Privacy Policy
Last updated · May 14, 2026
Summary
Bare Root is a garden planning tool. We collect the data you give us (your account info, the gardens and plants you track, and any photos or notes you add) plus the minimum operational data needed to run the service. We don't sell your data, we don't use it for advertising, and we share it with third parties only when they help us run the service (payments, email, hosting).
If you have questions or want your data removed, email hello@bareroot.garden.
Who we are
Bare Root is operated by Celtic Winter, an independent software developer based in the United States. In this policy, "we", "us", and "Bare Root" all refer to the same entity.
What we collect
We collect three categories of data:
Account data
- Email address (required, used for sign-in and notifications)
- Display name (optional)
- Profile picture (optional, only if you upload one to Clerk)
- Password (stored and verified entirely by our authentication provider, Clerk; we never see it)
Garden data (everything you enter)
- Garden name, description, and dimensions
- Location: ZIP code (used to look up your USDA hardiness zone and frost dates). We do not collect your precise address.
- Bed names, dimensions, and positions; cell sun levels
- Plantings: which plant, when, current status, variety, notes, rating
- Harvest logs, growth notes, and photos you upload
- Seed inventory you choose to track
- Collaborator invitations you send (email addresses)
Operational data
- Subscription tier and Stripe customer ID (for Pro users)
- Notification preferences and push subscription endpoints
- Timezone (used to send reminders at the right time)
- Standard server logs (IP, user agent, timestamp) retained for security and debugging, typically 30 days
How we use it
- To provide the service: showing your garden, suggesting planting dates, generating reminders, sending notifications
- To process payments if you upgrade to Pro
- To respond to your support requests
- To detect and prevent abuse, fraud, or security incidents
- To improve the product (aggregate, non-identifying analysis only)
We do not use your garden data, photos, or notes for advertising, and we do not sell or rent it to anyone.
Who we share it with
Bare Root runs on top of these third-party processors. Each sees only what it needs to do its job:
- Clerk: authentication and password storage
- Stripe: payment processing (only Pro upgrades; we never store your card data ourselves)
- Vercel: hosting, database (Postgres), and file storage (your uploaded photos)
- Resend: transactional email (reminders, invitations)
- Web push services (Apple, Google, Mozilla): delivering push notifications you opt in to
- Perenual / Wikipedia: public plant data we look up. We do NOT share your data with them; we only fetch plant info.
We may also disclose data if compelled by law (subpoena, court order) or to protect our rights or others' safety. We'll push back on overly broad requests and notify you when legally permitted.
Photos and uploads
Photos you upload are stored privately and are only accessible to you and the collaborators you invite to that garden. We do not look at your photos, scan them, or train any model on them.
Collaborators
When you invite someone to a garden, they receive an email with an invite link. Once they accept, they can see (and, if you grant editor access, modify) data in that garden. They cannot see data from your other gardens.
Your rights
- Access: request a copy of your data
- Correct: fix anything inaccurate (most fields are editable in the app)
- Delete: delete your account and all associated data
- Export: get your data in a portable format
To exercise any of these, email hello@bareroot.garden. We'll respond within 30 days.
Data retention
We keep your data as long as your account exists. If you delete your account, we delete your garden data within 30 days. Backups are purged within 90 days. We may retain limited records (e.g. payment history) longer where required by law.
Security
Data is encrypted in transit (HTTPS everywhere) and at rest. We use reputable infrastructure providers (Vercel, Clerk, Stripe) with strong security track records. No system is bulletproof, but if we ever experience a breach affecting your data we'll notify you promptly.
Children
Bare Root is not directed at children under 13 and we do not knowingly collect their data. If you believe a child has signed up, email us and we'll delete the account.
International users
Bare Root's servers are located in the United States. If you use the service from outside the US, you consent to your data being transferred and processed in the US. Many planning features (growing zones, frost dates) currently only work for US ZIP codes.
Changes to this policy
We'll update this page if our practices change. The "Last updated" date at the top reflects the most recent revision. Material changes will be announced via email or in-app notice before they take effect.
Contact
Questions, complaints, or data requests: hello@bareroot.garden.