Privacy Policy
Last updated: March 12, 2026
SoilStack ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you use our garden planning application at soilstack.net.
We Do Not Sell Your Data
SoilStack does not sell, rent, trade, or share your personal information with third parties for commercial purposes — ever. We do not display advertisements. We do not allow advertisers to access your data. Your garden data, email address, ZIP code, and usage history are used solely to provide you with the SoilStack service and are never monetized. This applies to all users, including California residents under CCPA.
1. Information We Collect
Information You Provide
- Account Information: When you register, we collect your name, email address, and password (stored securely using industry-standard hashing — we never store or have access to your plain-text password).
- Location Information: We collect your ZIP code to determine your USDA hardiness zone and provide location-specific planting schedules, weather forecasts, and weather-based gardening prompts.
- Garden Data: Information you create within the app, including garden area names, plant selections, custom planting configurations, and task completion history.
- Harvest Data: If you use the harvest logging feature, we collect harvest weights, quantities, dates, and any notes you add.
- Product & Recipe Data: Custom product application rates, brand names, and feeding/treatment recipe configurations you create or customize.
- Newsletter Subscription: If you subscribe to our newsletter, we collect your email address and the page you subscribed from.
Information Collected Automatically
- Usage Data: We use Google Analytics to collect anonymous information about how you interact with our service, including pages visited, time spent, and general usage patterns. This data is not linked to your account.
- Device Information: Browser type, operating system, and device type for optimizing your experience.
- Weather Prompt Decisions: When weather-based gardening prompts appear on your dashboard (such as frost warnings or rain alerts), we log which prompt was shown, what action you took (skip, keep, dismiss), the weather conditions at the time, and which tasks were affected. This data is used to prevent duplicate prompts and improve the accuracy of future suggestions.
2. How We Use Your Information
We use the information we collect to:
- Provide personalized planting schedules based on your USDA zone
- Deliver real-time weather forecasts and weather-based gardening prompts for your location
- Save and display your gardens, plants, tasks, harvests, and recipes
- Generate task calendars and exportable garden plans
- Send important service-related communications (such as email verification)
- Send newsletter updates if you have subscribed
- Improve our application based on anonymous usage patterns
- Respond to your support requests
We do not display advertisements or allow advertisers to access your data.
3. Cookies & Local Storage
We use the following technologies to enhance your experience:
- Session Cookie: Required for authentication. This encrypted cookie identifies you as a logged-in user. It is secure (HTTPS only), HTTP-only (not accessible to JavaScript), and expires when your session ends or after a period of inactivity.
- CSRF Token Cookie: A security cookie used to protect forms against cross-site request forgery attacks. This is automatically managed by our framework and is essential for your security.
- Analytics Cookies: Google Analytics uses cookies to collect anonymous usage data. You can opt out using Google's opt-out browser add-on.
- Local Storage: We store your theme preference (light/dark mode) in your browser's local storage. This data never leaves your device and is not transmitted to our servers.
4. Third-Party Services
We use the following third-party services. No personally identifiable information (name, email, garden data) is shared with any of them.
| Service | Purpose | Data Sent | Privacy Policy |
|---|---|---|---|
| National Weather Service (NWS) | Weather forecasts & alerts | Geographic coordinates derived from your ZIP | weather.gov/privacy |
| Google Analytics | Anonymous usage analytics | Page views, session data — no PII | policies.google.com |
| Google Fonts | Typography | Browser font requests (standard web request) | policies.google.com |
| CARTO | Map tile imagery | Tile requests (no user data) | carto.com/privacy |
| unpkg.com | Open-source library CDN (Leaflet, TopoJSON) | Static file requests (no user data) | N/A — static files only |
| InMotion Hosting | Web hosting & server infrastructure | All data stored on their servers under our account | inmotionhosting.com |
5. Data Security
We take the security of your data seriously and implement multiple layers of protection:
Data Protection
- Password Security: Passwords are hashed using bcrypt and never stored in plain text. We cannot see or recover your password.
- Encryption in Transit: All data transmitted between your browser and our servers is encrypted using HTTPS (TLS). We enforce HTTPS through HTTP Strict Transport Security (HSTS), which instructs your browser to always use a secure connection.
- Session Encryption: Your session data is encrypted at rest, preventing tampering even if intercepted.
- Journal Entry Encryption: Journal entry text is encrypted at rest in our database using AES-256. Even in the event of a database breach, your journal content is unreadable without the application's encryption key.
- Secure Cookies: Authentication cookies are marked secure (HTTPS only), HTTP-only (inaccessible to JavaScript), and SameSite (not sent with cross-site requests), protecting against session hijacking and cross-site attacks.
Application Security
- Content Security Policy: We use a Content Security Policy (CSP) that instructs browsers to only load resources from approved sources, blocking potentially malicious injected content.
- Rate Limiting: Automated request limits protect against brute-force attacks and abuse.
- Input Validation: All user-submitted data is validated server-side before processing to prevent injection attacks.
- Access Controls: Every request for user-specific data is verified to ensure you can only access your own information.
- Subresource Integrity: Third-party library files are verified using cryptographic hashes to ensure they have not been tampered with.
While we strive to protect your data using these measures, no method of transmission over the Internet or method of electronic storage is 100% secure. We continuously review and improve our security practices.
6. Data Retention
We retain your data as follows:
| Data Type | Retention Period | Notes |
|---|---|---|
| Account & garden data | Until account deletion | Includes areas, plants, tasks, harvests, recipes, product rates |
| Journal entries | Until account deletion | Encrypted at rest using AES-256 |
| Weather prompt logs | Until account deletion | Used to prevent duplicate prompts and improve suggestions |
| GDD & weather snapshots | 400 days (GDD) / 30 days (weather) | Automatically pruned by scheduled job; deleted on account deletion |
| Newsletter email | Until unsubscribe or removal request | Not linked to your account |
| All account data on deletion | Immediately | Account deletion removes all associated data immediately and permanently |
7. Your Rights
You have the right to:
- Access: Request a copy of the personal data we hold about you
- Correction: Update or correct inaccurate information through your account settings
- Deletion: Delete your account and personal data through your account settings or by contacting us
- Export: Download your garden data, task calendars, and plans in portable formats
To exercise these rights, you can use the relevant features in your account settings or contact us at the email below.
8. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- The right to know what personal information we collect and how it's used
- The right to request deletion of your personal information
- The right to opt-out of the sale of personal information (we do not sell your data)
- The right to non-discrimination for exercising your privacy rights
9. Children's Privacy
SoilStack is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately and we will delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the "Last updated" date. For material changes that affect how we use your personal data, we will make reasonable efforts to notify registered users. We encourage you to review this policy periodically.
11. Contact Us
If you have questions about this Privacy Policy or wish to exercise your rights, please contact us:
SoilStack Privacy Inquiries
Email: support@soilstack.net