Legal · CoreTurf

Privacy Policy

How CoreTurf handles your data. Short version: your lawn data stays on your device unless you opt in to cloud backup.

Lawn data on your device by default
Optional account for cloud backup
No advertising or tracking
Cloud data stored in Sydney, Australia
Note · Internal Testing

This policy is in place for the Play Store internal testing track soft launch. It accurately reflects the app's current data handling. Before any public or commercial release, have this document reviewed by a solicitor familiar with Australian Privacy Law.

1. Introduction

CoreTurf ("the app") is a lawn care application developed and operated by K-Tech Industrial Pty Ltd ("we", "us", "our").

CoreTurf helps lawn owners track growing degree days (GDD), manage products and inventory, log spray applications and mowing records, and monitor lawn health over time with guided repeat photography.

This Privacy Policy explains what information CoreTurf collects, how it is used, and your rights. By using the app, you agree to the practices described here.

2. Information We Collect

2.1 Location data

When you add a new site or tap "Use current location," the app requests your device's GPS coordinates to fetch weather forecasts and soil temperature data for that location.

You can enter a suburb or postcode manually instead. If you use "Use current location" and the device's built-in geocoder cannot resolve a suburb name, your coordinates are sent to BigDataCloud as a fallback (see Section 4.6). Location coordinates are stored on your device as part of your site records and are not collected by K-Tech Industrial.

iOS technical note. On iOS, our Info.plist declares two location-permission strings — NSLocationWhenInUseUsageDescription and NSLocationAlwaysAndWhenInUseUsageDescription. Apple requires both keys to be present whenever any code path in the app or its dependencies references a location API, even if the app itself never requests background or always-on location. CoreTurf only requests when-in-use permission, only in the situations described above, and never tracks your location in the background. The "always" key is declared solely to satisfy Apple's static analysis of transitive Flutter package dependencies.

2.2 Photos and video

CoreTurf uses your camera or photo library in three ways:

  1. Photo strip (Sites): You can select or capture photos to attach to your lawn sites through the system's standard media picker.
  2. LawnFlex progress tracking: The LawnFlex feature has direct camera access to capture sequential photos of your lawn for guided repeat-photography comparison over time.
  3. LawnFlex video export: When you tap "Save to Photos" after generating a time-lapse or before/after video, CoreTurf writes that file to your device's Photos library. All video processing happens on-device. No photo or video data is sent to any server.

Photos you capture in the LawnFlex feature are stored locally on your device. If you are signed in to a CoreTurf account, photos you take are also backed up to our cloud storage provider (Cloudflare R2 — see Section 4.7) so you can restore them on a new device. Free-tier users can back up up to 10 photos; Pro-tier users can back up unlimited photos. Photos beyond the free quota stay on the originating device only and are not uploaded.

Photos selected through the system media picker (Sites photo strip) are not uploaded — they remain on your device only.

2.3 Diagnostic and usage data

CoreTurf uses Google Firebase to collect diagnostic information automatically:

  • Crash reports: If the app crashes or encounters an unhandled error, a report is sent to Firebase Crashlytics. It includes the error message, stack trace, your device model, OS version, and app version. It does not include your name, email, location, or any lawn data.
  • Usage analytics: Firebase Analytics collects anonymous session data, such as which screens you visit and how long you use the app. This data is not linked to any personal information.

Each crash report is annotated with two categories of non-PII diagnostic context to help pinpoint the app state at the time of a crash:

  • Custom keys: whether you are signed in (is_authenticated), your subscription tier (app_tier — free or pro), the current sync status (sync_status), the device's display refresh rate (device_refresh_rate), and a one-way hashed identifier for the currently selected site (active_site_id, hashed so the original site identifier cannot be recovered).
  • Breadcrumbs: a short rolling log of recent in-app navigation, sync events (push/pull start, success, failure), and high-level user actions (logging an application, logging a mow, adding a product). Breadcrumbs do not include lawn data, product names, site names, or any free-text you have entered.

None of these values include personal identifiers, precise location, or the contents of your lawn data. This diagnostic data is used only to fix bugs and understand feature usage, and is processed by Google LLC under their Firebase terms of service.

2.4 Bug reports

CoreTurf includes an in-app bug reporting feature in Settings. When you submit a report, the following may be included:

  • Description: the text you type describing the issue
  • Diagnostics (opt-in, on by default): device model, OS version, app version, build number, sync status, and subscription tier. No lawn data, product names, or site details.
  • Screenshot (optional): an image you choose to attach. No other photos are accessed.
  • Email address (opt-in, on by default if signed in): your account email, so we can follow up

Reports are sent via a Supabase Edge Function. The text portion (description, diagnostics, email) is stored as an issue in a private GitHub repository accessible only to the CoreTurf development team. If you attach a screenshot, the image file is committed to the same private repository and embedded in the GitHub issue. The screenshot is only visible to people with read access to that repository (CoreTurf maintainers). You can turn off any optional field before submitting.

