Privacy Policy · Seeded

This Privacy Policy explains how Seeded (“we”, “us”, “our”) collects, uses, shares, and protects personal information when you use the Seeded mobile app (the “App”), our website at seededhabits.com (the “Site”), and any related services (together, the “Services”).

If you do not agree with this Policy, please do not use the Services.

1. Who we are (Data Controller)

Seeded is operated by Seeded LTD, a company registered in England and Wales (company number 17272298). Seeded LTD is the data controller for personal data processed through the Services for the purposes of the UK GDPR, the EU GDPR, and similar laws.

You can contact us about this Policy or how we handle your data at:

Privacy matters / data-rights requests: privacy@seededhabits.com
General enquiries: hello@seededhabits.com

We have not appointed a Data Protection Officer, as we are not required to do so under the UK GDPR or EU GDPR.

2. Summary (plain English)

We built Seeded to help you track habits and journal privately. In short:

We don’t sell your data. Ever.
We don’t show ads, and we don’t share your data with advertisers. We use no advertising identifiers and no third-party advertising or tracking SDKs.
We don’t use your habits, journal entries, photos, or notes for advertising or for any third-party analytics.
You can export your data and delete your account and all your data at any time from inside the App.
We use a small number of trusted service providers (listed in Section 6) to run the Services, for things like authentication, storage, email delivery, crash reporting, and processing subscription payments.
Your content (habits, journal, photos, videos) is stored in the European Union, encrypted in transit and at rest, and is only accessible to you when signed in.

The sections below explain the details required by law.

3. Information we collect

We collect the following categories of personal information. Most of it comes directly from you; some (device and crash information) is generated automatically when you use the App.

3.1 Information you provide

Account information, when you sign in:

If you use Sign in with Apple: we receive a stable Apple user identifier, and (on your first sign-in only, and only if you choose to share it) your name and email address. Apple may provide a private-relay email address instead of your real one; if so, that is the address we hold.
If you use Sign in with Google: we receive your Google account identifier, name, email address, and profile picture URL.
A timezone, set automatically from your device, used to determine “today” for habit completions in your local time.

Content you create, everything you put into the App:

Habits you create (names, descriptions, nicknames used in reminder notifications, reminder times and days).
Habit completions (the dates you marked a habit complete).
Habit notes (free-text notes you attach to habits).
Journal entries (free-text body and date).
Media (photos and videos you choose to upload to habits or journal entries).
Profile information (display name, optional avatar image).

Communications: if you contact us by email or otherwise, we keep a record of the correspondence and any information you share with us.

3.2 Information collected automatically

Subscription and purchase information, if you purchase a subscription:

Purchase event metadata (product purchased, transaction identifier, purchase date, renewal/expiry date, trial status, and the store, Apple or Google).
A pseudonymous customer identifier maintained by our subscription provider (RevenueCat).
We do not see, store, or process your payment card or bank details. All payments are handled entirely by the Apple App Store or Google Play.

Device and diagnostic information:

Device type, operating system and version, device language, App version and build number.
Crash diagnostics and error logs (stack traces, device model, OS version, App version, and the actions immediately preceding a crash, known as “breadcrumbs”) are sent to our crash-reporting provider (Sentry, see Section 6) and used solely to identify and fix bugs. Crash reports are de-identified before they leave your device: we strip account identifiers, email, and username, and they do not include the content of your habits, journal entries, notes, photos, or videos.

We do not use third-party product-analytics tools (such as Google Analytics, Firebase Analytics, Amplitude, PostHog, Mixpanel, or Segment) to track your in-app behaviour. The “Insights” features in the App are computed on your device from your own data and are not sent to any analytics provider.

Cookies and similar technologies (Site only): see Section 12.

3.3 Information you grant via device permissions

We only access these if you explicitly grant permission, and only for the stated purpose:

Camera: to capture photos or videos you choose to attach to a habit or journal entry.
Photo library: to let you select existing photos or videos to attach.
Notifications: to send the habit reminders you have set up. Reminders are scheduled and delivered locally on your device; we do not operate remote/push notification servers.
Calendar (optional): only if you ask us to add a habit reminder to your device calendar. We do not read your existing calendar events.

You can revoke any of these permissions at any time in your device’s settings.

