Privacy

Saved Journal data, plainly explained.

Effective from 1 May 2026. This policy applies to Kitchen Journal, Garden Journal, and Home Journal in ChatGPT.

Data portal: /portal Privacy contact: privacy@colorfactory.studio

Operator

The data controller for the Garden Bud, Kitchen Journal and Home Journal apps in ChatGPT is Jim Bending, an individual UK developer trading as colorfactory.studio. Personal site: https://www.jimbending.com.

Contact for privacy matters: privacy@colorfactory.studio.

UK ICO data-protection fee status: per the ICO's data-protection fee self-assessment, sole-trader operators not yet processing personal data through live customer-facing services are exempt from the annual fee. The operator will register with the ICO and update this notice as soon as the apps begin processing data on behalf of real users in the OpenAI Apps Directory. Anyone using the apps in any form is processed under the minimal-storage practices described below.

What We Store

For each ChatGPT user who connects one of the Journal apps we store, on a server controlled by the operator (Vercel Blob storage keyed by the anonymous identifier described below):

An anonymous user identifier supplied by ChatGPT — the openai/subject value. This identifier is stable per ChatGPT account but contains no name, email, or contact details. We never link it to a real-world identity.
For each item you ask the app to add: the item name (a short noun phrase you or ChatGPT chose, e.g. "tomato plant"), an optional one-line evidence note, the inferred type or category, a confidence score, the item's status (active / done / archived), an internally-generated item id, and timestamps for when the item was first added and last updated.
Photo handles, not photo bytes. When you attach a photo to chat for an item, ChatGPT itself stores the photo via its host file system; we receive only the opaque photoFileId reference (an identifier shaped like file-...), the optional MIME type (e.g. image/jpeg), and the optional original filename. We never download or persist the photo bytes. The widget renders the photo by asking ChatGPT to resolve the photoFileId back to a temporary signed URL at display time.
Photo history, up to 10 entries per item. When you re-photograph the same plant or item under the same name, the new photo's photoFileId reference is added to a per-item photoHistory array (newest first), capped at ten entries; older entries are dropped. Each history entry holds the photoFileId, optional MIME type, optional filename, and the timestamp the photo was added. Again — only the references, never the bytes.
Inventory-level metadata: the schema version of your stored data, a monotonically increasing version counter (used to make sure widget updates ingest in order), the app key (kitchen / garden / home), and the timestamp of the most recent change.

The total store per user is typically a few kilobytes of plain text per app, scaling linearly with the number of items you save.

What We Send Back To ChatGPT (and you)

Every tool call we serve returns a small JSON object (structuredContent) the ChatGPT widget renders. The fields are:

state — what just happened (added / updated / removed / loaded / etc.)
items — a snapshot (capped at 50) of your current items, each with the fields listed above
version — the server's monotonic version counter for your data after this operation
serverTime — the ISO timestamp when the server processed the request
subject — the anonymous identifier echoed back so the widget can confirm it's reading the right data
schemaVersion — the inventory schema version
message — a short human-readable status string
Operation-specific extras — for example a removedItemName on a remove call, or a keptItemName / mergedFromName on a merge call

The structuredContent never contains text you did not type or photo bytes you did not attach. It is reflected back to the model so it can answer follow-up questions about what's in your Journal.

What We Do Not Store

We do not collect or store your name, email address, postal address, phone number, payment details, location (no IP-derived geolocation, no GPS, no platform-coarse geolocation), biometric data, health data, browsing history, advertising identifiers, or any government identifiers. We do not store the original photo bytes you attach in chat — only the opaque photoFileId reference described above. We do not store any portion of your conversation with ChatGPT outside the explicit fields you asked the app to record. We do not link the anonymous identifier supplied by ChatGPT to any real-world identity.

Photo Handling — In Detail

When you attach a photo to a chat message, ChatGPT uploads it to its own host file system via the window.openai.uploadFile API. ChatGPT returns to the app an opaque file identifier shaped like file-AbC123.... The app receives this identifier as the photo argument to the add_*_item tool call. The server stores the identifier (not the bytes) against the item.

To display the photo later, the widget asks ChatGPT to resolve the identifier back to a temporary signed URL via window.openai.getFileDownloadUrl. The signed URL is loaded into an <img> element in the widget for as long as the widget is open. We do not cache the bytes server-side, and the signed URLs are short-lived (controlled by ChatGPT, not by us).

If ChatGPT expires the file identifier, the photo will quietly disappear from the widget; the rest of the item record (name, evidence, timestamps) is unaffected. If you want to remove a photo permanently, removing the whole item via the remove_*_journal_item tool drops every photoFileId reference for that item.

Policy Violation and Operator-Side Bans

OpenAI runs automated checks on every photo attached in ChatGPT for child sexual abuse material (CSAM). If OpenAI notifies the operator of a confirmed violation by a user of these apps, the operator may delete that user's saved data and add their anonymous identifier to a blocklist that prevents further use of the apps. We do not perform our own CSAM scanning — we rely on ChatGPT's host-side checks — but we cooperate with reports from OpenAI as required.

Where It Lives

Storage is on Vercel Blob, a managed object storage service operated by Vercel Inc. Vercel processes the data on our behalf as a sub-processor under its published Data Processing Addendum. Blob data is held in Vercel's infrastructure and is not made publicly available; access requires the operator's storage token.

How Long We Keep It

We keep your saved inventory for as long as you continue to use the app. When you delete an item or your full Journal, the data is moved to a private archive for 30 days to allow recovery in case of accident, then permanently purged. We do not currently take separate offsite backups; if we begin to, we will update this policy.

Your Rights Under UK GDPR

The UK General Data Protection Regulation gives you the following rights over data we hold about you:

Access. Request a copy of the data we hold about you.
Rectification. Ask us to correct data we hold.
Erasure. Ask us to delete the data.
Restriction. Ask us to stop using the data while a query is being resolved.
Portability. Ask us to export the data in a machine-readable format.
Objection. Object to our processing.

We rely on legitimate interest as the lawful basis for processing inventory data, on the basis that you have explicitly chosen to add items to your Journal and the data is the minimum needed to provide that service.

How To Exercise Your Rights

The fastest way is from inside ChatGPT, while one of the apps is connected:

Export: ask "export my Kitchen Journal" or Garden / Home. The app returns your full saved data as JSON in chat.
Delete one item: ask "remove the kettle from my Kitchen Journal". The matched item is deleted and goes to the 30-day archive.
Delete everything for an app: ask "delete my Kitchen Journal". ChatGPT will confirm before doing so. On confirmation, the entire Journal is moved to the 30-day archive then purged.

The data portal explains these access, export, and deletion paths in plain English.

For requests that cannot be satisfied through the app, including requests to recover archived data within the 30-day window, or any other UK GDPR request, email privacy@colorfactory.studio. We respond within 7 days; UK GDPR allows up to 1 month, extendable to 3 months for complex requests.

When you write to us, please include the anonymous subject identifier from a recent export_*_journal response. Without it we may not be able to identify which inventory belongs to you, because we deliberately do not link the identifier to any real-world contact details.

Complaints

If you are unhappy with how we handle your data, you can complain to the UK Information Commissioner's Office at https://ico.org.uk/make-a-complaint or by phone on 0303 123 1113.

Sub-Processors

We use the following sub-processors:

Vercel Inc. — hosting and Vercel Blob storage. https://vercel.com/legal/dpa.

We do not use advertising networks, analytics tools, or behavioural-tracking services in the apps.

Changes To This Policy

If we change what we store, where we store it, or how long we keep it, we will update this page and change the effective date at the top. Material changes will also be summarised in the change log on the colorfactory.studio site.