OpenBasket mascotOpenBasket
Back

Privacy Policy

Last Updated: March 19, 2026 · Version 2026-03-19

Short Summary

  • What we collect: Your email (via Google), display name, neighborhood, the produce you list, your BeeCoins balance, garden posts, exchange messages, and photos you upload.
  • What we do with it: Run the platform. Match you to your neighborhood. Show your listings and garden posts to neighbors. Moderate content for safety using AI and member reports.
  • What we don't do: Sell your data. Share it with advertisers. Track you across other websites.
  • Your rights (California): You can see what we have, fix it, delete it, or ask us to stop sharing it. Email privacy@openbasket.app.
  • Who sees your data: Supabase (database), Vercel (hosting), Google (login), and our AI provider (content screening).

1. Who We Are

OpenBasket (“we”, “us”, “our”) is a neighborhood produce-sharing platform operated by its founders. For privacy inquiries, contact us at privacy@openbasket.app.

2. Scope

This Privacy Policy applies to the OpenBasket web application at openbasket.app and any related services. It does not cover third-party sites we link to.

3. Cookies and Tracking

We use session cookies and authentication tokens (set by Supabase) to keep you logged in. These are strictly necessary for the Platform to function. We do not use advertising cookies, retargeting pixels, or third-party analytics trackers.

Do Not Track: We do not currently respond to browser “Do Not Track” signals because we do not track users across third-party websites regardless of this setting.

4. Information We Collect

4.1 Information You Provide

  • Account identity: Display name, avatar photo (optional)
  • Email address: Via Google OAuth — used to authenticate and send notifications
  • Location / neighborhood: City and neighborhood name to match you to a neighborhood
  • Approximate pickup location: An optional map pin (latitude and longitude) to help neighbors find your pickup spot. This is stored on your profile and visible to exchange participants. We do not collect or store your full street address.
  • Produce listings: Crop types, descriptions, photos, pickup location hints
  • Open Baskets: Crop types, location hint, optional map pin
  • Garden posts and photos: Title, description, crop list, season, photos
  • Exchange activity: Requests, completions, ratings, reviews, and exchange messages between participants
  • Neighborhood join requests: Optional message submitted when requesting membership
  • Content reports: When you report another member or their content, we store the report reason, any additional details you provide, and a snapshot of the reported content at the time of the report
  • Suggestions / feedback: Text submitted in the suggestions feature
  • Event details: Title, description, location, start/end times

4.2 BeeCoins Activity

We maintain records of your BeeCoins balance and transaction history. BeeCoins have no monetary value and are not financial data, but are subject to your data rights under this policy.

4.3 AI Moderation Logs

We use AI to screen content before it is published. When you submit text or images, that content may be sent to our AI provider for moderation analysis. We store:

  • A moderation event record (content text, moderation score, category, outcome)
  • An AI call counter (call type, context, timestamp) for rate limiting
  • A moderation strike count if content is auto-blocked

Neighborhood leaders can view moderation events for their neighborhood. Admins can access the AI call log. Blocked content is not publicly visible.

4.4 Content Report Records

When a member reports content, we store:

  • The reporter's identity (visible to neighborhood leaders and administrators only — never disclosed to the reported user)
  • The report reason and any additional details provided
  • A snapshot of the reported content at the time of the report, preserved for review even if the original content is later deleted
  • The report outcome (pending, resolved, or dismissed) and who actioned it

4.5 Automatically Collected Information

  • Log data: IP address, browser type, pages visited, timestamps
  • Authentication tokens: Session cookies managed by Supabase
  • Device information: OS and browser version

We do not use persistent cross-site tracking cookies or advertising pixels.

4.6 From Third Parties

Google OAuth: When you sign in with Google, we receive your email address, display name, and profile photo URL. We do not receive your Google password or broad account access. Google's data use is governed by Google's Privacy Policy.

5. How We Use Your Information

  • Operating the Platform and authenticating you
  • Matching you to your neighborhood
  • Displaying your listings and posts to neighbors
  • Facilitating exchanges and BeeCoins transactions
  • Moderating content for safety (via AI screening and member-reported content review)
  • Sending notifications per your preferences
  • Investigating reports and enforcing neighborhood rules
  • Improving the Platform (aggregated analytics only)
  • Complying with legal obligations

We do not use your data for advertising, sale to data brokers, or building profiles for third-party use.

6. Information Sharing

We share your information only as follows:

  • With your neighbors: Your display name, listings, garden posts, and exchange profile are visible to members of your neighborhood
  • With neighborhood leaders: Leaders can see membership requests, moderation events, content reports for their neighborhood (including reported content snapshots and reported exchange messages), member profiles, and ban status within their community
  • With platform administrators: Administrators can view all of the above across all neighborhoods, plus reporter identities, AI moderation logs, and account status
  • With service providers: Supabase (database and auth), Vercel (hosting), Google (authentication), our AI provider (content moderation) — all under data processing agreements
  • For legal compliance: If required by law, legal process, or to protect the safety of users

We do not sell personal data. Ever.

6.1 Exchange Message Privacy

Exchange messages between two users are private by default — only the two participants can see them. However, if a message is reported by either party, its content will be made available to neighborhood leaders and platform administrators for moderation review. Both participants are notified of this policy within the exchange interface.

7. Data Retention

  • Active accounts: Retained as long as your account exists
  • Deleted content: User-deleted content (listings, posts, comments, messages) is soft-deleted and retained for up to 30 days for safety and moderation purposes before permanent removal
  • Deleted accounts: Most personal data deleted within 30 days of the scheduled deletion date; some records (exchange history for other parties' benefit, moderation logs for safety) may be retained longer in anonymized form
  • Content report snapshots: A copy of reported content is preserved at the time of the report and retained alongside the report record for as long as the report exists
  • Moderation logs: Retained for 12 months
  • AI call logs: Retained for 90 days

8. Security

We use industry-standard security practices including HTTPS, encrypted storage (Supabase), row-level security policies, and session management. However, no system is perfectly secure. If you discover a vulnerability, please report it to security@openbasket.app.

In the event of a data breach that affects your personal information, we will notify affected users and relevant authorities as required by applicable law (including California Civil Code § 1798.82), without unreasonable delay.

9. Your Rights (California / CCPA)

California residents have the right to:

  • Know what personal information we collect and how it's used
  • Access a copy of your personal information
  • Correct inaccurate information
  • Delete your personal information (with some exceptions, including content under active moderation review)
  • Opt out of sale of personal information (we don't sell)
  • Non-discrimination for exercising your rights

To exercise these rights, email privacy@openbasket.app or delete your account directly via Settings → Account → Delete Account.

10. Children

OpenBasket is not directed at children under 18. We do not knowingly collect personal information from children under 18. If you believe a child has provided us personal information, contact us at privacy@openbasket.app.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via in-app notice and may require you to accept the updated policy before continuing to use the Platform. Continued use of the Platform after changes are posted constitutes acceptance of the updated policy.

12. Contact

For privacy questions or requests: privacy@openbasket.app