PRIVACY POLICY
Beeology Labs Field — iOS & iPadOS App
Apple App Store privacy notice for the Beeology Labs Field iOS / iPadOS application, its App Clip surface and its External Viewer Share Tokens.
Field / Value
DOCUMENT: Beeology Labs Field — Privacy Policy
APPLICATION: Beeology Labs Field (iOS / iPadOS) · App Clip · External Viewer Share Tokens
ISSUING CONTROLLER: ML Consulting MB · legal entity code 306991112
VERSION: 1.0
EFFECTIVE FROM: 1 June 2026
LAST UPDATED: 19 May 2026
PRIVACY CONTACT: support+beeology@mlconsulting.lt
LEAD SUPERVISORY AUTHORITY: Valstybinė duomenų apsaugos inspekcija (VDAI), Vilnius
BACKEND DATA RESIDENCY: European Union (EU-Central region)
DISTRIBUTION: Apple App Store
USER PROFILE: Business User (B2B) — sideline & commercial beekeepers, co-operatives, queen breeders
Read together with the Beeology Labs Terms and Conditions (Master Terms + Schedule A) published by ML Consulting MB.
AT A GLANCE
What you should know in 60 seconds.
· We do not sell your personal data and we never will.
· Beeology Labs Field is offline-first: inspections, treatments, queen records, harvest batches and captured media are stored on your iPhone or iPad and synced to our EU-resident backend when connectivity returns.
· The Beeology Labs backend is hosted in the European Union (EU-Central region). Personal data is encrypted in transit and at rest.
· We do not run advertising in the App, and we do not embed third-party advertising or tracking SDKs. The App is declared “Data Not Used to Track You” in the App Store.
· Commercial-Lite and Pro are billed under a written Order Form (Direct Channel). The Sideline tier may optionally be sold through an Apple App Store In-App Purchase — where used, Apple is the merchant of record and we never see your payment-card data.
· On-device CoreML helpers (queen-marking colour, brood-pattern density, post-MVP varroa-board count) run locally on your device and never leave it. Backend AI (Whisper voice refinement and Claude-class narrative drafts) is opt-in by a Workspace admin, never autonomous, raw input is always retained, and inputs and outputs are never used to train any third-party model.
· Location is captured event-based — GPS is stamped only on inspections, treatments and harvest batches when you save them. Continuous background GPS is not used.
· External Viewer Share Tokens give vets, brokers and co-operative auditors a scoped, read-only, time-limited view of your records via a browser. GPS coordinates are excluded by default.
· You can exercise the full set of EU GDPR rights at any time by writing to support+beeology@mlconsulting.lt.
· Our lead supervisory authority is the Lithuanian State Data Protection Inspectorate (VDAI) in Vilnius.
· Beeology Labs Field is intended for business users only (B2B).
1. About this Privacy Policy
ML Consulting MB (“ML Consulting”, “we”, “us”, “our”) is the publisher of the Beeology Labs Field iOS / iPadOS application (the “App”), distributed through the Apple App Store. This Privacy Policy explains what personal data the App and its related surfaces (the App Clip surface invoked via Yard QR code, and the browser-accessible External Viewer Share Tokens that the App generates) process when you download, install, sign in to, open an App Clip session, open a Share Token link, subscribe to or otherwise use the App, why we process it, the legal bases on which we rely, with whom we share it, for how long we keep it, and the rights you have under the GDPR and other applicable privacy laws.
This Policy is written to satisfy Articles 12 to 14 of Regulation (EU) 2016/679 (the “GDPR”) and the Lithuanian Law on Legal Protection of Personal Data of the Republic of Lithuania, which implements the GDPR in Lithuania. It is also designed to be consistent with the App Privacy details (the App Store privacy “nutrition label”) and the Privacy Manifest (PrivacyInfo.xcprivacy) published with the Beeology Labs Field App.
Beeology Labs Field is enterprise software intended for business users (B2B) — sideline and small-commercial beekeepers, co-operatives, queen breeders and the field workers, vets, brokers and auditors they invite. This Policy should be read together with the Beeology Labs Terms and Conditions (Master Terms + Schedule A) and, where ML Consulting acts as processor, the Master Data Processing Agreement (“Master DPA”) concluded with the Workspace Owner.
2. Controller identification
We are the data controller for the processing described as “we act as controller” in section 4 of this Policy. Our identification details are set out below.
Field / Value
LEGAL NAME: ML Consulting MB
LEGAL FORM: Mažoji bendrija (small partnership) governed by the law of the Republic of Lithuania
LEGAL ENTITY CODE: 306991112 (Centre of Registers of the Republic of Lithuania)
WEBSITE: https://mlconsulting.lt
PRIVACY CONTACT: support+beeology@mlconsulting.lt
ML Consulting MB has not designated a Data Protection Officer because its current processing does not meet the criteria in Article 37(1) GDPR. The privacy contact above handles all data-protection enquiries. If our processing activities change such that a DPO becomes mandatory, we will appoint one and publish their contact details in this Policy.
Our lead supervisory authority for the purposes of the GDPR’s one-stop-shop mechanism (Article 56 GDPR) is the Lithuanian State Data Protection Inspectorate — Valstybinė duomenų apsaugos inspekcija (“VDAI”) — at L. Sapiegos g. 17, LT-10312 Vilnius, Lithuania, telephone +370 5 271 2804, email ada@ada.lt, website vdai.lrv.lt.
3. Scope of this Policy
This Privacy Policy applies to:
· the Beeology Labs Field iOS / iPadOS application published by ML Consulting MB on the Apple App Store;
· the App Clip surface invoked by casual workers via the Yard QR code, where casual workers complete inspections and treatments for the duration of a yard visit without installing the full App;
· the browser-accessible External Viewer Share Tokens that the App generates for vets, brokers, co-operative auditors and other third-party recipients;
· user accounts, Workspaces, subscriptions, trials, onboarding sessions, support channels, billing operations and authentication services that we operate in connection with the App;
· the App’s landing pages, help articles and documentation hosted on mlconsulting.lt that describe Beeology Labs Field; and
· email, in-application and other communications you exchange with us about the App.
Where Apple Inc. or its subsidiaries, or any other independent third party, processes personal data on its own account in connection with the App — for example, the Apple App Store, Sign in with Apple, App Clip experience hosting, WeatherKit, APNs push, iCloud or a payment-card network — that party acts as a separate controller and its own privacy policy applies in addition to this Policy.
