Privacy Policy

Introduction

Welcome to YoiBonsai (“we,” “our,” or “us”). We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and related services (collectively, the “App”).

Please read this privacy policy carefully. By using YoiBonsai, you agree to the collection and use of information in accordance with this policy.

Information We Collect

Personal Information You Provide

We collect personal information that you voluntarily provide when registering for an account or using our services:

• Account Information: Email address, username, name (first and last), and profile photo (if provided)
• How you sign in: You can sign in with Google or with an email and password on the Android app or the website. The Android app also has a guest mode that lets you try the app without creating a full account; you can upgrade a guest account to a permanent one at any time. We never see or store your password — sign-in is handled by Google.
• Bonsai Tree Data: Information about your bonsai trees including names, photos, care notes, and maintenance schedules
• Subscription Information: Purchase history and subscription status (processed through Google Play)
• Direct Messages: When you message another user (sharing a tree, replying to a marketplace listing, or in a regular conversation), the messages are stored on our server and delivered in real time. Only you and the recipient can read them.
• Marketplace Listings: If you list a tree on Ichiba (our marketplace), the listing title, description, price, photos, and any location text you choose to enter are stored on our server and visible to other users browsing the marketplace.

Information Automatically Collected

We do not include analytics or crash-reporting tools, and we do not collect device identifiers, advertising IDs, or activity statistics about how you use the App. The only information we automatically capture is what is needed to actually run the service:

• Request logs: When the App contacts our servers, we keep a short-lived log of each request (your IP address, a timestamp, and what was requested) so we can detect abuse and debug problems. These logs are deleted after 30 days.
• Subscription status: When you subscribe through Google Play, we store a record of your subscription so the App knows whether you have Premium access.

Information from Third Parties

• Google Sign-In: If you choose to sign in with Google, we receive your Google account name, email, and profile picture
• Google Play: Subscription and payment verification information (we do not receive credit card details)

How We Use Your Information

We use the collected information for the following purposes:

• To provide and maintain our App services
• To create and manage your account
• To store and sync your bonsai tree data across devices
• To process subscriptions and verify payment status
• To send you reminders about tree care (if enabled)
• To provide customer support and respond to inquiries
• To improve the App based on user feedback we receive directly
• To detect and prevent fraud or abuse
• To comply with legal obligations

Data Storage and Security

Here is where your data lives:

• Sign-in: Sign-in is handled by Google. We never see or store your password.
• Your account and content: Your account profile, trees, posts, reminders, marketplace listings, and messages are kept in a private database we operate in the United States (Oregon). The database is not directly reachable from the public internet — every read and write goes through an authenticated request from the App.
• Photos: Photos you upload are stored on Cloudflare's secure object storage and served through Cloudflare's content delivery network.
• Real-time messaging: Messages are delivered in real time through a messaging server we operate. Message contents are stored in our database; the messaging server itself does not retain message contents beyond delivery.
• On your device: Some data may be cached on your device for offline access.

We use reasonable technical and organizational security measures to protect your personal information. No method of electronic storage is 100% secure, and we cannot guarantee absolute security.

Data Sharing and Disclosure

We do not sell, trade, or rent your personal information to third parties. We may share your information only in the following situations:

• Infrastructure providers: With trusted infrastructure providers that help us run the service (sign-in, payments, hosting, content delivery). These providers process data on our behalf and do not use it for their own purposes.
• Legal Requirements: If required by law or to respond to legal process
• Protection of Rights: To protect our rights, privacy, safety, or property, and/or that of our users
• Business Transfers: In connection with a merger, sale, or acquisition of all or a portion of our assets

Your Data Rights

You have the following rights regarding your personal information:

• Access: Request a copy of your personal data
• Correction: Request correction of inaccurate data
• Deletion: Request deletion of your account and associated data
• Portability: Request a copy of your data in a portable format
• Withdrawal of Consent: Withdraw consent for data processing where applicable

To exercise these rights, please contact us using the information provided below.

Account & Data Deletion

You can delete your account and the associated data at any time:

• While signed in (web): visit your account page and use the “Delete Account” option in the Danger Zone, or use the form at /data-deletion.
• While signed in (Android app): use the “Delete Account” option in the app settings.
• Without signing in: submit your email at /data-deletion. We process those requests within 30 days.

When your account is deleted: trees you own are archived; active marketplace listings are unlisted (other users in those threads receive a system message); draft listings, owned reminders, and incoming shares are removed; your profile fields and username are cleared (your username is released so a future signup can claim it). Messages you sent stay in the threads of the people you talked to but display as “Deleted user.” Encrypted backups roll off on a 30-day daily / 12-month monthly cadence and are not deleted on demand.

Children's Privacy

YoiBonsai is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately.

International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws different from those in your country. By using our App, you consent to such transfers.

Third-Party Services

Our App may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.

Third-party services we use:

• Google: Sign-in (Firebase Authentication) and subscription payments (Google Play).
• Cloudflare: Photo storage and content delivery.
• Groq: AI-assisted writing for marketplace listings, used only when you tap the “Write with AI” button on an Ichiba listing.

Data Retention

We retain your personal information for as long as necessary to provide our services and fulfill the purposes outlined in this Privacy Policy. When you delete your account, we will delete or anonymize your personal information within 30 days, except where retention is necessary for legal obligations or legitimate business purposes.

Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by updating the “Effective Date” at the top of this Privacy Policy and, for significant changes, may provide additional notice through the App or via email.

California Privacy Rights

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to delete your information, and the right to opt-out of the sale of personal information (which we do not do).

European Privacy Rights

If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR), including the right to access, rectification, erasure, restriction of processing, data portability, and the right to object to processing.