independent controller after the transaction closes.
References in the App to major salmon producers (Mowi, Bakkafrost, Cooke, Scottish Sea Farms, Cermaq, Lerøy, SalMar, Grieg, Tassal, Huon, Multiexport, AquaChile, Camanchaca), aquaculture authorities (DEFRA / Cefas Fish Health Inspectorate, Marine Scotland, Mattilsynet, Heilsufrøðiliga starvsstovan, SERNAPESCA, DFO, Irish Marine Institute, Tasmanian DPIPWE), the WOAH (formerly OIE) Aquatic Animal Health Code, certification bodies (ASC, BAP / Global Seafood Alliance, GlobalG.A.P. Aquaculture, Friend of the Sea, Soil Association Salmon, RSPCA Assured), retailers (Tesco, Sainsbury’s, Marks & Spencer, Waitrose, Lidl, Aldi, Walmart, Kroger, Whole Foods, Costco and equivalents), aquaculture insurance carriers (AXA XL, Marsh, Howden, AON and equivalents) and equivalent bodies are descriptive only. None of those bodies endorses, certifies, audits, approves or warrants the App, the templates or any Pack, and none is a sub-processor, recipient or party to this Policy by virtue of being named.
A current list of our sub-processors, together with the country in which each provider operates, is published at mlconsulting.lt/legal/sub-processors and is updated when the list changes. Each sub-processor we engage is bound by a written contract that imposes the data-protection obligations required by Article 28 GDPR (or, where ML Consulting is the controller, equivalent contractual safeguards), with explicit prohibitions on the use of Subscriber Data for AI-model training, fine-tuning, evaluation or benchmarking, and explicit prohibitions on any secondary use for veterinary, welfare-scoring, mortality-attribution, escape-attribution, certification or counterparty-risk purposes.
13. International data transfers
ML Consulting MB is established in Lithuania and hosts the AquaBio Control backend in the European Union. Personal data is encrypted in transit and at rest, and we aim to keep personal data — particularly producer-HQ commercial-information, biosecurity-strategy, mortality data, certification audit findings and retailer-allocation arrangements — within the European Economic Area by default. Some of our sub-processors and the global infrastructure of Apple Inc. (App Store, App Clip hosting, APNs, ActivityKit, ClockKit, CoreNFC, Vision framework), Stripe and the language-model / voice-transcription add-on providers may process data in the United States or other regions where they operate.
Where personal data is transferred outside the EEA or the United Kingdom to a country that has not been the subject of an adequacy decision under Article 45 GDPR, we rely on one or more of the safeguards required by Chapter V GDPR, in particular:
European Commission adequacy decisions, including the EU-US Data Privacy Framework where the recipient is certified under it;
the European Commission’s Standard Contractual Clauses (Module Two — controller to processor — and Module Three — processor to sub-processor — as applicable), with the UK International Data Transfer Addendum or the UK International Data Transfer Agreement for transfers from the United Kingdom;
additional technical measures including TLS 1.2 or higher for data in transit and encryption at rest, as well as contractual and organisational measures appropriate to the risk and to the producer-HQ / biosecurity-strategy / mortality-data confidentiality sensitivity of the data; and
any other lawful transfer mechanism under Articles 46 to 49 GDPR.
14. Automated decision-making, on-device ML and backend AI
14.1 No solely-automated decisions with legal or similarly significant effects
We do not subject you to decisions producing legal effects concerning you or similarly significantly affecting you that are based solely on automated processing within the meaning of Article 22 GDPR. Where any aspect of a decision affecting you is informed by automated logic, a human is meaningfully involved in the outcome.
14.2 Explicit AI exclusions
Consistent with the App’s evidence-only design and with clauses 13.4 and A8.2–A8.3 of Schedule A, AquaBio Control does NOT offer:
AI veterinary diagnosis, sampling, screening, pathogen identification, characterisation, sequencing or notification (including ISAv, PDV, SRS, IPNv, IHNv, BKD, sea-lice and any other agent);
AI welfare-scoring of any fish, mollusc, crustacean or other aquatic animal;
AI mortality-cause attribution or escape-cause attribution;
AI water-quality, dissolved-oxygen, temperature, salinity, pH, ammonia, nitrite, nitrate, turbidity, chlorophyll-a or harmful-algal-bloom determination;
AI Site Lock, biosecurity-zone or treatment authorisation;
AI veterinary-medicine prescribing, off-label / cascade, residue or withdrawal-period decisions;
AI ASC / BAP / GlobalG.A.P. / FOS / Soil Association / RSPCA Assured certification outcomes;
AI major-retailer procurement decisions;
AI aquaculture insurance underwriting or claims decisions;
AI behavioural, ranking, employability or blacklist profiles of any worker, inspector, retailer representative, certifier representative or counterparty representative; or
AI employment, disciplinary, scheduling or hiring decisions concerning any worker.
