Privacy Policy

Last updated: April 28, 2026

Introduction

Supercycler ("we", "us", "the app") is an indoor cultivation automation system that lets growers monitor sensors, schedule lights, and control irrigation through internet-connected devices. We take privacy seriously: this document explains exactly what data we collect, why, how we keep it safe, and the choices you have. If anything is unclear, write to hackers@supercannabis.ar and a human will answer.

Data We Collect

We collect only what we need to make the app work. Nothing more.

Account informationEmail address, display name, and avatar URL — supplied either through Google Sign-In (Firebase) or through email/password registration. If you sign in with Google, we store the Firebase UID and the email Google returns to us. We never see or store your Google password.
Device telemetrySensor readings (temperature, humidity, soil moisture, pH, EC) coming from the IoT devices you connect (Tuya, Sonoff/eWeLink, Shelly, Bluelab, Zigbee2MQTT). Readings are stored in user-scoped tables — only your account can see your readings.
Optional content you createPhotos uploaded to the journal feature, free-text notes, and audio dictation transcripts. Voice dictation runs in the Web Speech API in your browser; only the resulting text is sent to our server, never the raw audio.
Third-party API credentialsOAuth tokens and API keys you provide so the app can talk to Tuya, Sonoff/eWeLink, Shelly Cloud, and Bluelab on your behalf. These are stored encrypted at rest in the user_api_keys table and are scoped to your user account.
Diagnostic dataWhen the front-end hits an error, we record the error kind, error code, page URL, browser User-Agent, and originating IP — but never the contents of the screen, your notes, or your sensor data. This helps us fix bugs.
Standard request logsApache web-server access logs (IP, timestamp, requested URL) are retained for 14 days for security and abuse investigation, then automatically rotated out.

Data We Do NOT Collect

We do not collect GPS or location, contacts, advertising identifiers, biometrics, or any data unrelated to running the app. We do not run advertising or analytics SDKs, and we do not embed third-party tracking pixels.

Cookies

We use a single first-party session cookie (SC_SESSION) so the app remembers you are logged in. If you tick "Remember me", we add a SC_REMEMBER cookie for up to 30 days — strictly opt-in. There are no third-party cookies, no analytics cookies, no ad cookies.

Data Sharing

We do not sell, rent, or share your data with third parties for marketing or advertising. The only outbound data flow is to the IoT vendors you have connected (e.g. Tuya, Sonoff/eWeLink, Shelly, Bluelab) — and only when you (or an automation rule you configured) ask the app to control a device. Each of those vendors has its own privacy policy that applies to the data exchange.

Security

All traffic between you and our servers travels over HTTPS (TLS 1.2 or higher). API tokens for third-party services are encrypted at rest. The PostgreSQL database is firewalled to localhost and a single trusted operator subnet, and all credentials use 32-character random passwords. Audit-log entries are kept so we can investigate abuse if it ever happens.

Retention

Account data and the content you create are kept until you delete your account. Sensor readings are retained for as long as your account is active. Audit logs may be kept indefinitely so we can comply with legal requests or investigate abuse. Apache request logs roll off after 14 days.

Your Rights

Whatever jurisdiction you live in, you can exercise the following rights at any time:

AccessMost of the data we hold about you is visible inside the app itself — dashboards, journal, devices list. If you want a machine-readable export, write to the contact email below.
DeletionOpen the hamburger menu and tap "Eliminar cuenta" (Delete account). Type "DELETE" to confirm. This wipes 21 user-scoped tables — devices, sensor readings, journal entries, API tokens, audit log entries linked to your user, the lot. The deletion is immediate and permanent.
CorrectionProfile fields can be edited from the Settings screen. For anything else, contact us.
Object / RestrictYou can disconnect any IoT integration at any time from the API Keys screen, which severs the data flow to/from that vendor without deleting your account.

Children

The app is not directed at children under 13, and we do not knowingly collect data from minors. If you believe a child has registered an account, write to us and we will delete it.

Jurisdiction & International Users

Supercycler is operated from Argentina; the servers are located there as well. If you are a data subject in the European Economic Area you may have additional rights under GDPR (access, rectification, erasure, portability, objection, restriction). If you are a California resident you may have rights under CCPA/CPRA (knowledge of categories collected, deletion, opt-out of sale — though we do not sell). To exercise any of these, contact us at the email below.

Updates to This Policy

We may update this page when we add features or to clarify wording. The "Last updated" date at the top of the page always reflects the most recent change. Material changes will be flagged inside the app.

Contact

Questions, complaints, or data requests: hackers@supercannabis.ar. You can also use our contact form.