Privacy Notice

Patch & Pot is a small independent gardening publisher (the “Service”) operated from the United Kingdom. The data controller is Grant Cameron Anthony, trading as Patch & Pot, based in Barrhead, East Renfrewshire, Scotland, UK. You can reach us at hello@patchandpot.com; a full correspondence address is available on request.

We try to collect as little as possible. In practice:

• Location preference. When you allow location access, your browser shares an approximate latitude / longitude with us once, which we use to look up your region and climate zone for monthly guidance. We do not store your raw coordinates against an identifier; we store the resolved region name in your browser only.
• Region, language & “My Garden” list. Stored in your browser’s local storage so the app remembers your settings between visits. None of this is sent to a server in a way that identifies you.
• Payment data. When you take out a Patch & Pot membership (£5 / year or £25 / lifetime) we use Stripe to process the payment. Card details are entered into Stripe’s servers — we never see them. We receive back your email address, the amount paid, and a Stripe session identifier so we can issue your access token.
• Access token. A random, passwordless token tied to your purchase. Stored in your browser to unlock paid content. If you lose it, your purchase email is the recovery mechanism.
• Search / generation topics. When you ask our AI to author a masterclass on a topic, that topic string is sent to our servers (and to our AI providers — see below) so we can generate and cache the lesson. Topics are not tied to your identity.
• Basic technical logs. Standard web-server logs (IP, user-agent, requested URL, timestamp) kept for a maximum of 30 days for abuse-prevention and debugging.

• Contract — for processing your membership payment and providing paid content.
• Legitimate interest — for keeping the site running, preventing abuse, and improving guidance quality.
• Consent — for use of your device location (you can decline; the site still works with a manual region).

We use a small, intentionally minimal set of trusted processors:

• Stripe (payment processing) — see stripe.com/privacy.
• Anthropic, OpenAI, Google (AI providers) — used to generate monthly guidance, masterclasses and plant images on request. We do not pass them your email, location, or identity; only the gardening topic or region/month being requested.
• Our hosting provider — runs the application servers and the MongoDB database that caches generated content.

We do not sell your data, share it with advertisers, or pass it to data brokers. We do not run third-party analytics or tracking pixels.

Some processors above are based outside the UK / EEA. Where this is the case, we rely on the UK Government’s adequacy regulations, the EU–US Data Privacy Framework, or Standard Contractual Clauses (SCCs) as appropriate to safeguard your data.

• Payment records: 7 years (HMRC requirement).
• Access tokens linked to a lifetime membership: kept indefinitely so your access keeps working.
• Access tokens for annual membership: kept until 12 months after expiry, then deleted.
• Server logs: 30 days.
• AI-generated content cache: kept indefinitely (it is shared content, not personal data) but you can request a slug be regenerated or removed.

Under UK GDPR you have the right to:

• Access the personal data we hold about you.
• Have inaccurate data corrected.
• Have your data erased (subject to our HMRC obligations on payment records).
• Restrict or object to processing.
• Receive a copy of your data in a portable format.
• Withdraw consent where consent is the lawful basis.
• Complain to the UK Information Commissioner’s Office (ico.org.uk) if you believe we have mishandled your data.

To exercise any of these rights, email hello@patchandpot.com. We aim to respond within 14 days and must respond within 30.

We do not use marketing or tracking cookies. We use:

• Strictly necessary local storage for your region, language, “My Garden” list, and paywall access token.
• A service worker cache so the site loads quickly and works offline. Caches no personal data.
• Stripe Checkout sets its own session cookies during payment; these are governed by Stripe’s privacy notice.

We will update the “Last updated” date at the top of this page whenever this notice changes. Material changes will be flagged on the home page for at least 14 days.