4. Our two privacy roles — controller and processor
4.1 We act as controller
We determine the purposes and means of processing for the following categories, which is why this Policy applies to them directly:
· account and authentication data we collect to identify you and operate your user account;
· device, technical, telemetry and security-event data the App generates during normal use;
· communications and support correspondence about the App;
· billing and payment data we collect from directly-invoiced Workspace Owners (Direct Channel — Commercial-Lite and Pro);
· Apple App Store transaction metadata where the Sideline tier is purchased through App Store In-App Purchase.
4.2 We act as processor
Beeology Labs Field operates on a workspace model. The business customer (the “Workspace Owner” — typically a beekeeper, co-operative or queen breeder) uses the App to manage information about its own field workers, casual workers (App Clip), queens, colonies, treatments, harvests, customers, vets, brokers and co-operative auditors. For that Customer Data — including field-worker personal data, App Clip session data, vet / broker / auditor contact data and External Viewer Share Token recipient data within the meaning of Schedule A of the Terms and Conditions — the Workspace Owner is the controller and ML Consulting acts as a processor under the Master DPA, which meets the requirements of Article 28 GDPR.
In that role we process Customer Data only on the documented instructions of the Workspace Owner, except where we are required to act otherwise by EU or Lithuanian law. If you are a field worker, casual worker, vet, broker, auditor or other individual whose personal data has been uploaded to Beeology Labs Field by a Workspace Owner, that organisation is the controller and you should approach it first with any data-protection request. We will redirect any request we receive on its behalf without undue delay (see section 17.4).
5. Apple App Store and iOS platform context
Because the App is delivered through the Apple App Store and runs on Apple’s iOS / iPadOS platform, several aspects of how your personal data is handled are inherited from Apple’s platform. This section makes the most relevant ones explicit.
5.1 App Privacy details on the App Store
Apple requires every application on the App Store to publish a structured summary of the data it collects (the “App Privacy details”, commonly described as the App Store privacy “nutrition label”). The App Privacy details for Beeology Labs Field are kept consistent with this Policy. Indicatively, they declare Contact Info (the email addresses of vet inspectors, brokers and co-operative auditors you invite, and your own account email), User Content (the inspections, treatments, queen records, harvest batches, photographs, voice memos and PDF exports you create) and, where opted-in, Diagnostics and anonymous Usage Data. Tracking is declared as None.
5.2 App Tracking Transparency
Beeology Labs Field does not track you across other companies’ applications and websites within the meaning of Apple’s App Tracking Transparency framework. We do not request the App Tracking Transparency permission and we do not use the iOS Identifier for Advertisers (IDFA). The App’s App Store declaration is set to “Data Not Used to Track You”.
5.3 Privacy Manifest
Beeology Labs Field ships an Apple-required Privacy Manifest (PrivacyInfo.xcprivacy) declaring the data categories the App collects, the reasons for any use of “required reason” iOS APIs and the third-party SDKs the App depends on. The Privacy Manifest is the machine-readable counterpart of this Policy.
5.4 iOS sandbox and Data Protection
On-device application data is held inside the iOS application sandbox and benefits from Apple’s default Data Protection (typically the “Complete Until First User Authentication” class), which encrypts that data at rest using a key derived from your device passcode. Where the App needs to retain a small secret value (for example, a session token), we use Apple’s Keychain Services rather than handling secrets ourselves.
5.5 Sign in with Apple and email magic-link
The App offers Sign in with Apple in line with Apple’s App Store Review Guidelines § 4.8. When you choose this option, Apple supplies us with a stable Apple Account identifier and either your real email address or an Apple-generated relay address (“Hide My Email”). The App also supports email magic-link authentication: you receive a one-time signed link by email, and we never store a password. We never receive your Apple Account password.
5.6 Biometric gates (Face ID / Touch ID)
High-consequence operations — generating a Treatment Evidence Pack, issuing an External Viewer Share Token, exporting an audit log — can be gated by Face ID / Touch ID through Apple’s LocalAuthentication framework. Biometric data never leaves the device; Apple does not provide us with your biometric template.
5.7 App Clip (casual workers)
Beeology Labs Field uses Apple’s App Clip framework. A casual worker invited via the Yard QR code may open the App Clip and capture inspections and treatments for the duration of a yard visit, without installing the full App. App Clip code, App Clip experience hosting and the App Clip lifecycle (including the iOS-enforced 10 MB binary cap and limited entitlements) are governed by Apple’s App Clip platform. App Clip sessions are scoped to a single Yard and are tracked under an AppClipSession record (yard, worker Apple identifier, start time, end time, inspections captured).
5.8 External Viewer Share Tokens
The App can generate signed, time-limited browser links (External Viewer Share Tokens) that deliver a scoped, read-only subset of Customer Data to a vet inspector, broker or co-operative auditor — without requiring them to install the App or hold an Account. Share Tokens are served by Beeology’s EU-resident backend, are scoped to records the Workspace Owner expressly selects, default to excluding GPS coordinates, expire on a deadline set by the Workspace Owner and are revocable at any time. Recipients of a Share Token are processed as Customer Data on behalf of the Workspace Owner (we act as processor).
5.9 WeatherKit, APNs, Live Activities, EventKit, iCloud
The App relies on a number of Apple frameworks and platform services, each governed by Apple’s privacy terms in addition to this Policy: WeatherKit (microclimate snapshots attached to inspections, treatments and harvest extractions on a best-effort basis); APNs (Time-Sensitive push notifications, primarily treatment follow-up Day-1 reminders); ActivityKit (Live Activity countdowns surfaced on the Dynamic Island and Lock Screen); EventKit (optional writes of treatment follow-up events to your Apple Calendar); Speech (on-device first-pass voice transcription up to 90 seconds); AVFoundation (camera and audio capture); CoreLocation (event-based GPS stamping); PencilKit (annotation on iPad); PDFKit (PDF rendering); BGTaskScheduler (background sync); StoreKit 2 (App Store IAP entitlements for the Sideline tier where used).
5.10 App Privacy Report
iOS 15.2 and later provide an in-operating-system App Privacy Report (Settings → Privacy & Security → App Privacy Report) that lets you inspect the sensors, data categories and network domains the App has accessed. Beeology Labs Field is designed so that this report shows the Apple platform domains used by the features above, plus ML Consulting’s EU-resident backend and the AI sub-processor endpoint where backend AI helpers have been enabled by the Workspace admin (see section 14).
6. Key terms used in this Policy
· Personal data — any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
· Processing — any operation performed on personal data, including collection, recording, organisation, storage, use, disclosure and erasure.
· Controller — the person who determines the purposes and means of processing.
· Processor — a person who processes personal data on behalf of a controller.
· Workspace Owner — the business customer (typically a beekeeper, co-operative or queen breeder) that uses Beeology Labs Field to manage information about its yards, colonies, queens, treatments, harvest batches, field workers, vets, brokers and co-operative auditors.
