Legal
Privacy Policy.
Gardn
Last updated: 2026-06-04
Version 2.1
At a glance
- Gardn is built by Gardn Labs Limited (UK). You must be 18 or over to use it.
- What we collect: your email, name and date of birth (to confirm you are 18+), your postcode and — with your permission — your precise location, used for local weather, maps and the nearby-gardeners feed; the garden you build (plants, photos, care notes); wildlife sightings; community posts and messages; and, only while you use Bird "Listen", short microphone recordings to identify birds.
- Who we share it with: trusted providers who run the app and its AI features — our database and hosting, plant and bird identification, image generation, the app stores for payments, and crash diagnostics. We do not sell your personal data.
- Your choices: you can access, correct or delete your data, withdraw camera, location or microphone permissions at any time, and delete your account from within the app.
This summary is for convenience only. The full Privacy Policy below is what legally applies.
1. Who we are
Gardn is a garden intelligence app operated by Gardn Labs Limited, a company registered in England and Wales.
Data controller: Gardn Labs Limited
Company number: 17195491
Registered address: 124-128 City Road, London, United Kingdom, EC1V 2NX
Privacy contact: privacy@gardn.world
We are committed to protecting your personal data and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. What this policy covers
This Privacy Policy explains what personal data we collect when you use the Gardn mobile app (available on the Apple App Store and Google Play) and our website at gardn.world, why we collect it, how we use it, who we share it with, and what rights you have over it.
Please read this policy carefully. By using Gardn, you confirm that you have read and understood it.
3. Service area
Gardn is offered in the United Kingdom and is expanding to other markets where it is made available. Certain features — including region detection, frost and heat alerts, weather and climate data, and the local community feed — adapt to your country and location. Where you use Gardn from a country in which it is made available, this policy and the international-transfer protections described in section 7 apply to you. UK statutory data-protection rights are described throughout; equivalent local rights apply where required by the law of your market.
4. Age
Gardn is for adults. You must be at least 18 years old to create an account or use Gardn. Gardn is not directed at children or anyone under 18, and we do not knowingly collect personal data from anyone under 18.
By registering, you confirm that you are aged 18 or over. If we become aware that an account has been created by someone under 18, we will close it and delete the associated personal data. If you believe a person under 18 has created an account, please contact us at privacy@gardn.world and we will act promptly.
We collect your date of birth at sign-up for the sole purpose of confirming that you meet this 18+ eligibility requirement (see section 5a).
5. What data we collect and why
5a. Data you give us directly
| Category | Source | Purpose | Lawful basis |
|---|---|---|---|
| Email address | Sign-up | Account creation, password reset, transactional communications | Contract |
| Display name | Sign-up | Public-facing identifier in community features | Contract |
| Date of birth | Sign-up | Confirming you meet the 18+ eligibility requirement (section 4) | Legal obligation / Legitimate interests (age eligibility and child-safety protection) |
| Postcode (full postcode, e.g. NG5 4JL) | Onboarding | Geocoding for region detection, frost/heat alerts, and community matching. Only a derived outward code (e.g. NG5) is stored on your profile; the full postcode is stored against your garden record and sent to our geocoding providers (see section 7) | Contract; Legitimate interests (region-specific care advice) |
| Precise device location (latitude/longitude coordinates) | Map onboarding / "use my location" (with your device permission) | Centring your garden map, deriving local weather and climate-zone data, and matching you to the local community radius feed. Stored against your garden record | Consent (device location permission); Contract (delivery of location-dependent features) |
| Garden description (free text) | Onboarding | AI personalisation of care advice | Consent |
| Garden geometry (drawn polygons on map) | Map onboarding | Personalised plant recommendations | Contract |
| Plant entries (species, dates, notes) | Plant add flow | Core product function | Contract |
| Plant photos | Plant detail screen | User reference; AI health analysis (with separate consent) | Contract; Consent (for AI analysis) |
| Border-scan photos | Onboarding / Border Scan | Vision AI to detect and identify plants in your garden | Consent |
