This Privacy Policy explains how Cat Barn LLC ("Company," "we," "us," "our"), an Idaho limited liability company, collects, uses, stores, and protects your personal information when you use the Verdica application ("App").
By using the App, you consent to the collection and use of information as described in this Privacy Policy. This Policy should be read alongside our Terms of Service.
Data Controller: Cat Barn LLC, Boise, Idaho, United States. Contact: [email protected].
EU/EEA Users: Verdica is operated from the United States, offered in English with U.S.-dollar pricing, and is not marketed, advertised, or specifically directed to users in the European Union or the EEA. If you are an EU/EEA resident with a privacy question, you may contact [email protected].
| Data | Source | Encrypted | Purpose |
|---|---|---|---|
| Email address | Google OAuth 2.0 | No | Account identification, communications |
| Display name | Google OAuth 2.0 | No | UI personalization |
| Google subject ID | Google OAuth 2.0 | No | Authentication token binding |
| Data | Encrypted | Shared | Retention |
|---|---|---|---|
| Substance/drug names | On-device only — never sent to or stored on our servers | Never (stored only on your device) | Until you delete on your device |
| Substance dosage, frequency, notes | On-device only — never sent to or stored on our servers | Never (stored only on your device) | Until you delete on your device |
| Garden plant nicknames | ✓ AES-256-GCM | Never | Until you delete |
| Light Scout spot names | ✓ AES-256-GCM | Never | Until you delete |
| Light Scout lux readings | No (numeric only) | Never | Until you delete |
| Chat messages (AI Garden Chat) | ✓ AES-256-GCM (at rest) | Google Gemini API (decrypted for processing; see §5) | Until account deletion |
| Scan feedback notes | ✓ AES-256-GCM | Never | Until account deletion |
| Scan history (species IDs, identification results) | No | Never | Until account deletion |
| Bug reports / feedback | No (admin-readable) | Never | 3 years or on request |
| Data | Sent To | Our Retention |
|---|---|---|
| Scan photographs | Plant.id, Google Gemini (cloud identification only) | Retained for your scan history; deleted on account deletion |
| GPS coordinates (optional, user-controlled) | Plant.id (if enabled) | Stored with the scan when location is granted (see §2.4) |
| Purchase tokens | Google Play Billing | Not retained |
If you grant the App location permission when you take a scan, the approximate location (latitude and longitude) of that scan is stored alongside the scan record so we can provide location-aware features such as the foraging map and regional frost and weather context. This is optional: if you deny or revoke location permission, no coordinates are captured or stored, and the App continues to work for identification. Stored scan coordinates are retained with the scan until you delete the scan or your account.
The App can submit crash and diagnostic reports to us to help us find and fix bugs. These reports are limited to technical error information — an error message, the error type, the source location and line number, a stack trace, the in-app screen (URL fragment), and a timestamp. They are not intended to contain your substance/drug names, garden notes, or chat content, and we do not collect those intentionally; however, because an error message can occasionally include surrounding text, please avoid entering sensitive personal data into free-text fields. We use crash and diagnostic reports solely to diagnose and fix problems, not for advertising, profiling, or analytics.
We use your data solely for the following purposes:
| Purpose | Legal Basis (GDPR) | Data Used |
|---|---|---|
| Provide the App's core features | Performance of contract (Art. 6(1)(b)) | Account data, scan data, garden data |
| Authenticate your identity | Performance of contract (Art. 6(1)(b)) | Google OAuth tokens |
| Process your one-time app purchase and any Leaf credit (token) purchases | Performance of contract (Art. 6(1)(b)) | Google Play purchase tokens |
| Display herb-drug interaction educational references | Explicit consent (Art. 9(2)(a)) | Substance names (stored only on your device) |
| Provide AI Garden Chat responses | Performance of contract (Art. 6(1)(b)) | Chat messages (sent to Gemini API) |
| Respond to support requests | Legitimate interest (Art. 6(1)(f)) | Email, bug reports |
| Legal compliance (waiver proof, identity verification) | Legal obligation (Art. 6(1)(c)); Art. 17(3)(e) | Email address, IP address, acceptance timestamp, content hash |
The App integrates with the following third-party services. Your saved substance/drug list is stored only on your device and is never transmitted to us or any third party. NOTE: text you type into AI Garden Chat is processed by Google Gemini — do not enter substance, drug, or health details into chat.
| Service | Provider | Data Shared | Their Retention | Their Privacy Policy |
|---|---|---|---|---|
| Plant.id | Kindwise s.r.o. (Czech Republic) | Scan photos, optional GPS | ~30 days | Link |
| Google Gemini API | Google LLC (USA) | AI chat messages and plant context; and scan photos (cloud identification) | Up to 30 days | Link |
| Google Vertex AI (imagen) | Google LLC (USA) | Garden Designer yard, calibration, and render photos (used to generate your garden visualization) | Up to 30 days | Link |
| Google OAuth 2.0 | Google LLC (USA) | Authentication tokens | Per Google terms | Link |
| Google Play Billing | Google LLC (USA) | Purchase tokens only | Per Google terms | Link |
| OpenWeatherMap | OpenWeather Ltd (UK) | Approximate location coordinates, only for weather and frost context | Per OpenWeather terms | Link |
| Cloudflare CDN / WAF | Cloudflare, Inc. (USA) | Network traffic transits Cloudflare for TLS termination, CDN delivery, and DDoS/WAF protection (no application content is shared for any other purpose) | Per Cloudflare terms | Link |
| Proprietary Vision AI (self-hosted) | Cat Barn LLC (self-hosted) | Scan photos (stays on our server) | Not retained | This policy |
We do not control the data practices of third-party providers. We encourage you to review their privacy policies.