2.5 Beta application form

If you submit a beta tester application via the form at coreturf.app/beta, the following is collected:

  • Your first name and email address
  • Your preferred platform (Android, iOS, or both)
  • Your grass type and state/territory
  • Any notes you optionally add about your lawn program

This data is submitted through Netlify Forms and stored on Netlify's servers. It is accessible only to CoreTurf (K-Tech Industrial Pty Ltd) and is used only to assess beta applications and contact applicants. It is not shared with any third party and is not used for advertising or profiling. Netlify's privacy policy is at netlify.com/privacy.

2.6 Lawn and application data

All data you enter — site details, lawn profiles, product inventory, spray records, mowing records, treatment protocols, and settings — is stored in a local database on your device. If you create a CoreTurf account and enable Cloud Backup, this data is also uploaded to Supabase (see Section 4.4) so it can be restored on a new device. Without an account, nothing is uploaded.

2.7 Account data

Creating a CoreTurf account is optional — the app works fully without one. If you create an account, you can sign in using one of three methods:

  • Email and password: Supabase stores your email and a salted password hash. CoreTurf never stores your plaintext password.
  • Sign in with Google: Supabase receives your email address and Google display name via OAuth. CoreTurf does not access any other Google account information.
  • Sign in with Apple: Supabase receives your email address (or Apple's private relay address if you choose to hide your email). CoreTurf does not access any other Apple ID information.

Once you have an account, the following is stored against it:

  • Email address: used for authentication, password resets (email/password method only), and identifying your cloud data
  • Display name (optional): used to personalise your experience

Your email is not used for marketing and is not shared with any third party beyond what authentication requires.

2.8 On-device notifications

CoreTurf can schedule local reminders on your device — for example, when a product application is due or when your lawn's growth phase changes. These reminders are generated and scheduled entirely on your device; no notification content or schedule is sent to any server. On Android 13 and later this uses the POST_NOTIFICATIONS permission; on iOS it uses the standard notification authorization. You can turn notifications off at any time in the app's Settings or in your device's system settings.

3. How We Use Your Information

Data Purpose
GPS coordinates Sent to Open-Meteo to fetch weather and soil temperature for your site. Sent to BigDataCloud if the device geocoder can't resolve a suburb name.
Photos (Sites) Displayed in the app for your reference. Not transmitted.
Photos and video (LawnFlex) Stored locally for the repeat-photography and export features. LawnFlex photos also backed up to Cloudflare R2 (signed-in users, within quota).
Lawn, spray, and mow data Used to calculate GDD, generate tracker schedules, and maintain records. Uploaded to cloud if you have an account.
App settings Stored locally and, if signed in, synced to your account profile so they restore on a new device.
Bug report data Sent via Supabase Edge Function to a private GitHub repository for the CoreTurf team.
Beta application form data Sent to Netlify Forms and used to assess applications and contact applicants.
Crash reports Sent to Google Firebase Crashlytics to identify and fix errors.
Anonymous usage analytics Sent to Google Firebase Analytics to understand feature usage.
Account data (email, name) Used for authentication and identifying your cloud backup.

We don't use any of your information for advertising, profiling, or any purpose beyond running the app's features. CoreTurf contains no advertising SDKs, no third-party tracking pixels, and does not use Apple's App Tracking Transparency (ATT) framework — we do not track you across other apps or websites and we do not request permission to do so.

4. Third-Party Services

4.1 Open-Meteo

Open-Meteo is a non-profit weather project headquartered in Germany and integrated with the German Meteorological Service (DWD). When CoreTurf fetches weather data, your site's latitude and longitude are sent to Open-Meteo's servers. The free public API routes requests via GeoDNS to the closest server cluster, which may be in Europe (typically Germany) or North America (United States or Canada) depending on your location.

Open-Meteo does not require an account and does not associate received coordinates with any individual. Their privacy policy is at open-meteo.com/en/terms.

4.2 Netlify

Netlify, Inc. hosts the CoreTurf website and handles beta application form submissions. Form data is transmitted to and stored on Netlify's servers. Netlify's privacy policy is at netlify.com/privacy.

