Privacy Policy
Last updated: 9 June 2026
Who we are
Garden Kinship is operated from Sweden. The data controller is Wiktor Ohman (contact: hello@gardenkinship.com).
What we collect
- Account: email address, hashed password (Supabase Auth), display name and handle you choose.
- Profile: language preference, unit system, interests, optional location coordinates and hardiness zone.
- Garden data: gardens, beds, plantings, care events, photos you upload.
- Social: follows, posts, comments, likes, direct messages, marketplace listings and trade history, ratings you give and receive.
- Operational: server logs (IP address, user agent) for security and debugging.
What other gardeners can see
Garden Kinship is a social platform. By default the following are visible to other signed-in members:
- Your handle, display name, avatar, optional hardiness zone, and rough distance from them (computed in their browser; we do not share your exact coordinates).
- Your posts, marketplace listings, follower counts, and aggregate trade ratings.
- Gardens you explicitly mark public. Gardens stay private by default.
Direct messages are visible only to the sender and recipient. Your email address is never shown publicly; we use it only to send platform notifications.
What we don't collect
No advertising trackers. No cross-site tracking. Photo EXIF location data is not used.
Where it lives
- Application data: Supabase Postgres (EU region, eu-west-1).
- Photos: Supabase Storage (EU region).
- Real-time messaging: Supabase Realtime (EU region).
- Outbound email: Resend (US — see their privacy policy). Used for transactional emails: digest, marketplace contact, direct message alerts, trade confirmations.
- Hosting: Vercel (function region: Frankfurt, EU).
- Analytics: Google Analytics 4 (US — only loaded if you consent via the cookie banner; IP anonymisation enabled) and Vercel Analytics / Speed Insights (EU edge, no cookies, aggregated pageview and performance data only).
- Plant identification: Plant.id by Kindwise (EU) — photos you submit for plant identification are sent to their API and processed under their terms.
- Map tiles: OpenStreetMap.
- Frost/climate data: Open-Meteo.
- External photo sources (admin-curated catalog only): Unsplash, Pexels.
Direct messaging
Messages are stored in our Postgres database and visible only to you and the recipient. They are not encrypted end-to-end. Both parties can delete messages they sent or received. Deleting your account permanently removes all your sent and received messages within 30 days. We send an email notification when you receive your first message in a conversation; subsequent messages within an hour are bundled to avoid email spam.
Discovery & matching
We surface other gardeners on the People page using non-sensitive signals: shared interests (chosen during onboarding), approximate distance (if both parties have set a location), recent post count, and join date. Distance is rounded to whole kilometres and exact coordinates are never exposed to other users. You can leave the interests/location fields blank in Settings to opt out of those signals.
Your rights (GDPR)
You have the right to:
- Access — download a JSON export of your data from Settings.
- Erasure — delete your account from Settings. All garden data and photos are removed within 30 days. Server logs are deleted within 90 days.
- Rectification — edit any field from Settings.
- Complaint — file with the Swedish data protection authority (Integritetsskyddsmyndigheten, IMY) if you disagree with our handling.
Legal basis
- Contract — operating your account, displaying your content to people you chose to share with, delivering messages you sent, processing trades you started.
- Legitimate interest — security logs, abuse prevention, rate limiting, backups.
- Consent — daily email digest (toggleable in Settings → Notifications).
Retention
- Account + content: kept until you delete your account.
- On account deletion: profile, gardens, photos, posts, comments, listings, transactions, messages, ratings — all removed within 30 days.
- Server logs: rotated within 90 days.
- Email delivery logs (Resend): retained per Resend's policy.
Cookies
Functional (always active): a session cookie from Supabase Auth and a language preference cookie from next-intl. These are necessary for the service to work.
Analytics (consent required): if you accept the cookie banner, Google Analytics 4 sets cookies to count visits and measure usage patterns (no ads, no cross-site tracking). You can withdraw consent at any time by clicking the button below.
Facebook Page
Garden Kinship operates a Facebook Page (facebook.com/gardenkinship) where we publish gardening content. This is a one-way broadcast: we post to the Page using the Facebook Graph API with a Page Access Token tied to our own Page. We do not use Facebook Login, we do not collect any data from Facebook users, and we do not receive or store any information about people who view or interact with our Facebook Page. The Page is governed by Facebook's Privacy Policy.
Changes
We will update this page when material changes happen. The "last updated" date at the top reflects the most recent revision.

