Privacy Policy

1. Who We Are

SoilStack is a garden planning application available at soilstack.net. SoilStack is operated as a sole proprietorship by Heath Hoffman, based in Indiana, United States. In this policy, "SoilStack," "we," "our," and "us" all refer to this same operation.

This Privacy Policy explains how we collect, use, and safeguard your information when you visit our website, create an account, subscribe to our newsletter, or otherwise interact with SoilStack.

2. We Do Not Sell Your Data

SoilStack does not sell, rent, trade, or share your personal information with third parties for commercial purposes — ever. We do not run ad networks or display third-party banner ads. We do not allow advertisers to access your data. Your garden data, email address, ZIP code, and usage history are used solely to provide you with the SoilStack service and are never monetized.

We participate in affiliate programs (Amazon Associates and Seeds Now via Refersion) which earn us a commission when you purchase products through links on our site. These programs do not give Amazon, Seeds Now, Refersion, or any other party access to your SoilStack account data, garden information, or personal details. We receive only aggregate commission reports (total clicks, total sales) — never any information about what you purchased or your accounts with those retailers.

Not a data broker. SoilStack is not a "data broker" as that term is defined in California Civil Code §1798.99.80 or in any other state's privacy law. We do not collect personal information about consumers with whom we have no direct relationship for the purpose of selling that information.

3. What We Do Not Collect

Because what we don't collect is just as important as what we do, we want to be explicit. SoilStack does not collect any of the following:

• Precise geolocation. We collect your ZIP code only. A ZIP code covers many square miles and is not considered "precise geolocation" under any state privacy law (which generally requires a radius of 1,750–1,850 feet to qualify). We never request access to your device's GPS, and we never collect street-level location data.
• Social Security numbers, driver's license numbers, passport numbers, or other government-issued identifiers.
• Financial account numbers, debit or credit card numbers, or any payment information. SoilStack is currently free to use and does not process payments.
• Health or medical information.
• Racial or ethnic origin, religious or philosophical beliefs, sexual orientation, or citizenship status.
• Biometric data (fingerprints, faceprints, voiceprints, etc.).
• Genetic data.
• Personal information from anyone we know to be a child under 13. See Section 18.
• The contents of your communications with anyone other than SoilStack support.

These categories are commonly described in state privacy laws as "sensitive personal information." SoilStack does not collect, process, sell, or share any of them.

4. Information We Collect

Information You Provide

• Account Information: When you register, we collect your name, email address, and password (stored securely using industry-standard hashing — we never store or have access to your plain-text password).
• Location Information: We collect your ZIP code to determine your USDA hardiness zone and provide location-specific planting schedules, weather forecasts, and weather-based gardening prompts. ZIP code is not precise geolocation; see Section 3.
• Garden Data: Information you create within the app, including garden area names, plant selections, plant nicknames, custom planting configurations, and task completion history.
• Harvest Data: If you use the harvest logging feature, we collect harvest weights, quantities, dates, and any notes you add.
• Product & Recipe Data: Custom product application rates, brand names, and feeding/treatment recipe configurations you create or customize.
• Seed Inventory: If you use the seed inventory feature, we collect seed names, packet counts, seeds per packet, purchase year, and any notes you add.
• Journal Entries: If you use the garden journal, we collect the text of your entries, tags, and associated weather snapshots. Journal text is encrypted at rest.
• Newsletter Subscription: If you subscribe to our newsletter, we collect your email address, optionally your ZIP code (used to derive your USDA zone for zone-specific newsletter content), and optionally your interests (such as frost alerts or seasonal planting reminders) if you select them. We also record which page on our site you subscribed from (such as the homepage footer or a specific plant page) for our own analytics. See Section 9 for full details on newsletter handling.