· Customer Data — all data submitted by, or generated for, the Workspace Owner through the App, App Clip surface or External Viewer Share Tokens, including inspections, treatments, queen records, harvest batches, photographs, voice memos, GPS pin-drops, WeatherKit snapshots, AI-structured drafts, Treatment Evidence Packs, Queen Performance Reports, Harvest Batch Packs, Season Summaries, exports and append-only audit logs.
· App Clip — Apple’s lightweight surface of the App invoked by a casual worker via the Yard QR code, allowing inspections and treatments to be captured for the duration of a visit without installing the full App.
· External Viewer Share Token — a signed, time-limited browser link generated by the App that delivers a scoped, read-only subset of Customer Data to a vet inspector, broker or co-operative auditor.
· WeatherKit Snapshot — a time-stamped record of microclimate values (for example, temperature, humidity, atmospheric pressure) sourced from Apple’s WeatherKit service at the moment of capture and attached to an Inspection, Treatment or Harvest Batch for attestation purposes.
· On-device — data stored or processed locally on the user’s iPhone or iPad inside the iOS application sandbox; it does not leave the device unless this Policy says otherwise.
· Backend — Beeology Labs’ EU-resident server-side service, hosted in the European Union (EU-Central region), to which on-device records are synced and from which Share Tokens, Packs and AI narrative drafts are served.
· Sub-processor — a third-party service provider that processes personal data on our behalf or that supports a feature of the App.
· EEA — the European Economic Area, comprising the EU Member States, Iceland, Liechtenstein and Norway.
· VDAI — Valstybinė duomenų apsaugos inspekcija, the Lithuanian State Data Protection Inspectorate, our lead supervisory authority.
7. Personal data we process
We collect only the data we reasonably need to operate, secure, support and improve the App. The categories below describe what Beeology Labs Field processes; not every Workspace or user account will involve every category.
CATEGORY: Account and authentication data
EXAMPLES AND NOTES: Name, email address, account identifier, authentication method (Sign in with Apple or email magic-link), Apple-issued relay address where you used “Hide My Email”, Workspace membership, role (owner, admin, manager, field worker, queen manager, compliance viewer, external viewer) and permissions. We do not store passwords; magic-link authentication uses one-time signed links.
CATEGORY: Device, technical and telemetry data
EXAMPLES AND NOTES: IP address (typically truncated for analytics), device model and operating-system version, App version, language and timezone, pseudonymised interaction events (screens viewed, features used, capture-duration metrics), crash reports, performance traces and security-relevant events such as failed log-ins and biometric gate attempts.
CATEGORY: Communications and support data
EXAMPLES AND NOTES: The content and metadata of any email, support ticket, in-app help message, demo request, onboarding call note or other correspondence with us, including any attachments you choose to send.
CATEGORY: Billing and payment data (Direct Channel — Commercial-Lite and Pro)
EXAMPLES AND NOTES: For Workspace Owners invoiced directly by ML Consulting: invoicing entity name, registered address, VAT identifier, signatory contact, Order Form record (Plan, term, fees, user / yard / colony limits), payment-status data, bank-transfer reference and the last four digits of the payment card where card payment is used. We do not store full payment-card numbers.
CATEGORY: Apple App Store transaction metadata (Sideline tier, where the user opts into App Store IAP)
EXAMPLES AND NOTES: Where the Sideline tier is purchased through App Store In-App Purchase at Apple’s 15% small-business rate: the Apple-issued purchase identifier, the subscription tier, the entitlement state and renewal events. The contract for the purchase is concluded between you and Apple; we do not receive your Apple Account password, your full payment-card details or any other Apple-side billing information.
CATEGORY: Customer Data and operational records
EXAMPLES AND NOTES: Apiary Yards, Colonies (with Workspace-unique hive codes), Inspections, Treatments, Queens (with lineage and marking), Harvest Batches (with per-Colony contributions), Tasks, Pack PDFs, ShareToken records, capture-duration telemetry and the append-only audit log. Each Inspection may include brood-pattern, queen status, stores, varroa drop, behaviour, photographs, voice memos, raw transcripts, AI-structured drafts, GPS pin-drops, WeatherKit snapshots and CoreML classification results.
CATEGORY: Field-worker personal data
EXAMPLES AND NOTES: Where the Workspace Owner invites a field worker as an authorised user: the worker’s name, email, role, Workspace identifier, the timestamp of their acceptance of the Workspace privacy notice, and the inspection / treatment records they capture (which may include their own user identifier, GPS pin-drops at the moment of capture and any voice memo or photograph in which they are identifiable). See section 11.
CATEGORY: App Clip session data (casual workers)
EXAMPLES AND NOTES: Where a casual worker opens the App Clip via the Yard QR code: an AppClipSession record (yard, worker Apple identifier supplied by Apple’s App Clip flow, session start and end timestamps, inspections / treatments captured during the session). App Clip data is treated as Customer Data on behalf of the Workspace Owner.
CATEGORY: Recipient contact data for External Viewer Share Tokens
EXAMPLES AND NOTES: Where the Workspace Owner issues an External Viewer Share Token: the recipient’s email address or name, the scope of records the token exposes, the expiry, the activity log (when the token was opened) and the revocation state. This data is treated as Customer Data on behalf of the Workspace Owner.
CATEGORY: Camera, microphone and on-device file data
EXAMPLES AND NOTES: Inspection photographs (AVFoundation), inspection voice memos up to 90 seconds (AVFoundation + on-device Speech framework first-pass transcript), optional PencilKit annotations on iPad. Camera, photo-library, microphone and Speech recognition access are controlled by the iOS permission prompts and may be revoked at any time in iOS Settings.
CATEGORY: Location data (CoreLocation, event-based)
EXAMPLES AND NOTES: GPS coordinates captured at the moment you save an inspection, treatment or harvest batch (“When In Use” permission). Optionally, with separate “Always” permission, the App Clip flow may auto-detect Yard arrival for invited workers. The App does not perform continuous background tracking outside the App Clip auto-detection feature; you can disable Always access in iOS Settings at any time.
CATEGORY: WeatherKit microclimate data
EXAMPLES AND NOTES: Time-stamped microclimate values (typically temperature, humidity, atmospheric pressure) sourced from Apple’s WeatherKit service at the moment of capture and attached to the relevant Inspection, Treatment or Harvest Batch as a WeatherKit Snapshot. WeatherKit access is governed by Apple’s terms in addition to this Policy.
CATEGORY: Apple Calendar (EventKit) integration
EXAMPLES AND NOTES: Where the Workspace Owner enables it, the App writes treatment follow-up events to your Apple Calendar through Apple’s EventKit framework. We do not read or transmit your wider Calendar contents.
