PRIVACY POLICY
Effective
Data stewardship
Your botanical archive, your control
The Conservatory is a local-first plant care app. Most collection data lives on your device first. When you sign in and enable cloud features, selected data may sync to our backend so you can restore it across sessions or devices.
WHO WE ARE
Controller and contact
The Conservatory is a plant care journal published by Northfold studio.
This Privacy Policy describes how we handle information when you use The Conservatory mobile app and this website.
Privacy questions and data rights requests: privacy@theconservatory.garden.
DATA WE COLLECT
Information you provide
Account information such as email address, display name, and profile photo when you create or update an account.
Collection content you enter or upload, including plant names, species, locations, care logs, notes, reminders, memorial and graveyard entries, specimen tags, and photos.
Preferences such as theme, timezone, default watering hour, reminder settings, and auto-sync preferences.
AUTOMATIC DATA
Technical and usage information
Device platform (iOS, Android, or web), app interactions needed to operate core features, sync queue status, and diagnostic information when something fails.
In production builds where configured, we use PostHog to collect product analytics events such as onboarding steps, subscription actions, and feature usage. Analytics are tied to your account identifier when you are signed in.
We do not collect precise GPS location in the app. Plant location fields are free-text labels you choose to enter.
SUBSCRIPTION DATA
Billing and entitlement information
Subscription purchases are processed by Apple or Google. RevenueCat helps us validate Premium entitlement status, renewal dates, and restore purchases. We do not receive or store your full payment card number.
We may store subscription tier, verification timestamps, and cached entitlement state on your device to keep Premium features available offline.
PHOTOS AND MEDIA
Local files and cloud backup
Plant photos and progress images are stored in the app sandbox on your device. Other apps cannot access these files without device-level compromise.
Premium subscribers may upload photos to Supabase Storage when sync runs successfully. Free accounts may keep photos on device only.
Backup and sync status in the app reflects actual outcomes—we do not claim cloud backup completeness when uploads are deferred, offline, or unavailable.
AI PROCESSING
Automated outputs and limitations
The app may provide plant health insights, dashboard editorials, journal summaries, archive curation suggestions, species identification suggestions, care log refinements, and reminder optimization.
Many AI features run locally on your device from your care history. When Premium and cloud AI are enabled, selected plant metadata, care notes, photo references, and locally generated summaries may be sent to our Supabase edge functions for processing.
The app does not currently send your data to third-party large language model providers such as OpenAI or Anthropic. Cloud AI responses may use prepared fallbacks or server-side logic configured for the service.
AI outputs may be inaccurate, incomplete, or unsuitable for your plant or environment. They are informational only—not professional horticultural, agricultural, medical, or legal advice.
WHY WE USE DATA
Purposes of processing
Provide account access, collection management, reminders, exports, imports, memorial features, and Premium capabilities you choose to use.
Sync and back up collection data when cloud services are enabled.
Validate subscriptions, enforce usage limits, maintain security, troubleshoot errors, and improve reliability.
Comply with law, respond to lawful requests, and enforce our terms.
LEGAL BASES
GDPR and UK GDPR
Where GDPR or UK GDPR applies, we rely on: (1) performance of a contract to provide the app and Premium features you request; (2) legitimate interests in securing, improving, and operating the service, balanced against your rights; (3) consent where required for optional permissions such as camera, photo library, or notifications; and (4) legal obligation where we must retain or disclose information.
You may withdraw consent for optional permissions in device settings. Withdrawal does not affect processing already performed.
STORAGE
Where data is kept
On device: SQLite database (primary local store), AsyncStorage (drafts, caches, onboarding flags), SecureStore (session tokens), and local photo files.
In cloud (when configured and enabled): Supabase PostgreSQL for synced collection tables, Supabase Storage for Premium photo backup, and Supabase Auth for account credentials.
Analytics events may be processed by PostHog in the United States or the region configured for your PostHog project.
SHARING
Subprocessors and disclosures
We do not sell your personal information. We share information only with service providers that help us operate the app, with platform stores for billing, or when required by law.
Current subprocessors include, where configured: Supabase (authentication, database, storage, edge functions), RevenueCat (subscription management), PostHog (analytics), Expo/React Native platform services, and Apple App Store or Google Play for payments.
INTERNATIONAL TRANSFERS
Cross-border processing
If you use the app outside the United States, your information may be processed in the United States or other countries where our providers operate. We rely on appropriate safeguards such as standard contractual clauses where required.
LOCAL STORAGE
SQLite and on-device files
Plant records, care logs, reminders, photo metadata, and related tables are stored in a local SQLite database on your device.
Photo files and export files are stored in the app sandbox on your device. Other apps cannot access this data without device-level compromise.
AUTHENTICATION
Sessions and credentials
When cloud sign-in is enabled, Supabase Auth manages your account credentials. Session tokens are stored using Expo SecureStore, not plain AsyncStorage.
Local development builds without Supabase may use local-only credentials stored in SQLite for testing; those builds are not intended for production release.
SECURITY
How we protect information
Communication with Supabase, RevenueCat, and analytics services uses encrypted HTTPS/TLS.
Device storage benefits from operating-system protections available on your phone or tablet. We do not implement a separate user-managed encryption passphrase for your collection.
No security program prevents all unauthorized access, device loss, or user error. Protect your device passcode, store account credentials, and maintain your own export copies for important records.
SYNC
Cloud sync and queue integrity
When auto-sync is enabled, local changes are written to a sync queue and replayed to Supabase when online. The local database remains the source of truth during normal operation.
Sync diagnostics in Backup Details show queue status honestly, including deferred or abandoned items when applicable.