| Inspire / Garden Studio photos | Inspire and Garden Studio features | AI generation of garden design imagery and short video from your source photo and prompt | Consent |
| Microphone audio (Bird "Listen") | Bird Listen feature (with your device permission) | Live bird identification from short audio recordings | Consent |
| Care events (watering, harvesting, etc.) | Care logging | Care reminders, badge progression | Contract |
| Wildlife sightings (species, notes, photos, audio, linked garden/bed) | Wildlife logger | Wildlife planner feature; wildlife identification | Contract; Consent (for AI analysis and audio) |
| Community posts (questions, exchange offers, photos), comments and profile content | Community tab | Public community feature | Contract; Consent (for public visibility) |
| Direct messages (free-text message content) | Community messaging | Private messaging between connected users | Contract |
| Friend and group connections | Community feature | Social graph for community | Contract |
Note on photos: Photos you submit are processed by third-party AI services (see section 7). Depending on the feature, photos may be sent to Anthropic (Border Scan, health analysis, Ask Gardn vision), Plant.id and/or Google (plant identification), Google (Inspire imagery), and Replicate (Garden Studio image and video generation). Please do not include images of people — and in particular, never images of children — in photos you submit to Gardn.
Note on precise location: With your device permission, the "use my location" feature captures your precise device coordinates and stores them against your garden record. We use these coordinates to centre your garden map, to derive local weather and climate-zone data, and to match you to the local community radius feed. We share precise coordinates with the providers needed to deliver these features (Open-Meteo for weather, Mapbox for map tiles, and our climate-zone service — see section 7). You can decline or revoke location permission at any time in your device settings; some location-dependent features may then be unavailable.
Note on microphone audio (Bird "Listen"): When you use the Bird "Listen" feature, and only while you have granted microphone permission and are actively using the feature, Gardn captures short recordings of ambient audio (a few seconds at a time) and processes them to identify birds. Identification runs on your device first; where the on-device model cannot return a confident result, the audio window is sent to our bird-recognition provider (Google Perch, hosted on Fly.io in London) for a server-side identification (see section 7). Because the microphone captures ambient sound, recordings may incidentally capture nearby sounds and voices. We use this audio only for bird identification. Audio recordings you save against a wildlife sighting are stored against your account; transient audio windows used only for identification are not retained beyond the identification request and are deleted by the inference service after processing. The lawful basis is your consent (the microphone permission and your use of the feature), which you can withdraw at any time by disabling microphone access in your device settings. You can delete saved sighting audio per record, or via full account deletion (see section 12).
Note on EXIF data: We strip EXIF metadata (including any GPS coordinates embedded by your camera) from photos on upload, and re-encode images. Raw EXIF data is not retained in uploaded photos.
5b. Data we collect automatically
| Category | Source | Purpose | Lawful basis |
|---|---|---|---|
| Device type, OS version, app version | App runtime | Compatibility and debugging | Legitimate interests |
| Crash reports | Sentry SDK | Bug fixing and service reliability | Legitimate interests |
| Product analytics events (e.g. plants added, features used, trial start/conversion) | PostHog SDK | Product improvement | Legitimate interests (with opt-out — see section 11) |
| Push notification token | Expo / EAS | Sending push notifications you have opted into | Consent |
| Subscription and entitlement events | RevenueCat (via the app store) | Managing your subscription, trial and Premium entitlement | Contract |
6. Consent stages
At certain points in using Gardn, we ask for your consent for specific uses of your data. These are managed through Settings → Privacy & Data in the app and are entirely voluntary.
Stage 1 — Anonymised aggregate use *(opt-in)*
With your consent, we use anonymised, aggregated patterns from your garden data — for example, district-level summaries such as first daffodil dates across a region — in Gardn's own marketing content and free academic data sharing. No individual records, no photos, and no identifying detail leaves the platform. You can turn this off at any time in Settings → Privacy & Data.
