Privacy Policy
Effective Date: March 21, 2025
Welcome to Mali ("we," "our," or "us"). We are committed to protecting your privacy and personal data. This Privacy Policy explains what information we collect, how we use and share it, the choices you have, and your rights regarding your data when you use the Mali application ("App", "Service").
By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree, please do not use the Service.
1. Information We Collect
1.1 Information You Provide Directly
| Category | Examples |
|---|
| Account Information | Username, email address (provided by your sign-in provider) |
| Profile Information | Display name, bio, profile picture, location (optional), USDA hardiness zone preference |
| Garden Data | Garden designs, layouts, plant selections, garden bed placements, furniture arrangements, environmental zone settings |
| Plant Care Data | Watering schedules, fertilizing records, harvest logs, plant growth observations, care notes |
| Photos and Images | Garden photos, plant photos submitted for AI identification, profile pictures |
| Messages and Communications | Chat messages with other users, conversations with Sidney AI assistant (text and voice) |
| Journal Entries | Plant observation notes, growth tracking data, garden journal entries |
| Preferences | Notification settings, privacy settings, display preferences |
| Support Communications | Emails, in-app support requests, feedback you send us |
1.2 Information Collected Automatically
| Category | Examples |
|---|
| Device Information | Device type, model, operating system and version, unique device identifiers |
| Usage Data | Features used, actions taken (e.g., plants planted, gardens created), time spent in app, interaction patterns |
| Location Data | GPS coordinates (only with your explicit permission) used to determine your USDA hardiness zone and provide local weather data |
| Log Data | IP address, app version, crash reports, error logs, startup performance metrics |
| Analytics Data | Aggregated usage statistics, user properties (level, total plants, app version), event data (plant planted, harvested, watered) |
| Push Notification Tokens | Firebase Cloud Messaging (FCM) tokens stored to deliver push notifications to your device |
1.3 Information from Third-Party Sources
| Source | Information |
|---|
| Authentication Providers | If you sign in with Google or Apple: name, email address, profile picture, and unique identifier from that provider |
| Payment Processors | Transaction status, subscription tier, renewal dates, and trial status from RevenueCat and app stores (we do not receive or store your payment card details) |
| Weather Services | Local weather data based on your location or hardiness zone |
1.4 Voice and Audio Data
When you use the voice conversation feature with Sidney, we collect:
- Audio recordings: Your voice input is recorded and transmitted in real-time to Google's AI services (Firebase AI / Gemini Live API) for processing
- Session metadata: Duration of voice sessions, number of sessions per day, and quota usage
- Voice audio data is streamed for real-time processing and is not permanently stored by Mali after the voice session ends
- Google's handling of audio data transmitted to their AI services is governed by Google's Privacy Policy
1.5 AI Interaction Data
When you interact with AI features (Sidney text chat, plant identification), we collect:
- Text messages and prompts you send to the AI assistant
- AI-generated responses (cached temporarily to improve performance)
- Photos submitted for plant identification
- Garden context data provided to the AI to personalize recommendations (e.g., your plants, hardiness zone, current weather)
- Usage counts for rate limiting and subscription enforcement
2. How We Use Your Information
2.1 Provide and Operate the Service
- Create and manage your account
- Save, sync, and display your garden designs across devices
- Deliver personalized plant care recommendations based on your hardiness zone, local weather, and garden composition
- Enable AI-powered features including gardening advice, plant identification, and companion planting suggestions
- Facilitate social features: messaging, garden sharing, and plant/garden trading
- Process subscriptions and manage feature access based on your plan
- Send plant care reminders, social notifications, and service-related communications via push notifications
2.2 Improve and Develop the Service
- Analyze usage patterns and feature adoption to improve the App
- Diagnose and fix bugs, crashes, and performance issues
- Develop new features and functionality
- Conduct internal research and analytics (using aggregated and/or anonymized data)
- Monitor app startup performance and optimize load times
2.3 Communicate With You
- Send service-related notifications (e.g., account verification, security alerts, subscription updates)
- Respond to your support requests and feedback
- Send gardening tips, seasonal reminders, and feature updates (with your consent, and you can opt out at any time)
2.4 Safety, Security, and Legal Compliance
- Detect and prevent fraud, abuse, and unauthorized access
- Enforce our Terms of Service and community standards
- Comply with applicable laws, regulations, and legal processes
- Protect the rights, property, and safety of Mali, our users, and the public
3. Legal Bases for Processing (EEA/UK Users)
If you are located in the European Economic Area or United Kingdom, our legal bases for processing your personal data include:
- Performance of Contract: Processing necessary to provide the Service you requested (account management, garden data storage, subscription processing)
- Legitimate Interests: Processing necessary for our legitimate interests that are not overridden by your rights (analytics, fraud prevention, service improvement, debugging)
- Consent: Where you have given explicit consent (location data, marketing communications, voice data collection, analytics tracking)
- Legal Obligation: Processing necessary to comply with our legal obligations
You may withdraw consent at any time, which will not affect the lawfulness of processing based on consent before its withdrawal.