Any future inclusion of any such feature would require an updated Schedule A, would be subject to validation under the applicable animal-health, veterinary, environmental and certification regimes, and is not within the current scope.
14.3 On-device Speech / CoreML / Vision
The App may include on-device Speech-framework hands-free dictation (used at the cage edge, hatchery and quayside), on-device CoreML voice-memo transcription, and on-device Vision-framework dead-fish counting and label OCR. These run locally on your iPhone or iPad and the input is not transmitted to any third-party AI provider as a result of this feature. Outputs are advisory; below a confidence threshold of 70%, the App surfaces a “needs review” badge and does not auto-publish a count or classification. Any AI-assisted suggestion concerning a dead-fish count, biosecurity-zone identification or treatment-label match is advisory only — the site manager, biosecurity lead or veterinarian must always confirm before saving, and Vision outputs are NOT a veterinary diagnostic, mortality-cause attribution or welfare assessment.
14.4 Backend AI add-on — opt-in, never autonomous
The App may include an opt-in, paid backend AI add-on with two components: Whisper-class voice transcription for longer-form audio; and Claude-class narrative drafting for Audit Defence Packs and the Site-Lock, Mortality Escalation, Biosecurity Zone, Notifiable-Disease Pre-Notification, Major Salmon Producer HQ, Aquaculture Insurance Underwriter, Government Aquaculture Inspector, Major Retailer Procurement, ASC / BAP / GlobalG.A.P. / RSPCA Assured Certification and Aquaculture Veterinary Authority Packs. The add-on is off by default and is activated only when an admin of the Subscribing Customer explicitly enables it in Settings.
Where the backend AI add-on is enabled:
AI output is editable text only and requires explicit human confirmation before persistence, export or sending;
raw input (audio, free-text, original on-device outputs) is always retained alongside any AI-structured output, so you can audit and override;
AI never auto-publishes a biosecurity, mortality-pick, sea-lice-count, sampling, treatment-administration or Site-Lock acknowledgement, Face ID-signed acknowledgement, Pack export or Counterparty Portal entry, never changes safety-alert state, never changes billing state and never changes audit-log state;
AI-drafted narratives carry a “Draft — review before sharing” watermark until an authorised user explicitly finalises;
inputs and outputs are not used by ML Consulting or by any sub-processor to train, fine-tune, evaluate or benchmark any third-party model, and are not used for veterinary, welfare-scoring, mortality-attribution, escape-attribution, certification or counterparty-risk purposes;
producer-HQ commercial information, biosecurity strategy, retailer-allocation arrangements, certification audit findings and union-confidential material are excluded from transmission unless the Subscribing Customer expressly enables that flow; and
the Subscribing Customer may disable the add-on at any time in Settings.
14.5 Third-party AI sub-processors
Backend Whisper-class voice transcription and Claude-class narrative drafting are performed by sub-processors disclosed in section 12 and in our sub-processor list, under written agreements that prohibit the use of inputs or outputs to train, fine-tune, evaluate or benchmark any third-party model, and that prohibit any secondary use for veterinary, welfare-scoring, mortality-attribution, escape-attribution, certification or counterparty-risk purposes.
14.6 EU AI Act readiness
We design and operate AI features to be compatible with applicable obligations under Regulation (EU) 2024/1689 (the Artificial Intelligence Act), including transparency, logging and human-oversight requirements appropriate to the risk classification of the relevant feature. None of our current AI features is, or is held out as, a high-risk AI system within the meaning of Annex III of the AI Act.
15. How long we keep personal data
We keep personal data only for as long as we need it for the purpose for which it was collected, or as required by applicable law. The retention periods below are indicative; the actual period for any item of personal data is the longest of the periods that apply to the purposes for which we use it.
Category: Account and authentication data | Retention period: Lifetime of the account; in any case deleted or anonymised within 24 months of complete inactivity, save where statutory retention applies. | Trigger for deletion or anonymisation: Account deletion, 24-month inactivity sweep or end of statutory retention.
