FloraMind

Privacy Policy

Effective date:  | App version: 1.0.0

This Privacy Policy governs the collection, use, storage, and disclosure of personal information by FloraMind in connection with its iOS and Android mobile application (the “Application”). It sets out the rights available to users and the obligations we assume as data controller. We do not serve advertising within the Application, operate third-party analytics pipelines, or integrate crash-reporting services.

Introduction

FloraMind (“we”, “us”, “our”) develops and operates the FloraMind mobile application for iOS and Android. The Application enables users to track houseplants, manage care schedules, review care history, and optionally submit photographs for cloud-assisted plant identification.

This Privacy Policy applies to all users of the Application regardless of geographic location and constitutes a legally binding statement of our data-handling practices. By downloading, installing, or using the Application, you acknowledge that you have read and understood this Policy. Where your use of the Application is subject to a separate end-user licence agreement, this Policy is incorporated into and forms part of that agreement.

If you do not accept the terms of this Policy, you must discontinue use of the Application and, if you hold a registered account, exercise your right to deletion as described in Section 9 (Your Rights).

FloraMind does not sell personal information and does not disclose it to third parties for their own marketing or advertising purposes.

Data Controller

For the purposes of applicable data-protection legislation, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the UK GDPR, the data controller responsible for personal information processed through the Application is:

FloraMind

mariuscucereanu99@gmail.com

All privacy enquiries, data-subject requests, and security disclosures should be directed to the contact address above. We will acknowledge receipt within 5 business days.

Information We Collect

Account Data (Optional — registration only)

Core functionality of the Application is available without registration and operates entirely offline. Users who elect to create an account for the purpose of cross-device synchronisation provide the following information:

  • Email address — used as your primary account identifier and login credential.
  • Password — transmitted over an encrypted connection and stored exclusively as a one-way cryptographic hash using an industry-standard algorithm. We are technically unable to retrieve or reconstruct your original password.
  • Display name — a user-selected name displayed within the Application. This field is optional at registration.

Account data is transmitted to our own backend infrastructure over HTTPS. It is not disclosed to, sold to, or shared with any advertising or data-brokerage services.

Plant Library Data

The Application collects and stores the following content that you voluntarily enter into your plant collection:

  • Plant name and species
  • Room or location label
  • Notes
  • Care schedules — including watering, fertilising, and repotting intervals
  • Care history — a log of completed care actions
  • Photographs you voluntarily attach to a plant record

Plant library data is stored locally on your device. Where you have created an account, this data is synchronised to our servers solely to support multi-device access on your behalf. No synchronisation occurs without an account.

Plant Identification Data (Optional — AI identification only)

  • When you voluntarily submit a photograph for plant identification, that image is transmitted to our servers and processed using Google Gemini, a third-party AI service operated by Google LLC. The processing occurs server-side, not exclusively on-device.
  • We transmit your language preference setting alongside the image so that identification results are returned in your selected language. No additional device identifiers or personal data are included in this request.
  • Submitted images are not retained. Each identification image is permanently discarded upon completion of the associated request. We do not build or maintain an image dataset from user submissions.

Data Processed Exclusively On-Device

The following data is stored and processed solely on your device and is never uploaded to our servers:

  • Authentication tokens — stored within your device's platform-managed secure credential storage (iOS Keychain or Android Keystore). These tokens are accessible only by the Application.
  • User preferences — notification settings, quiet-hour configuration, onboarding completion state, language overrides, daily identification usage counters, and notification history — stored in encrypted local storage on-device.
  • Reminder schedules — implemented entirely via local on-device notifications. We do not receive push notification tokens or the content of your configured reminders.

Information We Do Not Collect

The Application does not collect, process, or transmit the following categories of information:

  • GPS location or geolocation data
  • Device advertising identifiers used for cross-app tracking
  • Contacts or address book
  • Microphone or camera access beyond photos you explicitly submit
  • Browsing history or behavioural analytics
  • Payment or financial information — handled exclusively by Apple App Store and Google Play
  • Crash reports, session recordings, or usage telemetry — no third-party analytics or crash-reporting services are integrated

How We Use Your Information

We process personal data strictly for the purposes described below. We do not use personal data for automated decision-making or profiling that produces legal or similarly significant effects.