BACKUP
Premium photo backup
Premium subscribers may back up plant photos to Supabase Storage when sync runs successfully. Free accounts may keep photos on device only.
Backup status reflects actual sync outcomes; the app does not claim backup completeness when uploads are deferred or unavailable.
NOTIFICATIONS
Reminders without remote push
Care reminders use local scheduled notifications on your device. The app does not register an Expo push token or send remote push campaigns in the current release.
ANALYTICS
Product analytics and diagnostics
In production builds with PostHog configured, limited product analytics may be collected to understand feature usage and reliability. Analytics do not include the contents of your care notes or photos.
Diagnostic information such as sync queue status or error summaries may be shown in the app to help you understand backup and sync outcomes.
ACTIVE ACCOUNTS
While you use the app
Collection data, preferences, reminders, and synced cloud copies are retained while your account is active and you use the service.
Cached entitlement and AI response data on your device may persist until cleared by the app, account deletion, or cache expiry.
LOCAL DATA
On your device
Local SQLite data, photos, drafts, and exports remain on your device until you delete them, delete your account through the app, or uninstall the app.
Uninstalling the app without exporting may permanently remove local-only data that was never synced.
CLOUD DATA
Supabase records
When cloud sync is enabled, collection tables and auth profile data are stored in Supabase until you delete your account or we delete data in accordance with this policy.
Premium photo objects in Supabase Storage remain until deleted through account deletion workflows or manual cleanup. Database row deletion does not automatically guarantee immediate removal of every storage object from all backup tiers.
BILLING RECORDS
Subscription history
Apple, Google, and RevenueCat retain purchase history according to their own policies. We retain entitlement verification timestamps and cached tier state as needed to provide Premium features.
ANALYTICS RETENTION
Product events
PostHog event data, when collected, is retained according to our PostHog project configuration and provider policies.
LEGAL RETENTION
When we keep data longer
We may retain limited records longer where necessary for fraud prevention, security investigations, dispute resolution, or legal compliance.
HOW TO EXPORT
In-app export flow
Go to Profile → Data & Backup → Export Collection Data, or open Export Collection Data directly from Privacy & Security.
The app generates a JSON file on your device and opens the system share sheet so you can save or send the file.
EXPORT FORMAT
JSON structure
Exports use JSON format with exportVersion 2. The file includes metadata such as export timestamp, mode, and an explicit note that authentication credentials are excluded.
You may re-import a prior export using Import Collection Data, subject to validation and confirmation in the app.
BASIC EXPORT
Free tier scope
Basic export includes plants, care logs, reminders, memorial/graveyard entries, and preferences.
Photos are represented by counts only in basic mode. Care log tags, status snapshots, specimen tags, and archive curation overrides are not included in full.
PREMIUM EXPORT
Premium tier scope
Premium export includes everything in basic export plus full photo metadata and local URIs, care log tags, plant status snapshots, specimen tags, and archive curation overrides.
EXCLUDED FROM EXPORT
What exports never include
Exports do not include passwords, authentication tokens, Supabase session material, RevenueCat receipts, or platform store billing credentials.
Exports reflect data available on your device at export time. Cloud-only copies not yet hydrated locally may be incomplete until sync completes.
HOW TO DELETE
In-app steps
Open Profile → Privacy & Security → Delete Account. You must confirm the destructive action in the dialog.
Deleting your account does not automatically cancel an active App Store or Google Play subscription. Cancel billing separately in your platform subscription settings.
CLOUD DELETION
When Supabase is configured
The app invokes our delete-account edge function, which deletes your Supabase Auth user. Database rows tied to your user ID are removed through foreign-key cascade, including plants, photo metadata, care logs, reminders, preferences, and related synced tables.
After remote deletion succeeds, the app clears local collection data and signs you out.
LOCAL DELETION
On-device wipe
The app deletes local SQLite collection tables, sync queue entries, preferences, and user profile rows stored on the device as part of account deletion.
Session tokens, plant drafts, and onboarding flags are cleared. Some non-collection caches may remain until overwritten or until you remove the app.
STORAGE FILES
Photos and backups
Local photo files in the app sandbox are removed as part of clearing local collection data where applicable.
Cloud photo objects in Supabase Storage may not be deleted instantly by the auth deletion flow alone. Residual storage objects, if any, are purged according to provider backup and lifecycle practices.
LOCAL-ONLY BUILDS
Without cloud backend
Development or offline builds without Supabase skip remote deletion and remove local account data and session state only.
DELETION TIMING
Processing window
Account deletion begins immediately when you confirm. Cloud auth deletion is typically completed within minutes, but provider backups or replication may retain deleted data for up to approximately 30 days before automatic purge.
Analytics or billing records held by Apple, Google, RevenueCat, or PostHog are governed by those providers' retention schedules.
If deletion fails or you need confirmation, contact privacy@theconservatory.garden.
YOUR RIGHTS
Access, correction, deletion, and portability
Depending on your location, you may have rights to access, correct, delete, restrict, object to, or port your personal information.
You can update profile information in the app, export collection data from Data & Backup or Privacy & Security, and delete your account from Privacy & Security.
To exercise privacy rights, contact privacy@theconservatory.garden. We may need to verify your identity before responding.
CHILDREN
Minors
The Conservatory is not directed to children under 13, and we do not knowingly collect personal information from children under 13. Contact us if you believe a child has provided personal information.
CALIFORNIA
CCPA/CPRA notice
California residents: we do not sell or share personal information for cross-context behavioral advertising. You may request access, deletion, or correction as described above.
CHANGES
Updates to this policy
We may update this Privacy Policy from time to time. Material changes will be reflected in the app and by updating the effective date below.
Privacy questions: privacy@theconservatory.garden.