Legal

Privacy Policy

Last updated: April 18, 2026

Overview

Food for Humans ("we," "us," or "our") operates the website findfoodforhumans.com (the "Site"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our Site or use our services, including our farm directory, farm registration form, listing claim flow, and payment processing.

Information We Collect

Farm Registration & Listing Data: When a farm is added to the directory (either through our intake form or by claiming an existing listing), we collect the farm name, owner name, email address, phone number, website URL, physical address, geographic coordinates, business description, business hours, farming practices, products offered, order options, and uploaded images (logo, hero photo, gallery photos).

Account & Authentication Data: If you sign in as an administrator, we collect your name, email address, and OAuth provider identifier (for example, Google account ID) through Supabase Auth. Passwords are not stored by us directly; OAuth tokens are stored in secure HTTP-only cookies.

Payment Information: Payment processing is handled entirely by Stripe, Inc. We do not store credit card numbers, bank account numbers, CVV codes, or other sensitive payment information on our servers. We receive from Stripe only non-sensitive metadata such as your subscription status, tier, and subscription ID. Stripe collects and processes payment data in accordance with their own privacy policy and PCI-DSS Level 1 compliance obligations.

Usage & Analytics Data: We automatically collect certain information when you visit the Site, including your IP address (anonymized), browser type, operating system, pages visited, referring URL, and approximate geographic region. If Google Analytics 4 is active, it collects aggregate usage metrics with IP anonymization enabled.

Cookies: We use essential cookies to maintain session state and authentication. We may also use analytics cookies (via Google Analytics) to understand site usage in aggregate. Our mapping service (Mapbox) sets functional cookies required for map rendering. We do not use advertising cookies or retargeting trackers.

How We Use Your Information

We use the information we collect to:

  • Display farm listings in our public directory and interactive map
  • Process farm registration, subscription payments, and claim requests
  • Communicate with registered farms about their listings, renewals, and changes
  • Generate and display map markers based on farm addresses
  • Verify the identity of administrators signing into the platform
  • Improve the functionality, performance, and reliability of our Site
  • Detect, prevent, and respond to fraud, abuse, or security incidents
  • Comply with applicable legal and regulatory obligations

Parties We Disclose Information To

We do not sell your personal information. We disclose information only in the following circumstances:

  • Service providers that operate our infrastructure and process data on our behalf under contractual confidentiality obligations. These are listed in the "Third-Party Services" section below.
  • Public display: farm listing information (name, address, description, products, practices, images, business hours, website, public contact details) is published on the Site for discovery by visitors. This is the primary purpose of the directory.
  • Legal compliance: we may disclose information when required by law, subpoena, court order, or to comply with regulatory requirements.
  • Fraud prevention & safety: we may disclose information to investigate suspected fraud, security incidents, or violations of our Terms of Service, or to protect the rights, property, or safety of Food for Humans, our users, or the public.
  • Business transfers: if Food for Humans is involved in a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. You will be notified via email and/or a prominent notice on the Site of any change in ownership or uses of your information.

How We Disclose Information

All disclosures to service providers take place over encrypted channels (HTTPS/TLS 1.2 or higher) using authenticated API calls. Data is transmitted only as strictly necessary to deliver the services described in this Policy. Where possible, data is passed through server-to-server connections rather than client-side, to limit exposure. Public listing data appears on the Site as standard web pages accessible over HTTPS.

We do not transmit your information via unencrypted email, SMS, or public file shares, and we do not use third-party advertising networks.

Security Practices

We take reasonable and appropriate technical and organizational measures to protect your information against loss, misuse, unauthorized access, disclosure, alteration, and destruction. These measures include:

  • Encryption in transit: all traffic to and from the Site is served over HTTPS with TLS 1.2 or higher, including the administrative area, form submissions, and API endpoints.
  • Encryption at rest: database records and uploaded images are stored encrypted at rest by our infrastructure providers (Supabase Postgres, Supabase Storage, Netlify edge cache).
  • Access controls: administrative access to the production database and storage is restricted to a small allowlisted team using multi-factor authentication. Service-role credentials are scoped to server-side code only and are never exposed to browsers.
  • Authentication: admin login uses Supabase Auth with OAuth (Google) or password-plus-allowlist verification. Session tokens are stored in HTTP-only, Secure cookies.
  • Payment isolation: payment card data never touches our servers. All card entry happens inside Stripe-hosted checkout pages that are PCI-DSS Level 1 compliant.
  • Webhook signature verification: inbound Stripe webhooks are cryptographically verified before being processed, to prevent forged payment-state updates.
  • Infrastructure hardening: the Site is deployed on managed cloud platforms (Netlify, Supabase) that maintain SOC 2 compliance, regular security patching, and DDoS protection at the edge.
  • Least-privilege data access: we only request, retain, and process the minimum information necessary to operate the directory.

Despite these measures, no method of transmission over the internet or electronic storage is 100% secure. In the event of a confirmed breach affecting your personal information, we will notify affected users without undue delay in accordance with applicable law.

Third-Party Services

We rely on the following third-party service providers to operate the Site. Each processes personal information only as necessary to deliver its service and is bound by its own privacy policy and data-processing terms:

  • Supabase: Postgres database hosting, file storage for images, and user authentication. Hosted in the United States.
  • Stripe: payment processing, subscription billing, and customer portal. PCI-DSS Level 1 certified.
  • Mapbox: interactive map rendering and address geocoding.
  • Netlify: website hosting, content delivery network, edge functions, and SSL certificate issuance.
  • Google Analytics 4: aggregate site usage analytics with IP anonymization enabled (if configured).
  • Google OAuth: optional single-sign-on for administrator accounts.

International Data Transfers

Food for Humans operates from Canada, but our service providers host data in the United States and other jurisdictions. By using the Site, you acknowledge that your information may be transferred to, stored in, and processed in countries outside your country of residence, including the United States. These transfers are protected by the security measures described above and by the contractual terms we have in place with each provider.

Data Retention

Farm listing data is retained for as long as the listing is active or the farm maintains a subscription. If a subscription expires or a farm requests removal, listing data may be retained in backups for up to 90 days before permanent deletion. Usage and analytics logs are retained for up to 14 months. Authentication session cookies expire according to Supabase defaults (typically 7 days of inactivity). We may retain information longer when required to comply with legal obligations, resolve disputes, or enforce our agreements.

Your Rights

Depending on your location, you may have the following rights under applicable privacy laws (including GDPR, CCPA/CPRA, PIPEDA, and similar frameworks):

  • Request access to the personal data we hold about you
  • Request correction of inaccurate or incomplete information
  • Request deletion of your data (subject to legal retention requirements)
  • Request a copy of your data in a portable format
  • Withdraw consent for data processing where applicable
  • Object to or restrict certain processing activities
  • Opt out of analytics cookies via your browser settings or the Do-Not-Track signal
  • Lodge a complaint with your local data protection authority

To exercise these rights, contact us at the email address provided below. We will respond within the timeframes required by applicable law (typically 30 days).

Children's Privacy

Our Site is not intended for children under the age of 13 (or 16 in jurisdictions where that is the minimum age). We do not knowingly collect personal information from children under these ages. If we become aware that we have collected data from a child, we will take steps to delete that information promptly.

Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be announced with a prominent notice on the Site and, where appropriate, by email to registered users. The "Last updated" date at the top of this page reflects the most recent revision. Your continued use of the Site after changes are posted constitutes acceptance of the updated policy.

Contact Us

If you have questions about this Privacy Policy, wish to exercise your rights, or want to report a security concern, please contact us at hello@findfoodforhumans.com.