Privacy Policy
This Privacy Policy explains what data we collect, why we collect it, who we share it with, and what rights you have. We believe in transparency — no surprises.
1. Who We Are
Repot is a plant care application operated by Morgan Technology Holdings, LLC, a limited liability company organized under the laws of New Mexico, USA.
For the purposes of data protection law (including the GDPR), the data controller is:
- Entity: Morgan Technology Holdings, LLC
- Contact: support@repot.garden
- Jurisdiction: New Mexico, USA
When we say "we", "us", or "our", we mean Morgan Technology Holdings, LLC. When we say "you" or "your", we mean you, the user of Repot.
2. Definitions
- Personal Data means any information that relates to an identified or identifiable individual.
- Processing means any operation performed on Personal Data (collecting, storing, using, transmitting, deleting, etc.).
- Service means the Repot web application.
- Account means your registered user account on the Service.
- Household means the shared group you belong to within the Service.
- AI Features means the plant identification, health assessment, and care recommendation features powered by third-party AI models.
- Third-Party Services means external services we integrate with to deliver functionality.
3. Data We Collect
3.1 Account Data
When you create an Account, we collect:
| Data | Required? | Purpose |
|---|---|---|
| Email address | Yes | Authentication, password recovery, email notifications, data exports |
| Password | Yes | Authentication (stored as a salted hash by Supabase Auth — we never see your plaintext password) |
| Display name | No | Shown to Household members; personalizes the app |
3.2 Household & Location Data
| Data | Required? | Purpose |
|---|---|---|
| Household name | No | Display purposes within the app |
| City & country | No | Sent to AI models for seasonal and climate-aware plant care recommendations |
| Timezone | No (defaults to UTC) | Scheduling daily digest notifications at the right local time |
3.3 Plant & Care Data
| Data | Purpose |
|---|---|
| Plant photos | Identification and health assessment via AI; displayed in the app |
| Plant names & notes | Your personal records; displayed to Household members |
| Care tasks & history | Task tracking, scheduling, calendar sync, daily digests |
| Health check reports | Historical health assessments and recommendations |
| AI metadata | Raw responses from Plant.id and OpenAI, stored for reference and to improve care suggestions |
3.4 Integration Data
If you choose to enable optional integrations:
| Data | Collected When | Purpose |
|---|---|---|
| Telegram handle & chat ID | You connect Telegram | Sending daily care digest via Telegram bot |
| Google OAuth refresh token | You connect Google Calendar | Creating and updating calendar events for care tasks |
| Google Calendar event IDs | Calendar sync runs | Updating existing events rather than creating duplicates |
| Push subscription endpoint & keys | You enable push notifications | Delivering browser push notifications |
| Notification email address | You enable email digest | Sending daily care digest via email (can differ from login email) |
3.5 Purchase Data
When you purchase Credits, we collect:
| Data | Purpose |
|---|---|
| Transaction amount & currency | Record of purchase, refund processing |
| Bundle type | Credit fulfillment |
| Purchase date | Record keeping, tax compliance |
| Stripe Checkout Session ID | Payment reconciliation, support inquiries |
| Fulfillment status | Ensuring credits are delivered |
Important: Your credit card number, CVV, and full billing details are collected and processed directly by Stripe. They never reach or pass through our servers.
3.6 Usage & Technical Data
| Data | Purpose |
|---|---|
| AI usage logs | Tracks which AI operations were performed, token counts, costs, and success/failure — used for credit billing and system monitoring. Contains Household and user IDs but no image data. |
| Error events (via Sentry) | Application errors sent to Sentry for debugging. PII (email, IP address) is automatically stripped before transmission. Only your user ID and Household ID are attached as tags. |
3.7 What We Do NOT Collect
- We do not use cookies or third-party tracking scripts.
- We do not collect your IP address for analytics or profiling.
- We do not build advertising profiles or share data with ad networks.
- We do not collect precise geolocation (GPS). We may use your IP address or device settings to suggest an approximate location (city and country) at account creation to streamline setup. You can review and change this at any time in your Household settings.
- We do not access your device's contacts, camera roll, or files beyond the specific photos you choose to upload.
