Privacy Policy

Gardens is built on the principle that private communication should remain private. We have designed our systems to minimize data collection, maximize encryption, and give you meaningful control over your information. This policy describes exactly what we collect, why, and what we never do.

• —Account identifiers

  An email address or phone number used only for account recovery and security notifications. We do not use it for marketing.

• —Public keys

  Your MLS public key material, stored on our servers solely to enable encrypted group key exchanges. Your private keys never leave your device.

• —Ciphertext

  Encrypted message payloads are transiently relayed by our servers. We cannot read them. They are deleted from relay infrastructure as soon as delivery is confirmed.

• —Minimal metadata

  Approximate timestamps of connections (not message sends) and coarse device type, retained for up to 90 days for abuse prevention only.

• —Message content — all messages are end-to-end encrypted with MLS
• —Contact lists or social graphs
• —Location data of any kind
• —Advertising identifiers or tracking pixels
• —Behavioral profiles or usage analytics linked to your identity
• —Data from third parties about you

All messages are encrypted on your device using the IETF Message Layer Security (MLS) protocol before transmission. Gardens servers act as delivery infrastructure only — we are technically incapable of reading your messages. Group keys are managed through MLS's forward-secrecy and post-compromise security mechanisms, meaning past messages remain protected even if a device is later compromised.

We do not sell, rent, license, or broker your personal data to any third party — ever. We do not share data with advertisers. We may share the minimum necessary information with:

• —Infrastructure providers

  Cloud and network providers bound by strict data processing agreements, with access limited to encrypted infrastructure logs.

• —Law enforcement

  Only when compelled by a valid legal process under applicable law. Because we cannot decrypt your messages, any compelled disclosure is limited to the minimal metadata described above. We publish a transparency report.

We retain your account identifier and public key material for as long as your account is active. Connection metadata is deleted after 90 days. Encrypted message payloads are deleted from our relay infrastructure upon confirmed delivery, or within 30 days if undelivered. You may request full account deletion at any time; we will purge all associated data within 30 days.

• —Access — request a copy of all data we hold about you
• —Correction — update or correct inaccurate account information
• —Deletion — permanently delete your account and all associated data
• —Portability — export your data in a machine-readable format
• —Objection — object to processing in any context where we exercise discretion
• —Restriction — restrict processing while a dispute is resolved

To exercise any of these rights, contact privacy@usegardens.com. We will respond within 30 days.

We apply defense-in-depth: TLS in transit, encryption at rest for all stored data, strict access controls with hardware security keys for all engineers, regular independent security audits, and a public vulnerability disclosure program. Our MLS implementation is open-source and subject to external review.

Gardens is not directed at children under 13. We do not knowingly collect information from children under 13. If you believe a child has provided us with personal information, contact us immediately and we will delete it.

We will notify you of material changes to this policy via in-app notification at least 30 days before they take effect. Continued use of Gardens after that period constitutes acceptance. We maintain an archived version history of this policy.

For privacy questions, data requests, or security reports: privacy@usegardens.com