CSI Ocean app icon
Citizen ScienceCSI Ocean
Trust & privacy

The promises we keep,
in language a person can read.

This page is the human-language version of how CSI Ocean is built and how your data is treated. The six commitments we keep every release, the data we do hold (and the data we deliberately don't), permissions we ask for and why, and the questions people most often ask. The formal legal version lives at /privacy-policy.

VIWhy CSI Ocean stands out

Six commitments
we keep on every release.

  1. 01Methodology-first

    Designed by the methodology, not the other way around.

    The wizard codifies how a microplastics researcher would walk through the work, sample, environment, equipment, protocol, location, so volunteer observations end up structured the way labs need them.

  2. 02Open dataset

    Open by default.

    Every observation in the public dataset is browsable, searchable, and pinnable on a global map. There is no paid tier and no premium dataset.

  3. 03Real-time inference

    Detection in seconds, not days.

    Photos are sent to a hosted machine-learning endpoint that returns annotated detections in seconds. You see suspected particles right there in the wizard.

  4. 04Field-grade

    Built for the field.

    Offline capture, cached vocabularies, and resilient sync mean the app works on a boat, in a forest, or under a snowfall, just as well as in a lab.

  5. 05Quiet by design

    No analytics. No ads. No tracking.

    No third-party analytics SDK is integrated. No advertising network is loaded. The app talks to its own backend and to a hosted detection endpoint, and that is it.

  6. 06Polished and accessible

    Native components, accessible defaults.

    Built with native iOS components and Material guidelines, with text contrast checked against WCAG AA at body sizes. Uses haptics, share sheets, and link previews to feel like a first-class platform citizen.

From the scientific advisory board
“Citizen science only matters if the data lands in a form labs can use. CSI Ocean encodes the protocol so contributions come back structured, geo-referenced, and ready to compare across sites. That is rare.”
[Pending] Scientific lead, partner institution
VIIISecurity and privacy

The scientific record is public.
Your personal information is not.

Here is exactly what the app collects, what it does not, and how we protect your account. We treat the scientific record as a public good.

01 / Stored

What we store

Account fields, plus the scientific metadata of every observation you submit.

For your account
  • Email, for sign-in and password reset
  • Name, shown on your profile and the leaderboard
  • Password, hashed on the server, never stored in plain text
  • Username, public on the leaderboard and observation feed
  • Avatar, optional
  • Phone number and date of birth, optional
  • User type chosen at signup
For each observation
  • Photos, uploaded to the project's secure cloud storage
  • Location as latitude and longitude, plus optional reverse-geocoded address
  • Sample metadata: type, depth, volume, environment, equipment, weather, contamination protocol
  • Detection results: bounding boxes and confidence scores
02 / Not collected

What we do not

The list of things this app deliberately does not include.

  • blockNo third-party analytics. No Google Analytics, Mixpanel, Segment, Amplitude, or similar SDK.
  • blockNo crash-reporting service. No Sentry or comparable telemetry.
  • blockNo advertising identifiers. The app does not request IDFA or GAID.
  • blockNo push notifications. The app does not request a push token.
  • blockNo on-device location tracking. Location is read only when you tap the location step.
  • blockNo SMS by default. Email verification is the default for password reset.
03 / Protections

How we protect your account

Concrete protections that are in place today.

  • verified_user
    Email-verification on signup
    Six-digit one-time code, expires after five minutes.
  • key
    Bearer-token authentication
    Seven-day token lifetime with a refresh endpoint.
  • lock
    Tokens in the device secure enclave
    iOS Keychain or Android Keystore via Expo SecureStore.
  • https
    TLS in transit
    Every request to the API and the detection endpoint.
  • visibility_off
    No account-existence leakage
    Signup, password-reset, and verification responses never reveal whether an email is registered.
  • report_off
    Sanitised server responses
    The API never returns raw exception text, stack traces, or database details, even on errors.
  • lock_clock
    24-hour signed photo URLs
    Every photo is served from a short-lived signed link that expires after 24 hours.
  • event_repeat
    30-day deletion grace window
    Deletions are reversible for 30 days. Sign back in from the Restore screen to undo.
  • schedule
    Automated background processing
    A daily job processes expired requests so deletions are honoured promptly and predictably.
04 / Permissions

Permissions the app asks for

Three permissions, each requested only when you actually need the feature behind it.

