Privacy Policy

1. Introduction

Rootnotes ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our plant care journal application ("the Service").

Please read this Privacy Policy carefully. By using the Service, you agree to the collection and use of information in accordance with this policy. This policy is compliant with the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

2. Information We Collect

2.1 Information You Provide

We collect information you voluntarily provide when using the Service:

• Account Information: Name, email address, and profile picture obtained from your Google account when you sign in via OAuth. We do not store passwords.
• Plant Data: Plant names, species, care logs, journal entries, notes, and other information you enter about your plants.
• Photos: Images you upload of your plants, stored securely via Cloudinary.
• Location Data: Optional location information you choose to associate with your plants.

2.2 Information Collected Automatically

When you access the Service, we may automatically collect:

• Device Information: Browser type, operating system, device type.
• Usage Data: Pages viewed, features used, time spent on the Service. We use Plausible Analytics, a privacy-focused analytics tool that does not use cookies and does not collect personal data.
• Log Data: Access times and referring URLs. We do not log IP addresses for analytics.

3. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve the Service
• Create and manage your account
• Store and sync your plant data across devices
• Process and display your uploaded photos
• Send you push notifications (only if you opt in)
• Respond to your comments, questions, and requests
• Monitor and analyze usage patterns to improve the Service
• Detect, prevent, and address technical issues or security breaches

4. How We Share Your Information

We never sell, trade, or rent your personal information to third parties. We may share your information only in the following circumstances:

• Service Providers: With third-party vendors who assist us in operating the Service (listed in Section 5), under strict data processing agreements.
• Legal Requirements: When required by law, regulation, or legal process.
• Protection of Rights: To protect our rights, privacy, safety, or property, and that of our users or others.
• Business Transfers: In connection with a merger, acquisition, or sale of assets, with appropriate confidentiality protections and advance notice.
• With Your Consent: When you explicitly agree to the sharing.

5. Third-Party Services

The Service integrates with the following third-party services, each with their own privacy policies:

• Google OAuth: Used for account authentication. Google receives only the authentication request; we receive your name, email, and profile picture. See Google's Privacy Policy.
• Cloudinary: Used for photo storage and processing. Photos you upload are stored on Cloudinary's servers. See Cloudinary's Privacy Policy.
• Plausible Analytics: Privacy-focused, cookie-free analytics. No personal data is collected or shared. See Plausible's Data Policy.
• Neon Database: Our PostgreSQL database provider where your plant data is stored. Data is encrypted at rest. Hosted in the EU. See Neon's Privacy Policy.
• Vercel: Our hosting provider. Serves the application and handles server-side rendering. See Vercel's Privacy Policy.

We encourage you to review the privacy policies of these third-party services.

6. Data Storage and Security

We implement appropriate technical and organizational security measures to protect your personal information:

• Encryption of all data in transit using TLS 1.3
• Encryption of data at rest in our database (Neon, hosted in the EU)
• Application hosted on Vercel with enterprise-grade security
• Regular security assessments and dependency updates
• Access controls limiting who can access your data
• JWT-based authentication with secure session management

No method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.

7. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. You may request deletion of your account and all associated data at any time through the Service settings.

Upon account deletion, we will permanently delete all your personal information, plant data, and photos within 30 days, except where we are required to retain certain information for legal or legitimate business purposes.

8. Your Rights

Under the GDPR, if you are in the European Economic Area, you have the following rights:

• Access: Request a copy of the personal information we hold about you.
• Correction: Request correction of inaccurate or incomplete information.
• Deletion: Request deletion of your personal information ("right to be forgotten").
• Export: Export your data in a portable format via the data export feature.
• Restriction: Request restriction of processing of your personal information.
• Objection: Object to our processing of your personal information.

Under the CCPA, if you are a California resident, you have the right to:

• Know what personal information we collect and how it is used.
• Delete your personal information.
• Opt out of the sale of personal information (note: we never sell your data).

To exercise any of these rights, please use the data export and account deletion features in your account settings, or contact us through the Service.

9. Cookies and Local Storage

The Service uses minimal cookies and local storage technologies for:

• Session authentication: A secure, HTTP-only cookie to maintain your logged-in session.
• PWA offline support: Local storage and service worker caching to enable offline functionality.
• User preferences: Language preference and theme settings stored locally.

We do not use tracking cookies or third-party advertising cookies. Plausible Analytics operates without cookies. You can control cookie settings through your browser, but disabling essential cookies may affect functionality.

10. Children's Privacy

The Service is not intended for children under the age of 16. We do not knowingly collect personal information from children under 16. If you believe we have collected information from a child under 16, please contact us immediately so we can delete it.

11. International Data Transfers

Your data is primarily stored and processed within the European Union (Neon database in the EU, Vercel edge network). Some data may be processed in other regions through our service providers.

Where data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or adequacy decisions by the European Commission.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date.

For significant changes, we will provide a more prominent notice (such as an in-app notification or email). We encourage you to review this Privacy Policy periodically.

13. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us through the feedback feature in your account settings.