Privacy Policy

Effective Date: March 26, 2026 · Last Updated: March 26, 2026

This Privacy Policy describes how Sprigg AI, LLC ("Sprigg," "we," "us," or "our") collects, uses, shares, and protects personal information when you use the Sprigg platform, including our website, web application, and related services (collectively, the "Service"). Please read this policy carefully.

1. Information We Collect

1.1 Information You Provide Directly

Account Information

  • Email address
  • Name (optional)
  • Password (stored only as a bcrypt hash; we never store or have access to your plaintext password)

Property and Lawn Information

  • Property address and GPS coordinates (latitude and longitude)
  • Timezone and USDA plant hardiness zone
  • Grass type, soil description, and total lawn area
  • Property notes and expertise level
  • Irrigation zone configurations (zone names, descriptions, categories, precipitation rates, root depth, shade factors, soil type, nozzle type, slope, and maximum runtimes)
  • Watering preferences (weekly water target, maximum morning hour, sunrise offset)
  • Disease risk thresholds

Integration Credentials

  • Rachio API key
  • Orbit B-Hyve email address and password
  • WeatherFlow Tempest station ID and API key

Where possible, we use token-based authentication (such as API keys) to connect to third-party services. For services that do not support token-based authentication, login credentials are encrypted using AES-256-GCM and used solely to authenticate with the third-party service on your behalf. All integration credentials are encrypted before storage. You may remove your credentials at any time through the Settings page.

User-Generated Content

  • Chat messages sent to and received from the Ask Sprigg AI assistant
  • Lawn photos (uploaded images with optional notes and timestamps)
  • Lawn care calendar entries (fertilizer applications, mowing, aeration, fungicide treatments, etc.)

Notification Preferences

  • Email notification opt-in settings (urgent alerts, weekly summaries, system alerts)
  • Display theme preference (light, dark, or system)

1.2 Information Collected Automatically

Session and Authentication Data

  • Session cookie (sprigg-session): an httpOnly, secure cookie used solely to maintain your authenticated session. Expires after 7 days.
  • IP address: recorded during login attempts for security monitoring and rate limiting.
  • Login attempt records: email address, IP address, success or failure, and timestamp.

Service Usage Data

  • AI API usage metrics: the AI model used, input and output token counts, cost per request, and timestamp. Used for plan enforcement and usage tracking.
  • Cron job execution history: job type, execution status, duration, and any errors. Used for system monitoring.

Irrigation Decision Data

  • Decision logs: for each irrigation decision, we record the zone, the decision made (water, skip, reduce, or emergency), the reasons for the decision, weather conditions at the time, disease risk level, and planned runtime.
  • Analysis history: daily AI analysis output including overall assessment, recommendations, and disease risk data.
  • Water applied: weekly water tracking by zone.

1.3 Information from Third Parties

We receive the following data from third-party services you connect or that we use to provide the Service:

  • Rachio: Device configuration, zone details, and watering run history.
  • Orbit B-Hyve: Device information and zone configurations.
  • OpenWeatherMap: Current weather conditions and 5-day forecast (temperature, humidity, wind speed, precipitation, cloud cover) based on your property coordinates.
  • Open-Meteo: Historical weather data, dew point, cloud cover, soil temperature, evapotranspiration, and daily rainfall based on your property coordinates.
  • WeatherFlow Tempest: Personal weather station readings (temperature, humidity, wind, rainfall) using your station ID and API key.
  • Nominatim (OpenStreetMap): Geocoded coordinates derived from your property address.
  • ArcGIS: USDA plant hardiness zone derived from your property coordinates.