Stage 2 — Research partnerships *(opt-in)*
If you consent, anonymised data may be shared with academic or horticultural research partners — such as universities, the Royal Horticultural Society, or similar bodies — under data-sharing agreements, for purposes such as climate-resilience research and biodiversity studies.
Stage 3 — Commercial licensing *(opt-in)*
If you consent, anonymised, aggregated data may be included in commercially licensed datasets sold to partners such as seed companies or garden retailers. This data cannot be linked back to you.
Each consent is independent, unbundled, and freely given. None is required to use Gardn. You can grant or withdraw any of them at any time in Settings → Privacy & Data. Withdrawal is honoured within 30 days — the time needed for downstream partners to refresh their data extracts. Gardn never sells personal data.
These consents apply to all data classes named in this policy, including Plant lifecycle and moments data (section 8) and Wildlife and biodiversity data (section 9).
7. Third parties we share data with
By using Gardn, your data is processed by the following third-party services. Each is a data processor (or, where applicable, an independent controller for its own platform purposes) and operates under its own privacy policy. We have data processing agreements in place with each.
| Service | Purpose | Data shared | Location & transfer basis |
|---|---|---|---|
| Supabase (Supabase Inc.) | Backend database, authentication, file storage | All app data (user profile, date of birth, plants, photos, posts, direct messages, precise coordinates, etc.) | EU (Frankfurt). UK→EU under UK adequacy regulations |
| Anthropic (Anthropic PBC) | Border Scan, plant health analysis, Ask Gardn assistant | User photos (vision features), garden text descriptions, plant care queries. No email or account identifier | USA. Standard Contractual Clauses + UK IDTA |
| Plant.id (FlowerChecker s.r.o.) | Plant identification from photos | User photos. No account identifier | EU (Czech Republic). UK→EU under UK adequacy regulations |
| Google LLC (Gemini API) | Plant identification and Inspire garden-design imagery | User photos, prompts, and garden context (e.g. region, soil, country, climate band). No email | USA. Standard Contractual Clauses + UK IDTA |
| Replicate (Replicate, Inc.) | Garden Studio image and video generation | Source garden/border photos (via signed URL) and bloom stills. No email | USA. Standard Contractual Clauses + UK IDTA |
| Google Perch on Fly.io (Fly.io, Inc.) | Bird audio identification (server fallback) | Short microphone audio windows and country code. No account identifier | UK (London region). UK domestic processing |
| RevenueCat (RevenueCat, Inc.) | Subscription and entitlement management (in-app-purchase intermediary) | Subscription events keyed to your Supabase user id; purchase/trial status | USA. Standard Contractual Clauses + UK IDTA |
| Apple Inc. | App Store, App Store in-app purchases, Sign in with Apple, Push Notifications | Account, payment and device info (per Apple's own policy). Gardn never sees card data | USA. Standard Contractual Clauses + UK IDTA |
| Google LLC (Google Play & Google Sign-In) | Google Play store, Play Billing, optional Google Sign-In | Account, payment and purchase info (per Google's own policy); account email for sign-in. Gardn never sees card data | USA. Standard Contractual Clauses + UK IDTA |
| Mapbox (Mapbox, Inc.) | Satellite map tiles for garden drawing | Map tile requests centred on your garden's coordinates | USA. Standard Contractual Clauses + UK IDTA |
| Open-Meteo (Open-Meteo) | Local weather and climate data | Precise coordinates | EU (Germany). UK→EU under UK adequacy regulations |
| postcodes.io (Ideal Postcodes Ltd) | UK postcode-to-region geocoding | Full UK postcode | UK |
| Zippopotam.us | Non-UK postal-code geocoding | Postal code and country | USA. Standard Contractual Clauses + UK IDTA |
| Sentry (Functional Software, Inc.) | Crash and error diagnostics | Crash stack traces, user UUID | USA. Standard Contractual Clauses + UK IDTA |
| PostHog (PostHog Inc.) | Product analytics | Anonymised event data, user UUID (not email) | EU (eu.posthog.com). UK→EU under UK adequacy regulations |
| Expo / EAS (Expo, Inc. — 650 Industries, Inc.) | Push notifications and over-the-air updates | Push notification token, device/app metadata | USA. Standard Contractual Clauses + UK IDTA |
| Vercel (Vercel, Inc.) | Website hosting and analytics (gardn.world) | Website request data and basic analytics | USA. Standard Contractual Clauses + UK IDTA |
| Resend (Resend, Inc.) | Website newsletter email delivery | Email address and message content for newsletter sign-ups made on our website | USA. Standard Contractual Clauses + UK IDTA |
Where data is transferred outside the UK to a country that is not covered by UK adequacy regulations, we rely on the Standard Contractual Clauses (SCCs) together with the UK International Data Transfer Addendum/Agreement (IDTA), supported by a transfer risk assessment, as the legal mechanism for transfer.