4. How We Use Your Data
We process your data for the following purposes:
| Purpose | Data Used |
|---|---|
| Provide the Service — authenticate you, display your plants, track tasks, manage your Household | Account data, plant data, care tasks, Household membership |
| AI plant analysis — identify plants, assess health, generate care plans | Plant photos, city/country (for seasonality), existing care history |
| Notifications — send daily care digests via your chosen channels | Email address, Telegram handle/chat ID, push subscription, task data |
| Calendar sync — create and update care task events in Google Calendar | Google OAuth token, task names, due dates, plant names |
| Credit management — track and deduct Credits for AI operations, process payments via Stripe, maintain purchase records, fulfill credit delivery | Household ID, usage counts, purchase data (see Section 3.5) |
| Data export — provide you with a copy of your data upon request | All your data (plants, tasks, health checks, AI usage) |
| Error monitoring — detect and fix bugs in the application | Error events with PII stripped (user ID and Household ID as tags) |
| Communication — respond to feedback you submit, send service-related emails (password resets, data exports) | Email address, feedback message |
We do not use your data for automated decision-making that has legal or similarly significant effects on you. AI-generated plant care recommendations are informational suggestions, not binding decisions.
5. Legal Basis for Processing (GDPR)
If you are in the European Economic Area (EEA), UK, or Switzerland, we rely on the following legal bases under the GDPR:
| Legal Basis | Applies To |
|---|---|
| Contract performance (Art. 6(1)(b) GDPR) | Account data, plant data, care tasks, Household management, credit system, AI features, payment processing and credit fulfillment — processing necessary to deliver the Service you signed up for |
| Consent (Art. 6(1)(a) GDPR) | Optional integrations: Telegram notifications, Google Calendar sync, push notifications, email digest. Each requires your explicit opt-in and can be withdrawn at any time via Settings. |
| Legitimate interest (Art. 6(1)(f) GDPR) | Error monitoring via Sentry (our interest: keeping the app reliable), AI usage logging (our interest: billing accuracy and abuse prevention), security measures (rate limiting, authentication) |
| Legal obligation (Art. 6(1)(c) GDPR) | Retention of purchase and transaction records for tax and accounting compliance |
You can withdraw consent for optional integrations at any time by disconnecting them in the app's Settings. Withdrawal does not affect the lawfulness of processing performed before withdrawal.
6. Third-Party Services & Data Sharing
6.1 AI Service Providers
| Provider | Data Shared | Purpose | Their Privacy Policy |
|---|---|---|---|
| Plant.id (Kindwise s.r.o., Czech Republic) | Plant photos (image file only) | Plant species identification and disease detection | Plant.id Privacy Policy |
| OpenAI (OpenAI, LLC, USA) | Plant metadata, city/country, care schedule history, health check history (no photos for identification; photos included for health checks) | Generating care plans, contextual recommendations, health analysis | OpenAI Privacy Policy |
Important: When you use AI Features, your plant photo leaves our servers and is processed by these third-party AI providers. We use OpenAI's API, which according to OpenAI's data usage policy, does not use API inputs to train their models.
AI processing is strictly plant-related. We never send your personal or identifying information to Plant.id or OpenAI. Specifically, we do not share: your name, email address, user ID, Household name, Household member information, notification preferences, Telegram handle, Google account details, or any other personal data. The only data sent is the plant photo, plant species metadata, general location (city/country for seasonal context), and care/health history for the specific plant being analyzed.
6.2 Infrastructure & Communication
| Provider | Data Shared | Purpose | Privacy Policy |
|---|---|---|---|
| Supabase (Supabase, Inc., USA — EU-hosted) | All application data (database, file storage, authentication) | Database, authentication, file storage, edge function hosting | Supabase Privacy |
| Vercel (Vercel, Inc., USA) | Static web assets; no personal data stored | Frontend hosting and content delivery | Vercel Privacy |
| Resend (Resend, Inc., USA) | Email address, email content | Delivering transactional emails (password reset, data export, feedback, daily digest) | Resend Privacy |
| Sentry (Functional Software, Inc., USA — EU data region) | Error events with PII stripped; user ID and Household ID as tags | Application error monitoring and debugging | Sentry Privacy |
6.3 Optional Integrations (User-Initiated)
| Provider | Data Shared | Triggered By | Privacy Policy |
|---|---|---|---|
| Google (Alphabet, Inc., USA) | OAuth tokens, task names, due dates, plant names | You connect Google Calendar | Google Privacy |
| Telegram (Telegram FZ-LLC, UAE) | Care task summaries, plant names | You connect Telegram | Telegram Privacy |
These integrations are entirely optional. They are not enabled by default. You initiate the connection and can disconnect at any time through Settings.