2. How We Use Your Information

We use the information we collect to:

  • Provide the Service: Generate irrigation recommendations, execute watering commands on your connected controllers, track water applied, assess disease risk, and power the Ask Sprigg chat assistant.
  • Personalize Your Experience: Tailor recommendations to your specific grass type, climate zone, soil conditions, property configuration, and expertise level.
  • Communicate With You: Send in-app notifications about irrigation decisions, alerts, and account matters. When email notifications are enabled, deliver transactional and informational emails.
  • Improve the Service: Analyze anonymized and aggregated usage patterns, irrigation outcomes, and system performance to improve our AI recommendations and overall service quality. We do not use your individually identifiable data to train AI models.
  • Ensure Security: Detect unauthorized access attempts, enforce rate limits, and maintain audit logs of administrative actions.
  • Comply With Legal Obligations: Respond to legal requests and enforce our Terms of Service.

3. How We Share Your Information

We do not sell your personal information. We do not share your personal information for advertising purposes. We do not use third-party advertising or cross-site tracking technologies. We use limited internal metrics (such as API token usage and cron job execution logs) solely for service operation, plan enforcement, and system monitoring.

We may engage service providers to perform functions on our behalf (such as hosting, database management, email delivery, and AI processing). These service providers are permitted to use your personal information only as reasonably necessary to provide services to us.

We share your information with the following categories of third parties, solely to provide and operate the Service:

3.1 AI Processing (Anthropic)

To generate irrigation recommendations and power the Ask Sprigg chat assistant, we send the following data to Anthropic's Claude AI API: your property configuration, zone details, weather data, disease risk information, lawn care calendar entries, water budget data, soil temperature trends, previous analysis history, and chat messages.

Anthropic processes this data in accordance with their API terms. Anthropic's API terms provide that data submitted via the API is not used to train their models. For more information, see Anthropic's Privacy Policy.

3.2 Irrigation Controller Providers

  • Rachio: Your Rachio API key is sent as a bearer token to Rachio's API. We retrieve device and zone information and send control commands (start zones, stop zones, set rain delays) on your behalf.
  • Orbit B-Hyve: Your B-Hyve email and password are sent to Orbit's authentication servers to establish a session. We control your devices via their API and WebSocket connection.

3.3 Weather Services

  • OpenWeatherMap: Your property's GPS coordinates are sent to retrieve weather data. We use a server-side API key; your identity is not shared with OpenWeatherMap.
  • Open-Meteo: Your property's GPS coordinates are sent to retrieve weather and soil data. This is a free, open service with no authentication; your identity is not shared.
  • WeatherFlow Tempest: Your station ID and API key are sent to retrieve personal weather station data.

3.4 Geocoding Services

  • Nominatim (OpenStreetMap): Your property address is sent once to convert it to GPS coordinates.
  • ArcGIS: Your property's GPS coordinates are sent once to determine your USDA plant hardiness zone.

3.5 Infrastructure Providers

  • Neon: Our cloud PostgreSQL database provider. All user data is stored in Neon's infrastructure, encrypted in transit and at rest per Neon's security practices.
  • Vercel: Our hosting provider. Vercel processes HTTP requests, runs our serverless functions, and provides blob storage for lawn photos. Data is handled in accordance with Vercel's privacy policy.
  • Resend: Our email delivery service (when activated). Receives user email addresses solely to deliver transactional emails such as email verification and password reset messages.

4. Cookies and Tracking Technologies

Sprigg uses a single, essential cookie:

  • Name: sprigg-session
  • Purpose: Maintaining your authenticated session
  • Type: Essential (required for the Service to function)
  • httpOnly: Yes (not accessible to client-side JavaScript)
  • Secure: Yes (transmitted only over HTTPS)
  • SameSite: Lax
  • Expiry: 7 days

We do not use analytics cookies, advertising cookies, tracking pixels, or any third-party tracking technologies. We store your theme preference (light, dark, or system) in your browser's local storage for display purposes only; this is not used for tracking.

Do Not Track: Some web browsers transmit "Do Not Track" (DNT) signals. Because there is no universally accepted standard for how to respond to DNT signals, we do not currently respond to them. However, we do not engage in cross-site tracking regardless of DNT settings.