Information Collected Automatically

• Usage Data: We use Google Analytics to collect anonymous information about how you interact with our service, including pages visited, time spent, and general usage patterns. This data is not linked to your account.
• Device & Browser Information: Browser type, operating system, device type, and IP address. IP addresses are used for security purposes (rate limiting, abuse prevention) and to determine general geographic region for analytics. Because all traffic to SoilStack is proxied through Cloudflare (see Section 8), we log your real IP address via the CF-Connecting-IP header rather than the Cloudflare edge IP.
• Weather Prompt Decisions: When weather-based gardening prompts appear on your dashboard (such as frost warnings or rain alerts), we log which prompt was shown, what action you took (skip, keep, dismiss), the weather conditions at the time, and which tasks were affected. This data is used to prevent duplicate prompts and improve the accuracy of future suggestions.
• Task Intelligence: We log task completion patterns, consequence scores, and scheduling adjustments to improve the accuracy of future task recommendations for your garden.
• Disease Pressure Tracking: We track disease risk states for your garden areas based on observed weather conditions, including when risk levels change and any actions you take in response. This data is used to provide timely disease alerts and is deleted when you delete the associated area or account.
• Performance & Error Monitoring: We use Nightwatch (a Laravel-specific application performance monitoring service) to record performance metrics, error reports, and scheduled task execution. This helps us detect bugs and slowdowns. See Section 8.

5. How We Use Your Information

We use the information we collect to:

• Provide personalized planting schedules based on your USDA zone
• Deliver real-time weather forecasts and weather-based gardening prompts for your location
• Save and display your gardens, plants, tasks, harvests, seed inventory, and recipes
• Monitor disease pressure conditions for your garden areas based on observed weather
• Generate task calendars and exportable garden plans
• Send important service-related communications (such as email verification and password resets)
• Send newsletter updates if you have subscribed, optionally segmented by your zone or stated interests
• Improve our application based on anonymous usage patterns
• Detect and prevent abuse, fraud, and security threats
• Respond to your support requests

We do not use your personal information, garden data, or account details to select, personalize, or target affiliate product recommendations. Product recommendations on our plant and zone pages are based on general horticultural research applicable to each plant variety or growing zone, not on individual user data.

We do not run ad networks, display third-party banner ads, or allow advertisers to access your data.

We do not use automated decision-making or profiling that produces legal or similarly significant effects about you.

6. Cookies & Local Storage

We use the following technologies to enhance your experience:

• Session Cookie: Required for authentication. This encrypted cookie identifies you as a logged-in user. It is secure (HTTPS only), HTTP-only (not accessible to JavaScript), and expires when your session ends or after a period of inactivity.
• CSRF Token Cookie: A security cookie used to protect forms against cross-site request forgery attacks. This is automatically managed by our framework and is essential for your security.
• Analytics Cookies: Google Analytics uses cookies to collect anonymous usage data. You can opt out using Google's opt-out browser add-on.
• Cloudflare Cookies: Cloudflare, our CDN and security provider, may set cookies (such as __cf_bm for bot management or cf_clearance after challenge completion) to distinguish human visitors from automated traffic and to protect our site against abuse. These cookies are set by Cloudflare on our behalf and are governed by Cloudflare's Privacy Policy.
• Affiliate Cookies (Amazon): When you click an affiliate link to Amazon.com from our site, Amazon places a cookie in your browser to attribute the referral. This cookie is set by Amazon, not by SoilStack, and is governed by Amazon's Privacy Notice. SoilStack does not read, access, or control these cookies. We receive only aggregate commission reports from Amazon (total clicks, total sales) — never any information about what you purchased or your Amazon account.
• Affiliate Cookies (Seeds Now / Refersion): When you click a Seeds Now seed link from our site, the link includes a referral code that allows Refersion (Seeds Now's affiliate tracking provider) to attribute the referral after you arrive on Seeds Now's website. Refersion may set its own cookies on your browser at that point. These cookies are set by Refersion or Seeds Now, not by SoilStack, and are governed by their respective privacy policies. SoilStack does not read, access, or control these cookies. We receive only aggregate commission reports — never any information about what you purchased.
• Local Storage: We store your theme preference (light/dark mode) in your browser's local storage under the key soilstack-theme. This data never leaves your device and is not transmitted to our servers.

7. Third-Party Services

We use the following third-party services to operate SoilStack. No personally identifiable information beyond what is listed in the "Data Sent" column is shared with any of them.

