Your data is yours.

Dear Grove is a web application that helps you document the accounts, passwords, contacts, and wishes your family would need if something happened to you. The company is a Michigan-registered entity operating the service at deargrove.com. When this policy says “we,” “us,” or “Dear Grove,” we mean that entity.

We collect only what the service needs to work. There is no marketing pixel, no analytics that identifies you individually, no tracking across other sites.

• Account information. Your email address (for sign-in) and, if you enter it, your name. We do not use passwords. You sign in with Google or a one-time email link.
• The content you create. Everything you enter in the eight guided sections: personal details, contacts, financial accounts, insurance, property, digital accounts, legal documents, and final wishes. This is the whole point of the product.
• Payment information. Stripe handles your card details directly. We never see them. We store only the Stripe customer id and a record that you paid.
• Basic technical data. IP address, browser type, and timestamps on sign-in, purchase, and share-link access. Used to prevent abuse and diagnose errors. Deleted within 90 days.
• Share-link access logs. When someone you invite opens your document, we record the timestamp and IP so you can see who accessed what. Visible to you in Settings.

We do not collect: location beyond the country level inferred from IP, contacts from your address book, social graph data, behavioral fingerprints, or anything about sites you visit outside Dear Grove.

The content you enter is encrypted with AES-256-GCM in our application layer before it touches our database. The encryption keys are managed by a key-management service and are never stored in the database alongside the ciphertext. This means:

• A full database breach reveals only encrypted bytes.
• Our own staff cannot read your content without a deliberate, audited request involving the KMS-held key.
• Every query on your data is scoped by your account id through row-level security in our database.

We use Supabase (PostgreSQL) for the database, hosted on AWS in the United States. Your data stays in the US.

Nobody except a short list of sub-processors needed to run the service. Each one sees only the narrow slice of data required for its job, and each is bound by contractual confidentiality and security obligations.

We do not sell personal information. We do not share it for advertising. We do not swap it with anyone for any reason. If a government agency serves a valid legal order for your information, we will notify you unless the order prohibits it, and we will provide only what is legally required.

Regardless of where you live, you have these rights with respect to your Dear Grove data:

• Access. See everything we have about you. Available anytime in Settings or via the Export button.
• Correct. Update any field, any time.
• Delete. One click in Settings removes your account and all associated data. Purged from backups within 30 days.
• Export. Download a password-optional PDF of your entire document at any time.
• Object or restrict. Write to privacy@deargrove.com. We will respond within 30 days.

If you live in California, the CCPA gives you the rights above plus the right to know the categories of personal information collected (listed in “What we collect”) and the right not to be discriminated against for exercising these rights.

If you live in the EU, the UK, or another jurisdiction with a GDPR-style law, the rights above apply along with your right to data portability (satisfied by the Export feature) and the right to lodge a complaint with your supervisory authority. Our legal basis for processing is contract performance (to provide the service you purchased) and legitimate interest (abuse prevention and diagnostics).

We use only what we need. There are no advertising cookies, tracking cookies, or third-party marketing pixels.

• Session cookies (HTTP-only, Secure, SameSite=Lax) keep you signed in between pages.
• CSRF tokens prevent cross-site request forgery on mutating actions.

Plausible, our analytics provider, is cookie-free by design.

Data is kept for as long as you have an account.

• When you delete your account: purged from active systems immediately; removed from backups within 30 days.
• Payment records: retained for 7 years to comply with US tax law. Stored separately, encrypted, never joined to your content.
• Share-link access logs: 90 days, then purged.
• Sign-in events: 30 days.
• Error telemetry: 30 days, scrubbed of personal content before storage.

Dear Grove is not intended for use by anyone under 18. We do not knowingly collect information from children. If you believe a child has created an account, write to privacy@deargrove.com and we will delete it promptly.

We take a defensive approach: least privilege, encryption at rest and in transit, signed webhooks, row-level security, and responsible-disclosure contact at security@deargrove.com. A detailed posture is available at /security.

No system is perfect. If a breach ever affects your data, we will notify you within 72 hours of confirming the scope, along with what happened, what data was involved, and what we are doing about it.

If we change this policy in a way that reduces your rights or expands what we collect, we will email every account holder at least 30 days before the change takes effect. Minor clarifications (typos, reformatting, new sub-processors that receive no additional data) will be noted in the “Last updated” date above.

For privacy questions: privacy@deargrove.com.

For security issues: security@deargrove.com.

For anything else: hello@deargrove.com.