Privacy Policy for Sprout

Last Updated: February 2, 2025

Introduction

Welcome to Sprout ("we," "our," or "us"). We are committed to protecting your privacy and ensuring you have a positive experience using our app. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Sprout mobile application.

By using Sprout, you agree to the collection and use of information in accordance with this policy. If you do not agree with this policy, please do not use our app.

1. Information We Collect

1.1 Information You Provide

Account Information:

• Email address (if you create an account)
• Password (encrypted and never stored in plain text)
• Name (optional, for personalization)
• OAuth provider information (if you sign in with Google or Apple)

App Usage Data:

• Tasks you create (title, notes, due dates, priority)
• Pet customization (pet type, name, pronouns)
• App settings and preferences
• Completion history and productivity statistics

1.2 Information Automatically Collected

Device Information:

• Device type and model
• Operating system version
• Unique device identifiers
• App version

Usage Analytics:

• App interactions and feature usage
• Session duration
• Error logs and crash reports
• Performance metrics

1.3 Information We Do NOT Collect

We do NOT:

• Track your location
• Access your contacts
• Access your camera or photos (unless you explicitly grant permission for specific features)
• Share your data with third-party advertisers
• Sell your personal information

2. Legal Basis for Processing (GDPR)

We process your personal data based on the following legal grounds:

• Consent: When you create an account, use AI features, or enable analytics, you provide explicit consent for data processing. You can withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
• Contract: To provide services you've signed up for, including account creation, task syncing, and premium features.
• Legitimate Interest: To improve the app, prevent fraud and abuse, maintain security, and optimize performance. We ensure our legitimate interests do not override your rights and freedoms.
• Legal Obligation: To comply with laws and regulations, respond to legal requests, and enforce our Terms of Service.

3. How We Use Your Information

3.1 Provide Core Services

• Create and maintain your account
• Sync your tasks and data across devices
• Save your pet's progress and customization
• Process your subscription (if you upgrade to Premium)

3.2 Improve User Experience

• Personalize app content and features
• Remember your preferences and settings
• Provide AI-powered task recommendations (with your consent when using AI features)

3.3 Maintain App Functionality

• Monitor app performance and fix bugs
• Prevent fraud and abuse
• Respond to user support requests
• Send essential service updates

3.4 AI Features (With Your Explicit Consent)

When you actively choose to use AI-powered features (Task Breakdown, Brain Dump, "What Should I Do Now?"):

• Your task data is sent to OpenAI's API for processing
• We do not store AI-generated content longer than necessary to deliver the service
• AI processing is subject to OpenAI's privacy policy: https://openai.com/privacy
• You can choose not to use AI features at any time without affecting core app functionality

Automated Decision-Making: Our AI features provide suggestions and recommendations but do not make automated decisions that significantly affect you legally or similarly. You maintain full control over all tasks and decisions within the app.

4. How We Share Your Information

We do NOT sell your personal information. We only share data in these limited circumstances:

4.1 Service Providers (Data Processors)

We share data with trusted service providers who process data on our behalf under strict contractual obligations:

Supabase (database and authentication)

• Purpose: Stores your account and app data
• Location: AWS infrastructure, with servers in the United States
• Safeguards: Standard Contractual Clauses (SCCs), encryption, role-based access controls

OpenAI (AI features)

• Purpose: Processes task data when you use AI features (with your consent)
• Location: United States
• Safeguards: Data Processing Agreement, OpenAI's privacy commitments

RevenueCat (subscription management)

• Purpose: Processes and manages premium subscriptions
• Location: United States
• Safeguards: Data Processing Agreement, industry-standard security

Google/Apple (OAuth authentication)

• Purpose: Secure authentication when you choose to sign in with these services
• Location: Global infrastructure
• Safeguards: Subject to Google and Apple Privacy Policies

All service providers are contractually required to:

• Process data only on our instructions
• Implement appropriate security measures
• Not use your data for their own purposes
• Comply with GDPR requirements for data processors

4.2 Legal Requirements

We may disclose your information if required by law, court order, or to:

• Comply with legal processes or governmental requests
• Enforce our Terms of Service
• Protect our rights, property, or safety, or that of our users
• Prevent fraud, security threats, or illegal activities

4.3 Business Transfers

If Sprout is acquired, merged with another company, or undergoes a business restructuring, your information may be transferred as part of that transaction. You will be notified via email and/or prominent notice in the app at least 30 days before any such transfer, with an opportunity to delete your data before the transfer.