CATEGORY: Notification preferences and tokens
EXAMPLES AND NOTES: Push-notification cadence toggles (treatment follow-up Day-1, inspection-overdue, at-risk colony alerts, Pack-ready, worker activity, sync conflicts, App Clip session-too-long); iOS notification permission state; APNs device push token (used by Apple Push Notification service to deliver Time-Sensitive pushes).
CATEGORY: On-device CoreML inference outputs
EXAMPLES AND NOTES: Outputs of on-device CoreML classifiers (queen-marking colour detection from a queen photo, brood-pattern density from a brood-frame photo and — post-MVP — varroa-board count estimation), stored alongside the raw photo. CoreML inference runs locally on your device and is not transmitted to any third-party AI provider.
CATEGORY: Backend AI helper inputs and outputs (opt-in)
EXAMPLES AND NOTES: Where a Workspace admin has explicitly enabled backend AI helpers: the voice clip and structured-text inputs sent for Whisper-class voice refinement and for Claude-class narrative drafting (Treatment Evidence Pack narrative, Queen Performance Report narrative, Season Summary narrative), plus the generated draft outputs. Raw input is always retained alongside any AI-structured output; see section 14.
CATEGORY: Application-generated data
EXAMPLES AND NOTES: Outputs of the deterministic Field Engine (colony status, follow-up due dates, replacement-candidate rankings), the treatment-status state machine, Pack assembly, the audit log, capture-duration telemetry and similar computed values.
7.1 Special categories of personal data
Beeology Labs Field is not designed to collect special categories of personal data within the meaning of Article 9 GDPR (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation). You must not upload special-category data to the App unless it is strictly necessary for your lawful use of the App and you have a valid lawful basis under Article 9(2) GDPR. The Workspace Owner is responsible for that lawful basis. Biometric authentication is performed by Apple’s LocalAuthentication framework and biometric data never leaves the device.
7.2 What we do not collect
To remove ambiguity, Beeology Labs Field does not collect:
· the contents of your Apple Contacts, the wider Apple Calendar, your photo library beyond images you actively attach, or any HealthKit / HomeKit data;
· behavioural-advertising identifiers; we do not run advertising, do not use the IDFA and do not share data with advertising networks;
· analytics, attribution or crash-reporting data through any third-party SDK that has not been disclosed in this Policy and in the App’s Privacy Manifest;
· continuous background-location data outside the optional App Clip yard-auto-detection feature (which requires explicit “Always” location permission).
8. How we collect personal data
We collect personal data in three ways:
· Directly from you — when you create an account, complete a form, install or use the App, open an App Clip session, open an External Viewer Share Token, capture an inspection or treatment, attach a photograph or voice memo, generate a Pack, contact support or subscribe to a communication.
· Automatically through your use of the App — when the App generates technical, telemetry, security or computational data (capture-duration metrics, Field Engine outputs, audit-log entries) necessary to deliver, secure or improve the service, and when Apple platform services (WeatherKit, APNs, App Clip flow) supply data linked to your action.
· From third parties — when Apple supplies us with the result of Sign in with Apple or with App Store transaction metadata (Sideline IAP), when a Workspace administrator invites you to a Workspace, when a payment provider confirms a payment, or when an authority lawfully provides information in connection with a regulatory matter.
9. Why we process personal data and our legal bases
For each processing activity we rely on a lawful basis under Article 6(1) GDPR. The table below sets them out for the categories of processing covered by this Policy.
PURPOSE: Provide and operate the App, App Clip and External Viewer surfaces, including authentication, Workspaces, inspections, treatments, queen records, harvest batches, Packs, audit history, exports and sync.
DATA USED: Account and authentication data; device, technical and telemetry data; Customer Data and operational records; field-worker, App Clip session and Share Token recipient data (as processor).
LEGAL BASIS: Performance of a contract with you (or pre-contractual steps at your request).
GDPR REF.: Art. 6(1)(b)
PURPOSE: Process payments and manage billing for Direct-Channel Workspace Owners (Commercial-Lite, Pro, one-time Setup / Import); comply with statutory accounting and tax retention.
DATA USED: Billing and payment data; account data.
LEGAL BASIS: Performance of a contract; compliance with a legal obligation under Lithuanian accounting and tax law.
GDPR REF.: Art. 6(1)(b); Art. 6(1)(c)
PURPOSE: Operate Apple App Store entitlements for the Sideline tier via StoreKit (where the user opts into App Store IAP).
DATA USED: Apple App Store transaction metadata; account data.
LEGAL BASIS: Performance of a contract.
GDPR REF.: Art. 6(1)(b)
PURPOSE: Camera, microphone, photo and on-device Speech features (inspection capture and voice memos).
DATA USED: Camera and microphone input (in memory); captured stills and voice clips (only when you save them); on-device Speech first-pass transcript.
LEGAL BASIS: Performance of a contract; consent for camera, microphone, photo-library and Speech recognition access via the iOS prompts.
GDPR REF.: Art. 6(1)(b); Art. 6(1)(a)
PURPOSE: Event-based GPS capture on inspections, treatments and harvest batches.
DATA USED: Location data captured at the moment of save.
LEGAL BASIS: Performance of a contract; consent via the iOS “When In Use” location prompt.
GDPR REF.: Art. 6(1)(b); Art. 6(1)(a)
PURPOSE: Optional App Clip yard auto-detection for invited casual workers.
DATA USED: Location data via the iOS “Always” location permission; AppClipSession record.
LEGAL BASIS: Consent (the user must grant “Always” location and can revoke at any time in iOS Settings).
GDPR REF.: Art. 6(1)(a)
PURPOSE: WeatherKit microclimate attestation on inspections, treatments and harvest extractions.
DATA USED: WeatherKit Snapshot (temperature, humidity, pressure) at moment of capture.
LEGAL BASIS: Performance of a contract; Apple’s WeatherKit terms apply in addition.
GDPR REF.: Art. 6(1)(b)
PURPOSE: APNs Time-Sensitive push notifications, ActivityKit Live Activity countdowns and configurable notification cadence.
DATA USED: Notification preferences; APNs push token; application-generated alerts.
LEGAL BASIS: Consent (granted via the iOS notification prompt and the App’s Settings).
GDPR REF.: Art. 6(1)(a)
PURPOSE: Optional EventKit writes of treatment follow-up events to Apple Calendar.
DATA USED: Calendar event metadata for treatment follow-ups.
LEGAL BASIS: Consent via the iOS Calendar prompt.
GDPR REF.: Art. 6(1)(a)
PURPOSE: On-device CoreML classification (queen marking, brood pattern, post-MVP varroa count).
DATA USED: Photograph attached to an Inspection or Queen record; CoreML output stored alongside.
