home

Privacy & data

Your data, your rules.

Who we are / Data controller

MB Augalistas (registration number 307961595, registered address Girulių g. 10-201, Vilnius, LT-12112, Lithuania) is the data controller responsible for the personal data processed through Planthead.

Contact us at marius@planthead.app.

Legal basis for processing

We process personal data under the following legal bases (Art. 6 GDPR):

  • Consent — when you explicitly agree (e.g., push notifications, optional profile fields, marketing if any).
  • Contract — processing necessary to provide the Service (account creation, plant tracking, social features, Premium subscriptions).
  • Legitimate interests — fraud prevention, spam filtering, analytics, platform security, and improving the app (balanced against your rights).
  • Legal obligation — where required by applicable law (e.g., tax/accounting records, lawful data-retention statutes).

[Lawyer note: confirm bases and add any additional ones specific to Lithuanian/EU law.]

Data categories we collect

We collect only what is needed to run Planthead. The categories include:

  • Account data — email address, authentication credentials (handled by Supabase Auth), account creation date.
  • Profile data — display name, handle, bio, avatar image, privacy setting, optional birthday.
  • Plant & care data — plant names, species, photos, care logs (watering, fertilizing, repotting), reminders, moods, growth notes.
  • Social data — follows, follow requests, blocks, posts, comments, reactions, badges, messages (if applicable).
  • Usage & device data — IP address, browser/app version, device type, push tokens, approximate location (derived from IP for analytics/security), feature usage.
  • Payment data — handled by our payment processor; we do not store full card numbers.

[Lawyer note: verify completeness and add specific data fields if required.]

Third-party processors

We use carefully selected service providers to host and operate Planthead. They process data only on our behalf and under contract:

  • Supabase — cloud hosting, database, authentication, and storage. Data is stored in the EU region.
  • Lovable — platform infrastructure and deployment.
  • Payment providers — e.g., Paddle, Apple App Store, Google Play (for Premium subscriptions; they handle billing data).
  • AI providers — plant identification and care suggestions may be processed via third-party AI APIs; image data is sent for analysis only when you explicitly request identification.

[Lawyer note: list exact subprocessors, DPA/Standard Contractual Clauses status, and any non-EU transfers.]

AI processing of your photos & content

Planthead uses artificial intelligence to help you identify plants, suggest care routines, and power features like growth insights. To do this, some of your content is processed by AI models — either ones we operate or ones provided by trusted third-party AI providers (e.g., Google Gemini, OpenAI, Anthropic, and the Lovable AI Gateway).

What gets sent to AI providers, and when:

  • Plant photos — when you tap "Identify" or use an AI feature, the photo you submit is sent to an AI provider for analysis. We do not pre-scan your private gallery or photos you only save to your collection.
  • Text you submit to AI features — plant nicknames, notes, or questions you type into AI-powered prompts are sent along with the request so the model can answer.
  • Minimal metadata — technical info needed to route the request (e.g., the type of feature you used). We do not send your email, handle, location, contacts, or other profile data with the AI request.

How the data is handled:

  • Requests are sent over encrypted connections (TLS) to the AI provider.
  • Our AI providers act as data processors under contract and are not permitted to use your submitted content to train their public foundation models.
  • AI providers may retain submitted content for a short period (typically up to 30 days) for abuse monitoring and safety, after which it is deleted from their systems.
  • Some AI providers are based outside the EEA (e.g., the United States). Transfers are protected by the EU Standard Contractual Clauses and additional safeguards.
  • AI output is informational, may be inaccurate, and should not be treated as expert botanical, medical, or veterinary advice.

Your choice: AI features are optional. You don't have to use Identify or AI suggestions to use Planthead, and you can choose not to upload photos you'd rather keep off third-party AI services.

Cookies, local storage & analytics

We use a small number of cookies and similar technologies (local storage, push tokens) to keep you signed in, remember your preferences, and understand how the app is used.

