Every third party that touches your data.

Frontend hosting + edge CDN for terracefarming.in.

Request metadata (IP, user agent, URL). No body / form data leaves the function runtime.

United States (global edge POPs)

Backend API hosting (FastAPI) and the managed PostgreSQL database.

All user-record fields — name, email, phone, address, plant photos, order history. The full application database lives here.

Singapore (primary), US/EU regions for multi-region failover

Payment Aggregator under RBI PA Guidelines. Handles all card / UPI / net-banking checkout for orders, subscriptions, and consultations.

Customer name, email, phone, billing address, transaction amount. No card data ever touches our servers — capture is on Razorpay's hosted checkout.

India

Product image storage + on-the-fly transformation (resize, WebP/AVIF, watermark, label overlays).

Product images, public asset URLs, user-uploaded plant-diagnosis photos. Photos uploaded for AI diagnosis pass through ImageKit before reaching our backend.

India (Mumbai)

Application error monitoring. Captures exceptions, stack traces, and a small slice of context (user ID, current URL, browser).

User ID, email (when present in error context), IP. Sensitive bodies are scrubbed by Sentry's data-scrubbing rules before leaving the client.

European Union (de.sentry.io). Configured this way so EU traffic stays in-region.

Generative AI (Claude) for the AI plant doctor and the in-app assistant. We only call Anthropic when a user voluntarily sends a question or photo.

The user's question text, the photo (if attached), and a short conversation context. We do NOT send name, email, or other identifiers in the prompt.

United States

Fallback generative AI used by some assistant features when Anthropic is rate-limited or unavailable.

Same scope as Anthropic — user question text and photo only, no identifiers.

United States

Anonymous web analytics. Loaded only after the user accepts analytics cookies on the consent banner.

Anonymised IP, page URL, click events, broad device/browser type. No name or email is sent. Demographic features are off.

United States (with regional collection in EU/India)

Optional federated login. Only invoked when a user clicks Sign in with Google.

OAuth-returned name, email, and Google profile picture URL. We don't request additional Google scopes.

United States

Transactional email (order confirmations, verification OTPs, password resets) and SMS OTP.

Email address, phone number, the message body itself.

United States