Google API Limited Use Disclosure: Repot's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not sell, share for advertising, or use Google user data beyond the calendar sync feature described above.
Google Calendar specifics: When you connect Google Calendar, Repot creates and updates calendar events for your plant care tasks (write access). We do not read or access any of your existing calendar events. The Google OAuth refresh token is stored server-side in our database and is never exposed to the browser. When you disconnect Google Calendar in Settings, your refresh token is immediately deleted from our database. Calendar events previously created by Repot will remain in your Google Calendar — you can delete them manually if desired.
6.4 Payment Processing
Credit purchases are processed by Stripe, Inc. (USA). Stripe operates in a dual role:
- As our processor: Stripe processes payments on our behalf when you purchase Credits.
- As an independent controller: Stripe independently processes certain data for its own fraud prevention, compliance, and legal obligations under the Stripe Privacy Policy.
Data shared with Stripe: email address, transaction amount, currency, payment method type, and timestamps. Your full credit card number and billing details are collected directly by Stripe and never reach our servers.
6.5 Law Enforcement
We may disclose your data if required to do so by law or in response to a valid legal request (court order, subpoena, or government demand). We will notify you of such requests unless legally prohibited from doing so.
7. International Data Transfers
Your primary application data (database, files, authentication) is hosted by Supabase in the European Union.
However, some data is transferred outside the EU when you use certain features:
| Destination | Service | Data Transferred | Safeguard |
|---|---|---|---|
| USA | OpenAI | Plant metadata, photos (health checks) | EU-US Data Privacy Framework |
| USA | Stripe | Payment and transaction data | EU-US Data Privacy Framework + Standard Contractual Clauses |
| EU | Sentry | Error events (PII stripped) | Within EEA — no additional safeguard needed |
| USA | Resend | Email address, email content | Standard Contractual Clauses |
| USA | Vercel | Static assets only (no personal data) | N/A |
| USA | Google | Calendar data (if connected) | EU-US Data Privacy Framework |
| Czech Republic (EU) | Plant.id | Plant photos | Within EEA — no additional safeguard needed |
| UAE | Telegram | Chat messages (if connected) | Consent (you opt in to this integration) |
For transfers to the USA, we rely on the EU-US Data Privacy Framework where the recipient is certified, or Standard Contractual Clauses (SCCs) approved by the European Commission. For Telegram (UAE), the transfer is based on your explicit consent when you connect the integration.
8. Data Retention
We retain your data for as long as your Account is active and you continue to use the Service.
| Data Type | Retention Period | Deletion Trigger |
|---|---|---|
| Account data | Duration of Account | Account deletion |
| Plant & care data | Duration of Account (or Household) | Account/Household deletion, or individual plant removal |
| Plant photos | Duration of Account (or Household) | Account/Household deletion (storage files deleted) |
| Health check reports | Duration of Account (or Household) | Account/Household deletion |
| Purchase records | 10 years (EU accounting/tax compliance) | Anonymized on Account deletion but retained for legal compliance |
| AI usage logs | Duration of Account | Account/Household deletion |
| Integration tokens (Google, Telegram) | Until you disconnect | Disconnection via Settings or Account deletion |
| Push subscriptions | Until you disable or unsubscribe | Disabling push, clearing browser data, or Account deletion |
| Error logs (Sentry) | 90 days (Sentry's default retention) | Automatic expiry within Sentry |
When you delete your Account, all your personal data is permanently deleted from our systems. For Household data: if you are the sole owner, all Household data is cascade-deleted. If other members remain, shared Household data persists for them (see Terms of Use, Section 4).
Data that has already been transmitted to third-party services (e.g., plant photos processed by Plant.id or OpenAI) is subject to those services' own retention policies.
