Last updated: July 12, 2026
Privacy Policy
This Privacy Policy explains how Orchards ("we," "us," or "our") collects, uses, discloses, and safeguards your information when you visit orchards.com (the "Site").
1. Information We Collect
1.1 Information You Provide Voluntarily
When you subscribe to our launch notification list, we collect:
- Email address — the only required field
- Source — whether the signup originated from the homepage form (value:
notify)
We do not collect your name, phone number, physical address, payment information, or any government identifier.
1.2 Information Collected Automatically
When you visit the Site, Cloudflare (our hosting and edge provider) and standard browser mechanisms automatically collect:
- IP address — used by Cloudflare's security layer (Bot Fight Mode, WAF, DDoS protection)
- User-Agent string — used for browser compatibility and security
- Request timestamps — used for rate limiting and audit logging
- HTTP referer header — used for CSRF protection
We do not use third-party analytics (no Google Analytics, no Google Tag Manager, no Meta Pixel, no Hotjar, no Mixpanel, no Segment). We do not use cookies for tracking. We do not use browser fingerprinting. We do not sell or share data with data brokers.
1.3 What We Do Not Collect
We do not knowingly collect personal information from children under 13 (COPPA), under 16 (GDPR-K), or under 18 (CCPA for minors). The Site is not directed to children.
2. How We Use Your Information
We use the limited information we collect for the following purposes only:
- To deliver the service you requested — sending you a single confirmation email when you sign up, and one launch announcement when we go live.
- To protect the Site and our users — Cloudflare's security layer uses IP and User-Agent to block bots, attackers, and abusive traffic.
- To comply with legal obligations — if required by valid court order, subpoena, or applicable law.
We do not use your information for:
- Advertising or marketing to third parties
- Profiling or automated decision-making that produces legal effects
- Sale, rent, lease, or trade to any third party (we do not have any)
- Behavioral tracking across other websites
3. Cookies and Local Storage
The Site uses the following browser storage:
- Cloudflare cookies (
__cf_bm) — security bot management. Expires after 30 minutes of inactivity. Required for Cloudflare's security layer to function. - Admin session cookie (
orchords_session) — only set when you sign in to the admin panel. HttpOnly, Secure, SameSite=Lax, 12-hour expiry.
No third-party cookies. No analytics cookies. No advertising cookies.
4. How We Share Your Information
We share your information only in the following limited circumstances:
- Service providers who act on our behalf:
- Cloudflare, Inc. — hosting, edge security, and (if you opt in to email) transactional email delivery. Cloudflare's data processing terms apply (subprocessors list).
- Stripe, Inc. or similar payment processor — only if you make a paid purchase (we do not currently offer paid products).
- Legal compliance — if compelled by valid legal process. We will challenge any request we believe is improper or overbroad.
- Business transfers — in the event of a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before the transfer takes effect.
- With your consent — for any other purpose disclosed at the time of collection.
We do not sell your personal information. We do not share it with advertising networks. We do not participate in data broker networks.
5. Data Retention
| Data | Retention | Reason |
|---|---|---|
| Email (notify signup) | Until you unsubscribe, plus 30 days | Service delivery + abuse window |
| Confirmation / launch email logs | 7 days | Delivery debugging |
| Cloudflare access logs (IP, UA, request metadata) | 7 days | Security (paid plan retention) |
| Admin session token | 12 hours from login | Session lifecycle |
| Admin audit log | 2 years | Compliance + security review |
When you unsubscribe, we delete your email from the subscriber list within 30 days. Audit log entries are anonymized after the retention period (email replaced with hash, IP replaced with hash).
6. Your Rights
6.1 GDPR (EU/EEA and UK residents)
You have the right to:
- Access the personal data we hold about you (Art. 15)
- Rectification of inaccurate data (Art. 16)
- Erasure ("right to be forgotten") (Art. 17)
- Restriction of processing (Art. 18)
- Data portability in a machine-readable format (Art. 20)
- Object to processing (Art. 21)
- Withdraw consent at any time (Art. 7(3))
- Lodge a complaint with your supervisory authority (Art. 77)
To exercise any of these rights, email privacy@orchards.com. We respond within 30 days.
6.2 CCPA/CPRA (California residents)
You have the right to:
- Know what personal information we collect, use, share, or sell (Cal. Civ. Code § 1798.100, § 1798.110, § 1798.115)
- Delete personal information we collected from you (§ 1798.105)
- Correct inaccurate personal information (§ 1798.106, effective 2023-01-01)
- Opt out of sale or sharing (§ 1798.120, § 1798.135) — we do not sell or share personal information
- Limit use of sensitive personal information (§ 1798.121) — we do not collect SPI
- Non-discrimination for exercising your CCPA rights (§ 1798.125)
To submit a CCPA request, email privacy@orchards.com with subject line "CCPA Request". We respond within 45 days. You may designate an authorized agent to act on your behalf per § 999.326.
6.3 Other Jurisdictions
If you are a resident of a jurisdiction with similar privacy rights (e.g., Brazil LGPD, Canada PIPEDA, Australia Privacy Act, Japan APPI, South Korea PIPA), you may exercise analogous rights by contacting privacy@orchards.com.
7. Data Security
We implement commercially reasonable security measures:
- Transport: TLS 1.2 minimum, TLS 1.3 preferred, HSTS with preload (1-year max-age)
- Edge: Cloudflare WAF, Bot Fight Mode, DDoS L7 protection, Managed Free Ruleset (Log4j, Shellshock, WordPress exploits)
- Application: HttpOnly + Secure + SameSite=Lax cookies; HMAC-SHA-256 password hashing (salted, 128-bit salt); CSRF protection via Origin/Referer verification; rate limiting on all sensitive endpoints; per-IP and per-account audit logging
- Headers: Strict-Transport-Security, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Content-Security-Policy, Referrer-Policy, Permissions-Policy, Cross-Origin-Opener-Policy
Despite our efforts, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.
8. International Data Transfers
Your information may be transferred to and processed in the United States, where Cloudflare's primary data centers are located. By using the Site, you consent to the transfer of your information to the U.S. We rely on Cloudflare's Standard Contractual Clauses for transfers from the EU/EEA and UK.
9. Children's Privacy
The Site is not directed to children under 13 (COPPA), under 16 (GDPR-K), or under 18 (CCPA for minors). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact privacy@orchards.com and we will delete it within 30 days.
10. Do Not Track
We honor Do Not Track (DNT) and Global Privacy Control (GPC) signals. Since we do not perform cross-site tracking in the first place, there is no behavioral tracking to disable.
11. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the effective date. Material changes will be notified via email to subscribers at least 30 days before the change takes effect, except where a shorter period is required by law. Continued use of the Site after the effective date constitutes acceptance of the revised policy.
12. Contact
For any questions, complaints, or rights requests regarding this Privacy Policy or our data practices:
- Email: privacy@orchards.com
- Postal: available upon request — we are a small team and don't maintain a public mailing address; email is the primary contact channel
EU representative: appointed upon request under GDPR Art. 27.
UK representative: appointed upon request under UK GDPR.