4. How We Share Your Information
4.1 With Your Consent and Through Your Actions
- When you share gardens publicly or with specific users
- When you participate in trades with other users
- When you send messages to other users
- When you make your profile publicly visible
4.2 Service Providers
We share information with third-party service providers who perform services on our behalf:
| Provider | Purpose | Data Shared |
|---|
| Google / Firebase | Cloud infrastructure, database, file storage, authentication, analytics, AI services, push notifications | Account data, garden data, usage analytics, photos, AI conversation data, FCM tokens |
| Google Gemini AI | AI-powered gardening assistance (Sidney) and plant identification | Chat messages, voice audio (real-time), garden context, plant photos |
| RevenueCat | Subscription and in-app purchase management | User ID, subscription status, purchase history |
| Weather Providers | Local weather data for gardening recommendations | Location data (coordinates or hardiness zone) |
Our service providers are contractually obligated to use your data only for the purposes of providing their services to us and in accordance with applicable data protection laws.
4.3 Legal Requirements
We may disclose your information if required to do so by law or in good faith belief that such action is necessary to:
- Comply with a legal obligation, court order, or legal process
- Respond to lawful requests by public authorities, including national security or law enforcement
- Protect and defend our rights or property
- Prevent or investigate possible wrongdoing in connection with the Service
- Protect the personal safety of users or the public
4.4 Business Transfers
If Mali is involved in a merger, acquisition, asset sale, bankruptcy, or other business transaction, your personal information may be transferred as part of that transaction. We will provide notice before your personal information is transferred and becomes subject to a different privacy policy.
4.5 What We Do NOT Do
- We do not sell your personal information to third parties
- We do not share your personal information for third-party advertising purposes
- We do not use your data to train AI models without your explicit consent
5. Data Storage, Security, and Retention
5.1 Storage and Infrastructure
- Your data is stored on Google Cloud Platform servers
- Primary database: Google Cloud Firestore
- File storage (photos, images): Firebase Storage
- Data may be processed and stored in multiple geographic regions as part of Google Cloud's infrastructure
5.2 Security Measures
We implement appropriate technical and organizational security measures to protect your personal data, including:
- Encryption of data in transit (TLS/HTTPS) and at rest
- Secure authentication via OAuth providers (Google, Apple)
- Access controls and role-based permissions for internal systems
- Regular monitoring for security vulnerabilities
- Incident response procedures
While we strive to protect your data, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.
5.3 Data Retention
| Data Type | Retention Period |
|---|
| Active account data | Retained while your account is active |
| Deleted account data | Deleted within 30 days of account deletion request, except as required by law |
| AI conversation cache | Temporary; cleared periodically for performance optimization |
| Plant identification photos | Retained temporarily for processing; not stored permanently after identification |
| Voice session audio | Not stored after the real-time session ends |
| Analytics data | Retained in aggregated/anonymized form; may be kept indefinitely |
| Transaction/subscription records | Retained as required by law (typically 7 years for financial records) |
| Legal compliance data | Retained as long as required by applicable law |
6. Your Rights and Choices
6.1 Account and Data Controls
- Access: You can access most of your personal data through the App (profile, gardens, messages)
- Correction: You can update your profile information, garden data, and preferences through the App at any time
- Deletion: You can delete your account through the App settings or by contacting us at support@keedastudios.com. Upon deletion, we will remove your personal data within 30 days, except where retention is required by law
- Data Portability: You can request a copy of your personal data in a structured, machine-readable format by contacting us
6.2 Communication Preferences
- You can manage push notification preferences within the App settings
- You can opt out of marketing communications at any time
- Service-related notifications (security alerts, account updates) cannot be opted out of while your account is active
6.3 Device Permission Controls
- Location: You can disable location access in your device settings at any time. The App will still function but hardiness zone and weather features will require manual input
- Camera and Photo Library: You can revoke camera or photo access in your device settings. Plant identification and photo features will be unavailable
- Microphone: You can revoke microphone access to disable voice conversations with Sidney. Text-based chat will remain available
- Notifications: You can disable push notifications in your device settings
6.4 Analytics Opt-Out
You can opt out of analytics data collection through the App settings. Opting out will not affect the core functionality of the Service.
7. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence, including the United States and Canada, where our service providers operate. These countries may have different data protection laws than your jurisdiction.
