This policy explains what data we collect, why we collect it, and what rights you have under UK GDPR. Questions? Email selfseed@polsia.app.
1. Who We Are
Selfseed is an AI-powered garden design service operated via the Polsia platform, accessible at selfseed.co.uk.
For UK data protection purposes, we are the data controller of your personal information.
Contact: selfseed@polsia.app
2. What Data We Collect
Information you provide directly
- Email address — to create your account and deliver your garden plan
- Password — stored as a one-way cryptographic hash; we cannot read it
- Garden photo(s) — photographs of your garden space
- Postcode — used to infer your local climate zone, soil data, and sunlight hours
- Garden preferences — soil type, light level, planting style, colour palette
Information collected automatically
- Usage analytics — page views and feature interactions (e.g. questionnaire steps). No third-party advertising trackers.
- Technical data — IP address, browser type, device type, referring URL. Used for security and performance.
- Session data — a session token stored in our database to keep you logged in
Cookies
| Cookie / Storage Key | Purpose | Duration |
|---|---|---|
session | Keeps you logged in | 30 days |
polsia_vid (localStorage) | Anonymous visitor ID for aggregate analytics | Persistent |
We do not use advertising cookies or share cookie data with third parties for marketing.
3. How We Use Your Data
| Purpose | Data Used | Legal Basis (UK GDPR) |
|---|---|---|
| Generate your personalised planting plan | Garden photo, postcode, preferences | Contract (Art. 6(1)(b)) |
| Create and manage your account | Email, password hash | Contract (Art. 6(1)(b)) |
| Send your completed plan by email | Email address, first name | Contract (Art. 6(1)(b)) |
| Recommend plants via affiliate links | Plan species list, postcode region | Legitimate interests (Art. 6(1)(f)) — funding the free service |
| Improve our AI and service quality | Anonymised design requests and outcomes | Legitimate interests (Art. 6(1)(f)) |
| Security and fraud prevention | IP address, technical logs | Legitimate interests (Art. 6(1)(f)) |
| Product updates (if opted in) | Email address | Consent (Art. 6(1)(a)) |
4. AI Processing
Your garden photo and preferences are submitted to Claude (by Anthropic) to generate your planting plan. Anthropic acts as a data processor under our instructions, governed by their privacy policy.
We do not use your personal garden photos to train AI models without your explicit consent.
5. Affiliate Links
Your planting plan includes links to UK nurseries. When you click and purchase, we may receive a commission. This never increases the price you pay. Affiliate links are clearly disclosed in your plan.
6. Sharing Your Data
We do not sell your personal data. We share it only with:
- Service providers — hosting, email delivery, AI processing. All bound by data processing agreements.
- Legal requirements — if required by law or court order.
- Business transfer — if Selfseed is acquired, with prior notice to you.
Key service providers
| Provider | Purpose | Data Location |
|---|---|---|
| Render | Web hosting | EU / USA (SCCs) |
| Neon (PostgreSQL) | Database | EU / USA (SCCs) |
| Cloudflare R2 | Photo storage | EU / USA (SCCs) |
| Anthropic (Claude) | AI plan generation | USA (SCCs) |
| Postmark | Email delivery | USA (SCCs) |
7. International Transfers
Where data is transferred outside the UK/EEA, we use Standard Contractual Clauses (SCCs) approved by the UK ICO.
8. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data (email, password hash) | Until deletion, or 3 years of inactivity |
| Garden photos | Until account deletion or on request |
| Planting plans | Until deletion, or 3 years of inactivity |
| Analytics events | 24 months, then anonymised |
| Server logs (IP, technical) | 90 days |
9. Your Rights Under UK GDPR
- Access — request a copy of your personal data
- Rectification — correct inaccurate or incomplete data
- Erasure — ask us to delete your data (subject to legal obligations)
- Portability — receive your data in a machine-readable format
- Restriction — limit how we process your data in certain circumstances
- Objection — object to processing based on legitimate interests
To exercise any right, email selfseed@polsia.app. We respond within 30 days.
You may also lodge a complaint with the Information Commissioner's Office (ICO).
10. Security
- All data in transit is encrypted via TLS/HTTPS
- Passwords are hashed with bcrypt
- OAuth tokens encrypted at rest with AES-256-GCM
- Production access is restricted and logged
If you discover a security issue, contact us immediately at selfseed@polsia.app.
11. Children's Privacy
Selfseed is not directed at children under 13. We do not knowingly collect data from children. Contact us to remove any such data promptly.
12. Changes to This Policy
We update this policy when our practices change. Material changes trigger a notification by email and an updated date above. Continued use constitutes acceptance.
13. Contact
We aim to respond within 5 working days.