Privacy Policy

⚠️ Working draft — pending legal review. This document is a good-faith draft based on how GreenTea works today. Items marked [REVIEW: …] need a decision or legal confirmation, and this notice must be removed, before it is published. It is not legal advice.

Last updated: [REVIEW: set the effective date on publish]

1. Who we are

GreenTea (“GreenTea”, “we”, “us”) is a non-profit social network operated by Green Tea [REVIEW: confirm the exact legal/operator name — currently a sole proprietorship based in Canada]. All profit from the service is donated to organisations fighting climate change.

If you have any questions about this policy or your data, contact us at greenteaadmin@gmail.com.

2. Scope

This policy explains what information we collect when you use the GreenTea app (on the web at app.green-tea.eco, and on iOS and Android), how we use it, who we share it with, and the choices and rights you have. It does not cover third-party services we link to, which have their own policies.

3. Information we collect

Account and profile information. When you register we collect your email address and a password (which we store only as a secure hash, never in plain text). Your profile may also include a username, bio, location, website, pronouns, birthdate, interests, an avatar image, and your time zone — most of which are optional and under your control.

Content you create. Posts, comments, likes, saved posts, and any images or video you upload. Uploaded media is stored with our storage provider (see Section 7).

Connections and invitations. Your connections and Circles, and — if you invite someone — the email address you provide for that invitation. We use it only to send the invitation and to mark it as joined if they register.

Location information. If you use location-based features such as the Nearby feed, we process location information to show you nearby posts and people. [REVIEW: confirm exactly how location is obtained — user-entered location text vs. device/approximate geolocation — and describe precisely. This determines consent handling on mobile.]

Usage and activity. How you interact with the service — for example discovery-feed views and impressions, and, if you opt in to ads, ad impressions and clicks recorded to maintain your “Impact” contribution counter.

Device and technical information. Like most online services, we automatically receive certain information such as your IP address, device and browser type, and similar identifiers, including through cookies and comparable technologies (see Section 4).

4. Advertising and cookies

Ads are strictly opt-in. By default you see no ads, and the advertising networks are not loaded for your account at all. You can turn ads on or off at any time from your profile.

If you opt in, ads are served by Google AdMob (in our iOS and Android apps) and Google AdSense (on the web). In our first version, ads are non-personalised — they are not targeted using a profile of your interests. Even non-personalised ads use cookies or device identifiers for purposes such as frequency capping, measurement, and fraud prevention.

Consent (EEA, UK, and similar regions). Where required by law, before any ad is requested we present a consent message using Google’s certified consent tooling (the IAB Transparency & Consent Framework), and ads are only served in line with your consent choices.

Google’s handling of data in connection with ads is governed by Google’s own policies. You can learn more at Google’s Privacy & Terms. [REVIEW: confirm final ad networks and link any additional required disclosures, e.g. an “How Google uses information” notice.]

We do not sell your personal information.

5. How we use your information

• To provide and operate the service — your account, feeds, posting, and social features.
• To verify your email address and send you service-related communications.
• To keep the community safe and enforce our Terms (for example, anti-spam limits).
• To show ads only if you have opted in, and to maintain your Impact counter.
• To understand and improve how the service is used.
• To comply with legal obligations.

6. Legal bases for processing (EEA/UK)

Where the GDPR or UK GDPR applies, we rely on: performance of a contract (to provide the service you sign up for); consent (for opt-in advertising and related identifiers, and where otherwise required); legitimate interests (to keep the service secure, prevent abuse, and improve it); and legal obligation where applicable. You may withdraw consent at any time.

7. How we share information

We share information only as needed to run the service:

• Storage: uploaded media is stored with Cloudflare R2.
• Email delivery: transactional emails (such as verification) are sent via Resend [REVIEW: confirm email provider before launch].
• Advertising: if you opt in, with Google (AdMob/AdSense) as described in Section 4.
• Legal and safety: where we believe in good faith it is necessary to comply with law, enforce our Terms, or protect the rights and safety of people.

We do not sell personal information, and we do not share it for third-party advertising beyond the opt-in ad serving described above.

8. Data retention

We keep your information for as long as your account is active or as needed to provide the service. Some records are kept on shorter cycles — for example, raw advertising-event records are retained only for a limited window [REVIEW: state the retention period, e.g. 30 days, to match the app’s configured value]. When you delete your account, we delete or anonymise your personal information except where we must retain it to comply with law. [REVIEW: confirm overall retention periods.]

9. How we protect your information

Passwords are stored as secure bcrypt hashes; authentication uses signed, expiring tokens; and access to data is restricted. No system is perfectly secure, but we take reasonable measures to protect your information.

10. Your rights and choices

Depending on where you live, you may have rights to access, correct, delete, port, or restrict the processing of your personal information, and to object to certain processing or withdraw consent.

• Ads: turn the ads toggle off at any time in your profile.
• Profile data: edit or remove most profile fields directly in the app.
• Account: you can request deletion of your account.

To exercise any of these rights, email greenteaadmin@gmail.com. We will respond as required by applicable law. Canadian users have rights under PIPEDA and, in Québec, under Law 25; EEA/UK users have rights under the GDPR/UK GDPR. [REVIEW: confirm which regional regimes to name, and add any region-specific disclosures required.]

11. Children’s privacy

GreenTea is not directed to children. You must be at least 13 years old [REVIEW: confirm minimum age — some regions require 16 for consent] to use the service. We do not knowingly collect personal information from children under this age; if we learn that we have, we will delete it.

12. International data transfers

We and our service providers may process your information in countries other than where you live, including outside the EEA/UK and Canada. Where required, we rely on appropriate safeguards for such transfers.

13. Changes to this policy

We may update this policy from time to time. We will revise the “Last updated” date above and, for material changes, provide a more prominent notice.

14. Contact

Questions or requests: greenteaadmin@gmail.com.