Introduction

This Privacy Policy describes how GrowDo ("we", "us", or "our") collects, uses, and protects your personal information when you use our gardening planning application.

We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

1. Data We Collect

1.1 Account Information

Email address
Display name
Password (encrypted)
Account creation date
Subscription status and tier

1.2 Garden Data

Planting plans and schedules
Crop varieties and custom crops
Seed inventory
Garden tasks and notes
Harvest records
Location (city for weather data)

1.3 Usage Data

Feature usage statistics
Session data
Device type and browser information
IP address (anonymized for analytics)

1.4 Communication Data

Support tickets and correspondence
Email preferences
Notification settings

2. How We Use Your Data

2.1 Service Delivery

Provide and maintain the gardening planning service
Generate personalized planting schedules
Send task reminders and notifications
Provide weather-based recommendations

2.2 Communication

Send service-related emails (critical only, no opt-out)
Respond to support requests
Send marketing emails (only with consent)
Notify about product updates (only with consent)

2.3 Improvement and Analytics

Analyze usage patterns to improve features
Debug technical issues
Understand which features are most valuable

2.4 Legal Basis for Processing (GDPR)

Contract: Processing necessary to provide the service
Consent: Marketing emails, analytics cookies, optional features
Legitimate Interest: Service improvement, fraud prevention
Legal Obligation: Tax records, legal compliance

3. Data Storage and Retention

3.1 Storage Location

Your data is stored securely using Supabase infrastructure, with servers located in the United States and Europe. All data is encrypted in transit (HTTPS) and at rest.

3.2 Retention Periods

Active accounts: Data retained while account is active
Deleted accounts: Immediately removed upon deletion request
Unverified accounts: Deleted after 30 days of inactivity
Analytics logs: Retained for 12 months, then deleted
Support tickets: Retained for 3 years for legal compliance
Financial records: Retained for 7 years (legal requirement)

4. Data Sharing and Third Parties

We do not sell your personal data. We share data only with trusted service providers necessary to operate the service:

Supabase: Database and authentication
Stripe: Payment processing (if using paid features)
Email service provider: Transactional and marketing emails (with consent)
Weather API: Location-based weather data
Analytics provider: Anonymized usage statistics (with consent)

All third-party providers are GDPR-compliant and bound by data processing agreements.

5. Your Rights Under GDPR

You have the following rights regarding your personal data:

Right to Access

Request a copy of all data we hold about you. Use the "Download My Data" feature in Settings → Privacy.

Right to Rectification

Correct any inaccurate data through your profile settings or contact support.

Right to Erasure

Delete your account and all associated data at any time via Settings → Privacy → Delete Account.

Right to Data Portability

Export your data in JSON format for use with other services.

Right to Object

Object to processing based on legitimate interests. Manage in Settings → Privacy.

Right to Withdraw Consent

Withdraw consent for marketing, analytics, or optional features at any time.

Right to Restriction

Request temporary restriction of data processing while we resolve disputes.

6. Cookies and Tracking

We use cookies and similar technologies to provide and improve our service:

6.1 Essential Cookies (Always Active)

Authentication and session management
Security and fraud prevention
User preferences and settings

6.2 Analytics Cookies (Opt-In Required)

Usage statistics and feature popularity
Performance monitoring
Error tracking for debugging

6.3 Marketing Cookies (Opt-In Required)

Personalized content recommendations
Marketing campaign effectiveness

You can manage cookie preferences at any time through the cookie banner or Settings → Privacy.

7. Data Security

We implement industry-standard security measures:

All data transmitted over HTTPS (SSL/TLS encryption)
Passwords hashed using bcrypt with salt
Regular security audits and updates
Secure session management with automatic expiry
Database encryption at rest
Access controls and authentication for all APIs
Regular backups with encryption

While we strive to protect your data, no method of transmission over the internet is 100% secure. Please use strong passwords and enable two-factor authentication when available.

8. Children's Privacy

Our service is not intended for children under 16 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.

9. International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence. We ensure appropriate safeguards are in place, including:

Standard Contractual Clauses (SCCs) approved by the EU Commission
Data processing agreements with all service providers
Compliance with GDPR requirements for international transfers

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or prominent notice in the app. Continued use after changes constitutes acceptance of the updated policy.

11. Contact Us

For questions about this Privacy Policy, to exercise your rights, or to submit a data request:

Data Protection Officer

Email: privacy@growdo.app

We will respond to all requests within 30 days as required by GDPR.

12. Supervisory Authority

If you are not satisfied with our response to your data protection concerns, you have the right to lodge a complaint with your local data protection supervisory authority.

Privacy Policy