Privacy & security
Our approach to protecting growers and being clear about limits.
Mission
Growers Notebook is a community for cannabis home growers: a trust-centered place to share notebooks, tips, strains, nutrients, and conversations with fellow growers. We work to reduce unnecessary exposure of your data in the product, and to say plainly what we cannot promise (for example, full anonymity on the public internet).
Security protocols
- Uploaded photos (posts, comments, messages, avatars) are re-encoded in your browser to JPEG before storage, which removes EXIF and most embedded image metadata from those files. Videos are not stripped the same way. Images you only link to from other sites are unchanged.
- Transport: we use HTTPS for the site and API in production.
- Database access: Row Level Security is enabled on public tables in Postgres so the public Supabase API key cannot bulk-read private application data; the API server uses a privileged database role for writes. (Direct message content is not exposed through Supabase Realtime.)
- Audit logs: when the API records mutating requests for moderation, client IP is stored in a truncated form (rough network area), not a full address.
- Optional hardening: for stronger network privacy, consider the Tor Browser. It does not make you anonymous to us when you are signed in, and some auth flows may be harder on Tor.
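
An added example, not Growers Notebook's own code: a Node.js check that a stored JPEG's header carries no EXIF, XMP, IPTC or comment segment, the property the photo re-encoding item above describes. The function names and sample bytes are constructed for illustration, and the check covers only the segments before the scan data.

```javascript
// Added example: report metadata segments in a JPEG header (Node.js, no dependencies).
function classify(marker, payload) {
  const startsWith = (s) => payload.subarray(0, s.length).toString("latin1") === s;
  if (marker === 0xe1 && startsWith("Exif\0\0")) return "EXIF";
  if (marker === 0xe1 && startsWith("http://ns.adobe.com/xap/1.0/\0")) return "XMP";
  if (marker === 0xed && startsWith("Photoshop 3.0\0")) return "IPTC";
  if (marker === 0xfe) return "COMMENT";
  return null; // JFIF APP0, quantization tables, etc. are not metadata of interest
}

function findJpegMetadata(buf) {
  if (buf.length < 4 || buf[0] !== 0xff || buf[1] !== 0xd8) {
    throw new Error("not a JPEG (missing SOI marker)");
  }
  const found = [];
  let pos = 2;
  while (pos + 4 <= buf.length) {
    if (buf[pos] !== 0xff) throw new Error(`bad marker at offset ${pos}`);
    const marker = buf[pos + 1];
    if (marker === 0xff) { pos += 1; continue; }   // fill byte before a marker
    if (marker === 0xda || marker === 0xd9) break;  // SOS or EOI: header is over
    const len = buf.readUInt16BE(pos + 2);          // length field counts itself
    if (len < 2 || pos + 2 + len > buf.length) throw new Error("truncated segment");
    const kind = classify(marker, buf.subarray(pos + 4, pos + 2 + len));
    if (kind) found.push({ kind, offset: pos, length: len });
    pos += 2 + len;
  }
  return found;
}

// Constructed sample data (not real uploads): minimal headers with and without EXIF.
function segment(marker, payload) {
  const head = Buffer.from([0xff, marker, 0, 0]);
  head.writeUInt16BE(payload.length + 2, 2);
  return Buffer.concat([head, payload]);
}
const SOI = Buffer.from([0xff, 0xd8]);
const SOS = Buffer.from([0xff, 0xda, 0x00, 0x02]);
const jfif = segment(0xe0, Buffer.from("JFIF\0\x01\x01\0\0\x01\0\x01\0\0", "latin1"));
const exif = segment(0xe1, Buffer.from("Exif\0\0MM\0*\0\0\0\x08", "latin1"));
const cameraUpload = Buffer.concat([SOI, jfif, exif, SOS]);
const reencoded = Buffer.concat([SOI, jfif, SOS]);

console.log(findJpegMetadata(cameraUpload)); // one EXIF entry
console.log(findJpegMetadata(reencoded));    // empty list
```

Run against files as stored, a non-empty result means an image reached storage without passing through the re-encoding step.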
Privacy overview
This section summarizes what the service processes. Formal legal text may be added or updated with counsel.
- Who we are: the operator of Growers Notebook (entity / contact to be listed in official policy).
- What we collect: account and profile data from Supabase Auth (e.g. email), content you post, votes, follows, messages you send, notebook data, and technical data needed to run the service (including truncated IPs in audit events for mutating API requests).
- Cookies & analytics: session and preferences; optional privacy-oriented analytics (e.g. Plausible) if enabled for the deployment—first-party, no cross-site ad profiles.
- International transfers: hosting and database providers may process data in the United States or other regions depending on your project configuration.
- Vendor logging: infrastructure providers (e.g. host, database) may keep their own access and security logs, including connection metadata, according to their policies and retention.
- Limits: we cannot fully guarantee confidentiality of content you post or send—treat public areas as public. You are responsible for using the service lawfully.