Privacy Policy

This Privacy Policy (the "Policy") describes how NCOM d.o.o., a limited liability company organised under the laws of the Republic of Slovenia ("NCOM", "we", "us" or "our"), collects, uses, discloses and otherwise processes personal data in connection with the Bento Garden website located at mybentogarden.com (the "Website") and the Bento Garden mobile application (together with the Website, the "Service").

We process personal data in accordance with Regulation (EU) 2016/679 (the "General Data Protection Regulation" or "GDPR") and the Slovenian Personal Data Protection Act (Zakon o varstvu osebnih podatkov, ZVOP-2). By accessing the Service you acknowledge that you have read and understood this Policy.

The data controller responsible for the processing of your personal data is:

• NCOM d.o.o.
• Republic of Slovenia
• Email: hello@mybentogarden.com

You may contact us at the address above for any matter relating to the processing of your personal data, including the exercise of your rights under the GDPR.

Capitalised terms used in this Policy have the meaning given to them in Article 4 of the GDPR. Without limitation: "Personal Data" means any information relating to an identified or identifiable natural person; "Processing" means any operation performed on Personal Data; "Data Subject" means the natural person to whom Personal Data relates; "Processor" means a natural or legal person which processes Personal Data on behalf of the controller.

4.1 Website (mybentogarden.com)

When you interact with the Website we may collect and process the following categories of Personal Data:

• Waitlist information: the email address you submit, your declared signup intent, and the name of the Bento you have selected, where applicable.
• Demonstration form input: the Website currently includes a non-functional checkout demonstration. Any information entered into the demonstration checkout fields, including shipping details and payment-card-shaped fields, is not transmitted to us, not stored by us, and not forwarded to any payment processor. No payment is taken and no card data is captured. The demonstration exists solely to evaluate user interest and the user experience prior to the launch of a real commerce flow, which will be governed by an updated version of this Policy.
• Technical and usage data: IP address, user agent, device type, referrer, language, approximate location derived from IP, pages viewed, events triggered, timestamps and session identifiers.
• Identifiers set by analytics tools: pseudonymous identifiers assigned by PostHog and Meta Pixel (see Section 6).

4.2 Mobile Application

When you create an account in or use the Bento Garden mobile application, we may process the following categories of Personal Data:

• Account data: name, email address, email verification status, profile image, an indication of whether the account is anonymous, and authentication credentials (a hashed password or third-party identity-provider tokens).
• Session data: session token, expiry, IP address and user-agent string of the device used to log in.
• Onboarding preferences: declared experience level, available time, growing environment (for example house with garden, balcony or indoor only), and similar configuration inputs used to recommend a Bento.
• User-generated content: photographs and other media you upload to record the state of your Bento or log a visitor (for example a bee or butterfly), together with associated metadata such as MIME type and timestamps.
• Location-derived environmental data: where you consent to location use, approximate coordinates are used to retrieve weather information relevant to your Bento.
• Communication data: feedback, support requests and similar voluntary submissions.

We do not knowingly collect special categories of personal data (Article 9 GDPR), and you should not submit such data to us.

We process Personal Data only where a lawful basis under Article 6 GDPR exists. The principal purposes and corresponding legal bases are:

• Provision of the Service (creating and maintaining your account, delivering missions, storing your uploaded content) — performance of a contract to which you are a party (Article 6(1)(b) GDPR).
• Operation of the waitlist (receiving early- access requests and notifying you of launch) — performance of pre-contractual measures taken at your request (Article 6(1)(b) GDPR) and our legitimate interest in evaluating demand (Article 6(1)(f) GDPR).
• Product analytics, performance measurement and advertising-effectiveness measurement (PostHog, Meta Pixel) — your consent (Article 6(1)(a) GDPR) where required by applicable e-privacy rules, otherwise our legitimate interest in understanding and improving the Service (Article 6(1)(f) GDPR).
• AI-generated content and image interpretation (story text, mission guidance, lightweight image analysis) — performance of a contract (Article 6(1)(b) GDPR) and our legitimate interest in providing the core differentiating features of the Service (Article 6(1)(f) GDPR).
• Security, fraud prevention and abuse mitigation — our legitimate interest in protecting the Service and its users (Article 6(1)(f) GDPR).
• Compliance with legal obligations, including responses to valid requests from competent authorities — Article 6(1)(c) GDPR.