9. Your Rights
9.1 Rights Under the GDPR (EEA, UK, Switzerland)
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights:
| Right | Description | How to Exercise |
|---|---|---|
| Access (Art. 15) | Obtain a copy of the Personal Data we hold about you | Use the "Export my data" feature in Settings, or email us |
| Rectification (Art. 16) | Correct inaccurate or incomplete data | Edit your profile, Household settings, or plant data directly in the app |
| Erasure (Art. 17) | Request deletion of your Personal Data | Use the "Delete my account" feature in Settings (immediate, permanent deletion) |
| Data Portability (Art. 20) | Receive your data in a structured, machine-readable format (JSON) | Use the "Export my data" feature in Settings — a JSON file is emailed to you |
| Restriction (Art. 18) | Request that we limit how we process your data | Email us at the contact address below |
| Objection (Art. 21) | Object to processing based on legitimate interest | Email us — we will cease processing unless we have compelling legitimate grounds |
| Withdraw Consent (Art. 7(3)) | Withdraw consent for optional processing (notifications, integrations) | Toggle off any integration in Settings — takes effect immediately |
You also have the right to lodge a complaint with your local Data Protection Authority (DPA). A list of EU DPAs is available at edpb.europa.eu.
We respond to all rights requests within 30 days. If a request is complex, we will notify you and may extend this by up to 60 additional days.
9.2 Rights Under US State Privacy Laws
If you are a resident of California (CCPA/CPRA), Colorado, Connecticut, Virginia, or another US state with privacy legislation, you may have additional rights including:
- The right to know what personal information we collect, use, and share.
- The right to delete your personal information.
- The right to opt out of the "sale" or "sharing" of personal information. We do not sell or share your personal information for advertising purposes.
- The right to non-discrimination for exercising your privacy rights.
To exercise any of these rights, contact us at the email address below or use the in-app data export and account deletion features.
10. Children's Privacy
The Service is not directed to children under the age of 16. We do not knowingly collect Personal Data from anyone under 16. If you are a parent or guardian and believe your child has provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from a child under 16 without parental consent, we will take steps to delete that information promptly.
11. Security
We take the security of your data seriously and implement appropriate technical and organizational measures, including:
- Encryption in transit: All connections to the Service use HTTPS/TLS encryption.
- Password security: Passwords are salted and hashed by Supabase Auth (bcrypt). We never store or see plaintext passwords. Minimum 8-character requirement enforced.
- Row-Level Security (RLS): Database access controls ensure you can only access data belonging to your Household. Enforced at the database level by Supabase.
- PII scrubbing: Error reports sent to Sentry have email addresses, usernames, and IP addresses automatically removed before transmission.
- Rate limiting: AI features are rate-limited (3 calls per minute per user) to prevent abuse.
- Internal authentication: Edge functions verify both a shared secret and your user session before processing any request.
- OAuth token handling: Google refresh tokens are stored server-side in the database, never exposed to the browser.
- Payment security: All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. Credit card numbers, CVVs, and full billing details never reach or pass through our servers.
No system is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. If you discover a security vulnerability, please report it to us responsibly at the contact email below.
12. Cookies & Local Storage
Cookies
Repot does not use cookies. We do not set first-party cookies, and we do not use third-party cookies or tracking pixels. There is no cookie banner because there are no cookies to consent to.
Local Storage
The Service uses your browser's localStorage to store small amounts of non-personal preference data:
- Whether you have completed the onboarding carousel.
- Whether you have dismissed the setup checklist.
- Pending invite codes (so they survive browser restarts).
This data stays on your device, is not transmitted to our servers, and can be cleared at any time through your browser settings.
Supabase Auth Session
Your authentication session is managed by Supabase Auth, which stores a session token in your browser's localStorage. This is necessary to keep you signed in and is not used for tracking.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last updated" date at the top of this page.
- Notify you via email or through a prominent notice within the Service on the day the changes take effect.
We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes take effect constitutes your acceptance of the revised policy.
14. Contact Us
If you have questions about this Privacy Policy, want to exercise your data rights, or have concerns about how we handle your data, please contact us:
- Email: support@repot.garden
- Entity: Morgan Technology Holdings, LLC
- Jurisdiction: New Mexico, USA
- Mailing address: 1430 Honeysuckle Dr. NE, Albuquerque, NM 87122, USA
We aim to respond to all inquiries within 30 days.