Service	Purpose	Data Sent	Privacy Policy
Hetzner Cloud	Web hosting & server infrastructure	All data stored on their servers under our account; data is held at Hetzner's Ashburn, Virginia (United States) facility	hetzner.com/privacy
Cloudflare	CDN, DDoS protection, WAF, bot management; inbound email routing for support@soilstack.net; web performance analytics beacon	All HTTP traffic passes through Cloudflare edge servers; IP addresses, request headers, basic page-load metrics	cloudflare.com/privacy
Resend	Transactional and newsletter email delivery (account verification, password resets, welcome emails, broadcasts)	Recipient email address, sender name, and email content	resend.com/privacy
Nightwatch	Application performance monitoring & error tracking	Performance metrics, error stack traces, scheduled task results; we configure sampling to minimize the volume of data sent	nightwatch.io/privacy
National Weather Service (NWS)	Weather forecasts & alerts	Geographic coordinates derived from your ZIP	weather.gov/privacy
Google Analytics	Anonymous usage analytics	Page views, session data — no PII	policies.google.com
Google Fonts	Typography	Browser font requests (standard web request)	policies.google.com
CARTO	Map tile imagery	Tile requests (no user data)	carto.com/privacy
unpkg.com	Open-source library CDN (Leaflet, TopoJSON)	Static file requests (no user data)	N/A — static files only
Amazon Associates	Affiliate product links	Referral attribution via Amazon's cookie (set by Amazon on click, not by SoilStack) — no SoilStack user data is sent to Amazon	amazon.com/privacy
Seeds Now (via Refersion)	Affiliate seed links	Referral attribution via Refersion's cookie set on click (not by SoilStack) — no SoilStack user data is sent to Seeds Now or Refersion	seedsnow.com/privacy · refersion.com/privacy

IndexNow. SoilStack participates in the IndexNow protocol, an open URL-submission protocol used by Bing, Yandex, Seznam, and Naver. Once per day, our server submits a list of our public page URLs (plant pages, zone pages, etc.) to api.indexnow.org so search engines can discover new and updated pages faster. No user data is included in these submissions — only the URLs of public content on our own site.

8. Newsletter & Email Communications

SoilStack sends two kinds of email:

• Transactional emails — account verification, password resets, and similar service messages. These are sent only when triggered by an action you take, and you cannot opt out of them while you have an active account (without them, the account cannot function).
• Newsletter / broadcast emails — marketing and informational messages sent only to people who have explicitly subscribed.

Single Opt-In

We use single opt-in: when you submit your email address through our newsletter signup form, you are subscribed immediately and we send you a welcome email. This is permitted under the federal CAN-SPAM Act for our type of free, informational newsletter to United States residents. We may move to double opt-in (where you must click a confirmation link before being subscribed) in the future; the verification mechanism is already built and can be enabled at any time.

What We Store for Newsletter Subscribers

When you subscribe, we store:

• Your email address
• Your ZIP code (optional — if provided, we derive your USDA zone for zone-relevant newsletter segments)
• Your USDA zone, derived from your ZIP code if provided
• Your stated interests, if you selected any (such as frost alerts, seasonal planting reminders, etc.)
• The page on our site you subscribed from (such as the homepage footer or a specific plant page), so we can understand which content drives signups
• The date you subscribed, the date of your most recent email (if any), and your unsubscribe status
• A unique, randomly-generated unsubscribe token that allows you to unsubscribe in one click without logging in

Where Subscriber Data Is Stored

Subscriber data is stored in our own MariaDB database on our Hetzner Cloud server. We do not use a third-party email service provider (such as Mailchimp, ConvertKit, or Buttondown) to store the subscriber list. Email delivery itself is handled by Resend; Resend sees only the recipient address, sender name, and message content at the moment of sending, not the broader subscriber list.

Unsubscribe

Every marketing email includes an unsubscribe link in the footer. Clicking that link takes you to a confirmation page at soilstack.net/unsubscribe/{token}; one click on the confirmation button completes your unsubscribe. No login is required. Unsubscribe requests are honored immediately, well within the 10 business days required by CAN-SPAM. After you unsubscribe, your record is retained in a "suppressed" state so we do not accidentally email you again; you may also email support@soilstack.net to request full deletion of your subscriber record.

