Privacy Policy

Last updated: April 14, 2026

1. Data We Collect

We collect the following categories of information:

  • Account data: Name, email, username, password hash, and profile information. You may optionally add a phone number and address to your account; these are used for account recovery, fraud prevention, and (where applicable) order delivery.
  • Transaction data: Order history, payment records (processed by Stripe — we do not store full card numbers), and shipping address (recipient name, street, city, region, postal code, country) which you provide at checkout for physical-goods orders.
  • Content data: Photos, short videos, listings, reviews, journal entries, private messages, and other community contributions you choose to upload. Media uploads are optional; you control what you share. The Platform may read text aloud using on-device text-to-speech for accessibility; no audio is recorded, transmitted, or stored as part of that feature.
  • Usage data: Page views, in-app interactions, and analytics events collected via Google Analytics (with your consent). We also retain your in-app search queries to personalise results, surface relevant listings, and understand which species, supplies, and topics the community is looking for so we can improve coverage.
  • Device, session, and security data: Browser type, operating system, IP address, and user agent — recorded in session and audit-log records for account security, abuse detection, and fraud prevention.
  • Diagnostic data: Crash reports and error traces automatically collected when the Platform malfunctions. These may include your user ID, the request path, and technical context needed to reproduce the error; they do not include passwords, payment details, or message contents.
  • AI interaction data: Inputs to AI features (with your consent), anonymized before processing.

2. How We Use Your Data

  • Essential: Account management, order processing, customer support, and app functionality. No consent required.
  • Security & fraud prevention: Detecting abusive accounts, preventing unauthorized access, and investigating suspicious transactions. Processed under our legitimate interests; no consent required.
  • Analytics: Understanding Platform usage to improve features. Requires your consent.
  • Marketing: Newsletters and promotional communications. Requires your consent; all defaults are OFF.
  • AI training: Improving AI features using anonymized data. Requires your explicit consent.

3. Third-Party Services

We share data with the following third parties as necessary to operate the Platform:

  • Stripe: Payment processing and seller payouts. Receives your email, user ID, order metadata, and billing/shipping address.
  • AWS (Amazon Web Services): Cloud hosting, file storage (S3), email delivery (SES).
  • Prodigi & Gelato: Print-on-demand fulfillment. Receives the recipient's name and full shipping address for the specific order they fulfill.
  • Google Analytics: Usage analytics (consent required).
  • Error tracking (GlitchTip/Sentry): Application crash and error monitoring. Receives your user ID, request path, and technical error context; does not receive passwords, payment details, or message contents.

We do not sell your personal data to any third party.

4. Cookies & Tracking

See our Cookie Policy for full details. In summary:

  • Essential cookies: Always active (session, authentication, CSRF protection).
  • Analytics cookies: Require your consent.
  • Marketing cookies: Require your consent.
  • AI training cookies: Require your consent.

We do not use advertising trackers. We respect the Do Not Track header.

5. Your Rights (GDPR & CCPA)

Depending on your location, you have the following rights regarding your personal data:

  • Access: Request a copy of the data we hold about you.
  • Portability: Export your data in a machine-readable format (GDPR Article 20). You may request one export every 7 days.
  • Rectification: Correct inaccurate personal data.
  • Erasure: Request deletion of your account and personal data.
  • Restriction: Limit how we process your data.
  • Objection: Object to processing based on legitimate interests.
  • Withdraw consent: Revoke any consent you have given at any time.
  • Non-discrimination (CCPA): We will not discriminate against you for exercising your privacy rights.

To exercise any of these rights, visit your account settings or contact us at privacy@sprigloom.com.

6. Data Retention

| Data Type | Retention Period |
|---|---|
| Account data | Duration of account |
| Soft-deleted accounts | 30 days, then permanently deleted |
| Transaction records | 7 years (tax/legal requirement) |
| Licensed content (reviews, posts) | Indefinite, anonymized after deletion |
| Banned/blocked records | 5 years (hashed email + reason) |
| Consent trail | 7 years (GDPR accountability) |
| Original images | 90 days |
| Data exports | 7 days (download link) |

7. Media Policy (Photos & Video)

You retain copyright to all images you upload. By uploading, you grant SprigLoom a license to display, resize, and distribute your images as part of Platform operations (listings, Gallery, etc.).

All EXIF metadata is stripped from processed images. Original files are retained for 90 days in cold storage, then permanently deleted. Images are not sold or used commercially outside the Platform without your Gallery consent.

The same principles apply to any videos you upload: you retain copyright, we strip metadata where practical, and media is used to operate the Platform rather than sold or licensed externally without a separate opt-in. Videos are accepted only in journals and seller listings, are capped at 60 seconds, and are scanned for prohibited content before publication.

8. Contributor Earnings Data

If you participate in the Gallery Contributor Program, we retain anonymized earnings records for 7 years to comply with tax reporting obligations (1099-MISC for US contributors earning over $600/year).

9. Children's Privacy

SprigLoom complies with COPPA (Children's Online Privacy Protection Act) for users under 13. Child accounts:

  • Require verifiable parental consent.
  • Are managed by a parent or educator account.
  • Do not have analytics or marketing tracking enabled.
  • Are restricted to educational, general-rated content.
  • Cannot make purchases or send direct messages.

10. International Transfers

Your data may be processed in AWS data centers in the United States and EU regions. For transfers from the EU/EEA to the US, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission.

11. Security Measures

We implement industry-standard security measures including encryption in transit (TLS), encryption at rest, hashed passwords, regular security audits, and role-based access controls. While we take reasonable steps to protect your data, no method of transmission or storage is 100% secure.

12. Breach Notification

In the event of a data breach affecting your personal data, we will notify the relevant supervisory authority within 72 hours as required by GDPR, and notify affected users without undue delay.

13. Contact & Data Protection Officer

For privacy inquiries, data requests, or to contact our Data Protection Officer:

Lion MGT LLC (operating SprigLoom)
5195 Hampsted Village Center Way #232
New Albany, OH 43054, USA
Email: privacy@sprigloom.com or phil@lionprodev.com
Phone: +1 (614) 918-4721

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated with at least 30 days' notice via email or prominent Platform notification. The "Last updated" date at the top of this page reflects the most recent revision.

Questions?

If you have questions about this Privacy Policy, contact Lion MGT LLC at privacy@sprigloom.com or call +1 (614) 918-4721.