Privacy Policy
My Veggie Patch – Grow Ventures Pty Ltd trading as My Veggie Patch
Effective date: 15 May 2026
1. About This Policy
This Privacy Policy explains how Grow Ventures Pty Ltd (ABN 41 697 105 801) trading as My Veggie Patch (“we”, “us”, “our”) collects, uses, discloses, and protects your personal information when you use the My Veggie Patch application and related services (“the Platform”).
We are committed to handling personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). For users associated with school or educational programs, we apply additional protections consistent with our Child Safety Policy.
By creating an account or using the Platform, you agree to the collection and use of your information as described in this Policy.
2. Who We Are
Grow Ventures Pty Ltd trading as My Veggie Patch is registered in Victoria, Australia. You can contact us about privacy matters at:
Email: privacy@myveggiepatch.com.au
3. What Personal Information We Collect
3.1 Account information
When you create an account, we collect:
- Display name
- Email address
- Password (stored as a one-way cryptographic hash – we cannot read your password)
- Authentication provider details if you sign in with Google or Apple
- Suburb or postcode (to determine your climate zone and provide localised planting guidance)
3.2 Garden and planting data
Information you enter about your kitchen garden, including:
- Bed dimensions, layout, and configuration
- Plants sown, planted, or planned
- Observations, journal entries, and notes
- Photos you upload (stored securely; EXIF location metadata is stripped before storage – avatar photos are processed in your browser via canvas re-encoding; garden journal photos are processed server-side)
3.3 Usage and technical data
We record your interactions with the Platform to improve service quality and diagnose technical issues. This includes:
- Features used and screens visited
- Actions taken (e.g. plants added, beds created, notifications enabled)
- Device type, operating system, and browser version
- IP address (used for security and fraud prevention; not used for advertising)
All usage data is stored within your own account record in our database. We use PostHog for product analytics, hosted in the EU. PostHog does not share your data with advertising networks and is used solely to improve the Platform.
3.4 Communications
- Notification preferences you set (push and email)
- Support enquiries and correspondence you send us
3.5 School and student accounts
Where the Platform is used in a school context under a school subscription:
- School administrators provide school name, state, and contact details
- Teachers provide their name and school email address
- Students access the Platform using a class access code. We collect only a display name chosen by the student – no email address, date of birth, or other personal information is required for student accounts
- All student-generated content (observations, photos, sandpit plans) is associated with the school’s account and is accessible to the supervising teacher
4. How We Collect Your Information
We collect personal information:
- Directly from you when you create an account, enter garden data, or contact us
- Automatically when you use the Platform (usage and technical data)
- From your school or teacher if you are a student accessing the Platform under a school subscription
5. Why We Collect Your Information
We collect and use your information to:
- Provide and operate the Platform, including personalised planting guidance based on your climate zone
- Process your subscription and manage your account
- Send you notifications you have opted into (frost alerts, watering reminders, harvest nudges, seasonal planting guidance)
- Improve and develop the Platform based on how it is used
- Detect and prevent fraud, abuse, and security incidents
- Comply with our legal obligations
- Respond to your support enquiries
We do not use your personal information for advertising purposes, and we do not sell or rent your information to third parties.
Where you have separately provided your prior express consent, we may use photos and commentary you have uploaded to the Platform in our marketing and promotional materials. You may withdraw this consent at any time by contacting us at privacy@myveggiepatch.com.au. We will never use content associated with student or school accounts for marketing or promotional purposes, regardless of any consent provided.
6. Disclosure of Your Information
6.1 Service providers
We share limited personal information with the following third-party service providers who assist us in operating the Platform. Each is engaged under a data processing agreement consistent with Australian privacy law:
- Supabase Inc – database hosting and authentication. Your data is stored in the ap-southeast-2 (Sydney) AWS region.
- Anthropic PBC – AI guidance features (plant advice, pest identification). Data submitted via the Anthropic API is not used for model training. API inputs and outputs may be temporarily logged by Anthropic for safety and abuse-prevention purposes consistent with their commercial API terms.
- OpenWeatherMap – weather data. We submit your suburb/postcode coordinates to retrieve local forecasts. No personal identifiers are included in these requests.
- OneSignal Inc – push notification delivery. If you enable push notifications, a device token is shared with OneSignal. OneSignal’s Privacy Policy governs their handling of this token.
- Resend Inc – transactional email delivery. Email address and notification content are shared only when sending emails you have opted into.
- Stripe Inc – subscription billing. Payment card details are collected and stored exclusively by Stripe. We do not hold or see your full card number.
6.2 Other disclosures
We may also disclose your personal information:
- Where required by law, court order, or regulatory authority
- To protect the safety of any person, including in response to a credible threat
- To a successor entity in the event of a business sale or merger, subject to the acquirer agreeing to be bound by equivalent privacy obligations
7. Children’s Privacy
We take the privacy of children and young people seriously. The following additional protections apply to any user under 18 years of age:
- Student accounts created via school access codes require no email address, date of birth, or contact information
- Student-generated content is only accessible to the student and their supervising teacher
- We do not use student data for advertising, profiling, or AI model training
- Photos uploaded by students have EXIF metadata (including device location) stripped before storage – processed server-side for garden journal photos and in the browser for profile photos
- We do not permit students to publish content visible to the general public without teacher approval
- Parents or guardians of students may request access to, or deletion of, their child’s information by contacting us at privacy@myveggiepatch.com.au
For school subscriptions in Victoria, our data handling practices are designed to be consistent with the Department of Education’s Cloud Computing Policy and the requirements of the Education and Training Reform Act 2006 (Vic).
8. Data Storage and Security
Your personal information is stored on servers located in Australia (Sydney region). We implement the following security measures:
- All data in transit is encrypted using TLS 1.2 or higher
- Passwords are hashed using bcrypt and are never stored in plaintext
- Database access is restricted to authenticated server-side processes via Row Level Security policies
- Photos are stored in access-controlled cloud storage with signed URLs
- We conduct regular security reviews and apply security patches promptly
No method of transmission over the internet or electronic storage is 100% secure. While we implement commercially reasonable safeguards, we cannot guarantee absolute security.
9. Data Retention
We retain your personal information for as long as your account is active. If you delete your account:
- Your account and garden data are soft-deleted immediately (hidden from all views)
- Permanent deletion of your account data occurs within a reasonable period following the soft-deletion date
- Residual copies in encrypted backups may persist for a period following deletion, consistent with our cloud infrastructure provider’s backup retention schedules
- Audit logs may retain anonymised records of account-level events for up to 7 years
10. Access and Correction
Under the Australian Privacy Principles, you have the right to:
- Request access to the personal information we hold about you
- Request correction of inaccurate, out-of-date, or incomplete information
- Request deletion of your information (subject to our legal retention obligations)
- Opt out of non-essential communications
To exercise any of these rights, contact us at privacy@myveggiepatch.com.au. We will respond within 30 days.
11. Cookies and Tracking
The Platform uses strictly necessary session cookies to maintain your authenticated session. We also use PostHog analytics cookies to understand how the Platform is used and improve it over time. PostHog does not use your data for advertising purposes. We do not use advertising cookies or cross-site tracking cookies.
12. Changes to This Policy
We may update this Policy from time to time. Where changes are material, we will notify you by email or in-app notification before they take effect. Continued use of the Platform after the effective date constitutes acceptance of the updated Policy.
13. Complaints
If you believe we have handled your personal information in a way that does not comply with the Privacy Act 1988, please contact us first at privacy@myveggiepatch.com.au. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.