Privacy Policy

Verdica — AI Plant Intelligence Platform
Cat Barn LLC · Boise, Idaho
Last Updated: April 18, 2026 · Effective: April 18, 2026
Privacy Summary: We collect minimal data. We do NOT use analytics or advertising trackers. We use one httpOnly session cookie for authentication and a non-identifying behavioral hash for bot protection. Your sensitive data (substance names, garden notes, chat messages) is encrypted with AES-256-GCM. We never sell your data.
Table of Contents
  1. Introduction
  2. Data We Collect
  3. Data We Do NOT Collect
  4. How We Use Your Data
  5. Third-Party Services
  6. Data Encryption
  7. Data Retention
  8. Your Rights (GDPR)
  9. Your Rights (CCPA/CPRA)
  10. Health Data (GDPR Art. 9)
  11. Children's Privacy
  12. International Transfers
  13. Data Breach Notification
  14. Changes to This Policy
  15. Contact

1. Introduction

This Privacy Policy explains how Cat Barn LLC ("Company," "we," "us," "our"), an Idaho limited liability company, collects, uses, stores, and protects your personal information when you use the Verdica application ("App").

By using the App, you consent to the collection and use of information as described in this Privacy Policy. This Policy should be read alongside our Terms of Service.

Data Controller: Cat Barn LLC, Boise, Idaho, United States. Contact: [email protected].

EU/EEA Users: As Cat Barn LLC does not have an establishment in the European Union, and processes data of individuals in the EU, we acknowledge the obligation under GDPR Article 27 to designate a representative in the EU. If you are an EU/EEA user and wish to exercise your data rights, contact [email protected] and we will respond within the timelines specified in this Policy.

2. Data We Collect

2.1 Account Data (from Google OAuth)

Data | Source | Encrypted | Purpose
Email address | Google OAuth 2.0 | No | Account identification, communications
Display name | Google OAuth 2.0 | No | UI personalization
Google subject ID | Google OAuth 2.0 | No | Authentication token binding

2.2 User-Generated Data

Data | Encrypted | Shared | Retention
Substance/drug names | ✓ AES-256-GCM | Never | Until you delete
Substance dosage, frequency, notes | ✓ AES-256-GCM | Never | Until you delete
Garden plant nicknames | ✓ AES-256-GCM | Never | Until you delete
Light Scout spot names | ✓ AES-256-GCM | Never | Until you delete
Light Scout lux readings | No (numeric only) | Never | Until you delete
Chat messages (AI Garden Chat) | ✓ AES-256-GCM (at rest) | Google Gemini API (decrypted for processing; see §5) | Until account deletion
Scan feedback notes | ✓ AES-256-GCM | Never | Until account deletion
Scan history (species IDs, identification results) | No | Never | Until account deletion
Bug reports / feedback | No (admin-readable) | Never | 3 years or on request

2.3 Transient Data (not stored by us)

Data | Sent To | Our Retention
Scan photographs | Plant.id, Google Gemini (Pro only) | Retained for your scan history; deleted on account deletion
GPS coordinates (optional, user-controlled) | Plant.id (if enabled) | Not retained
Purchase tokens | Google Play Billing | Not retained

3. Data We Do NOT Collect

Verdica does not use any tracking, analytics, or advertising technologies.
  • ✗ No analytics — No Google Analytics, Firebase Analytics, Mixpanel, or any usage tracking
  • ✗ No advertising SDKs — No ads, no ad networks, no ad identifiers
  • ✗ No crash reporting — No Sentry, Crashlytics, or Bugsnag
  • ✓ Anti-bot protection — A non-identifying session hash is generated from browser characteristics for automated access detection. No IMEI, advertising IDs, or hardware serial numbers are collected.
  • ✓ Minimal cookies — One httpOnly, Secure session cookie for authentication only. SameSite policy is set to the most restrictive value supported by each access context (Strict for web sessions, adjusted for cross-origin authentication where required by the Android app). No tracking, analytics, or third-party cookies.
  • ✓ Request integrity verification — API requests may include a cryptographic signature derived from the request payload and a server-side secret to verify request authenticity and prevent tampering. No personal data or device identifiers are included in this signature.
  • ✗ No persistent location tracking — GPS is only used during a scan if you enable it, and is not stored
  • ✗ No data sales — We do not sell, rent, lease, or trade your personal data to anyone
  • ✗ No behavioral profiling — We do not build user profiles for marketing or advertising

4. How We Use Your Data

We use your data solely for the following purposes:

