Skip to content

Legal

Privacy Policy

Last updated:

Welcome to Pocket Botanist ("App", "we", "us", or "our"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application. Please read this privacy policy carefully. IF YOU DO NOT AGREE WITH THE TERMS OF THIS PRIVACY POLICY, PLEASE DO NOT ACCESS THE APPLICATION.

1. Collection of your information

We may collect information about you in a variety of ways. The information we may collect via the Application depends on the content and materials you use, and includes:

Account & Authentication Data

When you first launch the App, an anonymous Firebase account is automatically created so you can use core features without signing in. Anonymous accounts are identified by a Firebase Installation ID for usage tracking but contain no personal information. If you choose to create a named account, we collect:

  • Email Address (Email magic-link sign-in): If you sign in by email, we collect your email address and send a one-time sign-in link to it. We do not collect or store a password. Your email address is stored with your Firebase account and associated with your scan history and usage data in the cloud.
  • Google Account Information (Google Sign-In): If you sign in with Google, we receive your Google account ID, display name, and email address from Google. We use this to create or link your account. Please refer to Google's Privacy Policy for information on how Google handles your data during authentication.
  • Apple Account Information (Sign in with Apple): On iPhone and iPad you can use Sign in with Apple. We receive an Apple user identifier and, depending on your choice, your name and an email address (which may be a private relay address that forwards to your real inbox). We use this to create or link your account. Please refer to Apple's Privacy Policy for information on how Apple handles your data during authentication.

The App does not currently support phone-number sign-in or SMS multi-factor authentication. Sensitive account actions (such as deletion) are reauthorized by repeating your existing Apple, Google, or email sign-in.

Scan History & Plant Data

When you identify a plant, the App saves a history item to your device and, if you are signed in, syncs it to the cloud (Firebase Firestore). Each history item may contain:

  • The plant identification result (name, scientific name, care information, etc.)
  • A reference to the photo, stored locally on your device and, if you save the plant to your collection while signed in, also uploaded to Firebase Storage under your account so it can sync across devices
  • The date and time of the scan
  • Your location at the time of the scan (if you have enabled location tagging; see Location Data below)
  • Any notes or garden zone labels you add
  • Care log entries, reminders, growth journal entries, and pot details you configure for that plant
  • Diagnosis results for that plant (stored under the collection item)

You can export your collection at any time as a PDF or CSV file using the in-app export feature. Exported files are shared directly from your device and are not transmitted to our servers.

Image Data

When you use the plant identification or diagnosis feature, the App resizes and compresses your photo locally on your device, then sends the image data inline to Google's Gemini AI API for processing. Identification and diagnosis photos themselves are never uploaded to a server we operate. The original copy of the photo stays on your device. Please refer to Google's Privacy Policy for information on how Google handles data processed by the Gemini API.

If you save an identified plant to your collection while signed in, the App uploads a resized copy of the photo to Firebase Storage under your account (users/{your-uid}/collection/...) so the photo can sync to your other devices. Firebase Storage access is restricted to your authenticated account. You can remove these photos by deleting the plant from your collection or by deleting your account (see Section 7).

Location Data

Location tagging is off by default. You can turn it on in the App's Settings or when prompted during onboarding. The App offers three location precision options:

  • Off: No location data is collected, used, or stored.
  • Approximate: Coordinates are rounded to one decimal place (roughly an 11 km grid) before use.
  • Precise: Coordinates are rounded to two decimal places (roughly a 1 km grid) before use.

When location tagging is enabled, location data is used to:

  • Provide location-aware context to the Gemini AI when identifying plants. We send a city-and-country label (e.g. "approximate place: London, United Kingdom") where available, or rounded coordinates otherwise. Raw GPS readings are never sent to Gemini.
  • Derive your USDA hardiness zone for region-aware care advice on Premium.
  • Store the location of a scan with your collection items (locally and, if signed in, in the cloud).
  • Display a map of your plant discoveries within the App.
  • Fetch local weather from Open-Meteo for weather-based care tips (see Weather Data below).

Your current location is cached locally on your device for up to 30 minutes to reduce unnecessary GPS lookups. We do not use your location for advertising purposes.

