Privacy Policy

Last updated: April 20, 2026

Rooted ("we", "us") cares about your data. This page explains what we collect, why we collect it, and the controls you have. It is written to comply with India's Digital Personal Data Protection Act, 2023 ("DPDP") and the EU General Data Protection Regulation ("GDPR") for users in those regions.

1. Who we are

Rooted is operated by Manav Jain. You can contact us through the support page at any time.

2. What we collect

  • Account data: email address and an authentication token issued by Supabase Auth. Required to sign you in and associate your plants with your account.
  • Plant data: photos you upload, identification results, care-profile answers (pot material, drainage, plant size, etc.), and care-task history.
  • Approximate location: latitude and longitude (to roughly city-level precision), used solely to fetch local weather for the watering algorithm. You can revoke location access in your device settings at any time.
  • Device and diagnostic data: crash reports and performance metrics from Sentry; anonymised product-usage events from PostHog.
  • Community content: posts, comments, swap listings, and chat messages you voluntarily publish.

3. How we use it

  • To operate the app — identify plants, schedule watering, remind you to care for them.
  • To provide weather-aware watering schedules.
  • To deliver community and Plant Swap features.
  • To debug crashes and improve reliability.
  • To send transactional email (password reset, data export).

We do not sell your data. We do not use it for advertising. We do not share it with third parties except the processors listed below.

4. Third-party processors

  • Supabase — authentication, database, file storage, and server-side functions.
  • RevenueCat — subscription management (only for users who subscribe to Rooted Pro).
  • Google Play Billing and Apple App Store — subscription billing. We never see your payment card.
  • OpenWeatherMap — local weather data.
  • Plant.id, PlantNet, Perenual — third-party plant identification APIs.
  • PostHog — product analytics, with email hashed before transmission.
  • Sentry — crash reporting.
  • Resend — transactional email.

5. Your rights

Under DPDP and GDPR you have the right to:

  • Access — see the data we hold about you. Use Settings → Profile → Export my data in the app to download a JSON archive.
  • Correct — edit your profile, plants, and community content from inside the app.
  • Delete — delete your account. We remove your personal data within 30 days; anonymised statistics may be retained.
  • Port — the same export endpoint provides a portable JSON copy.
  • Withdraw consent — revoke location access or uninstall the app at any time.

Reach us via the support page with any rights request. We respond within 7 days.

6. Data retention

We retain account data while your account is active. On deletion, we remove personal identifiers within 30 days. Community posts may be retained in anonymised form for longer to preserve thread integrity.

7. Security

All data is transmitted over TLS 1.2+. Supabase Row Level Security restricts database reads and writes to authenticated owners. Billing fields on user profiles are service-role-only — no client can self-escalate their subscription state.

8. Children

Rooted is not directed at children under 13. We do not knowingly collect data from users under 13. If you believe a child has signed up, please contact us and we will delete the account.

9. International transfers

Rooted's primary database is hosted in Supabase's Singapore (ap-southeast-1) region. Weather and ID requests route to the nearest vendor region. We rely on standard contractual clauses for any cross-border transfers where required by DPDP or GDPR.

10. Changes

We will announce material changes in-app and via email to anyone on the waitlist. The "last updated" date at the top of this page always reflects the most recent revision.

11. Contact

Questions about this policy? Reach us at the support page.