Purpose | Legal Basis (GDPR) | Data Used
Provide the App's core features | Performance of contract (Art. 6(1)(b)) | Account data, scan data, garden data
Authenticate your identity | Performance of contract (Art. 6(1)(b)) | Google OAuth tokens
Process subscriptions | Performance of contract (Art. 6(1)(b)) | Google Play purchase tokens
Display herb-drug interaction educational references | Explicit consent (Art. 9(2)(a)) | Substance names (encrypted)
Provide AI Garden Chat responses | Performance of contract (Art. 6(1)(b)) | Chat messages (sent to Gemini API)
Respond to support requests | Legitimate interest (Art. 6(1)(f)) | Email, bug reports
Legal compliance (waiver proof, identity verification) | Legal obligation (Art. 6(1)(c)); Art. 17(3)(e) | Email address, IP address, acceptance timestamp, content hash

5. Third-Party Services

The App integrates with the following third-party services. Your substance/drug names are encrypted and NEVER shared with any third party.

Service | Provider | Data Shared | Their Retention | Their Privacy Policy
Plant.id | Kindwise s.r.o. (Czech Republic) | Scan photos, optional GPS | ~30 days | Link
Google Gemini API | Google LLC (USA) | Chat messages, plant context | Up to 30 days | Link
Google OAuth 2.0 | Google LLC (USA) | Authentication tokens | Per Google terms | Link
Google Play Billing | Google LLC (USA) | Purchase tokens only | Per Google terms | Link
Proprietary Vision AI (self-hosted) | Cat Barn LLC (self-hosted) | Scan photos (stays on our server) | Not retained | This policy

We do not control the data practices of third-party providers. We encourage you to review their privacy policies.

6. Data Encryption & Security

6.1 Encryption at Rest

  • Field-level encryption: 10 sensitive fields across 6 database tables are encrypted with AES-256-GCM (authenticated encryption with associated data). Each field uses a unique initialization vector.
  • Disk encryption: The database volume is encrypted with LUKS full-disk encryption.
  • Encrypted fields include: substance names, dosages, frequencies, notes, garden nicknames, Light Scout spot names, chat messages, and scan feedback.

6.2 Encryption in Transit

  • All data transmitted between your device and our servers is encrypted via TLS 1.3 (HTTPS), managed by a dedicated reverse proxy with automatic certificate renewal.

6.3 Access Controls

  • Server access is restricted to the application owner only (no employee access)
  • Database credentials are environment-variable injected, not stored in code
  • Application containers run as non-root user with read-only filesystem where possible

7. Data Retention

Data Category | Retention Period | Deletion Method
Account data (email, name) | Until account deletion | Hard delete from all tables
User-generated content (gardens, scans, chat) | Until account deletion | Hard delete; encrypted keys destroyed
Substance/drug data | Until you individually delete OR account deletion | Hard delete; AES keys destroyed
Scan photographs | Retained for scan history display; deleted on account deletion | Account lifetime
Legal agreement acceptance records (Terms of Service, Privacy Policy, Health Disclaimer) | 7 years from account deletion date (legal hold) | Email address, agreement version, cryptographic proof of signed text, IP, and user agent retained under GDPR Art. 17(3)(e) for defence of legal claims
Bug reports / feedback | 3 years or until request for deletion | Deletion on request or scheduled purge

Legal Hold — Agreement Records: Upon account deletion, we retain the following pseudonymized data from each legal agreement you accepted (Terms of Service, Privacy Policy, Health Disclaimer) for seven (7) years from the date of account deletion, pursuant to GDPR Article 17(3)(e) (establishment, exercise, or defence of legal claims):

  • Your email address
  • An HMAC-SHA256 cryptographic hash of your email address (pseudonymized lookup key)
  • Acceptance timestamp
  • Your IP address at the time of acceptance
  • Your user agent (browser/device identifier) at the time of acceptance
  • The waiver type and version identifier
  • A SHA-256 hash of the exact agreement text you accepted (cryptographic proof of what you signed)

This data is stored in an append-only audit log and is used solely for the purpose of proving your consent to these agreements in legal proceedings. It is never used for marketing, profiling, or any other purpose. The legal basis for this retention is compliance with a legal obligation (GDPR Art. 6(1)(c)) and the defence of legal claims exception to the right of erasure (GDPR Art. 17(3)(e)).

8. Your Rights Under GDPR (EU/EEA Users)

If you are located in the European Union or European Economic Area, you have the following rights under the General Data Protection Regulation:

Right | Description | How to Exercise
Access (Art. 15) | Request a copy of all personal data we hold about you | Email [email protected]
Rectification (Art. 16) | Correct inaccurate personal data | Edit in-app or email us
Erasure (Art. 17) | Delete all your personal data | In-app: Profile → Delete Account
Portability (Art. 20) | Receive your data in machine-readable format (JSON) | Email [email protected]
Restriction (Art. 18) | Restrict processing of your data | Email [email protected]
Object (Art. 21) | Object to processing based on legitimate interest | Email [email protected]
Withdraw consent (Art. 7(3)) | Withdraw consent for health data processing at any time | Delete substance entries in-app

We will respond to all GDPR requests within thirty (30) days. You also have the right to lodge a complaint with your local data protection authority.