LEGAL BASIS: Performance of a contract. No data leaves the device.
GDPR REF.: Art. 6(1)(b)
PURPOSE: Backend AI helpers — Whisper voice refinement and Claude-class narrative drafts (opt-in).
DATA USED: Voice clip or structured-text inputs; generated draft outputs.
LEGAL BASIS: Performance of a contract; consent (admin enablement in Settings).
GDPR REF.: Art. 6(1)(b); Art. 6(1)(a)
PURPOSE: Secure the App; prevent fraud, abuse, evidence tampering, Share Token forging and unauthorised access.
DATA USED: Authentication data; device, technical and telemetry data; security-relevant events; append-only audit log; biometric gate state.
LEGAL BASIS: Legitimate interests in protecting the integrity, availability and confidentiality of the App and the evidentiary integrity of Packs.
GDPR REF.: Art. 6(1)(f)
PURPOSE: Improve the App; conduct privacy-respecting product analytics (opt-in).
DATA USED: Pseudonymised telemetry; aggregated usage statistics.
LEGAL BASIS: Legitimate interests in understanding how the App is used. Where required, consent.
GDPR REF.: Art. 6(1)(f); Art. 6(1)(a)
PURPOSE: Provide customer support and respond to enquiries.
DATA USED: Communications and support data; account data.
LEGAL BASIS: Performance of a contract; legitimate interests for general or pre-contractual enquiries.
GDPR REF.: Art. 6(1)(b); Art. 6(1)(f)
PURPOSE: Respond to data-subject requests and operate the GDPR rights workflow.
DATA USED: All categories relevant to the request.
LEGAL BASIS: Compliance with a legal obligation under the GDPR.
GDPR REF.: Art. 6(1)(c); Arts. 12 to 22
PURPOSE: Send service messages (security, billing, material change notices).
DATA USED: Account data; communications data.
LEGAL BASIS: Performance of a contract.
GDPR REF.: Art. 6(1)(b)
PURPOSE: Defend or pursue legal claims.
DATA USED: Data relevant to the claim.
LEGAL BASIS: Legitimate interests in establishing, exercising or defending legal claims.
GDPR REF.: Art. 6(1)(f)
PURPOSE: Comply with legal, regulatory and tax obligations and respond to lawful requests.
DATA USED: Data required by law (typically account, billing, audit and security logs).
LEGAL BASIS: Compliance with a legal obligation.
GDPR REF.: Art. 6(1)(c); Art. 23
Where we rely on legitimate interests under Article 6(1)(f) GDPR, we have carried out and documented a balancing assessment that concluded our interests are not overridden by your fundamental rights and freedoms. Where we rely on consent under Article 6(1)(a) GDPR, you may withdraw it at any time without affecting the lawfulness of processing carried out before the withdrawal — through iOS Settings, the relevant in-app toggle, the unsubscribe link in any marketing email or by writing to us.
10. Offline-first architecture, on-device storage and EU-resident backend
Beeology Labs Field is offline-first. Inspections, treatments, queen records, harvest batches, captured photographs and voice memos are written first to on-device storage (SwiftData) inside the iOS application sandbox. Records sync to the Beeology Labs backend when connectivity returns. If you delete the App, reset your device or fail to maintain a backup before sync, locally-held but unsynced data may be lost.
The backend is hosted in the European Union (EU-Central region). Personal data is encrypted in transit (TLS 1.2 or higher) and at rest. Records and files are isolated per Workspace using row-level security and signed-URL access. Background sync uses Apple’s BGTaskScheduler when iOS schedules it; this is best-effort and depends on device state.
11. Workspace Owners, field workers, casual workers and Share Token recipients
Beeology Labs Field is operated on a workspace model. The Workspace Owner’s administrator may invite owners, admins, managers, field workers, queen managers and compliance viewers; configure roles; view activity inside the Workspace; generate Packs; issue External Viewer Share Tokens; and configure retention. The administrator is responsible for ensuring that invited users and Share Token recipients receive an appropriate privacy notice and that the organisation has a valid lawful basis for processing the personal data of its field workers, vets, brokers and co-operative auditors.
For these features we act as processor of Customer Data on behalf of the Workspace Owner under the Master DPA. Workspace Owners must rely on their own privacy notice for the substantive obligation under Articles 13 to 14 GDPR; this Policy applies in addition to that notice in respect of data we process as controller (account, telemetry, support, billing and similar data).
11.1 Field workers and Article 88 GDPR
Because field-worker evidence capture and event-based GPS stamping constitute employee monitoring in many EU jurisdictions, the Workspace Owner is responsible — under clause A4 of Schedule A of the Terms and Conditions — for satisfying the worker-monitoring obligations of the country where the worker normally works, including any required works-council, agricultural-labour or co-operative consultation under the law of that EU Member State.
Before granting any field worker access, the Workspace Owner must provide the worker with a privacy notice meeting Articles 13 to 14 GDPR and the national worker-information rules implementing Article 88 GDPR, consult representatives where required, establish and document an appropriate lawful basis under Article 6(1) GDPR, and use monitoring features (event-based GPS pin-drops, photos, voice memos) proportionately and only for the legitimate operational purposes described in the worker privacy notice. The App is not designed for, and must not be used for, covert worker surveillance.
11.2 Casual workers via App Clip
Where a casual worker opens the App Clip via the Yard QR code, the Workspace Owner is responsible for providing — on or before the first App Clip session — the privacy notice required by clause A4 of Schedule A (adapted to App Clip scope) and any wage, fee, contract, social-security or tax arrangement. Use of the App Clip surface does not create any agency, employment or service relationship between ML Consulting and the casual worker.
11.3 External Viewer Share Token recipients
Where the Workspace Owner issues an External Viewer Share Token to a vet inspector, broker or co-operative auditor, the Workspace Owner is responsible for: limiting the token scope to records the recipient actually needs; setting an appropriate expiry; keeping GPS coordinates excluded by default (the App offers this as the default setting); and informing the recipient that the Token delivers an operational record only, not a regulatory certification or veterinary advice.
12. Recipients of personal data
We share personal data only with the categories of recipients listed below, and only to the extent necessary for the purpose. We do not sell personal data, and we do not “share” personal data for cross-context behavioural advertising as that term is defined under California law.
RECIPIENT CATEGORY: Apple Inc. and Apple Distribution International Limited
PURPOSE: App Store distribution, Sideline-tier App Store In-App Purchases via StoreKit (where used), Sign in with Apple, App Clip experience hosting, APNs push delivery, WeatherKit microclimate, iCloud and related Apple platform services.
STATUS: Independent controller for App Store-side and Apple-platform-side processing.
