Privacy Policy

Last updated: June 12, 2026

1. What We Collect

Data	When collected	Purpose	Retention
Email address	Login / subscription	Authentication; subscription management	Until account deletion
Stripe customer & subscription IDs	Checkout	Billing; access control	Until account deletion
Field observations (lat/lon, species, found/not found, date, notes)	Manual entry via map right-click	Improve model calibration; personal log	Retained; deletable on request
Server access logs (IP, user-agent, timestamp)	Every request	Security; abuse prevention	30 days rolling
Session cookie (encrypted, server-side)	Login	Keep you logged in	Session or 30 days

We do not sell, rent, or share your data with third parties other than Stripe (payment processor) and the hosting provider necessary to operate the Service.

2. Field Observation Privacy

When you log a field observation via the map, the exact GPS coordinates are stored in our PostGIS database. Your email address is never stored alongside coordinates — we use a one-way SHA-256 hash of your email as the user_id column. This means even database administrators cannot link coordinates to your identity.

Your personal observations are only visible to you via the GET /api/my_observations endpoint (authenticated). They are not shown on any public map. We may use aggregated, anonymised observation data (grid-cell counts, not pin locations) to improve the suitability model.

3. Stripe Payment Processing

All payment processing is handled by Stripe, Inc. We never receive or store your full credit card number. Stripe's privacy policy is at stripe.com/privacy. We receive from Stripe: your email address, subscription status, and billing period dates. We do not receive card numbers, CVVs, or bank account details.

4. Cookies

We use one session cookie (HTTP-only, Secure, SameSite=Lax) to maintain your login state. We do not use advertising cookies, tracking pixels, or third-party analytics.

5. Data Security

• All traffic is encrypted via TLS 1.2+ (Let's Encrypt certificate).
• The member database is stored on an encrypted SSD with restricted filesystem access.
• Stripe secrets, Flask secret key, and database credentials are stored in /etc/porcini/secrets.env (mode 600, root-readable only).
• Passwords are not stored — we use email-based authentication only.

6. Your Rights

You may request:

• Account deletion — we will delete your email, Stripe IDs, and all observations within 30 days.
• Data export — we will provide a JSON export of your observations and account metadata.
• Correction — update your email by contacting us.

Send requests to: privacy@foraging.ninja

7. Third-Party Data Sources

The maps display data from public sources. These data providers have their own privacy policies and terms:

• iNaturalist — inaturalist.org/pages/privacy
• GBIF — gbif.org/terms/privacy-policy
• PRISM Climate Group — data is public, no personal data involved
• USGS / LANDFIRE — data is public domain

8. Children's Privacy

The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, contact us and we will delete it promptly.

9. Changes to This Policy

We may update this Privacy Policy periodically. The "Last updated" date at the top will reflect changes. Continued use of the Service constitutes acceptance of the revised policy.

10. Contact

Privacy questions: privacy@foraging.ninja

---