Usage Data

We track the number of AI requests you make each day to enforce daily limits and protect the service from abuse:

  • Plant identification, plant text search, and plant diagnosis share a single daily counter: 3 per day for guests, 5 per day for free signed-in members, and a fair-use cap of 200 per day for Premium members (marketed as "unlimited" for normal personal use).
  • Plant chat and diagnosis chat are Premium features with their own daily counter (see the App for the current value).
  • A short-window burst rate limit (a small number of requests per ten seconds) applies to all tiers to prevent abuse.

For guests, usage is tracked server-side under a per-device Firebase Installation ID (a pseudonymous identifier issued by Google's Firebase Installations service). For signed-in users, usage is tracked under your Firebase account. Usage counts are used solely to operate the access-tier system and are not used for profiling or advertising.

We also collect anonymous, aggregated information about how you use the App (such as features accessed and error logs) to help us improve the App. This data does not personally identify you.

Subscription & Purchase Data (RevenueCat)

We use RevenueCat to manage in-app subscriptions and purchases. When you make a purchase or restore a purchase, RevenueCat receives:

  • A pseudonymous App User ID (your Firebase UID, which does not directly identify you).
  • Purchase receipt data and entitlement status provided by the App Store or Google Play.
  • Basic device information (platform, app version, SDK version) used for fraud prevention and analytics.

RevenueCat does not receive your name, email address, or payment card details. Those remain with the app store. RevenueCat data is used solely to verify and manage your subscription entitlements and is not used for advertising. Please refer to the RevenueCat Privacy Policy for more information.

Crash & Error Reports (Firebase Crashlytics)

We use Firebase Crashlytics for crash reporting and error monitoring. If the App crashes or encounters a non-fatal error, Crashlytics may collect information including the type of device, operating system version, app version, a stack trace of the error, and a session log of recent app events. After you sign in, Crashlytics also receives your pseudonymous Firebase user ID so we can group crashes by account. Crashlytics is part of Firebase and is governed by Google's privacy terms linked at the bottom of this section.

Crash reports are used solely to diagnose and fix bugs. We do not configure Crashlytics to collect your plant photos, the content of your scans, your chat messages, or your location. You can disable Crashlytics data collection at any time from the App's Settings.

Performance Monitoring (Firebase Performance)

We use Firebase Performance Monitoring to measure App performance (e.g., response times, screen rendering). Firebase Performance collects basic device information (device model, OS version, app version, network type) and aggregated performance traces. This data is not linked to your personal identity and is used solely to identify and improve App performance issues.

Device & Technical Information

We may collect basic device information (e.g., device type, operating system version, app version) for troubleshooting and to optimize the App experience. This information is not linked to personal identifiers.

Chat & Diagnosis Chat Data

When you use the Premium plant-chat or diagnosis-chat features, each message you send and each AI response is processed by a server-side Firebase Function that calls Google's Gemini AI API. The contents of your messages are sent to Gemini so it can generate a reply.

For signed-in users, chat sessions are stored in Firebase Firestore under your account (users/{your-uid}/chatSessions/...) so the conversation persists across devices and across app launches. Firestore access is restricted by security rules: only your authenticated account can read its own chat sessions, and only the server-side chat function can write them. You can delete individual chat sessions from within the App, or remove all chat data by deleting your account.

Care Logs, Reminders, and Streak Data

When you log a care action (watering, fertilizing, repotting, pruning, misting), set a care reminder, or schedule a notice, this information is stored locally on your device and, if you are signed in, mirrored to your Firestore account (users/{your-uid}/streaks/... and on the related collection item). We use this data to power the care streak counter, achievement progress, and reminder notifications. It is not used for advertising or shared with third parties beyond Firebase.

Reference Plant Images (iNaturalist)

After a successful identification, the App may fetch a public reference photo for the identified species from the iNaturalist API so you can compare it to your scan. The only information sent to iNaturalist is the plant's common or scientific name. We do not send your photo, your account, your location, or any other personal data to iNaturalist. Please refer to iNaturalist's privacy policy for details on how they operate.

Weather Data

The App uses the Open-Meteo API to display weather-based gardening tips and weather-aware watering suggestions. Open-Meteo receives your rounded location coordinates (if location access is granted) to return relevant weather data. Open-Meteo does not require an API key and does not collect personally identifiable information. Weather responses are cached on our backend for up to a few hours per grid square to reduce upstream load. Please refer to Open-Meteo's privacy documentation for more details.

