Privacy Policy
Effective: April 9, 2026
1. Information We Collect
We collect personal information when you create an account, make a purchase, subscribe to our newsletter, submit a product review, use the Watch Later feature, or contact us. This includes your name, email address, shipping address, and payment details.
We also automatically collect technical data such as your IP address, browser type, device information, usage patterns, and approximate location through cookies and similar technologies.
Account Registration
You may create an account using your email and password or by signing in with Google OAuth. When you use Google sign-in, we receive your name, email address, and profile picture from Google. We do not access any other Google account data.
Product Reviews
When you submit a product review, we collect your name, email address, rating, and review text. Your email is used for verification only and is never displayed publicly. Reviews are moderated before being published.
Watch Later & Preferences
If you save videos or articles to your Watch Later list, this data is stored locally in your browser (localStorage). If you are signed in, your Watch Later list is synced to your account so it is available across devices. We also store your currency preference and learning progress locally in your browser.
Strain Database & Tools
When you browse the strain database, use the Strain Finder quiz, or use the Dosage Calculator, no personal data is collected or stored on our servers. Quiz answers are used only to generate results in your browser and are not retained. The Sesh Timer stores your playlist selection, volume preference, and timer-music link state in localStorage.
2. How We Use Your Information
Your information is used to process orders and payments, send order confirmations and shipping updates, deliver marketing communications (with your consent), improve our website and services, prevent fraud and abuse, and comply with legal obligations.
3. Legal Basis for Processing (GDPR)
We process your data based on: your consent (e.g., newsletter sign-up, cookie preferences), contractual necessity (e.g., fulfilling orders), legitimate interest (e.g., improving our services, fraud prevention), and legal compliance (e.g., tax records).
4. Cookies & Local Storage
We use the following cookies and browser storage:
Cookies
- herbistry420_cookie_consent — records your cookie preference (1 year)
- herbistry420_age_verified — records age verification status (30 days)
- Authentication session — maintains your signed-in status (managed by NextAuth)
Local Storage
- Watch Later list — saved videos and articles (persists until cleared)
- Shopping cart — items in your cart (persists until cleared)
- Learning progress — course and lesson completion (persists until cleared)
- Currency and exchange rates — cached for approximately 24 hours
- Sesh Timer preferences — playlist selection, volume level, timer-music link state (persists until cleared)
- Tool help overlays — whether you have dismissed help modals on the Strain Finder, Dosage Calculator, and Sesh Timer (persists until cleared)
Analytics Cookies
If you accept analytics cookies, Google Analytics 4 sets cookies including _ga and _ga_* to measure site usage anonymously. These are only loaded after you provide consent via our cookie banner.
You can manage cookie preferences through your browser settings or our cookie consent banner.
5. Third-Party Services
We work with trusted third-party services to operate our platform:
- Stripe — payment processing (receives payment and shipping details)
- Printful — print-on-demand fulfillment (receives shipping address and order details)
- Resend — transactional email delivery (sends order confirmations, shipping notifications, welcome emails, and contact form replies)
- Mailchimp — newsletter management (receives your email address when you subscribe)
- Google Analytics 4 — anonymized usage analytics (only with your consent)
- Google OAuth — optional sign-in authentication (receives basic profile info)
- Anthropic (Claude API) — AI-assisted content generation from YouTube video transcripts (no user personal data is sent; only publicly available video transcript text is processed)
- Neon (PostgreSQL) — strain database storage (stores strain data only, no user personal data)
- YouTube / YouTube Data API — embedded video playback on blog posts and the Sesh Timer, video metadata retrieval for our content pipeline (no user data is sent to YouTube beyond standard embed behavior)
- Google Search Console — search performance monitoring (uses aggregated, anonymized search data)
- Google Merchant Center — product listing feeds for Google Shopping (receives product data, not user data)
- Sanity — content management and user account data storage
- Vercel — website hosting and serverless infrastructure
Each service provider operates under its own privacy policy and only receives the data necessary to perform its function.
6. Email Communications
Transactional Emails
We send the following transactional emails via Resend:
- Welcome email upon account registration
- Order confirmation after purchase
- Shipping notification with tracking information
- Order updates and customer notes
- Contact form responses to admin
Newsletter
Newsletter subscriptions use double opt-in via Mailchimp. After entering your email, you will receive a confirmation email and must click the confirmation link to activate your subscription. Marketing emails include an unsubscribe link. You can opt out at any time; we will process your request within 10 business days. Opting out of marketing does not affect transactional emails.
7. AI-Generated Content
We use Anthropic's Claude API to assist in generating written articles from publicly available YouTube video transcripts. This process does not involve any user personal data. The transcripts processed are from our own YouTube channel content. No user-submitted content is sent to AI services.
8. Companion Apps
Herbistry420 develops companion applications including VapeHeatLab and DoseCraft. These apps may collect additional usage data as described in their respective privacy notices. Data collected through the apps is not shared with the main Herbistry420 website unless you explicitly link your accounts.
9. Affiliated Websites
Original artwork by Fordee is showcased on Herbistry420 but sold exclusively through CantStopArt.com. When you follow links to CantStopArt, their privacy policy governs your data. We do not share your Herbistry420 account data with CantStopArt.
10. Data Sharing
We do not sell your personal information. We only share data with service providers under confidentiality agreements, when required by law, or in the event of a business transfer (e.g., merger or acquisition).
11. Data Retention
- Account data — retained while your account is active and for 30 days after deletion request
- Order records — kept for 7 years as required by tax law
- Newsletter subscriptions — retained until you unsubscribe
- Product reviews — retained while published; removed upon request
- Watch Later data — retained while your account is active; localStorage data persists until you clear your browser
- Contact form messages — retained for up to 12 months
- Analytics data — retained per Google Analytics default settings (14 months)
You may request deletion of your data at any time.
12. Your Privacy Rights
GDPR (EEA/UK residents): You have the right to access, correct, delete, restrict processing, and port your data. You may also withdraw consent at any time.
CCPA/CPRA (California residents): You have the right to know what data we collect, request deletion, and opt out of the sale of personal information. We do not sell personal information.
How to Exercise Your Rights
To make a data access, correction, or deletion request, please contact us through our contact page with the subject line "Data Request." We will verify your identity and respond within 30 days. You may also email us directly at the address listed in the Contact section below.
13. Age Restrictions
Herbistry420 is intended for users aged 21 and older. Age verification is required before accessing site content. We do not knowingly collect personal information from anyone under 13. If we learn that we have collected data from a minor, we will delete it promptly.
14. Data Security
We protect your data with SSL/TLS encryption, PCI-compliant payment processing via Stripe, security headers (Content Security Policy, HSTS, CSRF protection), rate limiting on sensitive endpoints, regular security updates, and access controls. No system is 100% secure, but we take reasonable measures to protect your information.
15. International Data Transfers
Herbistry420 operates from Barcelona, Spain. Our service providers, including Stripe, Printful, Resend, Mailchimp, and Anthropic, may process data in the United States, Europe, or other locations where they maintain infrastructure. For EEA/UK users, international transfers are protected by Standard Contractual Clauses (SCCs) and applicable data protection frameworks.
16. Changes to This Policy
We may update this policy periodically. Changes will be noted with an updated effective date. Significant modifications will be communicated via email to registered users.
17. Contact
For privacy inquiries or data requests, please reach out through our contact page or email us at fordee@herbistry420.com.