Category: On-device application data (iPhone, iPad, Apple Watch) | Retention period: Held on your device for as long as you keep it; included in iCloud Backup if you have it enabled. Removed by the operating system on App deletion. | Trigger for deletion or anonymisation: You delete the data, the App or your account.
Category: Telemetry, capture-duration and service-operation data | Retention period: Pseudonymised at collection where feasible; retained in identifiable form for a maximum of 13 months; aggregated or anonymised data may be retained indefinitely. | Trigger for deletion or anonymisation: Time-based deletion or aggregation.
Category: Communications, support and Pre-Stocking Stand-by Service correspondence | Retention period: Up to 24 months from the close of the last related correspondence; longer where the matter relates to a complaint, dispute, mass-mortality, escape, notifiable-disease investigation, certification audit dispute, retailer-procurement dispute, aquaculture insurance claim, environmental or worker-safety incident, or legal claim, until the matter is resolved plus the applicable limitation period. | Trigger for deletion or anonymisation: Time-based deletion or matter closure.
Category: Billing, accounting and tax records | Retention period: Up to 10 years from the end of the relevant accounting period, in line with the Lithuanian Law on Financial Accounting and the Lithuanian Law on Tax Administration. | Trigger for deletion or anonymisation: Expiry of the statutory retention period.
Category: Customer Data within Workspaces — Sites, biosecurity zones, mortality / sea-lice / sampling / treatment / Site-Lock records, AVFoundation photos, Vision outputs, voice memos, signatures, CoreNFC scans, Pack PDFs and append-only audit log (we are processor) | Retention period: Governed by the Master DPA: a 30-day data-export window in read-only mode after termination, followed by deletion or anonymisation within a further 60 days, save for records the Subscribing Customer is required by law, contract, producer-HQ, certification, retailer, insurer, veterinary authority or animal-health regime to retain (in particular Regulation (EU) 2016/429, Delegated Regulation (EU) 2020/689, Regulation (EU) 2019/6, WOAH, Marine Scotland, DEFRA Cefas, Mattilsynet, SERNAPESCA, DFO, Irish Marine Institute and Tasmanian DPIPWE records). | Trigger for deletion or anonymisation: Termination of the customer agreement, plus the period set in the Master DPA.
Category: App Clip session records (visiting government inspectors, veterinary authorities, retailer auditors, certification auditors) | Retention period: Retained while the parent Site / Site-Lock record exists; otherwise no longer than 12 months from the session end, save where part of a regulatory, animal-health, certification, retailer, insurance or audit matter. | Trigger for deletion or anonymisation: Deletion of the parent records or time-based deletion.
Category: Counterparty Portal seats | Retention period: Active until expiry or revocation; activity log retained for up to 24 months from seat expiry for audit purposes (longer where the underlying counterparty contract requires). | Trigger for deletion or anonymisation: Seat expiry, revocation or time-based deletion.
Category: CoreNFC token assignments and Vision-framework outputs | Retention period: Retained while the parent Site / zone / equipment record exists; deleted with the parent record on termination of the customer agreement plus the Master DPA period. | Trigger for deletion or anonymisation: Deletion of the parent records or time-based deletion.
Category: Security and platform audit logs | Retention period: Up to 24 months, or longer where necessary for security, fraud-prevention, signature-integrity or legal-claim purposes. | Trigger for deletion or anonymisation: Time-based deletion.
Category: Backups | Retention period: Standard backup-rotation cycles (typically up to 30 days). Backups are not used to restore deleted accounts and are themselves overwritten on the rotation cycle. | Trigger for deletion or anonymisation: Backup-rotation cycle.
16. Security and personal-data breaches
16.1 Article 32 measures
We implement and maintain appropriate technical and organisational measures to protect personal data — particularly producer-HQ commercial-information, biosecurity-strategy, mortality data, certification audit findings and retailer-allocation arrangements — against unauthorised access, accidental loss, destruction, alteration or disclosure, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk to your rights and freedoms (Article 32 GDPR). For AquaBio Control specifically, these measures include:
EU-resident backend hosting with encryption in transit (TLS 1.2 or higher) and at rest;
row-level security per Workspace identifier in the database;
signed-URL access to evidence files with short time-to-live;
optional Face ID / Touch ID biometric gating of high-consequence operations (task-execution acknowledgement, PencilKit site-map markup sign-off, Apple Watch-initiated Site Lock, Audit Defence Pack / Pack export, Counterparty Portal seat issuance, audit-log access);
salted-hash storage of shared-device PINs;
short, scoped, per-Site / per-zone / per-equipment CoreNFC tokens that do not embed personal data;
watermarking, version-stamping and audit-trail blocks on every Audit Defence Pack and Pack (with the “Draft — review before sharing” watermark on AI-drafted narratives until finalised);
an append-only audit log of capture, edit, status change, Pack export, Counterparty Portal seat issuance, biometric verification, CoreNFC scan event, Vision-framework event and signature event; and
time-limited, scope-restricted Counterparty Portal seats with worker pseudonymisation and commercial-allocation exclusion by default.
