Legal · CoreTurf

Privacy Policy

How CoreTurf handles your data. Short version: your lawn data stays on your device unless you opt in to cloud backup.

Lawn data on your device by default
Optional account for cloud backup
No advertising or tracking
Cloud data stored in Sydney, Australia
Note · Internal Testing

This policy is in place for the Play Store internal testing track soft launch. It accurately reflects the app's current data handling. Before any public or commercial release, have this document reviewed by a solicitor familiar with Australian Privacy Law.

1. Introduction

CoreTurf ("the app") is a lawn care application developed and operated by K-Tech Industrial Pty Ltd ("we", "us", "our").

CoreTurf helps lawn owners track growing degree days (GDD), manage products and inventory, log spray applications and mowing records, and monitor lawn health over time with guided repeat photography.

This Privacy Policy explains what information CoreTurf collects, how it is used, and your rights. By using the app, you agree to the practices described here.

2. Information We Collect

2.1 Location data

When you add a new site or tap "Use current location," the app requests your device's GPS coordinates to fetch weather forecasts and soil temperature data for that location.

You can enter a suburb or postcode manually instead. If you use "Use current location" and the device's built-in geocoder cannot resolve a suburb name, your coordinates are sent to BigDataCloud as a fallback (see Section 4.6). Location coordinates are stored on your device as part of your site records and are not collected by K-Tech Industrial.

2.2 Photos and video

CoreTurf uses your camera or photo library in three ways:

  1. Photo strip (Sites): You can select or capture photos to attach to your lawn sites through the system's standard media picker.
  2. LawnFlex progress tracking: The LawnFlex feature has direct camera access to capture sequential photos of your lawn for guided repeat-photography comparison over time.
  3. LawnFlex video export: When you tap "Save to Photos" after generating a time-lapse or before/after video, CoreTurf writes that file to your device's Photos library. All video processing happens on-device. No photo or video data is sent to any server.

Photos and videos are stored locally on your device only in the app's private storage directory. They are never transmitted to us or any third party.

2.3 Diagnostic and usage data

CoreTurf uses Google Firebase to collect diagnostic information automatically:

  • Crash reports: If the app crashes or encounters an unhandled error, a report is sent to Firebase Crashlytics. It includes the error message, stack trace, your device model, OS version, and app version. It does not include your name, email, location, or any lawn data.
  • Usage analytics: Firebase Analytics collects anonymous session data, such as which screens you visit and how long you use the app. This data is not linked to any personal information.

Crash reports also attach a small set of non-personal context values ("custom keys"): the current screen name, the timestamp of your last successful sync, and your subscription tier. These help identify the app state at the time of a crash.

This data is used only to fix bugs and understand feature usage. It is processed by Google LLC under their Firebase terms of service.

2.4 Bug reports

CoreTurf includes an in-app bug reporting feature in Settings. When you submit a report, the following may be included:

  • Description: the text you type describing the issue
  • Diagnostics (opt-in, on by default): device model, OS version, app version, build number, sync status, and subscription tier. No lawn data, product names, or site details.
  • Screenshot (optional): an image you choose to attach. No other photos are accessed.
  • Email address (opt-in, on by default if signed in): your account email, so we can follow up

Reports are sent via a Supabase Edge Function to a private GitHub repository accessible only to the CoreTurf development team. You can turn off any optional field before submitting.

2.5 Beta application form

If you submit a beta tester application via the form at coreturf.app/beta, the following is collected:

  • Your first name and email address
  • Your preferred platform (Android, iOS, or both)
  • Your grass type and state/territory
  • Any notes you optionally add about your lawn program

This data is submitted through Netlify Forms and stored on Netlify's servers. It is accessible only to CoreTurf (K-Tech Industrial Pty Ltd) and is used only to assess beta applications and contact applicants. It is not shared with any third party and is not used for advertising or profiling. Netlify's privacy policy is at netlify.com/privacy.