3.4 Sensitive information you may include

Seeded is a general habit and journaling tool. We do not ask for, and do not intentionally collect, “special category” data (such as data about your health, religion, sex life, or political views). However, free-text fields such as journal entries and notes are yours to write as you wish, and you may choose to include such information. If you do, you provide it voluntarily and consent to our storing it as part of providing the Service. Please avoid entering information you would not want stored.

3.5 Information we do not collect

Precise GPS location.
Contacts.
Microphone audio (other than the audio track of a video you choose to record and attach).
Health data from Apple Health or Google Fit.
Advertising identifiers (IDFA / Google Advertising ID). We do not show ads or share data with advertisers, so we do not request App Tracking Transparency permission.

4. How we use your information

Purpose	Examples
Providing the Services	Authenticating you, storing and syncing your habits and journal, storing media, scheduling local reminders.
Operating subscriptions	Verifying purchases, granting access to paid features, processing free trials, renewals, and refunds.
Communicating with you	Sending service messages (e.g. subscription confirmations, security alerts, data-export emails, policy updates) and responding to your support requests.
Maintaining and improving the Services	Diagnosing crashes and fixing bugs using crash-report data.
Security and abuse prevention	Detecting suspicious activity, protecting against abuse, enforcing our terms.
Legal compliance	Meeting our obligations under applicable laws and responding to lawful requests from authorities.

5. Legal bases for processing (UK / EU GDPR)

If you are in the UK or EEA, we rely on the following legal bases under the UK GDPR and EU GDPR:

Processing	Legal basis
Creating your account; storing your habits, journal, and media; syncing across devices	Contract (Art. 6(1)(b)), necessary to provide the Service you signed up for.
Processing subscription payments and entitlements	Contract (Art. 6(1)(b)).
Sending service-related emails	Contract (Art. 6(1)(b)) and/or Legitimate interests (Art. 6(1)(f)).
Crash reporting and diagnostics	Legitimate interests (Art. 6(1)(f)), to keep the App stable and fix bugs.
Security and abuse prevention	Legitimate interests (Art. 6(1)(f)).
Responding to your data-rights requests	Legal obligation (Art. 6(1)(c)).
Any marketing emails (only if we ever introduce them)	Consent (Art. 6(1)(a)), opt-in, withdrawable at any time.

Where we rely on legitimate interests, we have carried out a balancing test and concluded that our interests do not override your rights and freedoms. You can contact us to ask for details of that assessment.

6. Who we share your information with

We share personal information only with the categories of recipients listed below, and only as needed for the purposes described. Each processor acts on our behalf under a written data-processing agreement.

6.1 Processors acting on our behalf

These companies process personal information on our behalf, under our instructions and a written data-processing agreement:

Provider	Purpose	Data processed	Where data is stored
Supabase Inc.	Authentication, database, and file storage (your habits, journal entries, media, profile).	Account identifier, email, timezone, all content you create, uploaded media.	European Union, Frankfurt, Germany (eu-central-1).
Resend (Resend, Inc.)	Transactional email delivery (e.g. your data-export download link).	Your email address and the contents of the message sent to you.	European Union (EU region).
Functional Software, Inc. (Sentry)	Crash reporting and error monitoring.	App version, device model, OS version, stack traces, breadcrumbs (recent in-app actions). No account identifier, and no habit, journal, or media content.	European Union (Sentry EU region).
RevenueCat, Inc.	Subscription management and entitlement checking.	Pseudonymous user identifier, purchase events, subscription status, device platform.	United States.
Sanity.io	Content delivery for the “Learning” articles in the App.	Only anonymous read requests for published articles. We do not send your account information to Sanity.	Global CDN.
Expo (650 Industries, Inc.) / EAS	App build, distribution, and over-the-air updates.	App version metadata only. No user content.	United States.

6.2 Other third parties (independent controllers)

When you sign in with Apple or Google, or when you buy a subscription through the Apple App Store or Google Play, Apple Inc. and Google LLC process your information as independent data controllers under their own privacy policies, not as our processors. We receive only limited information from them (see Section 3), and we have no control over how they otherwise use the data they collect directly from you.

Third party	Interaction	Data they handle	Governed by
Apple Inc.	Sign in with Apple; App Store purchase processing.	Apple ID identifier, name (first sign-in only), email or private-relay email, transaction information.	Apple’s Privacy Policy.
Google LLC	Sign in with Google; Google Play purchase processing (Android).	Google account identifier, email, name, profile picture URL, transaction information.	Google’s Privacy Policy.