5. International Data Transfers

If you use Sprout from outside the United States:

Your data may be transferred to and processed in the United States and other countries where our service providers operate. These countries may have different data protection laws than your country of residence.

We ensure adequate protection for international transfers through:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Data Processing Agreements with all processors handling EU/UK personal data
• Technical and organizational security measures equivalent to GDPR standards
• Regular assessments of data transfer mechanisms to ensure compliance with EU Court of Justice rulings

Note: We do not rely on the EU-U.S. Privacy Shield, which was invalidated in 2020.

6. Data Storage and Security

6.1 Where We Store Data

• Cloud Storage: Your data is stored securely on Supabase servers (AWS infrastructure)
• Local Storage: Some data is cached locally on your device for offline access
• Server Location: Primary servers are located in the United States

6.2 How We Protect Data

We implement industry-standard security measures:

• All data is encrypted in transit (HTTPS/TLS 1.2+)
• Database is encrypted at rest (AES-256)
• Passwords are hashed using bcrypt or similar algorithms
• Regular security audits and penetration testing
• Role-based access controls (Row Level Security)
• Multi-factor authentication for administrative access
• Regular security updates and patch management
• Staff training on data protection and security

6.3 Data Retention

• Active accounts: Data retained as long as your account is active and for legitimate business purposes
• Deleted accounts: Personal data deleted within 14 days of account deletion request, unless we have a legal obligation to retain it
• Completed tasks: Free users: Auto-deleted after 7 days; Premium users: Customizable retention (up to 1 year)
• Backups: Retained for up to 90 days for disaster recovery, then permanently deleted
• Legal holds: If data is subject to legal proceedings, it may be retained beyond standard periods until the legal matter is resolved

6.4 Data Breach Notification

In the unlikely event of a personal data breach that poses a risk to your rights and freedoms:

We will notify:

• The relevant supervisory authority within 72 hours of becoming aware of the breach
• You directly via email within 72 hours if the breach poses a high risk to you

Our notification will include:

• Nature of the breach and data affected
• Likely consequences
• Measures taken or proposed to address the breach
• Contact information for further inquiries

You can report suspected security issues to: security@sproutapp.tech

7. Your Privacy Rights

7.1 Your Rights Under GDPR (EU/UK Users)

You have the following rights regarding your personal data:

• Right of Access: You can request a copy of all personal data we hold about you
• Right to Rectification: You can correct inaccurate or incomplete data
• Right to Erasure ("Right to be Forgotten"): You can request deletion of your personal data
• Right to Data Portability: You can receive your data in a structured, machine-readable format and transfer it to another service
• Right to Restrict Processing: You can limit how we use your data in certain circumstances
• Right to Object: You can object to processing based on legitimate interests or for direct marketing
• Right to Withdraw Consent: You can withdraw consent at any time without affecting prior processing
• Right Not to be Subject to Automated Decision-Making: You have rights regarding automated decisions with significant effects (our AI features do not make such decisions)
• Right to Lodge a Complaint: You can file a complaint with your local supervisory authority

7.2 How to Exercise Your Rights

In-app:

• Settings → Account → Manage Data (access, update, export data)
• Settings → Privacy → Manage Consents (withdraw specific consents)
• Settings → Account → Delete Account (complete deletion)

By Email:

• General requests: hello@sproutapp.tech
• Privacy-specific requests: dpo@sproutapp.tech
• Security concerns: security@sproutapp.tech

Response Time:

• We will respond to privacy requests within 30 days (as required by GDPR)
• We may extend this by 60 additional days for complex requests (we'll inform you within the first 30 days)
• We will verify your identity before processing requests

Free of Charge:

• The first request is free
• Excessive or repetitive requests may incur a reasonable administrative fee

7.3 Withdrawing Consent

You can withdraw consent for specific data processing activities without deleting your account:

• Analytics: Settings → Privacy → Disable Analytics
• AI Features: Simply don't use AI features; no data is sent unless you actively use them
• Marketing Communications: Unsubscribe links in emails or Settings → Notifications

Withdrawing consent does not affect:

• Processing based on other legal bases (contract, legitimate interest, legal obligation)
• The lawfulness of processing before consent was withdrawn

7.4 Supervisory Authorities

For EU Users:

You can lodge a complaint with your local Data Protection Authority. Find yours at: https://edpb.europa.eu/about-edpb/board/members_en

For UK Users:

Information Commissioner's Office (ICO)

• Website: https://ico.org.uk
• Phone: 0303 123 1113
• Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

For California Users (CCPA):

• Right to know what data is collected
• Right to delete personal information
• Right to opt-out of data sales (we don't sell data)
• Right to non-discrimination for exercising rights

8. Children's Privacy

Sprout is intended for users aged 13 and older. We do not knowingly collect personal information from children under 13 (or under 16 for EU/UK users without parental consent).