16.2 Notification of personal-data breaches
If we become aware of a personal-data breach that is likely to result in a risk to the rights and freedoms of natural persons — and especially where it affects producer-HQ commercial-information, biosecurity-strategy, mortality data, certification audit findings or retailer-allocation arrangements — we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours after becoming aware of the breach (Article 33 GDPR). Where the breach is likely to result in a high risk, we will notify the affected data subjects without undue delay (Article 34 GDPR). Where ML Consulting is acting as processor on behalf of a Subscribing Customer, we will notify the Subscribing Customer without undue delay in accordance with Article 33(2) GDPR and the Master DPA.
16.3 Reporting a suspected breach to us
If you suspect a security incident or unauthorised access affecting your account, device, App Clip session, Counterparty Portal seat, Face ID-signed acknowledgement, PencilKit site-map markup, Apple Watch Site-Lock signature, CoreNFC token or biometric-verification metadata — including any suspected producer-HQ commercial-information, biosecurity-strategy, mortality data, certification audit finding or retailer-allocation confidentiality breach — please notify us at support+aquabio@mlconsulting.lt without undue delay. Provide as much detail as you can; do not include passwords or other secrets in the email. We prioritise security reports and incidents during an active mass-mortality, escape, notifiable-disease or Pre-Stocking Stand-by Service incident window.
17. Your rights as a data subject
Subject to the conditions set out in the GDPR, you have the rights below. These rights are not absolute and may be restricted by law.
Right of access (Article 15). Confirm whether we process personal data about you and obtain a copy together with the information set out in Article 15.
Right to rectification (Article 16). Have inaccurate personal data corrected and incomplete data completed.
Right to erasure (Article 17). Have personal data erased where the conditions in Article 17 apply, including where the data is no longer necessary or where you withdraw consent and there is no other legal basis. The App offers an in-app “Delete account” control.
Right to restriction of processing (Article 18). Restrict our processing while we verify the accuracy of contested data, while we deal with an objection or in the other circumstances set out in Article 18.
Right to data portability (Article 20). Where processing is based on consent or contract performance and is carried out by automated means, receive the data you provided in a structured, commonly-used and machine-readable format. The App provides in-app exports and watermarked PDF Audit Defence Packs and Counterparty Packs.
Right to object (Article 21). Object to processing based on legitimate interests on grounds relating to your particular situation, and at any time to direct marketing.
Rights related to automated decision-making (Article 22). Not be subject to a decision based solely on automated processing that produces legal effects or similarly significant effects, and obtain human intervention, express your point of view and contest the decision where the right applies. See section 14 and the explicit AI exclusions for veterinary diagnosis / notifiable-disease, welfare-scoring, mortality-cause / escape-cause attribution, water-quality / sea-lice / HAB determination, Site Lock / biosecurity / treatment authorisation, veterinary-medicine prescribing, ASC / BAP / GlobalG.A.P. / FOS / RSPCA Assured certification, major-retailer procurement, aquaculture insurance underwriting and worker employment / disciplinary decisions.
Right to withdraw consent (Article 7(3)). Where we rely on consent, withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
Right to lodge a complaint (Article 77). Complain to our lead supervisory authority — the VDAI in Vilnius — or to the supervisory authority of the EU Member State where you habitually reside, where you work or where the alleged infringement took place. We would, however, appreciate the opportunity to address your concern directly first.
17.1 How to exercise your rights
You can exercise the rights above by sending an email to support+aquabio@mlconsulting.lt with the words “Privacy request — AquaBio Control” in the subject line.