4.3 Google Firebase

Google Firebase is a mobile platform provided by Google LLC, a United States company. Crash reports and analytics events are processed on Google infrastructure in the United States. CoreTurf uses two Firebase services:

  • Firebase Crashlytics: receives automatic crash reports as described in Section 2.3. Data is processed by Google under their Privacy Policy.
  • Firebase Analytics: receives anonymous usage data (screen views, session duration). Data is aggregated and not linked to any individual.

Google's privacy policy is at policies.google.com/privacy. Firebase's terms are at firebase.google.com/terms.

4.4 Supabase

Supabase is a cloud platform used for authentication and cloud data backup. If you create a CoreTurf account:

  • Your email and authentication credentials are processed by Supabase for sign-in and session management
  • If you sign in with Google, Supabase receives your Google display name and email via the OAuth flow
  • Your lawn data may be backed up to Supabase's hosted PostgreSQL database so you can restore it on a new device

CoreTurf's Supabase project is hosted in the Sydney, Australia (ap-southeast-2) region. Your data is stored in Australian data centres. Supabase Inc. is a United States company; account credentials, support metadata, and Edge Function logs may be processed at their United States support and engineering tier. See Section 8 for cross-border disclosure under Australian Privacy Principles.

Supabase's privacy policy is at supabase.com/privacy.

4.5 GitHub

When you submit a bug report through the in-app feature, the text portion is sent via a Supabase Edge Function to the GitHub Issues API and stored as an issue in a private repository accessible only to the CoreTurf team. If you attach a screenshot, the image is committed to the same private repository and embedded in the GitHub issue (see Section 2.4 for details). GitHub is operated by GitHub Inc. (a Microsoft company). GitHub's privacy statement is at docs.github.com/en/site-policy/privacy-policies.

4.6 BigDataCloud

BigDataCloud is operated by Big Data Cloud Pty Ltd, an Australian company. When you tap "Use current location" during site setup, CoreTurf first tries to resolve your suburb using your device's built-in geocoder. If that fails (on some devices or when the OS geocoder is unavailable), it falls back to BigDataCloud's free reverse-geocoding endpoint. Your latitude and longitude are sent to api.bigdatacloud.net to return your suburb, state, and country.

This only happens when you explicitly tap "Use current location" — never in the background. BigDataCloud does not require an account or API key for this endpoint and does not associate received coordinates with any individual. Their privacy policy is at bigdatacloud.com/privacy-and-cookie-policy.

4.7 Cloudflare R2 (LawnFlex Photo Storage)

If you are signed in to a CoreTurf account and have not exceeded your photo backup quota, your LawnFlex photos are stored in Cloudflare R2, an object storage service operated by Cloudflare, Inc. (a US company). Cloudflare R2 stores data on Cloudflare's global edge network; the specific physical region may vary. We disclose this as a cross-border data transfer for the purposes of Australian Privacy Principle 8.

Each photo is uploaded over HTTPS and stored at a path scoped to your unique user identifier. Access is limited to your authenticated CoreTurf session via short-lived (15-minute) presigned URLs issued by our backend; no other user can access your photos.

Cloudflare's privacy policy is available at cloudflare.com/privacypolicy.

4.8 Typography fonts

All typefaces used in CoreTurf (Fraunces, IBM Plex Sans, DM Mono) are bundled directly within the app. No network request is made to Google Fonts or any other font server at any time.

5. Data Storage and Security

Local data

All CoreTurf lawn data (sites, products, spray records, mow records, photos, settings) is stored locally on your device using SQLite (via the Drift library) and your device's key-value storage system (Android SharedPreferences / iOS NSUserDefaults). The security of local data depends on your device's own protections: screen lock, device encryption, and app sandboxing enforced by the OS.

Excluded from device-level cloud backup

CoreTurf explicitly excludes its local database and LawnFlex photos from Android Auto Backup, Android device-transfer, and iOS iCloud / Finder backup. Your CoreTurf data therefore never syncs to your Google or Apple account, never counts against your iCloud storage quota, and is not restored automatically when you set up a new device. To carry your data to a new device, sign in with the same CoreTurf account on the new device and let Cloud Backup & Sync restore it.

LawnFlex photo cloud backup

Photos taken in LawnFlex (within your free or Pro quota) are uploaded to Cloudflare R2 over HTTPS and stored at a per-user path. They are encrypted in transit (TLS 1.2+) and at rest (Cloudflare-managed AES-256). See Section 4.7.

Account credentials

If you create a CoreTurf account, authentication tokens are stored securely using Android Keystore or iOS Keychain. They are never stored in plaintext.

Cloud data

If you have an account, your data may be backed up to Supabase's PostgreSQL database. Data is encrypted in transit (TLS) and at rest (AES-256) by Supabase's infrastructure. Row-level security policies ensure each user can only access their own data.