6.3 Legal and safety

We may disclose information if required by law, regulation, legal process, or a binding governmental request, for example in response to a court order or subpoena. We may also disclose information where we believe in good faith it is necessary to protect our rights, property, or safety, or those of our users or the public, or to investigate fraud or abuse. Where lawful, we will notify you before disclosure.

6.4 Business transfers

If we are involved in a merger, acquisition, financing, reorganisation, or sale of assets, personal information may be transferred to the relevant party as part of that transaction. We will provide notice in the App or by email before your information becomes subject to a different privacy policy.

6.5 We do not sell or “share” your data

We do not sell personal information, and we do not “share” personal information for cross-context behavioural advertising as those terms are defined under the California Consumer Privacy Act (CCPA/CPRA). We have not done so in the preceding 12 months. We do not show advertising in the App or on the Site, and we do not provide your data to advertisers, ad networks, or data brokers.

7. International data transfers

Your account, habits, journal entries, profile, and uploaded media are stored on servers in the European Union (Frankfurt, Germany) via our infrastructure provider, Supabase. Our email provider (Resend) and our crash-reporting provider (Sentry) are likewise configured to use their EU regions.

Some of our service providers are located outside the UK and EEA, principally in the United States. These currently include:

RevenueCat (subscription management): United States.
Apple and Google (Sign-In and store-payment processing): United States.
Expo / EAS (build and update distribution): United States.

When personal information is transferred outside the UK / EEA, we rely on one or more of the following safeguards:

An adequacy decision by the UK Government or European Commission, where one exists for the destination country (for example, the UK Extension to the EU–US Data Privacy Framework, where the recipient is certified).
Standard Contractual Clauses approved by the European Commission (for EU/EEA transfers), together with, where applicable, the UK International Data Transfer Addendum or the UK International Data Transfer Agreement (IDTA) (for UK transfers).
Other safeguards permitted under UK GDPR / EU GDPR Articles 46–49.

You can request more information about the safeguards in place for a specific transfer by emailing privacy@seededhabits.com.

8. Your privacy rights

Depending on where you live, you have some or all of the following rights regarding your personal information:

Access: request a copy of the personal information we hold about you.
Rectification: ask us to correct inaccurate or incomplete information.
Erasure (“right to be forgotten”): ask us to delete your personal information.
Restriction: ask us to limit how we process your information.
Portability: receive your information in a structured, commonly used, machine-readable format.
Objection: object to processing based on legitimate interests.
Withdraw consent: where we rely on consent, you can withdraw it at any time without affecting prior processing.
Not be subject to automated decision-making: we do not carry out automated decision-making that produces legal or similarly significant effects.

How to exercise your rights:

Export your data: open the App and go to Profile → Settings → Account → Export data. We will email a download link for a machine-readable copy of your data to the address on your account.
Delete your account and data: open the App and go to Profile → Settings → Delete account (see Section 9).
Any other request, including access, correction, or restriction: email privacy@seededhabits.com.

We will respond within one month (extendable by two further months for complex requests, as permitted by law). We may need to verify your identity before acting on a request.

8.1 UK and EEA users

If you believe we have not handled your information lawfully, you have the right to complain to a supervisory authority:

UK: the Information Commissioner’s Office (ICO), ico.org.uk/make-a-complaint.
EEA: your local data protection authority. A list is available at edpb.europa.eu.

We would, however, appreciate the chance to address your concerns first. Please contact privacy@seededhabits.com before filing a complaint.

8.2 California residents (CCPA / CPRA)

In addition to the rights above, you have the right to know what personal information we collect, use, and disclose; to delete it; to correct it; to opt out of the sale or sharing of personal information (we do not sell or share, so there is nothing to opt out of); to limit the use of sensitive personal information; and to non-discrimination for exercising your rights. To exercise these rights, email privacy@seededhabits.com. You may designate an authorised agent, subject to identity verification.

This Policy, together with the categories of information described in Section 3 and the purposes in Section 4, serves as our “Notice at Collection” under the CCPA/CPRA.

8.3 Other US states

If you reside in a US state with a comprehensive privacy law (including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and others), you may have similar rights. We will honour valid requests under those laws, email privacy@seededhabits.com.

