Privacy Policy
Last updated: 29 May 2026
Kultivar is built around a single principle: your grow data lives on your device by default. We don't have an account system, we don't build profiles, and we don't sell anything to advertisers. This document explains exactly what data the app touches, where it goes, and what control you have over it.
What we collect — and where it lives
Data that stays on your device
Everything you log inside Kultivar — plants, grow spaces, photos, notes, watering schedules, environment readings, harvest weights, expenses, training records — is stored locally on your device only in an encrypted Hive database.
We do not have a copy of this data. We can't see it, can't recover it if your device is lost, and can't share it with anyone.
Optional anonymous community data
If you opt into the community benchmark feature (Settings → Community → Share anonymous grow data), Kultivar uploads the following to our community database (Supabase):
- Strain name (normalised — lowercase, trimmed)
- Dry weight in grams
- Total grow days, vegetative days, flowering days
- Whether the plant was an autoflower or a clone
- Optional growing medium / light type / training techniques
- App version (for sample bucketing)
We do not upload:
- Your name, email, or any account identifier (we have none)
- Photos
- Notes
- Personal observations
- IP address (Supabase logs request IPs at the infrastructure layer
but Kultivar's application code does not store or correlate them with submissions)
- Device identifiers
Each submission is independent. There is no link between two submissions from the same device. You can switch the opt-in off at any time; we have no way of identifying your past submissions to delete them on request because they aren't tied to you.
Subscription data (RevenueCat)
If you purchase Kultivar Pro Cloud or Lifetime Local, the App Store / Play Store handles the transaction. Kultivar uses RevenueCat — a subscription infrastructure provider — to validate your entitlement on each device and to support "Restore Purchases".
RevenueCat receives:
- An anonymous device identifier generated by the store
- Your subscription product ID and renewal status
RevenueCat does not receive any of your grow data. See RevenueCat's privacy policy for how they handle the identifiers we send.
Optional crash reports (Sentry)
Production builds of Kultivar may ship with crash reporting enabled via Sentry. When the app crashes or hits an unhandled error, Sentry receives:
- The error name + stack trace
- The operation that failed (e.g.
StorageService.savePlants) - App version + OS version
- Anonymous, randomly-generated installation ID
Sentry does not receive any of your grow data, photo files, or notes.
If you'd prefer not to send crash reports at all, build Kultivar yourself from source without supplying the SENTRY_DSN build flag — see BUILD.md in the project repository.
Weather data (Open-Meteo)
When you enable the outdoor weather card for a grow space, Kultivar calls Open-Meteo — a free public weather API — with the latitude + longitude you set for that space (or that you allow the app to detect via your device's location services).
The latitude / longitude is only sent to Open-Meteo at the moment the card is being refreshed. It is not stored on any of our servers (we don't have any servers in that loop). Open-Meteo's privacy stance is documented at open-meteo.com/en/terms.
You can revoke the location permission from your operating system settings at any time; the card will fall back to showing a "Set location manually" prompt.
What we don't do
- We do not have user accounts and do not require one.
- We do not sell, rent, or trade your data with anyone.
- We do not embed third-party advertising SDKs.
- We do not track you across other apps or websites.
- We do not use cookies (Kultivar is a mobile app, not a website).
- We do not profile you for marketing.
Your rights
Because the bulk of your data lives only on your device, you control it directly:
- View your data — open the app; everything is browsable.
- Export your data — Settings → Backup → Export Backup writes
every plant, note, harvest log, and photo to an encrypted ZIP you can store wherever you like.
- Delete your data — uninstall the app, or use *Settings → Clear
all data* to wipe everything in place.
- Stop sharing community data — toggle *Settings → Community →
Share anonymous grow data* off. New submissions will not be made. Past submissions cannot be tied back to you and therefore cannot be individually deleted.
If you're a resident of the EU (GDPR) or California (CCPA), you have additional rights to data portability, correction, and deletion. The export + clear-all flows above already cover portability and deletion end-to-end for the local data. For community submissions, the anonymisation means there is no record to correct or delete against your identity.
Children's privacy
Kultivar is intended for adults legally permitted to cultivate cannabis in their jurisdiction. We do not knowingly collect data from anyone under 18 (or the local age of majority where higher). If you believe we have inadvertently collected data from a minor, contact us at the address below and we will delete it.
Security
- Local data sits in an encrypted Hive box on your device. The
encryption key is stored in the platform's secure storage (iOS Keychain, Android Keystore).
- Backup exports are wrapped in an additional AES-256-GCM envelope
with a PBKDF2-HMAC-SHA256 derived key — your backup passphrase is never stored or transmitted.
- Community submissions travel to Supabase over HTTPS.
No system is perfectly secure. We use the best practices available to the Flutter / Dart ecosystem at the time of release, and we patch identified weaknesses promptly in subsequent updates.
Changes to this policy
We may update this policy from time to time — for example, when we add a new feature that touches data. The "Last updated" date at the top will reflect the change. Material changes (anything that expands what we collect or how we use it) will be surfaced in the app on first launch after the update.
Contact
Questions about this policy, or about your data? Reach Kultivar at:
Kultivar is operated by Kultivar (Pty) Ltd, a private company registered in the Republic of South Africa under the Companies Act, 2008 (Reg: <COMPANY_REG_PLACEHOLDER>). The preflight script (tools/preflight.ps1) will flag the placeholder above as missing until you replace it with the actual CIPC-issued registration number.