| Data Category | Retention Period | Deletion Method |
|---|---|---|
| Account data (email, name) | Until account deletion | Personal fields cleared and the account row deactivated as an anonymized tombstone (which holds no personal data); a plaintext copy of your email is retained for 7 years in the legal-hold acceptance records below |
| User-generated content (gardens, scans, chat) | Until account deletion | The encrypted records are permanently and irreversibly deleted (hard delete) |
| Substance/drug data | Until you delete it on your device (stored only on your device) | The records are permanently and irreversibly deleted from your device (hard delete) |
| Scan photographs | Retained for scan history display; deleted on account deletion | Account lifetime |
| Legal agreement acceptance records (Terms of Service, Privacy Policy, Health Disclaimer, and age affirmation) | 7 years from account deletion date (legal hold) | Email address, agreement version, cryptographic proof of signed text, IP, and user agent retained under GDPR Art. 17(3)(e) for defence of legal claims |
| Bug reports / feedback | 3 years or until request for deletion | Deletion on request or scheduled purge |
Legal Hold — Agreement Records: Upon account deletion, we retain the following data from each legal agreement you accepted (Terms of Service, Privacy Policy, Health Disclaimer) and your age affirmation (that you confirmed you are 13+) for seven (7) years from the date of account deletion, pursuant to GDPR Article 17(3)(e) (establishment, exercise, or defence of legal claims):
This data is stored in an append-only audit log and is used solely for the purpose of proving your consent to these agreements in legal proceedings. It is never used for marketing, profiling, or any other purpose. The legal basis for this retention is compliance with a legal obligation (GDPR Art. 6(1)(c)) and the defence of legal claims exception to the right of erasure (GDPR Art. 17(3)(e)).
Why seven (7) years. The App is intended for users 13 years of age and older. Under Idaho Code §5-230, a minor's limitations clock is tolled during minority (subject to a six-year cap), so a personal-injury claim with a two-year limitations period (Idaho Code §5-219) brought by a user who was 13 at the time can be asserted up to approximately seven years after the event. Retaining proof of your acceptance for seven years is therefore necessary and proportionate to the establishment, exercise, or defence of legal claims (GDPR Art. 5(1)(e) and Art. 17(3)(e)), and reflects the corresponding US litigation-hold basis.
If you are located in the European Union or European Economic Area, you have the following rights under the General Data Protection Regulation:
| Right | Description | How to Exercise |
|---|---|---|
| Access (Art. 15) | Request a copy of all personal data we hold about you | Email [email protected] |
| Rectification (Art. 16) | Correct inaccurate personal data | Edit in-app or email us |
| Erasure (Art. 17) | Delete all your personal data | In-app: Profile → Delete Account |
| Portability (Art. 20) | Request a machine-readable copy of your personal data | Email [email protected]; we will provide it within 30 days of a verified request |
| Restriction (Art. 18) | Restrict processing of your data | Email [email protected] |
| Object (Art. 21) | Object to processing based on legitimate interest | Email [email protected] |
| Withdraw consent (Art. 7(3)) | Withdraw consent for health data processing at any time | Delete substance entries in-app |
We will respond to all GDPR requests within thirty (30) days. You also have the right to lodge a complaint with your local data protection authority.
If you are a California resident, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) provides you with the following rights:
To exercise your rights, contact [email protected]. We will verify your identity and respond within forty-five (45) days.
We process this data only with your explicit consent (GDPR Art. 9(2)(a)), which you provide through the one-time onboarding acceptance together with the in-app confirmation shown at the point you first enter substance data. You may withdraw consent at any time by deleting your substance entries within the App.
Your substance and drug names are:
HIPAA Disclaimer: Cat Barn LLC is not a HIPAA-covered entity. The App is not a medical device or health service. Substance data is collected for educational reference purposes only.
The App is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13 in compliance with the Children's Online Privacy Protection Act (COPPA).
If we discover that a child under 13 has created an account, we will promptly delete the account and its personal data, subject to the same limited legal-hold retention and anonymized account tombstone described in §7 (the acceptance-proof records kept for defence of legal claims, and the deactivated account row that holds no personal data). If you believe a child under 13 has provided us with personal information, please contact [email protected].
Our servers are located in the United States. If you access the App from the European Union, European Economic Area, or other regions with data protection laws, your data will be transferred to and processed in the United States.
For EU/EEA users, this transfer is based on the EU-US Data Privacy Framework:
Scan photos sent to Plant.id are processed by Kindwise s.r.o. in the Czech Republic (EU), subject to GDPR directly.
In the event of a data breach that poses a risk to your rights and freedoms:
Our internal breach response procedures are documented and tested.
We may update this Privacy Policy from time to time. Material changes will be communicated via:
Your continued use of the App after the effective date constitutes acceptance of the updated Privacy Policy. If you do not agree, you must stop using the App and delete your account.
For privacy inquiries, data requests, or complaints (response within 30 days for GDPR, 45 days for CCPA):
Cat Barn LLC
Email: [email protected]
Boise, Idaho, United States
EU residents may also contact their local data protection authority.