Privacy Policy

The controller responsible for the processing of your personal data within the meaning of the General Data Protection Regulation (GDPR) is:

Dennis van den Brock
Josef-Wolter-Weg 2
41569 Rommerskirchen
Germany
dennisvandenbrock54@gmail.com

Account data: Email address, display name, and a hashed password when you create an account.

Plant data: Plant names, species, photos you upload, care notes, journal entries, measurements, and care history.

Household & location data: Household names and room/location names you create. Members of a shared household can see each other's plants. If you invite others, their email address is processed to send the invitation.

Geographic location (optional): If you grant location permission, the app reads your device's GPS coordinates once per household setup. These coordinates are stored with your household and used exclusively to fetch local weather data and adjust plant care intervals accordingly (e.g. watering more often during heat waves). We do not track your movement or share coordinates with third parties.

Device & diagnostic data: Push notification token (if you grant permission). Crash reports, stack traces, and anonymised session replays are collected via Sentry to detect and fix bugs (see §4).

Usage data: Basic server logs (IP address, timestamp, HTTP method/path) retained for up to 30 days for security and debugging.

Payment data: If you subscribe to Plantly Premium, payment is processed by Stripe. We receive only a subscription status — no card data ever touches our servers.

We use your data exclusively to provide and improve the Plantly service:

• Authenticate your account and keep it secure.
• Store and sync your plant collection across devices.
• Fetch local weather data using your household's coordinates and adapt care schedules accordingly.
• Send care reminders via push notification (only if you opt in).
• Process your subscription via Stripe.
• Identify plants using the PlantNet API (see §4).
• Detect and fix crashes using Sentry (see §4).

We do not sell your data. We do not use your data for advertising.

PlantNet (plantnet.org) — When you use the plant scanner, the photo is sent to PlantNet's API for species identification. PlantNet processes the image on their servers. See PlantNet's privacy policy.

Stripe — Premium subscription payments are handled by Stripe, Inc. Stripe is PCI DSS compliant. See Stripe's privacy policy.

Expo (push notifications & updates) — Push notification tokens are routed through Expo's notification service. The app also uses Expo's over-the-air update system to deliver minor updates. See Expo's privacy policy.

Sentry (crash reporting) — We use Sentry to capture crash reports, error stack traces, and session replays. Session replays are recorded at a 10 % sampling rate and at 100 % when an error occurs. Sentry may receive your IP address and basic device information. We have enabled Sentry's default PII collection — if you would like your Sentry data deleted, contact us and we will submit a deletion request on your behalf. See Sentry's privacy policy.

• Art. 6(1)(b) — Contract performance: account data, plant data, household data, and payment processing.
• Art. 6(1)(f) — Legitimate interests: server logs and Sentry crash reporting for security and service stability.
• Art. 6(1)(a) — Consent: location access for weather-based care adjustments, and push notifications. Both can be withdrawn at any time in your device settings; withdrawing location permission disables weather-based care adjustments.

Your data is retained for as long as your account is active. When you delete your account, all personal data (account, plants, photos, household memberships) is deleted within 30 days, except where we are required to retain it by law (e.g. billing records for 10 years under German commercial law).

Under the GDPR you have the right to:

• Access — request a copy of your personal data.
• Rectification — correct inaccurate data.
• Erasure — request deletion of your data ("right to be forgotten").
• Restriction — request that we limit processing.
• Portability — receive your data in a machine-readable format.
• Objection — object to processing based on legitimate interests.

To exercise any of these rights, email dennisvandenbrock54@gmail.com. We will respond within 30 days.

You have the right to lodge a complaint with a supervisory authority. The competent authority for Germany is the data protection commissioner of the state in which we are located. A list of all German DPAs is available at bfdi.bund.de.

We use industry-standard measures to protect your data: HTTPS everywhere, hashed passwords (bcrypt), JWT tokens with short expiry, and access-controlled infrastructure. No method of transmission over the internet is 100% secure — we cannot guarantee absolute security, but we take it seriously.

Plantly is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us and we will delete it.

We may update this policy from time to time. We will notify you of significant changes via email or an in-app notice. The date at the top of this page always reflects the latest version.