Privacy Policy

Last updated: April 1, 2026

1. Introduction

Herbacy ("we," "our," or "us") is committed to protecting your privacy and safeguarding the personal and health-related data you entrust to us. This Privacy Policy explains what information we collect, how we use it, how we protect it, and your rights regarding your data.

This policy applies to all users of the Herbacy website, application, and related services (the "Service"), regardless of location. We comply with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.

2. Information We Collect

2.1 Account Information

When you create an account, we collect your email address, display name, and authentication credentials. Account creation is optional — the core safety checker works without an account.

2.2 Health-Related Data

To provide interaction safety checks, we collect information about the supplements, herbal products, and medications you search for or save to your cabinet. This may include:

  • Substance names entered in search queries
  • Items saved to your medication cabinet
  • Health profile information you voluntarily provide (e.g., age range, health conditions)
  • Interaction check history

We treat all health-related data with the highest level of care and apply additional safeguards as described in Section 5.

2.3 Usage Data

We automatically collect certain technical information when you use the Service, including device type, browser type, operating system, IP address, pages visited, and interaction patterns. This data helps us improve the Service and diagnose technical issues.

2.4 Cookies and Tracking Technologies

We use cookies and similar technologies as described in our Cookie Policy. These are used for authentication, preferences, analytics, and security purposes.

3. How We Use Your Information

We use the information we collect to:

  • Provide and operate the Service, including interaction safety checks, personalized risk scores, and cabinet management.
  • Maintain and improve the accuracy of our interaction database.
  • Send transactional communications (e.g., account verification and safety alerts you have opted into).
  • Analyze usage patterns in aggregate to improve the Service.
  • Detect, prevent, and address fraud, abuse, and security issues.
  • Comply with legal obligations.

We do not sell your personal or health-related data to third parties. We do not use your health-related data for advertising or marketing purposes.

4. Third-Party Data Sharing

We do not share your personal or health-related data with third parties except in the following limited circumstances:

  • Service providers: We use trusted third-party services (e.g., hosting, analytics) that process data on our behalf under strict data processing agreements.
  • Legal requirements: We may disclose data if required by law, subpoena, or government request.
  • With your consent: We will only share data with additional third parties if you provide explicit, informed consent.

We never share identifiable health data with advertisers, data brokers, or any party seeking to use it for purposes unrelated to the Service.

Amazon affiliate links: When you click an Amazon product link on Herbacy, you are directed to Amazon.com. Amazon may set its own cookies and collect data according to its own privacy policy. We do not share your Herbacy account data, health data, or cabinet contents with Amazon. The only information transmitted is your click on an affiliate-tagged link.

5. Data Storage and Security

Your data is stored securely using industry-standard protections:

  • All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
  • Health-related data is stored separately from account identifiers where technically feasible.
  • Database access is restricted to authorized personnel via role-based access controls.
  • We perform regular security audits and vulnerability assessments.
  • Authentication tokens are stored in HTTP-only cookies with the Secure and SameSite attributes.

While we take every reasonable precaution, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

6. Your Rights

Depending on your jurisdiction, you have the following rights regarding your personal data:

  • Access: Request a copy of all personal data we hold about you.
  • Export: Download your data in a portable, machine-readable format (JSON or CSV).
  • Correction: Request correction of inaccurate or incomplete data.
  • Deletion: Request permanent deletion of your account and all associated data. We will process deletion requests within 30 days.
  • Restriction: Request that we restrict processing of your data while a dispute is resolved.
  • Objection: Object to processing based on legitimate interests.
  • Portability: Request transfer of your data to another service provider.
  • Withdraw consent: Withdraw previously given consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at privacy@herbacy.com. We will respond within 30 days (or sooner if required by applicable law).

7. Data Retention

We retain your personal data only for as long as necessary to provide the Service and fulfill the purposes described in this policy. Specifically:

  • Account data is retained while your account is active and for 30 days after a deletion request to allow for recovery.
  • Interaction check history is retained while your account is active. Anonymous, aggregated analytics data may be retained indefinitely.

8. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.

9. International Data Transfers

Your data may be processed in the United States or other jurisdictions where our service providers operate. When we transfer data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission.

10. Changes to This Policy

We may update this Privacy Policy periodically. We will notify registered users of material changes via email or in-app notification at least 30 days before the changes take effect. Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.

11. Contact Us

For privacy-related inquiries, data requests, or complaints:

Email: privacy@herbacy.com
Address: Herbacy Inc., Delaware, United States

If you are in the EU and believe your data protection rights have been violated, you have the right to lodge a complaint with your local supervisory authority.