Privacy Policy
Effective Date: December 15, 2025
Last Updated: December 15, 2025
Introduction
Social Garden ("we", "us", "our") is committed to protecting your privacy. This policy explains how we collect, use, and protect your data.
By using the app, you agree to this Privacy Policy.
1. Information We Collect
What You Provide
- Account: Email, name, profile picture (via Google OAuth)
- Contacts: Names, birthdays, phone numbers, relationships, personal notes
- Important Dates: Anniversaries and special occasions
- Interactions (sensitive data): Notes, photos, location data (optional), sentiment responses, mood ratings, relationship health metrics
- Settings: Timezone, language, notification preferences
Automatically Collected
- Device: Push notification tokens (stored until you revoke/uninstall), platform (iOS/Android), app version
- Usage: Feature usage, notification engagement
- Subscription: Premium status, purchase receipts, expiration dates
Note: Relationship notes, moods, and sentiment data are considered sensitive personal information and receive enhanced security protections.
2. How We Use Your Data
We process your data based on the following legal grounds (GDPR):
- Core Features: Manage contacts, send reminders, track important dates
  Legal basis: Contract performance, Consent
- AI Suggestions: Generate personalized interaction ideas via OpenAI
  What we send: Anonymized relationship context (interests, preferences, relationship type) - NO names, phone numbers, or identifying information
  Legal basis: Consent, Legitimate interest
- Gamification: Track relationship health (XP and mood)
  Legal basis: Consent
- Subscriptions: Manage Premium access and billing
  Legal basis: Contract performance
- Improvements: Analytics, bug fixes, feature development
  Legal basis: Legitimate interest
3. How We Share Your Data
We DO NOT sell your data. We only share with:
- Supabase: Database and authentication
- OpenAI: AI suggestions (anonymized data only)
- Google: OAuth authentication
- RevenueCat: Subscription management
- Apple/Google: Payment processing
- Expo: Push notifications
We may disclose data if required by law or to protect our rights.
4. Data Storage & Security
- Storage: Supabase cloud (secure data centers with physical and digital controls)
- Encryption: HTTPS/TLS in transit, encryption at rest (sensitive data including photos)
- Authentication: Secure OAuth 2.0 with tokens stored in iOS Keychain/Android Keystore
- Access Control: Row Level Security (RLS) - you can only access your own data
- Photo Storage:
  - Stored in private Supabase buckets (not publicly accessible)
  - Encrypted at rest
  - Access requires authentication
  - Accessible only by you via signed URLs (expire after use)
- Backups: Automated daily backups retained for disaster recovery
- Soft-delete period: When you delete items in-app, they're marked inactive for 30 days before permanent deletion (allows recovery). Delete your account for immediate permanent removal.
5. Your Rights
You can:
- Access your data anytime
- Correct information in the app
- Delete your account and all data (within 30 days)
- Export your data in machine-readable format
- Opt-out of notifications
- Withdraw consent by deleting your account
To exercise rights: Use app settings or email manabyte.apps@gmail.com
6. Third-Party Services
OpenAI
- Generates suggestions using anonymized, non-identifying context
- We send: Relationship type (e.g., "friend"), interests list (e.g., "hiking, coffee"), personality traits (e.g., "humorous")
- We DO NOT send: Names, phone numbers, exact birthdates, photos, or any personally identifiable information
- OpenAI does not train on your data (per OpenAI API policy)
Google OAuth
Basic profile only (no access to contacts/calendar)
RevenueCat
Manages subscriptions (privacy: https://www.revenuecat.com/privacy)
Expo
- Delivers push notifications via device tokens
- Tokens stored until app uninstall or you disable notifications
- Tokens automatically invalidated when you sign out
7. Data Retention
- Account data: Until you delete your account
- Deleted accounts: Permanently removed within 30 days
- Subscription receipts: 7 years (legal requirement)
- Analytics: Aggregated data indefinitely
8. Children's Privacy
Social Garden is not for users under 13. If we learn a child has provided data, we'll delete it immediately.
9. International Transfers
Your data may be processed outside the EU/EEA:
- Supabase: May process data in various regions (uses Standard Contractual Clauses)
- OpenAI: Processes data in the US (GDPR-compliant with appropriate safeguards)
- RevenueCat: Processes data in the US (GDPR-compliant)
We ensure all transfers comply with GDPR via:
- Standard Contractual Clauses (SCCs)
- Data Processing Agreements (DPAs) with all processors
- Ongoing monitoring of third-party compliance
10. Your Legal Rights
- GDPR (EU/UK): Access, rectification, erasure, portability, objection
- CCPA (California): Know, delete, opt-out of sales (we don't sell data)
Contact: manabyte.apps@gmail.com | Response time: 30 days
11. Changes to This Policy
We'll notify you of material changes via email or in-app notification. Continued use means you accept the changes.
12. Contact Us
Email: manabyte.apps@gmail.com
Response Time: 30 days
Data Summary
| Data | Purpose | Retention |
|---|---|---|
| Authentication | Login | Account lifetime |
| Contacts/Relationships | Relationship management | Until deleted |
| Photos | Memory journaling | Until deleted |
| Device tokens | Push notifications | Device lifetime |
| Subscriptions | Premium access | 1 year after cancellation |
| Purchase receipts | Tax/legal | 7 years |
| AI suggestions | Recommendations | 7 days or until used |
Last updated: December 15, 2025 | Version: 1.0