  • Application operation — authenticating registered users, synchronising plant library data across authorised devices, and delivering plant identification results.
  • Local notifications — scheduling on-device care reminders based solely on the schedules you configure. This processing occurs entirely on your device.
  • AI identification processing — transmitting identification images and language preference to Google Gemini on your behalf, receiving the result, and returning it to you. Images are discarded immediately upon response delivery.
  • User support — using information you provide in support communications solely to investigate and respond to your enquiry. Support communications are retained only as long as necessary to resolve the matter.
  • Security and integrity — detecting, investigating, and preventing abuse of our APIs and unauthorised access to accounts.
  • Legal compliance — processing data where required to fulfil a legal or regulatory obligation applicable to us.

We do not use personal data to serve targeted or behavioural advertising, build user profiles for marketing, or share data with data-brokerage services.

Data Storage and Security

On-Device Storage

Plant records, associated content, and user preferences are stored locally on your device. Preference data is held in encrypted local storage. Session authentication tokens are stored exclusively within the operating system's secure credential store (iOS Keychain or Android Keystore) and are accessible only by the Application process. No other application on your device can access this data.

Server-Side Storage

Where you have registered an account, credentials (email address and password hash) and synchronised plant library data are stored on infrastructure that we operate and control. All data in transit is protected using TLS encryption (HTTPS). Data at rest is encrypted at the storage layer using industry-standard encryption.

We do not rely on third-party “backend-as-a-service” platforms as our primary data store for account or plant library data. Server infrastructure is maintained with access controls that restrict data access to authorised personnel only.

Security Measures

  • All communication between the Application and our servers uses TLS-encrypted connections (HTTPS).
  • Passwords are protected using a one-way cryptographic hashing algorithm; plaintext passwords are never stored or accessible to us.
  • Access to systems that hold personal data is restricted to authorised personnel on a need-to-know basis.
  • Plant identification images are permanently discarded upon completion of each identification request and are not stored in any log or backup.

No method of electronic transmission or storage is entirely secure. While we implement commercially reasonable safeguards, we cannot guarantee absolute security. To report a potential security vulnerability, please contact us at: mariuscucereanu99@gmail.com.

Data Retention

We retain account credentials and synchronised plant library data for the duration of your account. Upon deletion of your account — whether initiated by you via the Application or through a written request to us — we permanently delete all associated personal data from our servers within 30 days of the deletion request, except where applicable law requires us to retain certain records for a longer period, in which case access to such records will be restricted pending their lawful deletion. Uninstalling the Application removes all locally stored data from that device.

International Data Transfers

When you submit a photograph for plant identification, that image is processed by Google Gemini, a service operated by Google LLC, which may process data on servers located in the United States or other jurisdictions outside the European Economic Area (“EEA”) or the United Kingdom.

Where such transfers occur, we ensure that appropriate safeguards are in place as required by applicable data-protection law. In respect of transfers to the United States, Google LLC participates in and is certified under the EU–US Data Privacy Framework and the UK Extension thereto. You may review Google's data-processing terms and transfer mechanisms at policies.google.com/privacy.

Our own server infrastructure is located in the United States. If this changes in a way that affects data-subject rights, we will update this section and notify registered users in advance.

Data Sharing and Third Parties

We disclose personal data only to the extent strictly necessary to operate the Application or as required by applicable law. We do not rent, sell, or trade your personal data.

