Privacy policy

Last updated: 16 May 2026

Plain English. Fancy Planties is a plant-care app. It collects what it needs to sign you in, store your plants, and send care reminders. It does not track you across other apps or sites, sell data, or run third-party analytics. To delete your account, email support@fancy-planties.com.

Who this applies to

This policy covers the iOS app Fancy Planties and the web app at fancy-planties.com. Both the iOS app and the web app share the same backend; everything in this policy applies equally to both. Fancy Planties is operated as a sole proprietorship by Stefan Bekker. Privacy questions and data-rights requests go to support@fancy-planties.com.

What we collect

This list mirrors the privacy manifest shipped with the iOS app.

Account data

Email address. Collected at sign-up via email and password. Sign in with Apple will be available in a future update; when you use it, Apple may issue a private relay address instead of your real email, and we will collect whichever address Apple provides. Used to identify your account and to send verification and password-reset emails.
Display name. A name you choose at sign-up — not a real-name field. Shown on your profile screen.
User ID and session token. An internal integer we assign to your account and a Lucia v3 session token stored in a cookie (web) or Keychain (iOS). Used to authenticate every request.

Plant and care data

Plant nicknames, room and location labels, care notes. Free-text strings you enter, such as a nickname for a plant or a label like "Living Room". These are not GPS coordinates. Stored on our server and cached locally on your device.
Care history. Dates and notes for fertilizing, repotting, flushing, and cleaning events you log.
Propagation records. Status, dates, and notes for cuttings you track.
Photos. Plant photos you upload. Uploaded directly to Amazon S3 via a pre-signed URL and served via CloudFront. Linked to your plant records.

Diagnostics

Crash and performance data (iOS). Collected by the system via MetricKit (MXDiagnosticPayload and MXMetricPayload). Payloads are aggregated by the OS and are not linked to your identity. Not forwarded to any third-party service.

What we don't collect

No advertising identifier (IDFA or IDFV).
No third-party analytics, telemetry, or tracking SDKs.
No precise or background location. The location fields in plant and propagation records are free-text labels you type; we never request GPS coordinates.
No contacts, calendar, microphone, or health data.
No selling of personal data, no sharing for advertising.

How we use it

To sign you in and keep your session active.
To store your plants, care records, and propagations.
To send care reminders via push notification (iOS) or in-app alerts.
To send transactional emails (account verification, password reset) via Resend.
To prevent abuse and rate-limit requests.
To respond to support requests you send us.

We do not use your data for advertising, profiling, or training third-party AI models.

Who else sees it

Fancy Planties relies on the service providers below. There are no other SDKs and no other third parties.

Amazon Web Services / CloudFront. Photos you upload are stored in an S3 bucket and served via CloudFront. Both are operated by Amazon Web Services in the United States.
Resend. Transactional email delivery (account verification and password reset). Resend receives your email address solely to deliver these messages.
Apple. MetricKit for system-aggregated crash and performance diagnostics. Sign in with Apple will be available in a future update; when it is and you choose it, Apple handles the authentication token and, if you use the "Hide My Email" relay, the address we receive is an @privaterelay.appleid.com address — we do not see your real email.
Our hosting provider. The Fancy Planties server (Next.js 15, PostgreSQL) is hosted in the United States. Server infrastructure logs IP addresses and request metadata for security and rate-limiting under their own policies; we do not use IP addresses for any product feature.

We do not sell your personal data and do not share it with advertisers.

Cookies and local storage

The web app sets one first-party session cookie (a Lucia v3 session token) when you sign in. This cookie is necessary to keep you signed in; the service does not work without it. There are no third-party cookies and no tracking pixels.

The iOS app stores its session token in the iOS Keychain and uses NSUserDefaults for cache schema versioning, notification preferences, and recent search queries — all within the app's own container.

How long we keep it

Account data, plants, care history, and photos: until you delete your account.
Session tokens: until they expire or you sign out.
Email verification and password-reset tokens: they expire within a short time window (minutes to hours) and are deleted on use.
Server logs: a short rolling window, measured in days.

Deleting your account

Account deletion is not yet available from within the app. To delete your account and all associated data, email support@fancy-planties.com from the address on your account. We will delete your profile, plants, care history, propagations, and photos within 30 days. This action is permanent.

Your rights

You can exercise any of the rights below by emailing support@fancy-planties.com from the address on your account. We respond within 30 days.

Access. Ask for a copy of the personal data we hold about you.
Correction. Update your display name or email from the Profile screen, or ask us to correct other data.
Erasure. Ask us to delete your account and data as described above.
Restriction and objection. Ask us to pause processing or object to a specific use.
Portability. Ask for your data in a portable, machine-readable format.
Withdraw consent. Revoke push-notification permission in iOS Settings → Fancy Planties.

Children

Fancy Planties is not directed at children under 13. We do not knowingly collect personal data from anyone under 13. If you believe a child under 13 has created an account, email support@fancy-planties.com and we will delete the account and its data.

Security

Traffic between the app and our servers is encrypted with TLS. Passwords are hashed server-side; we never see them in plaintext. Photos are stored in private S3 buckets accessible only to your account. No system is perfectly secure, but we apply reasonable controls.

Changes

If this policy changes in a way that affects what we collect or how we use it, we will update the "last updated" date above and, for material changes, surface a notice in the app before the change takes effect.

Contact

Privacy questions and data-rights requests: support@fancy-planties.com.