Advertising Infrastructure (Not Currently Active)

The App does not currently show advertisements. The Android AD_ID permission is explicitly blocked in the app manifest, so the App cannot read your advertising identifier. If we ever enable advertising in the future, this Privacy Policy will be updated in advance.

Note on Third-Party Services:

We use third-party services that have their own privacy policies governing how they collect and use your data. We encourage you to review them:

2. Use of your information

Having accurate information permits us to provide you with a smooth, efficient, and customized experience. Specifically, we may use information collected about you via the Application to:

  • Create and manage your account (anonymous or named).
  • Provide, operate, and maintain the App, including plant identification, diagnosis, companion planting suggestions, and care information.
  • Sync your scan history and preferences across devices when you are signed in.
  • Enforce daily usage limits.
  • Send plant care reminders via push notifications (only if you have granted notification permission).
  • Provide location-aware context for more accurate plant identification results.
  • Improve, personalize, and expand the App.
  • Understand and analyze how you use the App through anonymous, aggregated usage data.
  • Diagnose and fix technical issues through crash and error reports.
  • Comply with legal obligations.

3. Disclosure of your information

We may share information we have collected about you in certain situations. Your information may be disclosed as follows:

  • By Law or to Protect Rights: If we believe the release of information about you is necessary to respond to legal process, to investigate or remedy potential violations of our policies, or to protect the rights, property, and safety of others, we may share your information as permitted or required by any applicable law, rule, or regulation.
  • Third-Party Service Providers: We share your information with third parties that perform services for us or on our behalf, including Firebase (authentication, cloud database and storage, cloud functions, app integrity, analytics, crash reporting, performance monitoring, and remote configuration), Google Sign-In and Sign in with Apple (authentication), RevenueCat (subscription and purchase management), Open-Meteo (weather data), and iNaturalist (public plant reference photos). These providers process your data only as necessary to provide their services.
  • AI Processing (Gemini API):Photos, chat messages, and optional location context you submit for plant identification, diagnosis, text search, regional advice, or in-app chat are sent to Google's Gemini AI API for processing. This is necessary to provide the core functionality of the App.
  • Business Transfers: We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.
  • Aggregated or Anonymized Data: We may share aggregated or anonymized information, which does not directly identify you, with third parties for various purposes, including research or improving our services.

We do not sell your personal information.

4. Cookies and analytics

This website does not set advertising cookies, and it does not use cookies or other technologies that identify you or follow you across other websites. We do not run Google Analytics or any third-party advertising or analytics tags here, so there is no cookie banner to accept. The Pocket Botanist mobile app does not use cookies either.

Our mobile application stores data locally on your device using AsyncStorage (a standard React Native key-value store). This includes your scan history, settings preferences, daily usage counts, and temporary data such as a pending sign-in email address. This data remains on your device and is not shared with third parties, except where it is synced to Firebase Firestore for signed-in users as described in this policy.

We use Firebase Analytics to collect anonymous, aggregated information about how you use the App (such as which features are used and session information). This data does not personally identify you and is used solely to understand usage patterns and improve the App.

We use Firebase App Check (using Play Integrity on Android and App Attest on iOS) to verify that requests to our backend come from genuine instances of the App. This is a security measure and does not involve collecting personal information beyond device attestation tokens.

RevenueCat may use a pseudonymous device-level identifier (your Firebase UID) to associate subscription status with your account. See the Subscription & Purchase Data section above for details.

The Android AD_ID permission is explicitly blockedin the App's manifest, which means the App cannot read your advertising identifier and does not use one for any purpose.

5. Push notifications

With your permission, the App can send you local push notifications to remind you to care for your plants (e.g., watering, fertilizing, repotting). These reminders are scheduled locally on your device and are not sent via a remote push notification server. You can configure quiet hours and disable reminders in the App's Settings, or revoke notification permission through your device settings at any time.

6. Data security

We use administrative, technical, and physical security measures to help protect your information, including Firebase App Check to verify the integrity of requests to our backend services, and automatic redaction of sensitive data in crash reports. While we have taken reasonable steps to secure the information you provide to us, please be aware that despite our efforts, no security measures are perfect or impenetrable, and no method of data transmission can be guaranteed against any interception or other type of misuse. Therefore, we cannot guarantee complete security if you provide personal information.