8. Plant lifecycle and moments data
What: Observations you log about your plants — first bud, first flower, first frost, first harvest, and similar plant-led moments. These are recorded as plant_lifecycle_events in our database (displayed in the app as "Moments"), with the date observed, any notes you add, and any photo you attach.
Why: To power Gardn's year-on-year memory features (such as showing you when a plant flowered last year), to refine our seasonal calendar with real observation data from gardens, and — only with your explicit consent under the Stage consent flags above — to contribute to anonymised aggregate datasets on phenology patterns.
Legal basis: Contract for the core memory features; Consent (Stage 1, 2, and 3 flags) for any aggregate, research, or commercial use.
Your control: Each record is stored with a snapshot of your consent flag settings at the time it was created. Withdrawing consent excludes future use of that record in any extract — this has effect on future processing of all prior records. Revoking a consent flag excludes photos from future extracts but does not delete them from your in-app timeline; photo deletion is a separate action available per-record in the plant detail screen, or via full account deletion. You can withdraw consent or delete individual records at any time in Settings → Privacy & Data and the plant detail screen.
9. Wildlife and biodiversity data
What: Species you log in the wildlife planner, goals you set, photos you submit for wildlife identification, and any audio you record for bird identification. Sightings are linked to your garden and bed, which carry your garden's precise location, and may include an audio recording.
Why: To power the wildlife planner feature, provide AI-powered wildlife and bird identification (audio is processed as described in section 5a's microphone note, including the server fallback to Google Perch on Fly.io), and — only with your explicit consent under the Stage consent flags above — to contribute to anonymised aggregate data on biodiversity patterns in gardens.
Legal basis: Contract for the core wildlife planner feature; Consent for AI analysis and audio capture; Consent (Stage 1, 2, and 3 flags) for any aggregate, research, or commercial use.
10. Data we do not collect or share
- We never sell personal data
- No advertising IDs, IDFA, or Apple AdAttributionKit
- No biometric data — bird audio is processed for species identification only and is not used to identify or profile any person; we do not create voiceprints
- No payment card numbers (all billing is handled by the app stores; we never see card data)
- No user contact lists
- No keystroke logging, session replay, or heatmap tracking
- No data sale, ever — including when Stage 3 commercial licensing is enabled. Only anonymised, aggregated, non-identifiable data is licensed commercially.
11. Your controls
Analytics opt-out: You can opt out of PostHog product analytics at any time in Settings → Privacy & Data. Opting out stops new event collection immediately.
Location: You can grant, decline or revoke precise-location access at any time in your device settings. Some location-dependent features may be unavailable without it.
Microphone: You can grant or revoke microphone access for Bird "Listen" at any time in your device settings. Without it, the listen feature will not function.
Push notifications: You can manage notification preferences in Settings → Notifications, or through your device's notification settings.
Consent flags: All three consent stages (section 6) are independently controllable in Settings → Privacy & Data.