9. Account deletion and data retention

9.1 How to delete your account

You can delete your account at any time:

Open the App and go to Profile → Settings → Delete account, or
Email privacy@seededhabits.com from the address associated with your account.

When you delete your account:

All your habits, habit completions, habit notes, journal entries, photos, videos, and profile information are permanently deleted from our production systems.
Your subscription record in our system is removed.
If you signed in with Apple, we revoke the Sign in with Apple tokens associated with your account.
Important, store subscriptions: deleting your account does not cancel an active App Store or Google Play subscription. You must cancel separately through your Apple ID Subscriptions or Google Play settings to stop being billed. We surface this reminder in the App at the time of deletion, and the App also provides a Manage Subscription option.

Some information may remain in encrypted, access-restricted backups for up to 30 days before being overwritten in the normal course of backup rotation. During this period it is not used for ongoing operations.

9.2 Retention periods

We keep personal information only for as long as necessary for the purposes set out in this Policy:

Category	Retention
Account information	While your account is active; deleted on account deletion (plus backup rotation as above).
Habits, journal, media	While your account is active; deleted on account deletion.
Subscription / purchase records	For the period required for accounting and tax records (typically 6 years in the UK), after which deleted or anonymised.
Data-export files	The download link expires after 72 hours, after which the exported file is deleted from storage.
Support communications	Up to 24 months after the last interaction.
Crash diagnostics	Up to 90 days.

10. Security

We use industry-standard measures to protect your information, including:

Encryption in transit (TLS) for all communications between the App, the Site, and our servers.
Encryption at rest for databases and storage.
Row-level security: your data is logically isolated by user identifier at the database level, so one user cannot access another’s data.
Private storage with signed URLs: your photos and videos are not publicly accessible; access requires a time-limited link generated only for your authenticated session.
Native authentication: Sign in with Apple handles your credentials; we never see your Apple password.
Least privilege: secret keys are stored only on our servers and never embedded in the App.
Authenticated webhooks between our backend and third-party services.
Regular updates: dependencies are kept patched and we monitor for security advisories.

No system is perfectly secure. If we become aware of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours where required, and notify affected users without undue delay where required by law.

11. Children’s privacy

You must be at least 13 years old to use Seeded. The Services are not directed to, and we do not knowingly collect personal information from, children under 13.

If you are under the age of 18 (or the age of majority where you live), you may use Seeded only with the consent and involvement of a parent or guardian. Some EEA countries set the age of digital consent higher than 13 (up to 16); if you live in one of those countries and are under that age, you confirm that a parent or guardian has consented to your use of Seeded.

If you are a parent or guardian and believe a child has provided us with personal information without your consent, please contact privacy@seededhabits.com and we will delete it.

12. Cookies and similar technologies (Site)

Our website at seededhabits.com is a simple landing page that links to the App in the Apple App Store and Google Play, and hosts this Privacy Policy at seededhabits.com/privacy.

The Site uses only strictly necessary cookies (for example, basic security and to keep the site functioning). Under the Privacy and Electronic Communications Regulations (PECR), strictly necessary cookies do not require consent. We do not use analytics cookies, advertising pixels, social-media trackers, or session-recording tools on the Site, and we do not ask Site visitors to provide any personal information.

The App itself does not use cookies; it uses secure on-device storage to keep you signed in.

13. Third-party links

The Site or App may contain links to third-party websites or services that we do not operate (for example, the App Store, Google Play, or articles referenced in the Learning section). This Policy does not apply to those third parties. We encourage you to read their privacy policies.

14. Changes to this Policy

We may update this Policy from time to time. When we make material changes, we will:

Update the “Last updated” date at the top, and
Notify you in the App and/or by email before significant changes take effect.

Your continued use of the Services after the effective date constitutes acceptance of the updated Policy. A history of previous versions is available on request to privacy@seededhabits.com.

15. How to contact us

If you have questions, concerns, or requests regarding this Policy or your personal information, please contact:

Seeded

Privacy and data-rights requests: privacy@seededhabits.com
General enquiries: hello@seededhabits.com

We aim to respond to general enquiries within 5 business days, and to formal data-rights requests within the timeframe required by applicable law (one month under UK / EU GDPR).

Document version: 1.0