Last updated: 2026-05-01
Old Bird is an Android security camera app. It is mostly local: camera, microphone, settings, recordings, and the viewer password live on the phone and never leave it. The only data Old Bird itself stores in the cloud is the cameras registry (Firebase) and the Drive backup grant — both created when you opt into the cloud features, both wipeable from inside the app.
When streaming is enabled, Old Bird captures video and audio. By default it's only reachable on your Wi-Fi. If you opt in to remote viewing, the same media is relayed through an outbound tunnel (see below). Old Bird never uploads camera or microphone content to its own servers.
Each feature below is opt-in. The app works fully without any of them.
Credential Manager provides Old Bird with your Google account ID, email, and display name, used to link cameras to your account. Authentication runs through Firebase Authentication.
When you sign in, Old Bird writes a small record per camera: name, current public URL (when remote viewing is on), device model, app version, last-seen timestamp, and an end-to-end-encrypted copy of the viewer password. The encryption key is derived from a master passphrase that lives only on your devices — the Old Bird operator cannot decrypt it.
An outbound SSH tunnel to a third-party tunnel provider exposes the camera over the internet. The tunnel forwards already-encrypted HTTPS traffic, so neither the provider nor Old Bird can read the video, audio, or credentials. The tunnel provider sees source IP and bandwidth metadata.
Recorded MP4 segments can be uploaded to a WebDAV server you supply, or to your own Google Drive (using the drive.file scope, which only accesses files Old Bird creates). The destination is yours; Old Bird's servers never see the segments.
If you configure a motion-alert webhook (Generic, ntfy, Slack, Discord, Telegram, or a custom URL), Old Bird POSTs a small JSON event to the address you chose when motion is detected. The body contains the camera name, IP, and timestamp — no media. Old Bird's servers are not involved.
Pro subscriptions are processed by Google Play Billing. Old Bird never sees your payment information; it only receives the subscription state (active / pending / cancelled) from Play.
If the app crashes, Firebase Crashlytics receives the stack trace and device/OS/app-version metadata, plus a short trail of internal lifecycle events ("camera started", "settings updated") — never the values of fields you typed, IP addresses, file names, or passwords. Firebase Analytics logs anonymous feature-usage events (which screens open, which lens is selected). Neither stream contains your Google account or camera content. Crashlytics retains up to 90 days; Analytics up to 14 months.
Each request to Firebase carries an anonymous Play Integrity attestation token proving the request came from a genuine Old Bird install. The token contains no personal information.
Old Bird is not directed at children under 13 and does not knowingly collect their data.
To delete the cameras registry, profile, and Drive grant tied to your Google account, open the app and tap Settings → Internet access → Delete cloud data. See the deletion guide for what's removed. For sooner deletion of crash/analytics data, email the address below.