Report and block: In community features you can report content and block other users at any time (see our Terms of Service).
12. How long we keep your data
| Data type | Retention period |
|---|---|
| Account data (email, profile, date of birth) | Duration of account + 30 days post-deletion |
| Plant, garden, care event and precise-location data | Duration of account + 30 days post-deletion |
| Photos | Duration of account + 30 days post-deletion |
| Saved audio recordings (wildlife sighting audio) | Duration of account + 30 days post-deletion |
| Transient Bird "Listen" audio windows (identification only) | Not retained beyond the identification request; deleted by the inference service after processing |
| Direct message content | Duration of account + 30 days post-deletion (hidden messages retained for the same period for safety/abuse records) |
| Community posts and comments | Duration of account + 30 days post-deletion |
| PostHog analytics events | 12 months rolling |
| Sentry crash logs | 90 days rolling |
| Resend email logs (website newsletter) | 30 days rolling |
| Backups | 30 days rolling |
| Subscription records | 7 years (legal and accounting requirement) |
| AI-processor processing logs (Anthropic, Plant.id, Google, Replicate, Perch) | Per their own retention policies (Anthropic: 30 days; others: per their respective policies) |
When you delete your account, all personal data is queued for deletion within 30 days. Anonymised, aggregated data already included in research or commercial datasets (where you had consented) is not recalled, as it cannot be linked back to you.
13. Your rights under UK GDPR
You have the following rights over your personal data:
Right of access — request a copy of the data we hold about you.
Right to rectification — ask us to correct inaccurate data.
Right to erasure — ask us to delete your data. You can also delete your account directly in Settings → Account → Delete Account.
Right to data portability — export your garden data in JSON format at any time from Settings → Privacy & Data → Export Data.
Right to restrict processing — ask us to limit how we use your data in certain circumstances.
Right to object — object to processing based on legitimate interests.
Right to withdraw consent — where processing is based on consent (precise device location, microphone audio for Bird "Listen", garden description AI personalisation, photo AI analysis, Border Scan, Inspire/Garden Studio, community posts, and the three Stage consent flags), you can withdraw at any time in Settings → Privacy & Data or your device settings.
Right not to be subject to automated decision-making — Gardn does not make legally significant automated decisions about you.
To exercise any of these rights, email privacy@gardn.world. We will respond within one calendar month. Where you use Gardn in a market outside the UK, equivalent local data-protection rights apply where the law of that market requires.
14. Right to complain
If you believe we are not handling your data lawfully, you have the right to complain to the UK's Information Commissioner's Office (ICO):
Website: ico.org.uk
Helpline: 0303 123 1113
If you are in a market outside the UK, you may also have the right to complain to your local data-protection authority. We would always prefer the opportunity to resolve concerns directly first — please contact privacy@gardn.world before escalating.
15. Cookies and tracking
The Gardn mobile app does not use cookies. Our website at gardn.world may use essential cookies for basic site functionality and uses Vercel for hosting and basic, privacy-respecting analytics. We do not use advertising or tracking cookies.
PostHog, our analytics provider, uses device identifiers (not cookies) within the app to associate events with a session. These identifiers are pseudonymous and not linked to your email address. You can opt out at any time (see section 11).
16. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will update the effective date at the top of this document. For material changes, we will notify you via an in-app notice or email before the change takes effect. Continued use of Gardn after notification constitutes acceptance of the updated policy.
Previous versions of this policy are available on request at privacy@gardn.world.
17. Contact us
Email: privacy@gardn.world
Post: Gardn Labs Limited, 124-128 City Road, London, United Kingdom, EC1V 2NX
For urgent data breach concerns, mark your email "URGENT: Data Breach". We will acknowledge within 24 hours and respond fully within 72 hours in accordance with our ICO notification obligations.
*Gardn Privacy Policy v2.1*
*Gardn Labs Limited — Company No. 17195491*