When we transfer data internationally, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements with our service providers
- Compliance with the EU-US Data Privacy Framework, where applicable
- Ensuring recipients maintain adequate data protection standards
8. Children's Privacy
- The Service is not directed to children under the age of 13
- We do not knowingly collect personal information from children under 13
- If we become aware that we have collected personal data from a child under 13, we will take steps to promptly delete that information
- If you are a parent or guardian and believe your child under 13 has provided us with personal information, please contact us at support@keedastudios.com
- Users between 13 and 18 should review this Privacy Policy with a parent or guardian
9. Cookies, Local Storage, and Tracking Technologies
9.1 Technologies We Use
- Local Storage / Shared Preferences: Used to store app preferences, cached data, and session information on your device
- Firebase Analytics SDK: Collects usage data and user properties for analytics purposes
- FCM Tokens: Unique tokens generated by Firebase Cloud Messaging to deliver push notifications to your specific device
- Local Database (Hive): Used for offline data storage and caching on your device
9.2 Web Cookies
If you access our website (trymali.web.app), we may use cookies for session management and basic analytics. You can control cookies through your browser settings.
10. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act and California Privacy Rights Act:
- Right to Know: You can request that we disclose what personal information we collect, use, disclose, and sell about you
- Right to Delete: You can request deletion of your personal information, subject to certain exceptions
- Right to Correct: You can request correction of inaccurate personal information
- Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising. If this changes, we will provide a "Do Not Sell or Share My Personal Information" link
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
- Right to Limit Use of Sensitive Personal Information: You can request that we limit the use of sensitive personal information (such as precise geolocation) to what is necessary to provide the Service
To exercise your rights, contact us at support@keedastudios.com. We will verify your identity before processing your request. You may also designate an authorized agent to make a request on your behalf.
Categories of Personal Information Collected (Past 12 Months)
| Category (per CCPA) | Collected | Sold |
|---|
| Identifiers (name, email, username) | Yes | No |
| Personal information under Cal. Civ. Code 1798.80(e) | Yes | No |
| Internet or network activity (usage data, logs) | Yes | No |
| Geolocation data | Yes (with consent) | No |
| Audio/visual information (voice, photos) | Yes (with consent) | No |
| Inferences (hardiness zone, plant preferences) | Yes | No |
| Sensitive personal information (precise geolocation) | Yes (with consent) | No |
11. European Privacy Rights (GDPR)
If you are located in the European Economic Area (EEA) or United Kingdom, you have the following rights under the General Data Protection Regulation:
- Right of Access: Request a copy of your personal data
- Right to Rectification: Request correction of inaccurate or incomplete data
- Right to Erasure: Request deletion of your personal data ("right to be forgotten")
- Right to Restrict Processing: Request that we limit how we use your data
- Right to Data Portability: Receive your data in a structured, commonly used, machine-readable format
- Right to Object: Object to processing based on legitimate interests or for direct marketing
- Right Not to Be Subject to Automated Decision-Making: Request human review of significant decisions made solely by automated means
- Right to Withdraw Consent: Withdraw previously given consent at any time
To exercise your rights, contact us at support@keedastudios.com. We will respond within 30 days (extendable by up to 60 days for complex requests). If you are unsatisfied with our response, you have the right to lodge a complaint with your local Data Protection Authority.
12. Canadian Privacy Rights (PIPEDA)
If you are a Canadian resident, you have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial legislation, including:
- The right to access your personal information held by us
- The right to challenge the accuracy and completeness of your data and have it amended
- The right to withdraw consent for the collection, use, or disclosure of your personal information (subject to legal or contractual restrictions)
- The right to file a complaint with the Office of the Privacy Commissioner of Canada
13. Third-Party Services and Links
13.1 Integrated Third-Party Services
The Service integrates the following third-party services, each governed by their own privacy policies:
13.2 External Links
The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access through the App.
14. Security Breach Notification
In the event of a data breach that affects your personal information:
- We will notify affected users without undue delay, and in any event within 72 hours of becoming aware of the breach (where required by law)
- We will notify relevant supervisory authorities as required by applicable data protection laws
- Our notification will include the nature of the breach, the data affected, measures taken to address it, and steps you can take to protect yourself
15. Changes to This Privacy Policy
- We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors
- For material changes, we will provide notice through the App, by email, or by other prominent means at least 30 days before the changes take effect
- The "Effective Date" at the top of this page indicates when this Privacy Policy was last revised
- Your continued use of the Service after the effective date of a revised Privacy Policy constitutes your acceptance of the changes
- Previous versions of this Privacy Policy are available upon request
16. Data Protection Contact
For any privacy-related questions, concerns, or to exercise your data rights, please contact us:
We aim to respond to all privacy-related inquiries within 30 days.
By using Mali, you acknowledge that you have read and understood this Privacy Policy. We encourage you to review this policy periodically for updates.