  • my_location
    Location (when in use)
    So observations can be pinned and the explore map can centre on you. Never read in the background.
  • photo_camera
    Camera
    So you can photograph your sample.
  • photo_library
    Photo library
    So you can attach existing images to an observation.

You can decline any of these and still browse the feed, the leaderboard, and other people's observations. Camera or photo-library access is required to submit a new observation.

05 / Account control

You stay in control of your account

Every account-state change is self-serve from inside the app.

  • Edit your profile and avatar at any time
  • Sign out at any time, your local cache clears when you do
  • Delete observations you own with explicit confirmation
  • Delete your account from inside the app, choosing keep-anonymous or remove-everything
  • Restore a deleted account within 30 days from the Restore screen using the same email and password

Account deletion does not require contacting support. The Restore screen handles 30-day reversals using the same email and password.

Read the documentsPrivacy Policyarrow_outwardTerms of Servicearrow_outward
IXFrequently asked questions

Honest answers,
no marketing-speak.

  • Yes. There is no paid tier, no premium dataset, and no advertising. The project is funded by Nat Geo, so the app can stay free for the people doing the work.

  • No. The capture wizard is designed for first-time observers. You'll be guided through every step, with optional advanced fields you can skip until you want them. If you have scientific training, the metadata is rich enough for research-grade observations.

  • The detection model flags suspected microplastic particles and assigns a confidence band: high, medium, or low. It is intended as a screening aid, not a substitute for laboratory confirmation. Researchers using observations for analysis can filter by confidence and by data-quality tag (Casual, Needs ID, Research).

  • Yes. The full capture wizard works offline. Observations queue locally with a visible status indicator and sync automatically when you reconnect. Every scientific lookup the wizard needs (sample types, environments, equipment, contamination protocols) is cached on first launch.

  • Photos are uploaded to the project's secure cloud storage and stored privately. They appear in the public dataset attached to your observation, with detection bounding boxes drawn over them. The image URLs you see are signed and short-lived, they expire after 24 hours, so a leaked link cannot be reshared indefinitely. If you delete the observation, the photos are removed from public view.

  • You can export individual observations as polished PDFs from the observation detail screen, including cover page, metadata, and image pages with detection overlays.

  • By default, every approved observation appears in the public feed and on the explore map. Your username, sample photo, location, sample type, and detection count are public. Your private profile fields (email, phone, date of birth) are not.

  • Not yet. The app currently ships in English only.

  • Tap Forgot password on the sign-in screen, enter your email, and we send a six-digit code valid for five minutes. Enter the code in the app and choose a new password. We never send password resets by SMS, and the response you see is the same whether or not your email is on file, so a stranger cannot probe whether you have an account.

  • Open Profile, then Settings, then Delete account. You'll be asked to confirm with your password and pick what happens to your contributions: keep them in the dataset anonymously, or remove everything you ever submitted (including the photos). We email you to confirm the request, and your account is scheduled for permanent removal 30 days later. If you change your mind, sign back in within those 30 days from the Restore account screen and we put everything back.

  • You choose at the time you request deletion. If you pick keep my contributions anonymously, your observations stay in the public dataset, but your name, email, photo, and contact details are scrubbed from your profile. If you pick delete everything, your observations and all uploaded images are permanently removed from the dataset and from cloud storage during the final processing step. Either way, you get an email when the deletion is finalised.

  • Observation media is stored on Amazon S3. Database records are stored on the project's primary cloud-hosted database.

Still have a question? Email the team: see the contact details in the footer below.

Free, on iOS and Android

Get CSI Ocean.
Submit your first observation today.

Free on iOS and Android. Twenty minutes from a curious walk to a peer-reviewable record. Every observation contributes to a shared scientific dataset.

Launches 1 July 2026
App Storearrow_forwardGoogle Play

No ads · No tracking · No premium tier