RECIPIENT CATEGORY: EU-resident backend hosting provider (Supabase / Postgres in eu-central-1)
PURPOSE: Host the Beeology Labs backend, including encrypted record storage, signed-URL file storage, row-level security per Workspace, scheduled jobs and Share Token serving.
STATUS: Sub-processor under written terms; data hosted in the European Union.
RECIPIENT CATEGORY: Workflow orchestration provider (server-side cron and event jobs)
PURPOSE: Advance the treatment-status state machine, trigger Day-1 follow-up reminders and run scheduled aggregations.
STATUS: Sub-processor under written terms.
RECIPIENT CATEGORY: Email-delivery and support provider
PURPOSE: Send service messages, magic-link authentication emails, password-less sign-in, support replies and onboarding communications.
STATUS: Sub-processor under written terms.
RECIPIENT CATEGORY: Anonymised product-analytics, monitoring and crash-reporting providers
PURPOSE: Privacy-respecting product analytics, performance monitoring and bug diagnostics; pseudonymised where feasible; opt-in for Diagnostics and Usage Data in the App Privacy details.
STATUS: Sub-processors under written terms; used only after consent where required.
RECIPIENT CATEGORY: Payment and invoicing provider (Direct Channel)
PURPOSE: Process payments, invoices, refunds, taxes and reconciliation for Commercial-Lite, Pro and Setup / Import customers.
STATUS: Independent controller or sub-processor depending on the provider.
RECIPIENT CATEGORY: Voice-transcription provider (backend Whisper-class, opt-in)
PURPOSE: Refine on-device first-pass transcripts of inspection voice memos. Activated only when an admin of the Workspace Owner enables backend AI features.
STATUS: Sub-processor under written terms; inputs and outputs are not used to train any third-party model.
RECIPIENT CATEGORY: Language-model provider (Anthropic — Claude-class narrative drafts, opt-in)
PURPOSE: Generate narrative drafts for Treatment Evidence Packs, Season Summaries and Queen Performance Reports. Activated only when an admin enables backend AI features. Customer-identifying free text is minimised before transmission.
STATUS: Sub-processor under written terms; inputs and outputs are not used to train any third-party model.
RECIPIENT CATEGORY: Professional advisers (lawyers, accountants, auditors, insurers)
PURPOSE: Legal, tax, audit, insurance and compliance advice on a need-to-know basis.
STATUS: Independent controllers under their own duties of confidence.
RECIPIENT CATEGORY: Authorities, courts and regulators
PURPOSE: Where we are required by law, court order or a binding regulatory request, including the Lithuanian State Data Protection Inspectorate (VDAI) and the Lithuanian State Tax Inspectorate (VMI) where applicable.
STATUS: Independent controllers acting under their statutory powers.
RECIPIENT CATEGORY: Successor entity
PURPOSE: In the context of a merger, acquisition, restructuring or sale of assets, subject to confidentiality safeguards and to the buyer continuing to honour the commitments in this Policy.
STATUS: Independent controller after the transaction closes.
A current list of our sub-processors, together with the country in which each provider operates, is published at mlconsulting.lt/legal/sub-processors and is updated when the list changes. Each sub-processor we engage is bound by a written contract that imposes the data-protection obligations required by Article 28 GDPR (or, where ML Consulting is the controller, equivalent contractual safeguards).
13. International data transfers
ML Consulting MB is established in Lithuania and hosts the Beeology Labs backend in the European Union (EU-Central region). Personal data is encrypted in transit and at rest, and we aim to keep personal data within the European Economic Area by default. Some of our sub-processors and the global infrastructure of Apple Inc. (App Store, App Clip hosting, APNs, WeatherKit) and of the language-model and voice-transcription providers may process data in the United States or other regions where they operate.
Where personal data is transferred outside the EEA or the United Kingdom to a country that has not been the subject of an adequacy decision under Article 45 GDPR, we rely on one or more of the safeguards required by Chapter V GDPR, in particular:
· European Commission adequacy decisions, including the EU-US Data Privacy Framework where the recipient is certified under it;
· the European Commission’s Standard Contractual Clauses (Module Two — controller to processor — and Module Three — processor to sub-processor — as applicable), with the UK International Data Transfer Addendum or the UK International Data Transfer Agreement for transfers from the United Kingdom;
· additional technical measures including TLS 1.2 or higher for data in transit and encryption at rest, as well as contractual and organisational measures appropriate to the risk; and
· any other lawful transfer mechanism under Articles 46 to 49 GDPR.
14. Automated decision-making, on-device CoreML and backend AI
14.1 No solely-automated decisions with legal or similarly significant effects
We do not subject you to decisions producing legal effects concerning you or similarly significantly affecting you that are based solely on automated processing within the meaning of Article 22 GDPR. Where any aspect of a decision affecting you is informed by automated logic, a human is meaningfully involved in the outcome.
14.2 On-device CoreML
The App may include on-device CoreML helpers — queen-marking colour detection from a queen photograph, brood-pattern density classification from a brood-frame photograph and (post-MVP) varroa-board count estimation. These classifiers run locally on your iPhone or iPad and the photograph is not transmitted to any third-party AI provider as a result of this feature. Outputs are advisory; below a confidence threshold of 70%, the App surfaces a “needs review” badge. You can always override the suggestion before saving.
14.3 Backend AI helpers — opt-in, never autonomous
The App may include opt-in backend AI helpers — Whisper-class voice refinement of inspection voice memos and Claude-class narrative drafts for Treatment Evidence Packs, Season Summaries and Queen Performance Reports. These features are off by default and are activated only when an admin of the Workspace Owner explicitly enables them in Settings.
Where backend AI helpers are enabled:
· AI output is editable text only and requires explicit human confirmation before save or export;
· raw input (audio, photos, free-text, original CoreML inputs) is always retained alongside any AI-structured output, so you can audit and override;
· AI never auto-publishes an Inspection, Treatment, Queen record, Harvest Batch or Pack, never changes treatment status, never changes Pack export state, never changes billing state and never changes audit-log state;
· inputs and outputs are not used by ML Consulting or by any sub-processor to train any third-party model;
· customer-identifying free text and third-party personal data are minimised before transmission to the sub-processor;
· AI usage is metered per tier; above-cap usage is paused and manual flows remain primary;
· the Workspace Owner may disable AI features globally in Settings at any time.
14.4 Third-party AI sub-processors
Backend Whisper-class voice refinement and Claude-class narrative drafting are performed by sub-processors disclosed in section 12 and in our sub-processor list, under written agreements that prohibit the use of inputs or outputs to train any third-party model.