Third-party services, their role, and categories of data involved

| Service | Purpose | Data involved |
| Google Gemini (Google LLC) | Server-side plant identification processing | Identification image and language preference setting. Image is discarded by us upon response; Google's handling is governed by its own data-processing terms. |
| Apple App Store (Apple Inc.) | Application distribution and in-app purchase processing | Governed entirely by Apple's Privacy Policy. We do not receive payment card data. |
| Google Play (Google LLC) | Application distribution and Play billing | Governed entirely by Google's Privacy Policy. We do not receive payment card data. |

Legal and regulatory disclosure. We may disclose personal data to competent authorities, courts, or other bodies where we are required to do so by applicable law, a court order, or enforceable governmental request. Where legally permitted, we will endeavour to notify you before complying with such a request.

Business transfers. In the event of a merger, acquisition, reorganisation, or sale of all or substantially all of our assets, personal data held by us may be transferred to the successor entity. We will provide registered users with at least 30 days’ advance notice — via in-app notification and the email address associated with their account — before any such transfer takes effect and before their data becomes subject to a materially different privacy policy. If you do not accept the new policy, you may exercise your right to delete your account prior to the transfer.

Your Rights

Subject to applicable law and verification of your identity, you are entitled to exercise the following rights in respect of your personal data. To make a request, email mariuscucereanu99@gmail.com with the subject line “Data Subject Request”. We will respond within 30 days; if we need longer we will inform you of the reason and the expected completion date.

Access

Request a copy of all personal data we hold about you in a structured, intelligible format.

Rectification

Request correction of inaccurate or incomplete personal data without undue delay.

Erasure

Request deletion of your account and all associated server-side data. We process such requests within 30 days of verification.

Portability

Receive your plant library data in a structured, commonly used, machine-readable format, where technically feasible.

Restriction

Request that we restrict further processing of your data while a dispute or objection is under review.

Objection

Object at any time to processing of your personal data where we rely on legitimate interests as our legal basis.

In-app account deletion. You may delete your account at any time via Settings → Account → Delete Account. Deletion takes immediate effect; access is revoked and server-side data deletion is queued as described in Section 6.

Right to lodge a complaint. If you are located in the EEA or United Kingdom and believe we have not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with your local supervisory authority. In the EU, the relevant authority is the data protection authority of your country of residence or establishment. In the UK, the relevant authority is the Information Commissioner's Office (ICO) at ico.org.uk.

Exercising any of the above rights will not result in you being penalised or disadvantaged in your use of the Application.

Children's Privacy

The Application is not directed at, and is not intended for use by, children. For the purposes of this Policy:

  • In the United States, we do not knowingly collect personal information from children under the age of 13, consistent with the Children's Online Privacy Protection Act (COPPA).
  • In the European Economic Area and the United Kingdom, we do not knowingly collect personal information from children below the applicable age of digital consent in their country of residence, which is 16 years in most EU member states unless a lower age (minimum 13) has been set by national law.
  • In all other jurisdictions, we apply the higher of the locally applicable minimum age for online consent or 13 years.

If you are a parent or legal guardian and believe that a child under the applicable age has provided us with personal information without your consent, please contact us at mariuscucereanu99@gmail.com. Upon verification, we will promptly delete such information from our systems.

Changes to This Policy

We reserve the right to amend this Privacy Policy at any time. The effective date displayed at the top of this page will be updated to reflect the date on which any revision takes effect. The current version of the Policy will always be available within the Application and at this URL.

For amendments that materially affect the way we collect, use, or share your personal data — including any change to the legal basis for processing or to data-sharing arrangements — we will provide at least 14 days’ advance notice through an in-app notification and, where you have a registered account, by email to the address on file. This notice period provides you with sufficient time to review the changes or to exercise your right to delete your account before they take effect.

Your continued use of the Application after the revised Policy takes effect constitutes acceptance of those changes to the extent permitted by applicable law. Where applicable law requires explicit consent for a particular change, we will seek that consent separately and will not treat continued use alone as sufficient.

Contact Us

All privacy enquiries, data-subject access and deletion requests, and responsible security disclosures should be directed to us at the address below. Please include “Privacy Request” or “Security Disclosure” in the subject line as appropriate.

FloraMind

mariuscucereanu99@gmail.com
Acknowledged within 5 business days
Resolved within 30 days