Physical Mailing Address

The federal CAN-SPAM Act requires marketing emails to include a valid physical postal address. Our current mailing address is available upon request by emailing support@soilstack.net; we will include a permanent mailing address in the footer of every marketing email before any broadcast is sent.

9. Security & Operational Logs

To protect the site and its users from abuse, we keep certain operational logs separate from your account data:

• Probe-attempt logs. We maintain decoy URLs that no legitimate page on SoilStack ever links to. When an automated scanner probes one of these URLs, we log the visitor's IP address, the user-agent string the browser sent, and the path requested, then return a "Not Found" response. These logs are kept short-term for security review and then automatically discarded. Legitimate visitors to SoilStack never trigger this logging.
• Temporary IP blocks. An IP address that triggers our probe-attempt detection may be temporarily blocked at our network firewall. Blocks expire automatically after a short period. Legitimate visitors are not affected.
• Content Security Policy violation reports. Modern browsers can report to our server when something on a page tries to do something the page's Content Security Policy doesn't allow (for example, an injected third-party script). Browsers may POST these reports to a dedicated endpoint on our site. We use the reports to detect and fix bugs and to detect attacks. The reports include the URL of the page, the type of resource that was blocked, and the user-agent string.
• DMARC reports. As part of email authentication, mail providers send us aggregate reports about email purporting to come from soilstack.net. These reports help us detect spoofing attempts and validate that legitimate email is reaching inboxes. The reports contain no individual recipient information.
• Application logs. Standard web-server and application logs (HTTP request method, path, response code, timestamp, IP, user-agent) are kept for a short period for debugging and security purposes. These logs are rotated daily and retained on a rolling basis.

10. Data Security

We take the security of your data seriously and implement multiple layers of protection:

Data Protection

• Password Security: Passwords are hashed using bcrypt and never stored in plain text. We cannot see or recover your password.
• Encryption in Transit: All data transmitted between your browser and our servers is encrypted using HTTPS (TLS). We enforce HTTPS through HTTP Strict Transport Security (HSTS), which instructs your browser to always use a secure connection.
• Session Encryption: Your session data is encrypted at rest, preventing tampering even if intercepted.
• Journal Entry Encryption: Journal entry text is encrypted at rest in our database using AES-256. Even in the event of a database breach, your journal content is unreadable without the application's encryption key.
• Secure Cookies: Authentication cookies are marked secure (HTTPS only), HTTP-only (inaccessible to JavaScript), and SameSite (not sent with cross-site requests), protecting against session hijacking and cross-site attacks.

Application & Network Security

• Content Security Policy: We deploy a Content Security Policy (CSP) that restricts which scripts, styles, fonts, images, and network connections the browser is allowed to load on our pages. This significantly reduces the risk of cross-site scripting (XSS) and data injection attacks. Inline scripts are authorized via per-request cryptographic nonces.
• Network-Level Filtering: All web traffic to SoilStack is proxied through Cloudflare, which provides DDoS protection, bot management, and a web application firewall. The origin server is additionally protected by a cloud firewall that accepts traffic only from Cloudflare's published IP ranges.
• Abuse Detection & IP Blocking: See Section 9 above.
• Rate Limiting: Automated request limits protect against brute-force attacks and abuse.
• Input Validation: All user-submitted data is validated server-side before processing to prevent injection attacks.
• Access Controls: Every request for user-specific data is verified to ensure you can only access your own information.
• Subresource Integrity: Third-party library files are verified using cryptographic hashes to ensure they have not been tampered with.
• Email Authentication: Our outbound email is authenticated using SPF, DKIM, and DMARC (policy: quarantine).

While we strive to protect your data using these measures, no method of transmission over the Internet or method of electronic storage is 100% secure. We continuously review and improve our security practices.

Breach notification. If a security breach affecting your personal information occurs, we will notify you and any applicable state or federal authorities in accordance with the law that applies to you and to us. Indiana law, where SoilStack is operated, requires notification of certain breaches without unreasonable delay and not more than 45 days after discovery. We are committed to honoring this and equivalent obligations in other jurisdictions.