14.5 EU AI Act readiness
We design and operate AI features to be compatible with applicable obligations under Regulation (EU) 2024/1689 (the Artificial Intelligence Act), including transparency, logging and human-oversight requirements appropriate to the risk classification of the relevant feature. None of our current AI features is, or is held out as, a high-risk AI system within the meaning of Annex III of the AI Act.
15. How long we keep personal data
We keep personal data only for as long as we need it for the purpose for which it was collected, or as required by applicable law. The retention periods below are indicative; the actual period for any item of personal data is the longest of the periods that apply to the purposes for which we use it.
CATEGORY: Account and authentication data
RETENTION PERIOD: Lifetime of the account; in any case deleted or anonymised within 24 months of complete inactivity, save where statutory retention applies.
TRIGGER FOR DELETION OR ANONYMISATION: Account deletion, 24-month inactivity sweep or end of statutory retention.
CATEGORY: On-device application data
RETENTION PERIOD: Held on your device for as long as you keep it; included in iCloud Backup if you have it enabled. Removed by the operating system on App deletion.
TRIGGER FOR DELETION OR ANONYMISATION: You delete the data, the App or your account.
CATEGORY: Telemetry, capture-duration and service-operation data
RETENTION PERIOD: Pseudonymised at collection where feasible; retained in identifiable form for a maximum of 13 months; aggregated or anonymised data may be retained indefinitely.
TRIGGER FOR DELETION OR ANONYMISATION: Time-based deletion or aggregation.
CATEGORY: Communications and support data
RETENTION PERIOD: Up to 24 months from the close of the last related correspondence; longer where the matter relates to a complaint, dispute, regulatory request or legal claim, until the matter is resolved plus the applicable limitation period.
TRIGGER FOR DELETION OR ANONYMISATION: Time-based deletion or matter closure.
CATEGORY: Billing, accounting and tax records
RETENTION PERIOD: Up to 10 years from the end of the relevant accounting period, in line with the Lithuanian Law on Financial Accounting and the Lithuanian Law on Tax Administration.
TRIGGER FOR DELETION OR ANONYMISATION: Expiry of the statutory retention period.
CATEGORY: Apple App Store transaction metadata (Sideline IAP, where used)
RETENTION PERIOD: For the lifetime of the entitlement plus the period required to handle refunds, disputes and statutory accounting; aligned with the billing-records period above.
TRIGGER FOR DELETION OR ANONYMISATION: Expiry of the statutory retention period.
CATEGORY: Customer Data within Workspaces (we are processor)
RETENTION PERIOD: Governed by the Master DPA: a 30-day data-export window in read-only mode after termination, followed by deletion or anonymisation within a further 60 days, save for records the Workspace Owner is required by law to retain.
TRIGGER FOR DELETION OR ANONYMISATION: Termination of the customer agreement, plus the period set in the Master DPA.
CATEGORY: Append-only audit log
RETENTION PERIOD: Retained alongside the underlying Workspace records for the period governed by the Master DPA; preserved through capture, edit, status change, snapshot freeze, Pack export and Share Token issuance.
TRIGGER FOR DELETION OR ANONYMISATION: End of the Master DPA retention period.
CATEGORY: App Clip session records
RETENTION PERIOD: Retained while the parent Inspection or Treatment records exist; otherwise no longer than 12 months from the session end, save where part of a regulatory or contractual matter.
TRIGGER FOR DELETION OR ANONYMISATION: Deletion of the parent records or time-based deletion.
CATEGORY: External Viewer Share Tokens
RETENTION PERIOD: Active until expiry or revocation; activity log retained for up to 12 months from token expiry for audit purposes.
TRIGGER FOR DELETION OR ANONYMISATION: Token expiry, revocation or time-based deletion.
CATEGORY: Security and platform audit logs
RETENTION PERIOD: Up to 24 months, or longer where necessary for security, fraud-prevention or legal-claim purposes.
TRIGGER FOR DELETION OR ANONYMISATION: Time-based deletion.
CATEGORY: Backups
RETENTION PERIOD: Standard backup-rotation cycles (typically up to 30 days). Backups are not used to restore deleted accounts and are themselves overwritten on the rotation cycle.
TRIGGER FOR DELETION OR ANONYMISATION: Backup-rotation cycle.
16. Security and personal-data breaches
16.1 Article 32 measures
We implement and maintain appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, alteration or disclosure, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk to your rights and freedoms (Article 32 GDPR). For Beeology Labs Field specifically, these measures include: EU-resident backend hosting with encryption in transit (TLS 1.2 or higher) and at rest; row-level security per Workspace identifier in the Postgres database; signed-URL access to evidence files with short time-to-live; optional Face ID / Touch ID biometric gating of high-consequence operations (Pack generation, Share Token issuance, audit-log export); watermarking and audit-trail blocks on every Pack; an append-only audit log of capture, edit, status change, snapshot freeze, Pack export and Share Token events; and time-limited, scope-restricted External Viewer Share Tokens.
16.2 Notification of personal-data breaches
If we become aware of a personal-data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours after becoming aware of the breach (Article 33 GDPR). Where the breach is likely to result in a high risk, we will notify the affected data subjects without undue delay (Article 34 GDPR). Where ML Consulting is acting as processor on behalf of a Workspace Owner, we will notify the Workspace Owner without undue delay in accordance with Article 33(2) GDPR and the Master DPA.
16.3 Reporting a suspected breach to us
If you suspect a security incident or unauthorised access affecting your account, device, App Clip session or External Viewer Share Token, please notify us at support+beeology@mlconsulting.lt without undue delay. Provide as much detail as you can; do not include passwords or other secrets in the email.
17. Your rights as a data subject
Subject to the conditions set out in the GDPR, you have the rights below. These rights are not absolute and may be restricted by law.
Right of access (Article 15). Confirm whether we process personal data about you and obtain a copy together with the information set out in Article 15.
Right to rectification (Article 16). Have inaccurate personal data corrected and incomplete data completed.
Right to erasure (Article 17). Have personal data erased where the conditions in Article 17 apply, including where the data is no longer necessary or where you withdraw consent and there is no other legal basis. The App offers an in-app “Delete account” control.
Right to restriction of processing (Article 18). Restrict our processing while we verify the accuracy of contested data, while we deal with an objection or in the other circumstances set out in Article 18.
Right to data portability (Article 20). Where processing is based on consent or contract performance and is carried out by automated means, receive the data you provided in a structured, commonly-used and machine-readable format. The App provides in-app CSV exports and watermarked PDF Packs.
Right to object (Article 21). Object to processing based on legitimate interests on grounds relating to your particular situation, and at any time to direct marketing.
Rights related to automated decision-making (Article 22). Not be subject to a decision based solely on automated processing that produces legal effects or similarly significant effects, and obtain human intervention, express your point of view and contest the decision where the right applies. See section 14.