5. Legal Basis for Processing

We process your personal information on the following legal bases:

  • Contractual necessity: Processing required to provide the Service you have requested, including generating irrigation recommendations, executing watering commands, and maintaining your account.
  • Legitimate interests: Processing for our legitimate business interests, including improving the Service through anonymized analytics, maintaining security and preventing fraud, and monitoring system performance. We balance these interests against your privacy rights.
  • Consent or your direction: Processing based on your choices, including enabling Active Mode for automated irrigation, connecting third-party integrations, and opting in to email notifications. You can change these settings at any time.
  • Legal obligations: Processing necessary to comply with applicable laws, regulations, or legal processes.

6. Data Retention

  • Account data: Retained as long as your account is active. Upon account deletion, your data is marked as deleted. We will make reasonable efforts to permanently remove your data within a reasonable period, except where retention is required by law or legitimate business interests (such as fraud prevention or dispute resolution).
  • Analysis and irrigation history: Visible history is limited by your subscription plan (default: 7 days). Older entries may be retained in our systems but are not accessible through the application.
  • Decision logs: A maximum of 500 decision log entries are retained per property. When this limit is reached, the oldest entries are automatically removed.
  • Chat messages: Retained until you delete individual chat threads through the application.
  • Lawn photos: Retained until you delete them through the application. Photos are stored in cloud blob storage and are accessible via their URLs.
  • Login attempt records: Retained for security monitoring and fraud prevention purposes.
  • Sessions and tokens: Expired sessions, password reset tokens, and email verification tokens are automatically cleaned up hourly.

7. Your Rights and Controls

7.1 Access Your Data

You can view your property settings, zone configurations, analysis history, irrigation history, decision logs, photos, calendar events, and chat history through the application interface. For a complete copy of all data associated with your account, contact us at privacy@sprigg.ai.

7.2 Correct Your Data

You can update your property information, zone configurations, watering preferences, and integration credentials at any time through the application Settings page.

7.3 Delete Your Data

You can delete individual chat threads, photos, and calendar entries through the application. To request full account deletion, contact us at privacy@sprigg.ai. We will process your request and make reasonable efforts to delete or anonymize your data, subject to our legal obligations and legitimate business interests.

7.4 Disconnect Integrations

You can clear your Rachio API key, B-Hyve credentials, and Tempest API key at any time through the integrations settings page. Disconnecting an integration immediately stops Sprigg from accessing that third-party service on your behalf.

7.5 Disable Automated Irrigation

You can switch from Active Mode to Audit Mode at any time in your settings. This immediately stops all automated irrigation execution while continuing to provide AI-generated recommendations for your review.

7.6 Data Portability

To request an export of your data in a portable format, contact us at privacy@sprigg.ai.

8. Automated Decision-Making

Sprigg uses artificial intelligence (Anthropic Claude) to make irrigation recommendations. AI-generated recommendations may be inaccurate, incomplete, or unsuitable for your specific property conditions. In Active Mode, these AI-generated recommendations are automatically executed on your irrigation controller without per-action human review.

Automated decisions determine:

  • Which irrigation zones to water on a given day
  • How long to water each zone
  • Whether to skip watering entirely based on weather or disease conditions
  • Disease risk assessments and severity levels

Programmatic safety limits are enforced to constrain automated decisions (for example, maximum water application per event and maximum runtime per zone).

You can override automated decisions at any time by:

  • Switching to Audit Mode (stops all automated execution)
  • Manually controlling your irrigation controller through its native app
  • Disconnecting the controller integration entirely

All automated decisions are recorded in your decision log and analysis history for full transparency and review.

