Security at GrowLeaf
GrowLeaf is a small, independent team. We treat your garden data the way we'd want ours treated — encrypted, scoped to you, and never sold.
Encrypted in transit and at rest
All traffic is served over HTTPS (TLS 1.2+). Your garden data and uploaded photos are stored encrypted at rest in managed Supabase infrastructure.
Row-level access control
Every row in our database is gated by row-level security policies tied to your authenticated user ID. Other users — and even our app code — cannot read your data without your session.
Payments handled by Stripe
We never see or store your card details. All subscription payments are processed by Stripe, a PCI-DSS Level 1 certified provider.
Modern authentication
Sign in with email + password (with leaked-password protection) or Google OAuth. Sessions use rotating refresh tokens stored securely in your browser.
No selling, no ad tracking
We don't sell data, share it with data brokers, or run third-party advertising pixels. Your plants are yours.
Minimal device permissions
GrowLeaf only sees the specific photo you choose to upload to Plant Doctor. We never access your camera roll, contacts, location, or files in the background.
Reporting a vulnerability
If you believe you've found a security issue in GrowLeaf, please email security@growleaf.app with reproduction steps. We respond to credible reports within 72 hours and won't pursue good-faith researchers who follow responsible disclosure.