9. Your Rights Under CCPA/CPRA (California Residents)

If you are a California resident, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) provides you with the following rights:

  • Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you.
  • Right to Delete: You may request deletion of your personal information.
  • Right to Opt-Out of Sale: We do NOT sell your personal information. We do not share personal information for cross-context behavioral advertising. Therefore, no opt-out is required.
  • Right to Correct: You may request correction of inaccurate personal information (CPRA addition).
  • Right to Limit Use of Sensitive Personal Information: Your substance/drug names are encrypted and used solely for displaying interaction references. We do not use sensitive PI for purposes beyond providing the service.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

Do Not Sell or Share: Cat Barn LLC does NOT sell, share, or trade your personal information to any third party for monetary or other valuable consideration. Period.

To exercise your rights, contact [email protected]. We will verify your identity and respond within forty-five (45) days.

10. Health Data & Special Category Data (GDPR Article 9)

Important: If you use the herb-drug interaction educational reference feature, the substance/drug names you enter are classified as special category data (health data) under GDPR Article 9.

We process this data only with your explicit consent (GDPR Art. 9(2)(a)), which you provide when you first access the interaction reference feature. You may withdraw consent at any time by deleting your substance entries within the App.

Your substance and drug names are:

  • Encrypted with AES-256-GCM at rest — we cannot read them in plaintext without your session key
  • Never shared with any third-party service (including Plant.id, Google Gemini, or Google Play)
  • Never used for advertising, profiling, or any purpose other than displaying interaction educational references to you
  • Permanently destroyed upon account deletion (encryption keys discarded)

HIPAA Disclaimer: Cat Barn LLC is not a HIPAA-covered entity. The App is not a medical device or health service. Substance data is collected for educational reference purposes only.

11. Children's Privacy

The App is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13 in compliance with the Children's Online Privacy Protection Act (COPPA).

If we discover that a child under 13 has created an account, we will immediately delete the account and all associated data. If you believe a child under 13 has provided us with personal information, please contact [email protected].

12. International Data Transfers

Our servers are located in the United States. If you access the App from the European Union, European Economic Area, or other regions with data protection laws, your data will be transferred to and processed in the United States.

For EU/EEA users, this transfer is based on:

  • Your explicit consent (GDPR Art. 49(1)(a)) — you are informed of the risks of transfer to the United States (which lacks an EU adequacy decision for general data processing) and consent when you create an account
  • Performance of contract (GDPR Art. 49(1)(b)) — necessary to provide the service

Scan photos sent to Plant.id are processed by Kindwise s.r.o. in the Czech Republic (EU), subject to GDPR directly.

13. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms:

  • We will notify affected users via email within 72 hours of becoming aware of the breach (GDPR Art. 33)
  • We will notify the relevant data protection authority within 72 hours
  • We will notify the FTC as required under the Health Breach Notification Rule (16 CFR Part 318) if health data is involved
  • We will notify the Idaho Attorney General as required under Idaho Code §28-51-105

Our internal breach response procedures are documented and tested.

Liability Limitation for Security Incidents: Cat Barn LLC implements industry-standard security measures including AES-256-GCM field encryption, LUKS volume encryption, TLS 1.3, and non-root containerized deployment. Despite these measures, no system is immune to unauthorized access. To the maximum extent permitted by law, Cat Barn LLC shall not be liable for damages arising from unauthorized access to, alteration of, or destruction of your data by third parties (hackers, state actors, or other malicious agents) where we have implemented reasonable security measures. This limitation does not apply where the breach resulted from Cat Barn LLC's gross negligence or willful misconduct. See our Terms of Service §15 for complete limitation of liability.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via:

  • A prominent in-app notification requiring acknowledgment
  • Email to your registered Google account address
  • At least thirty (30) days before the changes take effect

Your continued use of the App after the effective date constitutes acceptance of the updated Privacy Policy. If you do not agree, you must stop using the App and delete your account.

15. Contact

For privacy inquiries, data requests, or complaints (response within 30 days for GDPR, 45 days for CCPA):

Cat Barn LLC
Email: [email protected]
Boise, Idaho, United States

EU residents may also contact their local data protection authority.

© 2026 Cat Barn LLC. All rights reserved.