We will respond to verifiable requests without undue delay and in any event within one month of receipt under Article 12(3) GDPR. We may extend that period by up to a further two months for complex or numerous requests, in which case we will inform you of the extension and the reason within the first month. We may need to verify your identity (typically by asking you to authenticate to the relevant account or to provide proof of identity proportionate to the request and the data concerned). The service is free of charge unless your request is manifestly unfounded or excessive (Article 12(5) GDPR).
17.2 Workspace-controlled data — workers, App Clip users and counterparty representatives
For Customer Data that we process as processor on behalf of a Subscribing Customer — including data about site managers, biosecurity leads, hatchery technicians, fish-farm workers, supervisors, operations managers, bailiffs, App Clip users (visiting government inspectors, veterinary authorities, retailer auditors, certification auditors) and Counterparty Portal recipients — please direct your request to the Subscribing Customer first; if you cannot identify the Subscribing Customer, contact us at support+aquabio@mlconsulting.lt and we will redirect your request without undue delay.
18. Regional rights notices
18.1 United Kingdom — UK GDPR, DEFRA Cefas Fish Health Inspectorate and Marine Scotland
If you are in the United Kingdom, the UK General Data Protection Regulation and the UK Data Protection Act 2018 apply to processing within their territorial scope. The rights set out in section 17 apply equivalently. The UK supervisory authority is the Information Commissioner’s Office (ICO). The UK Aquatic Animal Health (England and Wales) Regulations 2009, the Aquaculture and Fisheries (Scotland) Acts 2007 and 2013, DEFRA / Cefas Fish Health Inspectorate guidance, Marine Scotland aquaculture licence conditions and Crown Estate Scotland seabed leases apply to UK Sites independently of the App.
18.2 Norway — Mattilsynet and Akvakulturloven
Where the Subscribing Customer operates Sites in Norway, the Norwegian Akvakulturloven and Mattilsynet rules apply independently of the App. The Datatilsynet is the Norwegian supervisory authority for data-protection purposes.
18.3 Faroe Islands — Heilsufrøðiliga starvsstovan
Where the Subscribing Customer operates Sites in the Faroe Islands, Faroese aquaculture law and the rules of the Heilsufrøðiliga starvsstovan apply independently of the App.
18.4 Chile — SERNAPESCA and Ley General de Pesca y Acuicultura
Where the Subscribing Customer operates Sites in Chile, the Ley General de Pesca y Acuicultura and SERNAPESCA rules apply independently of the App.
18.5 Canada — DFO and Fisheries Act
Where the Subscribing Customer operates Sites in Canada, the Canadian Fisheries Act and DFO aquaculture conditions apply independently of the App.
18.6 Ireland — Marine Institute
Where the Subscribing Customer operates Sites in Ireland, the Marine Institute aquaculture-licensing regime applies independently of the App.
18.7 Tasmania — Marine Farming Planning Act and DPIPWE
Where the Subscribing Customer operates Sites in Tasmania, the Marine Farming Planning Act and DPIPWE rules apply independently of the App.
18.8 Switzerland and CCPA / CPRA
If you are in Switzerland, the Swiss Federal Act on Data Protection (revFADP) applies; the Swiss supervisory authority is the FDPIC. If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA / CPRA”), gives you the right to (i) know the categories and specific pieces of personal information we collect, (ii) request deletion, (iii) request correction, (iv) limit the use and disclosure of sensitive personal information, and (v) opt out of any “sale” or “sharing” of personal information. We do not sell personal information and we do not “share” personal information for cross-context behavioural advertising.
18.9 Global Privacy Control
On the App’s landing pages, we honour the Global Privacy Control signal where technically feasible, treating it as an objection to non-essential cookies and a request to opt out of any “sale” or “sharing” of personal information.
19. Children and minor workers
AquaBio Control is intended for business users (B2B) only and is not designed for use by minors as the contracting party. Users must be at least 18 and must hold the relevant biosecurity, veterinary-medicine handling, manual-handling, working-at-water, lone-working, cold-water immersion and maritime-safety training before being granted access. Apple’s App Store age rating reflects the relevant minimum age for the App. If we become aware that we have collected personal data from a child without the appropriate authorisation, we will work with the relevant Subscribing Customer to investigate and, where appropriate, erase the data. If you are a parent or guardian and believe your child has provided personal data to us, please contact us at support+aquabio@mlconsulting.lt.
