Privacy Policy
Flora AI ("we", "our", "us") is committed to protecting your privacy and complying with the UK GDPR, EU GDPR, and applicable data protection laws. This policy explains what data we collect, why, and your rights over it.
1. Who We Are (Data Controller)
Flora AI is the data controller for personal data collected through this application. For privacy matters, contact us at: [email protected]
2. What We Collect and Why
We only collect data necessary to provide the service (data minimisation):
- Account data (email, encrypted password) — to identify you and secure your account. Legal basis: contract performance.
- Plant data (names, species, care notes, health records) — to provide personalised plant care. Legal basis: contract performance.
- Photos — images you take are sent over HTTPS to Anthropic's AI for real-time analysis only. Photos are NOT stored on our servers. Legal basis: contract performance.
- Usage patterns — aggregate, anonymised data on which features are used, to improve the app. Legal basis: legitimate interests.
- Subscription data — managed by RevenueCat and Apple/Google. We receive subscription status only. Legal basis: contract performance.
- Push notification tokens — to send watering reminders (only if you grant permission). Legal basis: consent.
We do NOT collect: location data, contacts, browsing history, or any data not listed above.
3. How Long We Keep Your Data
- Account and plant data: kept for as long as your account is active.
- Photos: not stored — processed in real time and discarded immediately.
- Deleted accounts: all data is permanently deleted within 30 days of account deletion.
- Anonymised usage data: retained indefinitely as it cannot be linked to you.
4. Third Parties We Share Data With
We only share data with the following, under strict data processing agreements:
- Supabase (supabase.com) — database and authentication. Servers in the EU.
- Anthropic (anthropic.com) — AI plant analysis. Your photos are sent for analysis only, not stored or used to train models.
- RevenueCat (revenuecat.com) — subscription management.
- Apple App Store / Google Play — payment processing for subscriptions.
We never sell your data. We never share data with advertisers.
5. Your Rights (UK GDPR / EU GDPR)
You have the following rights, which you can exercise at any time:
- Right to access: request a copy of all data we hold about you.
- Right to rectification: correct inaccurate data (your plants are editable in the app).
- Right to erasure: delete your account and all data in Settings → Delete Account.
- Right to data portability: request an export of your plant data.
- Right to restrict processing: contact us to limit how we use your data.
- Right to object: object to processing based on legitimate interests.
- Right to withdraw consent: turn off push notifications in your device Settings at any time.
To exercise any right, email: [email protected]
We will respond within 30 days. If you are unhappy with our response, you have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk or call 0303 123 1113.
6. California Residents (CCPA)
If you are a California resident, you have additional rights under CCPA:
- Right to know what personal information is collected and how it is used.
- Right to delete personal information (via Settings → Delete Account).
- Right to opt out of the sale of personal information. Note: we do NOT sell personal information.
- Right to non-discrimination for exercising your privacy rights.
To submit a CCPA request, email: [email protected]
7. Data Security
- All data is encrypted in transit using HTTPS/TLS.
- Data at rest is encrypted on Supabase servers.
- Row-level security ensures you can only access your own plant data.
- Your AI API key (Anthropic) is stored only on our servers — never in the app.
- Passwords are hashed and never stored in plaintext.
8. Cookies and Tracking
Flora AI is a mobile app and does not use browser cookies. We do not use third-party tracking SDKs, advertising networks, or cross-app tracking.
9. Children's Privacy
Flora AI is not directed at children under 13 (under 16 in the EU/UK). We do not knowingly collect personal data from children. If you believe a child has created an account, contact us immediately and we will delete it.
10. International Transfers
Your data may be processed in countries outside the UK/EU (including the USA, where Anthropic and RevenueCat are based). We ensure appropriate safeguards are in place, including Standard Contractual Clauses where required.
11. Changes to This Policy
We will notify you of material changes within the app at least 14 days before they take effect. Continued use of Flora AI after that date constitutes acceptance.
12. Contact
For privacy questions or to exercise your rights:
To complain to the UK regulator: ico.org.uk/make-a-complaint