  • Essential — authentication session, security, and core app state. These cannot be turned off without breaking the Service.
  • Analytics — we use Plausible Analytics, a privacy-friendly analytics tool that does not use tracking cookies, does not collect personal data, and does not build cross-site profiles of you.
  • Push notifications — if you opt in, a push token is stored to deliver reminders. You can revoke this anytime in your device settings or in the app.

We do not use third-party advertising cookies, ad networks, or cross-app tracking SDKs.

How we share information

We don't sell your personal data. We share information only in these limited cases:

  • With other users — content you choose to make public (profile, plants, posts, comments, reactions) is visible to other Planthead users. If your profile is private, only accepted followers see it.
  • With our processors — hosting, storage, payments, and AI providers listed above, who act on our instructions.
  • For legal reasons — to comply with law, court orders, or lawful requests; to enforce our Terms; or to protect the rights, safety, and property of Planthead, our users, or the public.
  • Business transfers — if Planthead is involved in a merger, acquisition, or asset sale, your data may be transferred under the same protections described here, and we will notify you.

International data transfers

Planthead is operated from the EU and our primary database is hosted in the EU region. Some of our processors (notably AI providers and certain analytics or push services) may process data outside the European Economic Area. Where this happens, we rely on the European Commission's Standard Contractual Clauses and supplementary technical and organisational measures to ensure your data receives an essentially equivalent level of protection.

Children

Planthead is not directed to children under 13, and in jurisdictions requiring a higher age of digital consent (including most of the EU), under 16. We do not knowingly collect personal data from children below the applicable age. If you believe a child has provided us with personal data, please contact us at marius@planthead.app and we will delete it.

Security

We use industry-standard safeguards including TLS encryption in transit, encrypted storage at rest, row-level security on our database, scoped access tokens, and regular security scans. No system is perfectly secure — please use a strong password and report any suspected vulnerability to marius@planthead.app.

Communications & marketing

We may send you transactional emails (account, security, billing) and, with your consent, occasional product updates or community digests. You can unsubscribe from non-essential emails at any time using the link in the email or by emailing us.

Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you in-app or by email before the changes take effect. The "last updated" date below always reflects the most recent version.

Last updated: 26 June 2026.

Retention periods

We keep personal data only as long as necessary:

  • Active account — profile, plants, photos, and social data are retained while your account is active.
  • Deleted account — upon deletion, personal data is erased within 2 days except where retention is required by law or for legitimate security/audit purposes.
  • Server logs — retained for 12 months for security, debugging, and abuse prevention.
  • Backups — encrypted backups may retain data for 4 weeks after deletion before being cycled out.

Your rights

Under the GDPR and applicable data-protection law, you have the following rights. You can exercise most of them directly in the app; for anything else, email us at marius@planthead.app.

  • Right of access — see what personal data we hold about you. Use the "Download my data" button below for an instant JSON export, or email us for a full copy.
  • Right to rectification — correct inaccurate or incomplete data. Edit your profile, handle, bio, or avatar directly, or change your email address below. If you can't change something yourself, email us and we'll update it promptly.
  • Right to erasure (“right to be forgotten”) — delete your account and all associated data using the "Delete your account" section below. You can also email us to request deletion.
  • Right to restrict processing — ask us to limit how we use your data in certain circumstances (for example, while a correction is being verified).
  • Right to data portability — receive your data in a structured, machine-readable format. The JSON export below is available anytime.
  • Right to object — object to processing based on legitimate interests or to direct marketing emails.
  • Right to withdraw consent — withdraw consent at any time without affecting prior lawful processing. Toggle push notifications or privacy settings below, or email us.
  • Right to lodge a complaint — you may file a complaint with your national data-protection authority or the Lithuanian State Data Protection Inspectorate.

How to contact us and response times:

  • Self-service — access, export, deletion, and most corrections are available instantly in this page.
  • Email requests — send your request to marius@planthead.app from the email address associated with your account. We will confirm receipt within 2 business days and respond fully within 30 days. If the request is complex or we receive many requests at once, this may be extended by up to 2 months, and we will let you know within the first 30 days.
  • Verification — to protect your privacy, we may ask you to verify your identity before acting on a request.
  • No charge — we do not charge for exercising your rights, unless requests are manifestly unfounded or excessive.