Skip to content
PlantbookOS
← Home

Privacy Policy

Last updated: May 20, 2026

PlantBookOS is built in the EU and follows GDPR by default. This is a draft — the final version will be reviewed by counsel before public launch.

What we collect

  • Account: email, display name, locale, country, authentication provider (email/password or Google).
  • Plant data you enter (species, photos, care logs) — Phase B onwards.
  • Device location, optional, only with permission, used for local weather — Phase C onwards.
  • Usage counters (per-endpoint, per-day) for cost guardrails. No content tracking.
  • Diagnostics: crash reports and error traces, no user content attached.

What we don't do

  • We do not sell your data.
  • We do not show ads.
  • We do not use your photos to train third-party models without explicit consent.
  • We do not use tracking identifiers across apps or sites.

Sub-processors

  • Lovable Cloud (Supabase), eu-central-1 (Frankfurt) — database, auth, file storage.
  • Google — only if you sign in with Google (OAuth identity).
  • Cloudflare — application hosting and edge runtime (EU regions).

Your rights (GDPR)

You can access, correct, export, or delete your account and all associated data at any time from your settings page. Your data export covers every table where you own rows (profile, plants, photos metadata, care logs, journal, sits, listings, notifications, and more) and is delivered as a single JSON file with a 1-hour signed download URL. Account deletion runs immediately on confirmation: your auth account is removed and personal information across all 15+ personal-data tables is nulled or deleted in the same transaction (phone, email, address, IP, location, SMS history, voice logs, etc.). Audit log entries are anonymized (actor ID set to NULL) but the action records are retained for forensic and security purposes.

Right to lodge a complaint: contact your national data protection authority. Right of portability: use the in-app export, or email privacy@plantbookos.com for a machine-readable export.

California rights (CCPA / CPRA)

California residents have the right to know, access, correct, and delete their personal information, and to opt out of any sale or sharing for cross-context behavioral advertising. PlantBookOS does not sell or share personal information — see Do Not Sell or Share My Personal Information.

Cookies

We use essential cookies only by default. Analytics cookies are opt-in via the consent banner. Details: Cookie Policy.

Data residency

All personal data is stored in the European Union (Frankfurt region).

Retention

Account data is kept while your account is active. On deletion, removal is immediate as described above. Backups roll off within 7 days (point-in-time recovery window).

Contact

Questions: privacy@plantbookos.com. We will respond within 30 days as required by GDPR (45 days for CCPA requests).