Privacy Policy

Last updated: April 2025


Who we are

BudRegistry UK is a private cannabis inventory tracker for UK cannabis patients. We are not affiliated with any clinic, pharmacy or dispensary. For questions or data requests, contact us through the app.

What we collect

We collect only what is necessary to provide the service:

What we do not collect

We do not collect medical records, prescription details, diagnosis information, or any clinical health data. We do not use advertising trackers, third-party analytics, or cookies beyond what is strictly necessary for authentication (HTTP-only JWT refresh tokens).

How we use your data

Your data is used solely to provide BudRegistry UK's features: storing your inventory, sending optional email notifications (stock and expiry alerts), and enabling community features you choose to use. We do not sell or rent your data to, or share it with, any third party.

Data storage and security

Data is stored on servers located in the United Kingdom. All sensitive inventory fields are encrypted at rest using AES-256-GCM with a key that never leaves the server environment. Passwords are hashed with bcrypt (never stored in plaintext). Authentication uses short-lived JWT access tokens and rotated refresh tokens stored in HTTP-only cookies.

Your rights (UK GDPR)

Under UK GDPR you have the right to access, correct, export and delete your data. You can export all your data at any time from within the app (Settings → Export Data). To request deletion of your account and all associated data, use the account settings or contact us through the app.

Cookies

We use a single HTTP-only, Secure, SameSite=Strict cookie to store your refresh token for authentication purposes. No tracking cookies, advertising cookies or analytics cookies are used.

Data retention

Your data is retained for as long as your account is active. When you delete your account, all personal data is permanently removed. Server access logs are retained for up to 30 days for security purposes.

Third parties

We use a transactional email provider (Nodemailer / SMTP) solely to send account verification, password reset, and opt-in notification emails. Your email address is not shared with any other third parties.

Changes to this policy

If we make material changes to this policy, we will notify registered users via email. Continued use of the service after notification constitutes acceptance of the updated policy.