Personal Data is disclosed only to recipients that have a need to access it and that are bound by appropriate confidentiality and data-processing terms. Our principal categories of recipients are:

• PostHog Inc. — product analytics and event tracking on the Website and within the mobile application.
• Meta Platforms Ireland Limited — advertising- effectiveness measurement via the Meta Pixel embedded on the Website.
• Google LLC — generative AI inference (Google Gemini) used to produce evolving story content and milestone text.
• OpenAI, L.L.C. — generative AI inference used to produce evolving story content and to perform lightweight interpretation of user-uploaded images.
• Supabase, Inc. — managed PostgreSQL database hosting and object storage for user-uploaded media.
• Hosting and infrastructure providers used by us and our processors to operate the Service.
• Email and transactional messaging providers engaged to send service-related communications.
• Professional advisers and competent authorities where required by law.

We do not sell Personal Data and we do not disclose it for the independent commercial purposes of third parties.

Certain of our processors are established outside the European Economic Area, including in the United States. Where Personal Data is transferred to such recipients, we rely on appropriate safeguards within the meaning of Chapter V of the GDPR, in particular the Standard Contractual Clauses adopted by the European Commission, and, where applicable, the EU-U.S. Data Privacy Framework. A copy of the relevant safeguards is available on request from hello@mybentogarden.com.

We retain Personal Data only for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting or reporting requirements, and thereafter we either erase or anonymise it.

• Waitlist data is retained until you request removal or until the waitlist programme is discontinued.
• Account data and user-generated content are retained for the duration of your account. Following deletion of your account, we erase or anonymise account data within thirty (30) days, save where a longer retention period is required by applicable law.
• Session and security logs are retained for the period necessary to address security and abuse, typically not exceeding twelve (12) months.
• Analytics data is retained in accordance with the default retention configurations of PostHog and Meta Pixel.

Subject to the conditions and limitations set out in Articles 15–22 GDPR, you have the right to:

• request access to the Personal Data we hold about you;
• request rectification of inaccurate or incomplete data;
• request erasure of your data (the "right to be forgotten");
• request restriction of processing;
• request portability of data you have provided to us;
• object to processing carried out on the basis of our legitimate interests, including for direct-marketing purposes; and
• where processing is based on your consent, withdraw that consent at any time, without affecting the lawfulness of processing prior to withdrawal.

You may exercise any of these rights by contacting us at hello@mybentogarden.com. You also have the right to lodge a complaint with the Slovenian Information Commissioner (Informacijski pooblaščenec, Dunajska cesta 22, 1000 Ljubljana, Slovenia, www.ip-rs.si) or with the supervisory authority of the Member State of your habitual residence, place of work or place of the alleged infringement.

The Service is not directed to, and we do not knowingly process Personal Data of, children under sixteen (16) years of age. If you become aware that a child has provided us with Personal Data without verifiable parental consent, please contact us and we will take steps to delete such information.

We implement appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the risks for the rights and freedoms of natural persons (Article 32 GDPR). Notwithstanding such measures, no method of transmission over the internet or method of electronic storage is wholly secure, and we cannot guarantee absolute security.

The Website uses cookies and similar local-storage technologies set by analytics and advertising-measurement providers, in particular:

• PostHog — to assign a pseudonymous identifier to your browser, to record events and to enable session-level analytics.
• Meta Pixel — to attribute conversions to Meta advertising campaigns and to enable measurement and remarketing features.

You may manage cookies through your browser settings or, where a consent mechanism is presented, through the controls offered in that mechanism. Disabling cookies may impair certain features of the Service.

We do not subject Data Subjects to decisions based solely on automated processing, including profiling, that produce legal effects concerning them or similarly significantly affect them within the meaning of Article 22 GDPR. AI-generated narrative and guidance produced within the Service is informational in nature, is reviewed and refined as the Service evolves, and is not used to make legally significant decisions about you.

We may update this Policy from time to time to reflect changes in our practices, the Service, or applicable law. The updated version will be indicated by an updated "Last updated" date at the top of this page. Material changes will be brought to your attention by reasonable means, such as a notice within the Service or by email where we have your address.

Questions, comments or requests regarding this Policy or our processing of Personal Data should be addressed to: hello@mybentogarden.com.