Privacy Policy
Last updated: 14 May 2026 ยท Effective: 14 May 2026
Plantala ("we", "us", "the Service") is operated by [YOUR LEGAL ENTITY NAME, address]. This Privacy Policy explains what data we collect, why we collect it, and the rights you have over it under the EU General Data Protection Regulation (GDPR), the UK Data Protection Act, and the California Consumer Privacy Act (CCPA).
1. Who is the data controller
The data controller for Plantala is [YOUR LEGAL ENTITY NAME], contactable at [email protected].
2. What we collect and why
| Data | Why we need it | Legal basis |
|---|---|---|
| Email address | To create your account and sign you in | Performance of contract |
| Password hash (bcrypt) | To verify password sign-in | Performance of contract |
| Display name (optional) | To personalise emails and the UI | Performance of contract |
| Google account ID (if you sign in with Google) | To link your Plantala account to your Google identity | Performance of contract |
| Plants, watering history, photos, notes | This is the product | Performance of contract |
| Stripe customer ID + subscription state | To bill you and reflect your plan | Performance of contract + legitimate interest |
| IP address & request timestamps | Server logs for security and abuse prevention | Legitimate interest |
3. Cookies
Plantala uses one cookie:
plantala_authโ an HttpOnly, SameSite=Lax JSON Web Token that keeps you signed in. Lifetime: 30 days. We treat this as strictly necessary; it is not used for tracking, advertising, or analytics.
We do not use third-party advertising cookies or cross-site trackers.
4. Who we share data with (sub-processors)
- Stripe, Inc. โ payment processing (only for paying customers). stripe.com/privacy
- [YOUR EMAIL PROVIDER, e.g. Resend / Postmark / Mailgun] โ sends magic-link sign-in emails and daily reminder summaries.
- Google LLC โ only if you choose "Sign in with Google" (verifies your Google identity).
- [YOUR HOSTING PROVIDER, e.g. Render.com / Fly.io] โ runs the server and stores the database.
We do not sell your data and do not share it with advertisers.
5. How long we keep it
Account data: for as long as your account exists, plus a 30-day grace period after deletion for backups to expire.
Payment records: 7 years, as required by tax law in our jurisdiction.
Server logs: 30 days.
6. Your rights
Under GDPR, CCPA, and similar laws you have the right to:
- Access a copy of your data โ Settings โ Data โ "Export backup (JSON)" downloads everything.
- Delete your data โ Settings โ Danger zone โ "Delete my account" removes your account, plants, history, photos, and trophies. Active subscriptions are canceled.
- Correct or update data โ edit plant info in the app, or email us.
- Unsubscribe from emails โ click the link at the bottom of any email, or toggle reminders off in Settings.
- Object to processing or restrict it โ email us and we'll comply within 30 days.
- Lodge a complaint with your local data-protection authority if you believe we've mishandled your data.
7. International transfers
Our infrastructure may be located outside your country. Where data is transferred outside the EEA, we rely on Standard Contractual Clauses approved by the European Commission.
8. Children
Plantala is not directed at children under 13. We do not knowingly collect data from anyone under 13.
9. Changes to this policy
We'll update the "Last updated" date at the top whenever we make material changes and email signed-in users for significant ones.
10. Contact
Privacy questions: [email protected]