7. Data retention

We will retain your information only for as long as is necessary for the purposes set out in this privacy policy:

  • Anonymous accounts:Anonymous Firebase accounts and any associated data may be deleted if they remain inactive for an extended period, in accordance with Firebase's data retention practices.
  • Scan history (cloud): If you are signed in, your scan history is stored in Firebase Firestore until you delete individual items or request account deletion.
  • Local data:Data stored in AsyncStorage on your device (including scan history, settings, and usage counts) persists until you uninstall the App or clear the App's data through your device settings.
  • Crash reports:Crash report data retained by Crashlytics is subject to Crashlytics's own data retention policies.

To request deletion of your account and associated cloud data, please contact us using the details in Section 11.

8. Children's privacy

Our App is not intended for use by children under the age of 13 (or a higher age threshold if required by applicable law, e.g., 16 in some EU countries under GDPR). We do not knowingly collect personally identifiable information from children under these ages. If we become aware that we have collected personal information from a child under the relevant age without verification of parental consent, we will take steps to remove that information from our servers. If you are a parent or guardian and you are aware that your child has provided us with personal information, please contact us.

9. Your data protection rights (e.g., GDPR/CCPA)

Depending on your location and applicable laws, you may have certain rights regarding your personal information. These may include the right to:

  • Access the personal information we hold about you.
  • Request that we correct any inaccurate personal information.
  • Request that we delete your personal information.
  • Object to or restrict our processing of your personal information.
  • Request the transfer of your personal information to another party (data portability).
  • Withdraw consent at any time (if processing is based on consent).

If you wish to exercise any of these rights, please contact us at the email address provided below. We will respond to your request within the timeframes required by applicable law. You may also have the right to lodge a complaint with a data protection authority.

For European Union (EU) and United Kingdom (UK) Residents (GDPR):

If you are a resident of the European Economic Area (EEA) or the UK, you have certain data protection rights. We aim to take reasonable steps to allow you to correct, amend, delete, or limit the use of your Personal Data.

Legal Basis for Processing Personal Data under GDPR:

  • Consent: Where you have given your consent, such as granting camera, location, or notification permissions, or choosing to sign in and sync your data to the cloud.
  • Performance of a contract: Processing necessary to deliver the core service you have requested, such as sending your plant images to the Gemini API for identification.
  • Legitimate interests: Processing necessary for our legitimate interests in operating, improving, and securing the App (e.g., crash reporting, anonymous usage analytics, App Check integrity verification), where those interests are not overridden by your rights and freedoms.
  • Legal obligations: Processing necessary for compliance with a legal obligation to which we are subject.

If your data is transferred outside of the EEA or UK (e.g., to Google's servers for Firebase and Gemini API processing), appropriate safeguards are in place as managed by Google, including Standard Contractual Clauses or reliance on adequacy decisions.

For California Residents (CCPA):

This section supplements the information contained in our Privacy Policy and applies solely to all visitors, users, and others who reside in the State of California.

Categories of Personal Information Collected: In the preceding twelve (12) months, we have collected the following categories of personal information:

  • Identifiers (e.g., Firebase user ID, email address if you sign in).
  • Internet or other similar network activity (e.g., usage data, feature access, error logs).
  • Geolocation data (if you grant location permission: city and country level, or GPS coordinates stored with scan history items).
  • Visual information (e.g., images you submit for plant identification or diagnosis, processed locally and sent to the Gemini API).

Business or Commercial Purposes:We collect personal information for the business purposes described in Section 2 "USE OF YOUR INFORMATION."

Sharing Personal Information: We may disclose your personal information to third-party service providers for business purposes as described in Section 3 (e.g., to Google for Firebase and Gemini API services, and to Crashlytics for crash reporting).

"Do Not Sell My Personal Information": We do not sell your personal information. Advertisements are not currently served in the App. If advertising is activated in the future, this policy will be updated and appropriate opt-out mechanisms will be provided.

Your Rights Under CCPA: California residents have the right to:

  • Request that we disclose certain information about our collection and use of your personal information over the past 12 months (the "right to know").
  • Request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions (the "right to delete").
  • Not be discriminated against for exercising any of your CCPA rights.

To exercise these rights, please contact us using the contact information provided below.

10. Changes to this privacy policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page. Significant changes may also be communicated through the App or via email if we have your contact information.

11. Contact us

If you have any questions or suggestions about our Privacy Policy, or to exercise your data rights, do not hesitate to contact us.

Email: hello@pocketbotanist.app