20. Cookies and similar technologies
The AquaBio Control iOS / iPadOS / watchOS App does not use analytics, advertising, profiling or marketing cookies. The App and its App Clip surface use on-device storage (the iOS / watchOS application sandbox, the Keychain, SwiftData, UserDefaults) to deliver their features. Such on-device storage does not constitute “cookies” within the meaning of the ePrivacy Directive 2002/58/EC and is governed by this Policy rather than by this section.
The Counterparty Portal web pages, the App’s landing pages on mlconsulting.lt and the Stripe billing pages use only strictly-necessary cookies (for example, a signed session cookie to honour the Counterparty Portal scope and the producer-HQ / insurer / inspector / retailer / certifier / veterinary-authority confidentiality metadata, or Stripe’s payment-flow cookies). No analytics or advertising cookies are set on the operator surface.
21. Communications
21.1 Service messages
We send transactional service messages (security alerts, billing notices via Stripe, magic-link authentication emails, support replies, Pre-Stocking Stand-by Service event communications, material change notices) on the basis of contract performance under Article 6(1)(b) GDPR. Service messages are not commercial marketing and cannot be opted out of without ceasing to use the App.
21.2 Direct marketing
Where we send commercial marketing emails about AquaBio Control — product updates, launch announcements, educational materials or event invitations — we rely either on (i) your prior consent under Article 6(1)(a) GDPR and Article 13 of the ePrivacy Directive, or (ii) the “soft opt-in” under Article 13(2) of the ePrivacy Directive (existing customer relationship, similar products or services, with a clear opt-out at the point of collection and in every message). You may opt out at any time by clicking the unsubscribe link in any marketing email, by emailing support+aquabio@mlconsulting.lt or by updating your preferences in your account where applicable.
21.3 Operational notifications — not veterinary, not notifiable-disease, not certification, not retailer authority
APNs Time-Sensitive notifications (biosecurity-zone breach, mortality-escalation, Site-Lock countdown, exception-escalation, Pre-Stocking Stand-by Service incident, sync-conflict), ActivityKit Live Activities (current Site-Lock state), ClockKit complications (Apple Watch Site-Lock countdown, site-manager Smart Stack pulse), Apple Watch haptics, CoreNFC scan matches and Vision-framework outputs are operational reminders configured by you in iOS Settings and in the App’s Settings. They are best-effort and depend on Apple’s platform services. They are NOT a veterinary diagnostic, notifiable-disease pre-notification, ASC / BAP / GlobalG.A.P. / FOS / RSPCA Assured certification, major-retailer procurement approval, aquaculture insurance underwriting decision, marine-rescue / man-overboard service, fire / gas / evacuation alarm or any regulatory submission. The Subscribing Customer remains the aquaculture producer, the food-business operator, the legal employer of site personnel and the party responsible for every veterinary, animal-health, animal-welfare, environmental, certification, retailer, insurance, biosecurity, mortality, sea-lice and stock-risk decision regardless of the presence or absence of a notification — see the reminder in section 1.1, and CALL 911 / 999 / 112 OR THE LOCALLY APPLICABLE PUBLIC EMERGENCY NUMBER FIRST whenever any person is in apparent danger of death or serious harm.
22. Changes to this Policy
22.1 Routine updates
We may update this Policy from time to time, for example to reflect new features, regulatory developments, sub-processor changes or operational changes. The latest version is always published on the App’s App Store listing and at mlconsulting.lt/aquabio/privacy.
22.2 Material changes
Where a change is material and adversely affects your rights or expectations, we will give reasonable advance notice — typically at least 30 days, unless a shorter period is required by law — by in-app notice and, where we have your email address, by email. Non-material changes (typographical fixes, clarifications, contact-detail updates, sub-processor list updates) take effect on posting.
22.3 Versioning
Each version of this Policy is dated and archived. The version in force at the time of the relevant processing governs that processing.
23. Contact us
For any question, request or complaint about this Policy or about how we process your personal data, please contact us using the details below.
Controller: ML Consulting MB
Address: Vilnius, Republic of Lithuania
Legal entity code: 306991112
Privacy contact (email): support+aquabio@mlconsulting.lt
Website: https://mlconsulting.lt
Lead supervisory authority: Valstybinė duomenų apsaugos inspekcija (VDAI), L. Sapiegos g. 17, LT-10312 Vilnius, Lithuania · +370 5 271 2804 · ada@ada.lt · vdai.lrv.lt
Document end · Version 1.0 · Effective 1 September 2026 · AquaBio Control — Privacy Policy · © 2026 ML Consulting MB