11. Data Retention

We retain your data as follows:

Data Type	Retention Period	Notes
Account & garden data	Until account deletion	Includes areas, plants, plant nicknames, tasks, harvests, recipes, product rates
Journal entries	Until account deletion	Encrypted at rest using AES-256; soft cap of 500 entries per user
Weather prompt logs	Until account deletion	Used to prevent duplicate prompts and improve suggestions
GDD & weather snapshots	400 days (GDD) / 30 days (weather)	Automatically pruned by scheduled job; deleted on account deletion
Task intelligence logs	Until account deletion	Consequence scores, completion patterns, scheduling context
Seed inventory	Until account deletion	Seed names, packet counts, purchase year, notes
Disease risk states	Until area or account deletion	Automatically pruned after 90 days of inactivity; deleted with area
Newsletter subscriber record	Until unsubscribe and removal request	After unsubscribe, record is kept in suppressed state to prevent accidental re-emailing; email support@soilstack.net for full deletion
Probe-attempt logs	Short-term, rolling	IP, user-agent, and path of automated probe attempts only; legitimate visitors are not logged here
Temporary IP blocks	Short-term	Automatically expire
Application logs & CSP reports	Short-term, rolling	Daily rotation, retained briefly for debugging and security review
Server backups (Hetzner)	7-day rolling	Automatic daily backups by our hosting provider for disaster recovery; deleted data may persist in backups for up to 7 days before being overwritten
Affiliate referral data	Not stored by SoilStack	Referral tracking is handled entirely by Amazon and by Refersion (for Seeds Now) via their own cookies; SoilStack does not store click or purchase data
All account data on deletion	Immediately	Account deletion removes all associated data immediately and permanently from active systems; data may persist in 7-day server backups before being overwritten

12. Where Your Data Is Stored

SoilStack is operated from Indiana, United States. Your data is stored at our hosting provider's Ashburn, Virginia, United States data center facility. We do not transfer your data outside the United States as part of normal operations.

Our hosting provider, Hetzner Online GmbH, is a German company. As a corporate matter, Hetzner is subject to European Union and German law and the company maintains data centers in multiple countries. The data center where SoilStack's data is physically held, however, is in the United States.

SoilStack is intended for use by residents of the United States. We do not actively market the service to residents of the European Union, the United Kingdom, or other jurisdictions with comprehensive data protection laws, and we do not currently offer the additional rights and request mechanisms required by the General Data Protection Regulation, the United Kingdom General Data Protection Regulation, or similar laws.

13. Your Rights

Regardless of where you live, you have the following rights with respect to the personal information SoilStack holds about you:

• Access: Request a copy of the personal data we hold about you.
• Correction: Update or correct inaccurate information through your account settings.
• Deletion: Delete your account and personal data through your account settings or by contacting us.
• Export / portability: Download your garden data, task calendars, and plans in portable formats through the app's export features.
• Unsubscribe: Stop receiving marketing emails at any time, either by clicking the unsubscribe link in any newsletter or by emailing us.
• Withdraw consent: Where we process information based on your consent, you may withdraw that consent at any time.
• Non-discrimination: We will not deny you service, charge you a different price, or provide a different level of service in retaliation for exercising any of these rights.

To exercise these rights, you can use the relevant features in your account settings or contact us at support@soilstack.net. We aim to respond within 3–5 business days, and in any event no later than 45 days from the date we receive your request (or longer where state law permits an extension and we notify you of the extension).

14. California Privacy Rights (CCPA / CPRA)

The California Consumer Privacy Act, as amended by the California Privacy Rights Act, gives California residents specific rights with respect to their personal information. SoilStack does not currently meet the revenue or data-volume thresholds that make a business subject to the CCPA, but we honor the substantive rights below for California residents as a matter of good practice.