2.6 Lawn and application data

All data you enter — site details, lawn profiles, product inventory, spray records, mowing records, treatment protocols, and settings — is stored in a local database on your device. If you create a CoreTurf account and enable Cloud Backup, this data is also uploaded to Supabase (see Section 4.4) so it can be restored on a new device. Without an account, nothing is uploaded.

2.7 Account data

Creating a CoreTurf account is optional. The app works fully without one. If you create an account:

  • Email address: used for authentication and password resets
  • Display name (Google sign-in only): your name from your Google account, used to personalise the app

Your email is not used for marketing and is not shared with any third party beyond what authentication requires.

3. How We Use Your Information

Data Purpose
GPS coordinates Sent to Open-Meteo to fetch weather and soil temperature for your site. Sent to BigDataCloud if the device geocoder can't resolve a suburb name.
Photos (Sites) Displayed in the app for your reference. Not transmitted.
Photos and video (LawnFlex) Stored locally for the repeat-photography and export features. Not transmitted.
Lawn, spray, and mow data Used to calculate GDD, generate tracker schedules, and maintain records. Uploaded to cloud if you have an account.
App settings Stored locally and, if signed in, synced to your account profile so they restore on a new device.
Bug report data Sent via Supabase Edge Function to a private GitHub repository for the CoreTurf team.
Beta application form data Sent to Netlify Forms and used to assess applications and contact applicants.
Crash reports Sent to Google Firebase Crashlytics to identify and fix errors.
Anonymous usage analytics Sent to Google Firebase Analytics to understand feature usage.
Account data (email, name) Used for authentication and identifying your cloud backup.

We don't use any of your information for advertising, profiling, or any purpose beyond running the app's features.

4. Third-Party Services

4.1 Open-Meteo

Open-Meteo is a free, open-source weather API. When CoreTurf fetches weather data, your site's latitude and longitude are sent to Open-Meteo's servers to retrieve the relevant forecast and soil temperature readings. Open-Meteo does not require an account and does not associate received coordinates with any individual. Their privacy policy is at open-meteo.com/en/terms.

4.2 Netlify

Netlify, Inc. hosts the CoreTurf website and handles beta application form submissions. Form data is transmitted to and stored on Netlify's servers. Netlify's privacy policy is at netlify.com/privacy.

4.3 Google Firebase

Google Firebase is a mobile platform provided by Google LLC. CoreTurf uses two Firebase services:

  • Firebase Crashlytics: receives automatic crash reports as described in Section 2.3. Data is processed by Google under their Privacy Policy.
  • Firebase Analytics: receives anonymous usage data (screen views, session duration). Data is aggregated and not linked to any individual.

Google's privacy policy is at policies.google.com/privacy. Firebase's terms are at firebase.google.com/terms.

4.4 Supabase

Supabase is a cloud platform used for authentication and cloud data backup. If you create a CoreTurf account:

  • Your email and authentication credentials are processed by Supabase for sign-in and session management
  • If you sign in with Google, Supabase receives your Google display name and email via the OAuth flow
  • Your lawn data may be backed up to Supabase's hosted PostgreSQL database so you can restore it on a new device

CoreTurf's Supabase project is hosted in the Sydney, Australia (ap-southeast-2) region. Your data is stored in Australian data centres. Supabase is a US-based company, and some authentication processing may involve their US infrastructure. See Section 8 for cross-border disclosure under Australian Privacy Principles.

Supabase's privacy policy is at supabase.com/privacy.

4.5 GitHub

When you submit a bug report through the in-app feature, the report is sent via a Supabase Edge Function to the GitHub Issues API and stored as an issue in a private repository accessible only to the CoreTurf team. GitHub is operated by GitHub Inc. (a Microsoft company). GitHub's privacy statement is at docs.github.com/en/site-policy/privacy-policies.

4.6 BigDataCloud

When you tap "Use current location" during site setup, CoreTurf first tries to resolve your suburb using your device's built-in geocoder. If that fails (on some devices or when the OS geocoder is unavailable), it falls back to BigDataCloud's free reverse-geocoding endpoint. Your latitude and longitude are sent to api.bigdatacloud.net to return your suburb, state, and country.

This only happens when you explicitly tap "Use current location" — never in the background. BigDataCloud does not require an account or API key for this endpoint and does not associate received coordinates with any individual. Their privacy policy is at bigdatacloud.com/privacy-and-cookie-policy.

4.7 Typography fonts

All typefaces used in CoreTurf (Fraunces, IBM Plex Sans, DM Mono) are bundled directly within the app. No network request is made to Google Fonts or any other font server at any time.

5. Data Storage and Security

Local data

All CoreTurf lawn data (sites, products, spray records, mow records, photos, settings) is stored locally on your device using SQLite (via the Drift library) and your device's key-value storage system (Android SharedPreferences / iOS NSUserDefaults). The security of local data depends on your device's own protections: screen lock, device encryption, and app sandboxing enforced by the OS.

Account credentials

If you create a CoreTurf account, authentication tokens are stored securely using Android Keystore or iOS Keychain. They are never stored in plaintext.

Cloud data

If you have an account, your data may be backed up to Supabase's PostgreSQL database. Data is encrypted in transit (TLS) and at rest (AES-256) by Supabase's infrastructure. Row-level security policies ensure each user can only access their own data.

Crash reports and anonymous analytics are transmitted to Google Firebase as described in Sections 2.3 and 4.3.

We recommend keeping your device's OS up to date.

6. Data Retention and Deletion

Local data

To delete all local CoreTurf data on Android:

  • Uninstall the app. Android removes all app data when uninstalled.
  • Or go to Settings > Apps > CoreTurf > Storage > Clear Data.

To delete all local CoreTurf data on iOS:

  • Delete the app from your device. iOS removes all app data when you delete an app.
  • Or go to Settings > General > iPhone Storage > CoreTurf > Delete App.

Account and cloud data

If you have a CoreTurf account, go to Settings > Account > Delete Account to permanently delete your account and all associated cloud data. This removes your Supabase authentication record and all synced lawn data. It cannot be undone.

Deleting your account does not remove local data from your device — use the steps above to clear that separately.

7. Children's Privacy

CoreTurf is not directed at children under 13. We don't knowingly collect information from children. If you believe a child has provided information through the app, contact us at contact@coreturf.app and we'll take appropriate steps.

8. Your Rights (Australian Privacy Principles)

K-Tech Industrial Pty Ltd is an Australian entity operating under the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs).

If you use CoreTurf without an account, no personal information is collected or transmitted to K-Tech Industrial Pty Ltd, so most APP obligations don't apply in practice.

If you have an account:

  • APP 1 (Transparency): This policy describes all data handling practices.
  • APP 6 (Use and disclosure): Your account data is used only for authentication. Your lawn data is backed up only for your own restoration. Neither is shared with third parties for marketing.
  • APP 8 (Cross-border disclosure): Supabase Inc. is incorporated in the United States. CoreTurf's database is hosted in Supabase's Sydney data centre, so your lawn data is stored in Australia. Authentication processing may involve Supabase's US infrastructure. Google Firebase (US-based) processes crash reports and analytics. By creating an account, you consent to this limited cross-border processing.
  • APP 11 (Security): Account credentials are encrypted on-device (Android Keystore / iOS Keychain). Cloud data is encrypted in transit (TLS) and at rest (AES-256).
  • APP 12 (Access): You can view all your data in the app. To request a copy of your cloud data, contact us below.
  • APP 13 (Correction): You can update your data directly in the app.

If you have questions about how your data is handled, or believe this policy has not been followed, contact us at contact@coreturf.app. You also have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, the "Last updated" date at the top of this page changes. If the changes are material, we'll display a notice within the app.

Continued use of the app after a policy change means you accept the updated terms.

10. Contact Us

For questions, concerns, or requests about this Privacy Policy, contact us:

K-Tech Industrial Pty Ltd

This Privacy Policy applies to the CoreTurf Android and iOS application. It does not apply to third-party websites or services linked from within the app.