GrowCopilot AI AI plant doctor Join Beta

Privacy Policy

Last updated: April 15, 2026. This policy covers the GrowCopilot AI website, waitlist, and early-access application.
(Datenschutzerklärung gemäß Art. 13/14 DSGVO)

1. Controller

Responsible for data processing pursuant to Art. 4(7) GDPR:
Nicolas Preußmann
Fichtestraße 23
69126 Heidelberg
Germany
Email: contact@growcopilot.ai

2. Overview of data processing

We process personal data only when necessary for operating our website and providing our services. The collection and use of personal data occurs in compliance with the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).

3. Hosting

The application infrastructure is hosted on servers provided by:

Hetzner Online GmbH
Industriestr. 25
91710 Gunzenhausen
Germany

When you access this website, the hosting server automatically records the following data in server log files:

  • IP address of the requesting device
  • Date and time of the request
  • Browser type and version
  • Operating system
  • Referrer URL

This data is necessary for the technical provision and security of the website. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure and stable operation).

4. Cloudflare

This website uses Cloudflare as a DNS, CDN, and security service.

Provider:
Cloudflare Inc.
101 Townsend St.
San Francisco, CA 94107, USA

Cloudflare may process data such as IP addresses to defend against attacks and deliver the website. Cloudflare is certified under the EU-US Data Privacy Framework.

More information: https://www.cloudflare.com/privacypolicy/

5. What we collect

5.1 Waitlist

When you join the waitlist we collect your email address, preferred hardware setup, grow type, biggest growing challenge, and referral information. Legal basis: Art. 6(1)(a) GDPR (consent) and Art. 6(1)(b) GDPR (pre-contractual measures).

5.2 Account & profile

When you activate your account we store your email address, display name, and a securely hashed password. If you sign in with Google, we also receive and store your Google account identifier. Legal basis: Art. 6(1)(b) GDPR (contract performance).

5.3 Plant photos, grow data & Grow Record

When you use the application we collect the plant photos you upload, along with metadata you provide: plant names, cultivars, grow space descriptions, grow cycle stages, harvest logs, diary entries, and quick actions (such as watering or pruning records).

We also maintain a Grow Record for each grow cycle. This is a persistent, structured summary that includes: rolling analysis summaries, open problem tracking, action history (what you did and when), sensor data trends (temperature, humidity, VPD), and observations the AI is monitoring. The Grow Record is generated automatically from your data and AI analysis results (diagnosis, severity, confidence, summary, and care advice). Legal basis: Art. 6(1)(b) GDPR (contract performance).

5.4 Device & notification data

If you register a device (e.g. a Raspberry Pi) we store a hashed device token and its name. If you enable push notifications we store the browser push subscription endpoint and encryption keys required to deliver notifications. Legal basis: Art. 6(1)(a) GDPR (consent for notifications), Art. 6(1)(b) GDPR (contract for device functionality).

5.5 Cookies

We use a single session cookie (growcopilot_session) to keep you signed in. It is HTTP-only, secure, and expires after seven days. We do not use analytics cookies, advertising cookies, or third-party tracking scripts. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in session management).

6. How we use your data

  • Manage the waitlist, send beta invitations and product updates
  • Provide plant health analysis by processing your photos with AI
  • Send email and push notifications about analysis results and health alerts
  • Authenticate your sessions and secure your account
  • Track usage for subscription tier limits (number of analyses and chat messages)
  • Enable optional features such as timelapse sharing

7. AI processing & third-party sub-processors

7.1 Anthropic (AI analysis)

Plant photos you upload are sent to Anthropic (San Francisco, USA) for AI-powered health analysis via their Claude API. Images are resized before transmission and are sent together with your Grow Record context (plant name, cultivar, cycle stage, grow space type, open problems, action history, sensor trends, and prior analysis summaries) to produce an accurate, context-aware analysis.

The Service uses different analysis tiers (full visual analysis, sensor-only checks, and weekly reports) that vary in the amount of data sent. Prompt caching may be used to reduce processing costs; cached data is ephemeral and handled entirely within Anthropic’s API infrastructure. Anthropic processes this data as a sub-processor under their API terms and does not use your data to train their models.

Transfer basis: EU Standard Contractual Clauses (SCCs) and Anthropic’s data processing agreement.

7.2 Resend (email delivery)

Transactional emails (verification, beta invitations, analysis notifications, magic-link sign-ins) are sent through Resend, which processes your email address and message content as a sub-processor.

7.3 Google Fonts

This website loads fonts from Google Fonts, a service by Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). When you visit the site, your browser establishes a connection to Google servers and transmits your IP address. Google is certified under the EU-US Data Privacy Framework.

More information: https://policies.google.com/privacy

8. Data transfers outside the EU

Some of our sub-processors are located in the United States (Anthropic, Cloudflare, Google). Transfers are safeguarded by the EU-US Data Privacy Framework, Standard Contractual Clauses, or both. No data is shared with advertising or data-broker services.

9. Timelapse sharing

You may create public share links that grant anyone with the link access to a selected set of your plant photos for a defined date range. Sharing requires your explicit opt-in and can be revoked at any time.

10. Storage and retention

Your data is stored in PostgreSQL databases and self-hosted object storage on infrastructure located in Germany (Hetzner). We retain your data for as long as your account is active or as needed to provide the service.

You can delete your account at any time from the Settings page in the application. Account deletion permanently removes all your personal data, plant photos, grow spaces, plants, diary entries, and analysis results within minutes. Waitlist data is deleted when it is no longer needed or upon a valid deletion request.

11. Data security

Passwords are hashed with bcrypt. Sessions are HMAC-signed and transmitted via HTTP-only secure cookies. Device tokens are stored as hashes, not in plain text. All connections use TLS encryption in transit. Images are stored with server-side encryption at rest (AES-256 via MinIO SSE-S3).

Administrative access to grower data is logged in an audit trail recording the action, the administrator, and the timestamp. You may request a copy of audit records related to your data by contacting us.

12. Your rights

Under the GDPR you have the right to:

  • Access (Art. 15 GDPR) — obtain a copy of your personal data
  • Rectification (Art. 16 GDPR) — correct inaccurate data
  • Erasure (Art. 17 GDPR) — request deletion of your data
  • Restriction (Art. 18 GDPR) — restrict processing under certain conditions
  • Data portability (Art. 20 GDPR) — receive your data in a machine-readable format
  • Object (Art. 21 GDPR) — object to processing based on legitimate interest
  • Withdraw consent (Art. 7(3) GDPR) — withdraw consent at any time without affecting the lawfulness of prior processing

To exercise any of these rights, contact us at contact@growcopilot.ai. We will respond within 30 days.

13. Right to lodge a complaint

You have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The competent authority for our business is:

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg
Lautenschlagerstraße 20
70173 Stuttgart
Germany
https://www.baden-wuerttemberg.datenschutz.de

14. AI-generated content

All AI analysis, health reports, and chat responses provided by the Service are for informational purposes only and do not constitute professional agricultural advice. For full details, see Section 5 of our Terms of Service.

15. Changes to this policy

We may update this policy as the product evolves. Material changes will be communicated via email to registered users. The “last updated” date at the top reflects the most recent revision.