Crash reports and anonymous analytics are transmitted to Google Firebase as described in Sections 2.3 and 4.3.

We recommend keeping your device's OS up to date.

6. Data Retention and Deletion

We retain personal information only for as long as needed to deliver the service or meet legal obligations, then delete or de-identify it. The table below summarises retention for each category covered by this policy.

Data category Retention Trigger to delete
Account email + password hash + OAuth tokens Until account deletion User taps Settings > Account > Delete Account
Cloud-synced lawn data (sites, lawns, products, applications, mows, photos, settings) Until account deletion Same
Local lawn data + LawnFlex photos on device While app is installed Uninstall or Clear Data
Crash reports (Crashlytics + custom keys + breadcrumbs) 90 days (Google Firebase default) Auto-expired by Firebase
Anonymous usage analytics (Firebase Analytics) 14 months for event data, 60 days for installation IDs (Google defaults) Auto-expired by Firebase
Bug report (GitHub issue + diagnostics + optional screenshot) While the issue is open + 90 days after the issue is closed Issue close + lifecycle expiry
Weather + reverse-geocoding requests (Open-Meteo, BigDataCloud) Not retained beyond the request itself per their stated policies n/a

Local data

To delete all local CoreTurf data on Android:

  • Uninstall the app. Android removes all app data when uninstalled.
  • Or go to Settings > Apps > CoreTurf > Storage > Clear Data.

To delete all local CoreTurf data on iOS:

  • Delete the app from your device. iOS removes all app data when you delete an app.
  • Or go to Settings > General > iPhone Storage > CoreTurf > Delete App.

Account and cloud data

If you have a CoreTurf account, go to Settings > Account > Delete Account to permanently delete your account and all associated cloud data. This removes your Supabase authentication record, all synced lawn data, and all backed-up LawnFlex photos from Cloudflare R2 storage. It cannot be undone.

Deleting your account does not remove local data from your device — use the steps above to clear that separately.

7. Children's Privacy

CoreTurf is intended for users aged 16 and over. We do not knowingly collect personal information from anyone under 16. If you believe a person under 16 has created an account or submitted information through the app, contact us at contact@coreturf.app and we will delete the account and any associated data.

Note: the Google Play and Apple App Store listings target an 18+ audience because CoreTurf includes references to chemical lawn products. The 16+ floor in this policy applies to the data we accept; the 18+ store rating reflects the content classification.

8. Your Rights (Australian Privacy Principles)

K-Tech Industrial Pty Ltd is an Australian entity operating under the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs).

If you use CoreTurf without an account, no personal information is collected or transmitted to K-Tech Industrial Pty Ltd, so most APP obligations don't apply in practice.

If you have an account:

  • APP 1 (Transparency): This policy describes all data handling practices.
  • APP 6 (Use and disclosure): Your account data is used only for authentication. Your lawn data is backed up only for your own restoration. Neither is shared with third parties for marketing.
  • APP 8 (Cross-border disclosure): When you use cloud-dependent features, your data may leave Australia and be processed in: United States (Supabase support tier, Firebase, Open-Meteo via GeoDNS routing, Cloudflare R2 global edge network), Germany (Open-Meteo headquarters and primary European server cluster), and other European or North American locations where Open-Meteo's GeoDNS routes free-tier API requests. Where data is processed outside Australia, we rely on contractual safeguards (Standard Contractual Clauses, vendor data-processing agreements) consistent with APP 8.2.
  • APP 11 (Security): Account credentials are encrypted on-device (Android Keystore / iOS Keychain). Cloud data is encrypted in transit (TLS) and at rest (AES-256).
  • APP 12 (Access and correction): You can view all your data in the app. To request a copy of, or correction of, the personal information we hold, email contact@coreturf.app. We commit to acknowledge your request within 7 days and respond substantively within 30 days. If we cannot honour a request (for example, where it would breach another person's privacy or a legal obligation), we will explain why in writing within the same window.
  • APP 13 (Correction): You can update your data directly in the app.

If you have questions about how your data is handled, or believe this policy has not been followed, contact us at contact@coreturf.app. You also have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, the "Last updated" date at the top of this page changes. If the changes are material, we'll display a notice within the app.

Continued use of the app after a policy change means you accept the updated terms.

10. Contact Us

For questions, concerns, or requests about this Privacy Policy, contact us:

K-Tech Industrial Pty Ltd

This Privacy Policy applies to the CoreTurf Android and iOS application. It does not apply to third-party websites or services linked from within the app.