Privacy policy
Last updated: March 2026
1. Data controller
The controller of your personal data is the site publisher, as identified in the legal notice.
Contact: [email protected]
2. Data collected
When you use the SPRAIA app and the spraia.app website, we collect the following data:
Account data
- Email address
- Password (encrypted, never stored in plain text)
- Usage preferences
Plant data
- Plant photos
- Names and descriptions
- Growing conditions (location, exposure)
- Care history
Connected sensor data (upcoming feature)
- Soil humidity
- Ambient light
- Temperature
Usage data
- Visited pages and used features (anonymised)
- Device type and operating system
3. Processing purposes
Your data is used to:
- Provide the service: plant identification, diagnosis, watering reminders, personalised advice
- Improve our algorithms: training and improvement of our AI models (anonymised data)
- Communicate: service notifications, important updates
- Measure audience: anonymised traffic statistics (with your consent)
4. Legal basis
Processing of your data is based on:
- Contract performance (GDPR article 6.1.b): providing the SPRAIA service
- Your consent (GDPR article 6.1.a): analytics cookies, marketing notifications
- Legitimate interest (GDPR article 6.1.f): service improvement, security
5. Retention period
- Active account: your data is kept as long as your account is active
- Account deletion: your data is deleted within 30 days
- Billing data: kept 10 years (legal obligation)
- Analytics cookies: 13 months maximum (CNIL recommendation)
6. Your rights (GDPR)
Under the General Data Protection Regulation (GDPR), you have the following rights:
- Right of access: obtain a copy of your personal data
- Right of rectification: correct inaccurate data
- Right of erasure: request deletion of your data
- Right of portability: receive your data in a structured format
- Right of objection: object to the processing of your data
- Right of restriction: request suspension of processing
To exercise your rights, you can:
- Use the account settings in the app
- Contact us by email: [email protected]
We commit to answer your request within 30 days. In case of difficulty, you can lodge a complaint with the French CNIL or your local data protection authority: European DPA list.
7. Data security
We implement the following technical and organisational measures to protect your data:
- At-rest encryption: AES-256
- In-transit encryption: HTTPS / TLS 1.3
- Restricted access: strict access controls to data
- Passwords: irreversible hashing (bcrypt)
8. Cookies and trackers
What is a cookie?
A cookie is a small text file placed on your device (computer, smartphone, tablet) when you visit a website. It allows the site to remember information about your visit.
Cookies used on spraia.app
| Name | Provider | Purpose | Duration | Type |
|---|---|---|---|---|
spraia_cookie_consent | SPRAIA | Stores your cookie consent preferences | 13 months | Essential (localStorage) |
spraia_locale | SPRAIA | Stores your language choice | Permanent | Essential (localStorage) |
_ga | Google Analytics | Anonymised unique identifier to distinguish users | 2 years | Analytics |
_ga_<ID> | Google Analytics | Maintains session state | 2 years | Analytics |
Consent mechanism
On your first visit, a banner offers three choices:
- Accept all — enables analytics cookies
- Reject — no analytics cookie is set
- Customise — you choose category by category
You can change your preferences at any time via the "Manage cookies" link in the site footer.
Google Analytics 4 and Consent Mode v2
We use Google Analytics 4 (GA4) for anonymised audience measurement. GA4 is configured with Google's Consent Mode v2:
- When you reject analytics cookies, GA4 loads but writes no cookie (
_ga,_ga_*are not created). Only anonymous pings are sent for statistical modelling. - When you accept, GA4 cookies are enabled for more accurate audience measurement.
IP anonymisation is enabled by default. No personally identifiable data is transmitted to Google.
You can also opt out of Google Analytics on all sites via the Google Analytics opt-out add-on.
9. Data transfers
Some data may be transferred to subprocessors located outside the European Union (notably Cloudflare and Google in the United States). These transfers are governed by standard contractual clauses approved by the European Commission, in accordance with GDPR article 46.
10. Contact
For any question regarding the protection of your personal data:
- By email: [email protected]
- Via our contact page
You can also lodge a complaint with the French Commission Nationale de l'Informatique et des Libertés (CNIL): www.cnil.fr, or your local data protection authority.