Cultivation of psilocybin mushrooms remains a federal offense in the United States. Content is provided for educational, harm-reduction, and research purposes in jurisdictions where such activity is legal.


Privacy Notice

What we collect, why, who sees it, and how to get it back or deleted. Last updated April 24, 2026.

The short version

We collect what we need to run the codex (account, contributions, server logs), keep it on a small set of reputable providers, do not sell or share it for advertising, and will delete it on request.

§ 01 What we collect

When you create an account and use the site, we collect the following. Each item is described with why we need it.

  • Account identity — your email address, a display name, a username (chosen by you, editable in your profile), and an avatar URL. These come from GitHub when you sign in with GitHub OAuth. Required to associate contributions with a stable identity and to contact you about your account.
  • Session — a signed session token stored as a cookie in your browser, tied to a row in our database. Required to keep you signed in.
  • Your contributions — strain entries, grow journals (including temperature and humidity readings), day entries, comments, edit suggestions, "found helpful" votes, and any photos you upload. Public by design.
  • Photos — image files you upload to illustrate grow journal entries. Stored in object storage (Cloudflare R2) under a key tied to the entry ID.
  • Server logs — standard information captured by our hosting provider (IP address, user agent, URL requested, timestamp). Used for debugging, security, and aggregate traffic metrics. Retained for up to 30 days by default.
  • Aggregate analytics — page views, referrer, country (derived from IP, IP itself discarded), browser family, and performance metrics (page load time, Core Web Vitals), collected by Vercel Analytics and Vercel Speed Insights. These are first-party and do not use cookies, do not profile individuals, and are not shared with advertisers.
  • Age confirmation — a boolean indicating whether you have confirmed you are 18 or older. Required by § 02 of the Terms.

§ 02 What we do not collect

  • We do not run third-party advertising trackers, analytics that profile individuals across sites, or social-media tracking pixels. The aggregate analytics described in § 01 do not fall in this category.
  • We do not collect precise location data, device fingerprints, or biometric information.
  • We do not collect real-name identity documents. The site operates under chosen usernames.
  • We do not ask for or store payment information. The site is currently free to use.

§ 03 Who we share data with (subprocessors)

We use a small set of third-party services to operate the site. Each has its own privacy practices, which you can review at their sites.

  • GitHub — OAuth sign-in. Receives the fact that you initiated sign-in from psilocybea. We receive your public GitHub profile in return.
  • Vercel — hosting and edge delivery of the site. Sees all HTTP traffic.
  • Neon — managed PostgreSQL database where your account, contributions, and session live.
  • Cloudflare (R2) — object storage for uploaded photos.

We do not sell personal data, and we do not share personal data with third parties for their independent marketing.

§ 04 How long we keep things

  • Account and contributions — for as long as your account is active, and for a reasonable archival period after closure to preserve the public record of the codex (see below).
  • Server logs — up to 30 days under our hosting provider’s defaults.
  • Photos — until the associated entry is deleted or the photo is removed by you. We best-effort delete from object storage at that time.

§ 05 Your rights

You can, at any time:

  • Access — view your own contributions on your profile and journal pages; request a machine-readable export of everything associated with your account.
  • Correct — edit your profile, edit your journal entries, delete individual comments and photos you have posted.
  • Delete — close your account. Closing an account deletes the private fields (email, session) immediately. Your public Contributions (strain edits, grow journal entries, comments) may be retained in an anonymized form to preserve the historical record of the codex, with your username replaced by "Former contributor." If you want your Contributions fully removed rather than anonymized, request that explicitly when you close the account.
  • Object or restrict — tell us to stop particular uses of your data, where the law grants you that right (EU/UK GDPR, California CCPA/CPRA, and similar regimes).

To exercise any of these rights, reach the contact channel in § 10. We respond within 30 days.

§ 06 Cookies

We use cookies only for essential site function: keeping you signed in, remembering that you have passed the age gate, and storing a cross-site-request-forgery (CSRF) token for forms. We do not use tracking, advertising, or analytics cookies.

§ 07 Where your data lives

Our database and object storage live in the United States (us-east-1 region). If you access the site from outside the U.S., your data will be transferred to and processed in the U.S. By using the site you consent to that transfer. Our subprocessors comply with applicable cross-border data-transfer frameworks.

§ 08 Security

We use HTTPS for all traffic, do not store passwords, keeping only a link to your OAuth provider account (we never see your GitHub password), and scope our database and object-storage credentials to the least privilege needed. No system is perfectly secure; if you learn of a vulnerability, please report it at the contact channel below — we will not pursue legal action against good-faith security research.

§ 09 Children

The site is not for anyone under 18. We do not knowingly collect personal information from minors. If we learn an account is held by a minor, we will delete it. If you believe a child has given us their information, contact us and we will remove it.

§ 10 Contact

psilocybea is currently operated as a solo project based in Massachusetts, U.S. For privacy requests, data exports, deletion, or questions about this notice, reach out through the contact surface linked in the site footer, or open an issue in the public repository. A dedicated email will be published here once the site leaves early beta.

§ 11 Changes to this notice

Material changes will be announced on the site, with the "last updated" date at the top reflecting the change. Continued use after an update means you accept the new notice.