This Privacy Policy describes how GrowDo ("we", "us", or "our") collects, uses, and protects your personal information when you use our gardening planning application.
We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
1. Data We Collect
1.1 Account Information
Email address
Display name
Password (encrypted)
Account creation date
Subscription status and tier
1.2 Garden Data
Planting plans and schedules
Crop varieties and custom crops
Seed inventory
Garden tasks and notes
Harvest records
Location (city for weather data)
1.3 Usage Data
Feature usage statistics
Session data
Device type and browser information
IP address (anonymized for analytics)
1.4 Communication Data
Support tickets and correspondence
Email preferences
Notification settings
2. How We Use Your Data
2.1 Service Delivery
Provide and maintain the gardening planning service
Generate personalized planting schedules
Send task reminders and notifications
Provide weather-based recommendations
2.2 Communication
Send service-related emails (critical only, no opt-out)
Respond to support requests
Send marketing emails (only with consent)
Notify you about product updates (only with consent)
2.3 Improvement and Analytics
Analyze usage patterns to improve features
Debug technical issues
Understand which features are most valuable
2.4 Legal Basis for Processing (GDPR)
Contract: Processing necessary to provide the service
Consent: Marketing emails, analytics cookies, optional features
Legitimate Interest: Service improvement, fraud prevention
Legal Obligation: Tax records, legal compliance
3. Data Storage and Retention
3.1 Storage Location
Your data is stored securely using Supabase infrastructure, with servers located in the United States and Europe. All data is encrypted in transit (HTTPS) and at rest.
3.2 Retention Periods
Active accounts: Data retained while account is active
Deleted accounts: Immediately removed upon deletion request
Unverified accounts: Deleted after 30 days of inactivity
Analytics logs: Retained for 12 months, then deleted
Support tickets: Retained for 3 years for legal compliance
Financial records: Retained for 7 years (legal requirement)
4. Data Sharing and Third Parties
We do not sell your personal data. We share data only with trusted service providers necessary to operate the service:
Supabase: Database and authentication
Stripe: Payment processing (if using paid features)
Email service provider: Transactional and marketing emails (with consent)
All third-party providers are GDPR-compliant and bound by data processing agreements.
5. Your Rights Under GDPR
You have the following rights regarding your personal data:
Right to Access
Request a copy of all data we hold about you. Use the "Download My Data" feature in Settings → Privacy.
Right to Rectification
Correct any inaccurate data through your profile settings or by contacting support.
Right to Erasure
Delete your account and all associated data at any time via Settings → Privacy → Delete Account.
Right to Data Portability
Export your data in JSON format for use with other services.
Right to Object
Object to processing based on legitimate interests. Manage in Settings → Privacy.
Right to Withdraw Consent
Withdraw consent for marketing, analytics, or optional features at any time.
Right to Restriction
Request temporary restriction of data processing while we resolve disputes.
6. Cookies and Tracking
We use cookies and similar technologies to provide and improve our service:
6.1 Essential Cookies (Always Active)
Authentication and session management
Security and fraud prevention
User preferences and settings
6.2 Analytics Cookies (Opt-In Required)
Usage statistics and feature popularity
Performance monitoring
Error tracking for debugging
6.3 Marketing Cookies (Opt-In Required)
Personalized content recommendations
Marketing campaign effectiveness
You can manage cookie preferences at any time through the cookie banner or Settings → Privacy.
7. Data Security
We implement industry-standard security measures:
All data transmitted over HTTPS (SSL/TLS encryption)
Passwords hashed using bcrypt with salt
Regular security audits and updates
Secure session management with automatic expiry
Database encryption at rest
Access controls and authentication for all APIs
Regular backups with encryption
While we strive to protect your data, no method of transmission over the internet is 100% secure. Please use strong passwords and enable two-factor authentication when available.
8. Children's Privacy
Our service is not intended for children under 16 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.
9. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence. We ensure appropriate safeguards are in place, including:
Standard Contractual Clauses (SCCs) approved by the EU Commission
Data processing agreements with all service providers
Compliance with GDPR requirements for international transfers
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes via email or prominent notice in the app. Continued use after changes constitutes acceptance of the updated policy.
11. Contact Us
For questions about this Privacy Policy, to exercise your rights, or to submit a data request:
We will respond to all requests within 30 days as required by GDPR.
12. Supervisory Authority
If you are not satisfied with our response to your data protection concerns, you have the right to lodge a complaint with your local data protection supervisory authority.
This Privacy Policy is effective as of 4/20/2026 and applies to all users of GrowDo.