9. Data Security

We implement the following security measures to protect your data:

  • Encryption in transit: All data is transmitted over HTTPS with HTTP Strict Transport Security (HSTS) enabled.
  • Encryption at rest: Sensitive credentials (third-party API keys and passwords) are encrypted with AES-256-GCM before storage. Encryption keys are stored separately from the database.
  • Password security: User passwords are hashed using bcrypt with 12 salt rounds. We never store plaintext passwords.
  • Session security: Session tokens are stored in httpOnly, Secure, SameSite=Lax cookies with 7-day expiration.
  • Rate limiting: Login attempts are limited to 5 per 60 seconds per IP address. Account registration is limited to 3 per 300 seconds per IP. AI chat usage is subject to plan-based limits.
  • Access control: All database queries enforce user-level isolation. Property ownership is verified on every request.
  • Security headers: We set X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy headers to reduce attack surface.

Photo storage note: Lawn photos are stored in cloud blob storage and may be accessible to anyone who has the direct URL. Please avoid uploading images that contain sensitive information, such as faces, license plates, or house numbers.

While we take reasonable measures to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

10. Children's Privacy

The Service is not directed at children under the age of 13 (or under 16 in the European Economic Area). We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected data from a child, we will take steps to delete it promptly. If you believe a child has provided us with personal information, please contact us at privacy@sprigg.ai.

11. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

  • Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share it.
  • Right to Delete: You may request that we delete the personal information we have collected about you, subject to certain exceptions (such as legal obligations or completing a transaction).
  • Right to Opt-Out of Sale: We do not sell personal information. Because no sale occurs, no opt-out mechanism is necessary.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.

Categories of personal information we collect:

  • Identifiers (email address, name, IP address, account ID)
  • Geolocation data (property address, GPS coordinates)
  • Internet or electronic network activity (login attempts, session data, API usage metrics)
  • Visual information (lawn photos)

Categories of sources: Directly from you, automatically through the Service, and from third-party APIs (weather data, geocoding, irrigation controller data).

Business purposes for collection: Providing the Service, personalizing recommendations, security, analytics, and legal compliance.

Categories of third parties with whom we share data: AI processing (Anthropic), infrastructure providers (Vercel, Neon), irrigation controller APIs (Rachio, Orbit), weather services (OpenWeatherMap, Open-Meteo, WeatherFlow), and geocoding services (Nominatim, ArcGIS).

Sensitive personal information: To the extent we collect sensitive personal information (such as precise geolocation), we use and disclose it only as reasonably necessary to provide the Service and do not use it for purposes other than those permitted under the CCPA/CPRA.

To exercise your California privacy rights, contact us at privacy@sprigg.ai.

12. International Users

The Service is operated from the United States. All data is stored on servers located in the United States (Neon database infrastructure and Vercel hosting). We do not currently offer localized data storage outside the United States. If you are accessing the Service from outside the United States, please be aware that your information will be transferred to, stored in, and processed in the United States, where data protection laws may differ from those in your country. By using the Service, you consent to the transfer of your information to the United States.

13. Business Transfers

If Sprigg AI, LLC is involved in a merger, acquisition, reorganization, sale of assets, or bankruptcy, your personal information may be transferred as part of that transaction. We will notify you via email or a prominent notice within the Service of any change in ownership or uses of your personal information, as well as any choices you may have regarding your personal information.

14. Email Communications

We may send you the following types of email communications:

  • Transactional emails: Account verification, password resets, and security alerts. These are essential to the operation of your account and cannot be unsubscribed from.
  • Service notifications: Urgent irrigation alerts, disease warnings, and system status updates. You can manage these in your notification preferences.
  • Informational emails: Weekly lawn care summaries and seasonal recommendations. You can opt out of these at any time through your notification settings or by contacting us at privacy@sprigg.ai.

We do not send marketing emails to users who have not opted in, and we do not share your email address with third parties for marketing purposes.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. For material changes, we will provide notice through the Service or via email at least 30 days before the changes take effect. The "Last Updated" date at the top of this policy indicates when it was most recently revised.

16. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Sprigg AI, LLC
Email: privacy@sprigg.ai