Right to withdraw consent (Article 7(3)). Where we rely on consent, withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
Right to lodge a complaint (Article 77). Complain to our lead supervisory authority — the VDAI in Vilnius — or to the supervisory authority of the EU Member State where you habitually reside, where you work or where the alleged infringement took place. We would, however, appreciate the opportunity to address your concern directly first.
17.1 How to exercise your rights
You can exercise the rights above by sending an email to support+beeology@mlconsulting.lt with the words “Privacy request — Beeology Labs Field” in the subject line.
We will respond to verifiable requests without undue delay and in any event within one month of receipt under Article 12(3) GDPR. We may extend that period by up to a further two months for complex or numerous requests, in which case we will inform you of the extension and the reason within the first month. We may need to verify your identity (typically by asking you to authenticate to the relevant account or to provide proof of identity proportionate to the request and the data concerned). The service is free of charge unless your request is manifestly unfounded or excessive (Article 12(5) GDPR).
17.2 Workspace-controlled data
For Customer Data that we process as processor on behalf of a Workspace Owner — including data about field workers, App Clip session participants and External Viewer Share Token recipients — please direct your request to the Workspace Owner first; if you cannot identify the Workspace Owner, contact us at support+beeology@mlconsulting.lt and we will redirect your request without undue delay.
18. Regional rights notices
18.1 United Kingdom
If you are in the United Kingdom, the UK General Data Protection Regulation and the UK Data Protection Act 2018 apply to processing within their territorial scope. The rights set out in section 17 apply equivalently. The UK supervisory authority is the Information Commissioner’s Office (ICO).
18.2 Switzerland
If you are in Switzerland, the Swiss Federal Act on Data Protection (revFADP) applies to processing within its territorial scope. The Swiss supervisory authority is the Federal Data Protection and Information Commissioner (FDPIC). Where we transfer data to Switzerland, we apply the Swiss addendum to the Standard Contractual Clauses where required.
18.3 California, United States
If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA / CPRA”), gives you the right to (i) know the categories and specific pieces of personal information we collect, (ii) request deletion, (iii) request correction, (iv) limit the use and disclosure of sensitive personal information, and (v) opt out of any “sale” or “sharing” of personal information. We do not sell personal information and we do not “share” personal information for cross-context behavioural advertising. We will not discriminate against you for exercising any of these rights.
18.4 Other US states
Similar rights are available to residents of Colorado, Connecticut, Virginia, Utah, Texas and other US states with comprehensive privacy laws. To exercise any state-law right, write to support+beeology@mlconsulting.lt.
18.5 Global Privacy Control
On the App’s landing pages, we honour the Global Privacy Control signal where technically feasible, treating it as an objection to non-essential cookies and a request to opt out of any “sale” or “sharing” of personal information.
19. Children
Beeology Labs Field is intended for business users (B2B) only and is not designed for use by minors as the contracting party. Where a minor is invited as a field worker — for example, in a family beekeeping operation — the Workspace Owner is responsible for obtaining parental or guardian consent and for complying with national child-labour, agricultural-labour, seasonal-worker and youth-work rules. Apple’s App Store age rating reflects the relevant minimum age for the App. If we become aware that we have collected personal data from a child without the appropriate authorisation, we will delete it without undue delay. If you are a parent or guardian and believe your child has provided personal data to us, please contact us at support+beeology@mlconsulting.lt.
20. Cookies and similar technologies
The Beeology Labs Field iOS / iPadOS App and its App Clip surface do not use analytics, advertising, profiling or marketing cookies. The App and App Clip use on-device storage (the iOS application sandbox, the Keychain, SwiftData, UserDefaults) to deliver their features. This is not “cookies” within the meaning of the ePrivacy Directive 2002/58/EC and is governed by this Policy rather than by this section.
The External Viewer Share Token web pages and the App’s landing pages on mlconsulting.lt use only strictly-necessary cookies (for example, a signed session cookie to honour the token scope). No analytics or advertising cookies are set.
21. Communications
21.1 Service messages
We send transactional service messages (security alerts, billing notices, magic-link authentication emails, support replies, material change notices) on the basis of contract performance under Article 6(1)(b) GDPR. Service messages are not commercial marketing and cannot be opted out of without ceasing to use the App.
21.2 Direct marketing
Where we send commercial marketing emails about Beeology Labs Field — product updates, launch announcements, educational materials or event invitations — we rely either on (i) your prior consent under Article 6(1)(a) GDPR and Article 13 of the ePrivacy Directive, or (ii) the “soft opt-in” under Article 13(2) of the ePrivacy Directive (existing customer relationship, similar products or services, with a clear opt-out at the point of collection and in every message). You may opt out at any time by clicking the unsubscribe link in any marketing email, by emailing support+beeology@mlconsulting.lt or by updating your preferences in your account where applicable.
21.3 Operational notifications
APNs Time-Sensitive notifications, ActivityKit Live Activities and EventKit calendar writes are operational reminders configured by you in iOS Settings and in the App’s Settings. They are best-effort and depend on Apple’s platform services. The Workspace Owner remains responsible for performing the underlying operational action regardless of the presence or absence of a notification.
22. Changes to this Policy
22.1 Routine updates
We may update this Policy from time to time, for example to reflect new features, regulatory developments, sub-processor changes or operational changes. The latest version is always published on the App’s App Store listing and at mlconsulting.lt/beeology/privacy.
22.2 Material changes
Where a change is material and adversely affects your rights or expectations, we will give reasonable advance notice — typically at least 30 days, unless a shorter period is required by law — by in-app notice and, where we have your email address, by email. Non-material changes (typographical fixes, clarifications, contact-detail updates, sub-processor list updates) take effect on posting.
22.3 Versioning
Each version of this Policy is dated and archived. The version in force at the time of the relevant processing governs that processing.
23. Contact us
For any question, request or complaint about this Policy or about how we process your personal data, please contact us using the details below.
Field / Value
CONTROLLER: ML Consulting MB
ADDRESS: Vilnius, Republic of Lithuania
LEGAL ENTITY CODE: 306991112
PRIVACY CONTACT (EMAIL): support+beeology@mlconsulting.lt
WEBSITE: https://mlconsulting.lt
LEAD SUPERVISORY AUTHORITY: Valstybinė duomenų apsaugos inspekcija (VDAI), L. Sapiegos g. 17, LT-10312 Vilnius, Lithuania · +370 5 271 2804 · ada@ada.lt · vdai.lrv.lt
Document end · Version 1.0 · Effective 1 June 2026 · Beeology Labs Field — Privacy Policy · © 2026 ML Consulting MB
© 2026. All rights reserved.