• Right to know: What categories of personal information we collect, where it comes from, why we collect it, and with whom we share it. This Privacy Policy serves as that notice.
• Right to access: Request a copy of the specific pieces of personal information we have collected about you.
• Right to delete: Request that we delete personal information we have collected from you.
• Right to correct: Request that we correct inaccurate personal information we hold about you.
• Right to opt-out of sale or sharing: SoilStack does not sell or share personal information for cross-context behavioral advertising. There is nothing to opt out of, but we honor the right.
• Right to limit use of sensitive personal information: SoilStack does not collect "sensitive personal information" as defined under California law (see Section 3). There is nothing to limit, but we honor the right.
• Right to non-discrimination for exercising any of the rights above.

Global Privacy Control (GPC). We honor opt-out preference signals such as the Global Privacy Control sent by your browser. Because we do not sell or share personal information for cross-context behavioral advertising, the GPC signal does not change how we handle your data, but we treat any GPC signal as a valid expression of your privacy preferences.

How to exercise California rights. Email support@soilstack.net with the request and a way to verify your identity (we will typically ask you to send the request from the email address associated with your SoilStack account). Authorized agents may submit requests on your behalf with written authorization.

15. Texas Privacy Rights (TDPSA)

The Texas Data Privacy and Security Act gives Texas residents specific rights with respect to their personal data. SoilStack is operated as a sole proprietorship and qualifies as a "small business" under the United States Small Business Administration's definition; under the TDPSA, small businesses are largely exempt from the law's controller obligations. However, the TDPSA does require small businesses to obtain consent before selling sensitive personal data.

SoilStack does not sell sensitive personal data. In fact, SoilStack does not collect sensitive personal data at all (see Section 3) and does not sell any personal data of any kind (see Section 2). The TDPSA's small-business consent requirement does not apply because the predicate condition (sale of sensitive data) is not present.

As a matter of good practice, we honor the substantive rights below for Texas residents regardless of whether the law requires us to:

• Right to confirm whether we process your personal data and to access that data
• Right to correct inaccuracies in your personal data
• Right to delete your personal data
• Right to data portability (a copy of your data in a portable, readable format)
• Right to opt out of the sale of your personal data (we do not sell), targeted advertising (we do not engage in this), and profiling for decisions with legal or similarly significant effects (we do not do this)

To exercise these rights, email support@soilstack.net.

16. Other State Privacy Rights

SoilStack does not currently meet the applicability thresholds of comprehensive privacy laws in Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Oregon, Delaware, New Hampshire, New Jersey, Minnesota, Nebraska, Maryland, Kentucky, or Rhode Island. As SoilStack grows we will reassess and update this Privacy Policy and our practices accordingly.

Regardless of applicability, we voluntarily honor the substantive rights described in Sections 13–15 (access, correction, deletion, portability, opt-out, non-discrimination) for residents of all U.S. states. Email support@soilstack.net to exercise these rights.

Not a data broker. SoilStack is not a registered "data broker" under California, Texas, Oregon, or Vermont data-broker registration laws, because we do not collect personal information about consumers with whom we have no direct relationship for purposes of selling that information to third parties. We do not participate in the California Privacy Protection Agency's Delete Request and Opt-out Platform (DROP) because we are not a data broker.

17. Children's Privacy

SoilStack is a general-audience website. It is not directed to children under 13 years of age, and we do not knowingly collect personal information from anyone we know to be under 13.

If you are a parent or guardian and you believe a child under 13 has created a SoilStack account or otherwise provided personal information to us, please email support@soilstack.net with the child's account email or other identifying information. We will delete the account and all associated personal information within 7 days of verifying your request, and we will not require a formal verification process beyond confirming that you are contacting us as the parent or guardian.

This commitment satisfies the notice and parental contact requirements of the Children's Online Privacy Protection Act (COPPA) for general-audience websites.

18. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the "Last updated" date at the top. For material changes that affect how we use your personal data, we will make reasonable efforts to notify registered users by email and/or by an in-app notice. We encourage you to review this policy periodically.

If a change to this policy would expand the categories of personal information we collect, the purposes for which we use it, or the parties with whom we share it, we will obtain your consent before applying that change to data we have already collected from you, to the extent required by applicable law.

19. Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights, please contact us: