Last updated: June 2026
The data controller within the meaning of the GDPR is:
Yorrick Dettlaff
Leostraße 13
45359 Essen
Germany
Email: yorrickdettlaff@googlemail.com
When you register, we collect your email address, a password (hashed, never stored in plain text) and an optional display name. This data is processed via Supabase Auth (Supabase Inc., 970 Trestle Glen Rd, Oakland, CA 94610, USA). Legal basis: Art. 6(1)(b) GDPR (contract performance).
Plants you create, watering logs and household data are stored in the Supabase database (region: eu-central-1, Frankfurt). Legal basis: Art. 6(1)(b) GDPR.
If you upload a profile photo, it is stored in Supabase Storage (Frankfurt). Storage is voluntary. Legal basis: Art. 6(1)(a) GDPR (consent).
If you enable push notifications, a device-specific push token is stored in our database. It is used exclusively for watering reminders and deleted immediately upon deactivation. Legal basis: Art. 6(1)(a) GDPR (consent).
If you activate the location feature in the household section, your geographic coordinates (latitude and longitude) and a place name are stored in our database. This data is used exclusively to display weather-based watering tips in the weather widget (via Open-Meteo API, no API key, your coordinates are not shared with third parties). Processing only occurs with your explicit consent by activating the feature. You can remove the location at any time in the household section. Legal basis: Art. 6(1)(a) GDPR (consent).
Plant guides are generated using the Anthropic Claude API (Anthropic PBC, USA). Only the plant name and species are transmitted – no personal data. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in improving app functionality).
The app is hosted via Vercel Inc. (340 Pine Street, San Francisco, CA 94104, USA). Each page request logs technical data (IP address, browser type, timestamp). These are automatically deleted after 30 days. Legal basis: Art. 6(1)(f) GDPR.
Blossomly uses only technically necessary cookies and local storage entries:
No analytics or tracking cookies are used.
Your data is not sold to third parties. Data is only shared with the following processors, with whom data processing agreements (Art. 28 GDPR) exist:
For data transfers to the USA we rely on Standard Contractual Clauses (SCC) pursuant to Art. 46(2)(c) GDPR.
You have the following rights under the GDPR:
To exercise your rights, contact: yorrickdettlaff@googlemail.com
You also have the right to lodge a complaint with the competent supervisory authority.
All connections are TLS-encrypted (HTTPS). Passwords are stored exclusively as hashes (bcrypt via Supabase Auth). Database access is secured by Row-Level Security (RLS) – you can only access your own data.
Your data is stored as long as your account is active. After account deletion, all personal data is deleted immediately and permanently. Server logs are automatically purged after 30 days.
We reserve the right to update this Privacy Policy as needed. The current version is always available at /privacy. Material changes will be communicated by email.