If you believe we have collected data from a child under the applicable age:

• Email us immediately at: hello@sproutapp.tech
• We will delete the data within 48 hours

Parents/Guardians: If you want to review or delete your child's data, contact us with verification of guardianship.

9. Third-Party Services

9.1 Authentication Providers

• Google Sign-In: Subject to Google Privacy Policy
• Apple Sign-In: Subject to Apple Privacy Policy

When you use these services, they may collect data according to their own policies. We only receive the information necessary for authentication.

9.2 AI Services

• OpenAI API: Processes task data when you actively use AI features (with your consent)
• We send only the minimal data necessary for AI functionality
• OpenAI's privacy policy: https://openai.com/privacy
• You control whether to use AI features

9.3 Payment Processing

• Apple App Store: Processes iOS in-app purchases
• Google Play Store: Processes Android in-app purchases
• RevenueCat: Manages subscription status

We do NOT store your payment information (credit cards, billing details, etc.). All payment processing is handled directly by Apple, Google, or their authorized processors.

10. Cookies and Tracking

10.1 What We Use

• Local Storage: To save your settings and preferences on your device
• Authentication Tokens: To keep you logged in securely
• Analytics Cookies (with consent): To understand how features are used (anonymized)

10.2 What We Don't Use

We do NOT use:

• Advertising cookies
• Cross-site tracking
• Third-party advertising networks
• Tracking pixels for marketing

10.3 Your Control

You can manage cookie preferences in Settings → Privacy. Note that disabling certain cookies may affect app functionality.

11. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, or legal requirements.

How we notify you of significant changes:

• In-app notification with summary of changes
• Email notification to registered users at least 30 days before changes take effect
• Updated "Last Updated" date at the top of this policy

What constitutes a significant change:

• Changes to data collection practices
• New data sharing arrangements
• Changes to your rights or how to exercise them
• Material changes to data retention or security

Your options:

• Review changes and continue using Sprout (constitutes acceptance)
• Contact us with questions or concerns
• Exercise your right to delete your account if you disagree with changes

For non-significant changes: We will update the policy and date without advance notice.

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy:

General Inquiries:

• Email: hello@sproutapp.tech
• Response Time: Within 48 hours

Privacy & Data Protection:

• Email: dpo@sproutapp.tech
• Response Time: Within 30 days (complex requests may take up to 90 days with notice)

Security Issues:

• Email: security@sproutapp.tech
• Response Time: Within 24 hours

Mail:

Sprout App
2 Foster Close
Derby, DE3 0BF
United Kingdom

Data Protection Officer

For EU/UK users, you can contact our Data Protection Officer:
Email: dpo@sproutapp.tech
The DPO is responsible for overseeing our data protection strategy and GDPR compliance

Summary

• What we collect: Email, tasks, pet data, usage analytics (with consent)
• Why we collect it: To provide the app, sync across devices, improve features
• Who we share with: Only essential service providers (Supabase, OpenAI for AI features, payment processors) under strict contractual protections
• Your rights: Access, update, export, delete your data, withdraw consent, object to processing, lodge complaints
• Our commitment: We never sell your data, never show you ads, and protect your privacy with strong security measures
• Legal basis: Consent, contract performance, legitimate interests, and legal obligations
• Your control: You can withdraw consent, delete your account, or exercise any GDPR right at any time

Effective Date

This Privacy Policy is effective as of February 2, 2025 and applies to all users of the Sprout mobile application.

Thank you for trusting Sprout with your data. Your privacy matters to us.

Version History

• v2.0 (February 2, 2025): Updated for full GDPR compliance, removed Privacy Shield reference, added data breach notification procedures, clarified consent withdrawal mechanisms, added supervisory authority details
• v1.0 (Initial version): Original privacy policy