Effective April 29, 2026
Privacy Policy
This policy explains what data Droughtless Inc. (“Droughtless,” “we,” “us”) collects when you use the Droughtless irrigation platform, how we use it, who we share it with, and the choices you have.
1. Information we collect
Account and authentication
When you create an account, we collect your full name, email address, and a password. Passwords are stored only as one-way hashes — we never see or store your password in plaintext. We also store your last login timestamp and basic flags (such as whether your email is verified).
If you sign in with Google or Microsoft, we receive your email address and basic profile (name, profile photo URL) from the provider via the OAuth 2.0 PKCE flow. We do not receive your password or any other account data.
If you register a passkey, we store the public key and credential ID returned by your device. Biometric data never leaves your device.
Site and property data
When you set up a site, we store information you provide about that property: a name and description, a location label, latitude and longitude, timezone, and any building or zone polygons you draw. You may also upload site images, which are stored in Google Cloud Storage.
Sensor and device telemetry
Sensors and controllers connected to your sites send us measurements such as soil moisture, temperature, humidity, pressure, and flow, along with timestamps, quality scores, and device identifiers. We store both raw readings and aggregated views (5-minute, hourly, and daily) in a time-series database. Controllers also report a last-seen timestamp, firmware version, and a certificate fingerprint used to authenticate the device.
Cookies and local storage
After you sign in, we set short-lived authentication cookies on your browser (see Section 5). We also use your browser’s local storage to remember preferences such as units, onboarding tour progress, and your active organization. These local-storage values are not transmitted to our servers.
Server logs
Our servers log standard HTTP request information for each request: the request method and URL, the client IP address, the user-agent string, a request ID, the response status, and the duration. These logs are used for debugging, abuse prevention, and operational monitoring.
Marketing site and waitlist
If you join the waitlist or request an assessment on droughtless.com, we collect the email address you submit, the page section it was submitted from, and a timestamp. This information is stored in Google Cloud (Firestore), is used only to contact you about your assessment and Droughtless product updates, and is never sold or shared for advertising. Email contact@droughtless.com to have it deleted at any time.
2. How we use your information
We use the information described above to:
- Operate the irrigation platform — display your sites, run schedules, and surface alerts.
- Generate AI-driven irrigation recommendations and respond to your chat queries.
- Send transactional email such as verification, password resets, and operational alerts.
- Diagnose problems, prevent abuse, and keep the service secure.
- Produce audit and compliance reports (e.g. water-use summaries) at your request.
We do not sell your personal information, and we do not use your sensor or site data to train third-party AI models.
3. Third parties we share data with
Droughtless relies on the following third-party services to deliver features. Data is shared only as needed for the listed purpose:
| Service | Purpose |
|---|---|
| Anthropic Claude | AI scheduling, planning, and chat assistance |
| DeepSeek (optional) | AI fallback for scheduling and chat |
| Mapbox GL JS | Map rendering for site and zone visualization |
| Google OAuth 2.0 | Single sign-on (email and basic profile only) |
| Microsoft OAuth 2.0 | Single sign-on (email and basic profile only) |
| NOAA & Open-Meteo | Public weather forecasts for irrigation planning |
| Google Cloud Storage | Storage for site images and generated PDF reports |
| Langfuse (optional) | Observability traces for AI interactions |
| Hunter Hydrawise | Bridging your existing third-party irrigation controller |
| SMTP email provider (e.g. SendGrid, Amazon SES) | Transactional email (verification, password reset, alerts) |
We do not currently use any third-party advertising, analytics, or product-tracking SDKs (no Google Analytics, no Mixpanel, no Sentry, no PostHog). If we add any in the future, we will update this policy first.
We may also disclose information when required by law (subpoena, court order) or to protect the rights, property, or safety of Droughtless, our users, or the public.
4. Where your data is stored
Application data is stored in PostgreSQL and TimescaleDB instances we operate. Site images and generated PDF reports are stored in Google Cloud Storage. Backups are retained on the same infrastructure. All data is held in the United States.
5. Cookies we set
- access_token — authenticates your session. HttpOnly, SameSite=Strict, expires after about one hour.
- refresh_token — lets us renew your session without re-prompting. HttpOnly, SameSite=Strict, expires after seven days.
- oauth_verifier_* and oauth_redirect_* — set briefly during single sign-on. HttpOnly, SameSite=Lax, expire after ten minutes.
We do not use advertising or cross-site tracking cookies. You can clear these cookies at any time using your browser settings, which will sign you out.
6. How long we keep your data
- Account records are kept for as long as your account is active.
- Sensor and irrigation history may be retained for up to seven years to support sustainability certifications and audits (e.g. LEED, GRESB, ISO 14001) that require multi-year continuous records.
- Weather forecast data is kept on a rolling 14-day window.
- Password-reset tokens expire 15 minutes after issue.
- When you delete a site or organization, we soft-delete the record (mark it inactive) so audit trails remain intact. You can request a hard delete at any time using the contact details below.
7. Your rights and choices
You can ask us to:
- Access the personal information we hold about you.
- Correct information that is inaccurate or out of date.
- Delete your account and the personal information associated with it.
- Export your sensor and site data in a portable format.
- Opt out of any non-transactional email.
If you are a California resident, the California Consumer Privacy Act (CCPA) gives you the rights above plus the right to know what personal information we collect and to opt out of any “sale” of personal information. Droughtless does not sell your personal information.
Account deletion is currently handled by request rather than self-serve. Email us at the address below and we will action the request within 30 days.
8. Security
We encrypt data in transit, store passwords only as one-way hashes, authenticate connected controllers using device certificates, and use HttpOnly, same-site session cookies. Access to production systems is limited to a small number of Droughtless employees and contractors who need it for support and operations.
No system can be guaranteed perfectly secure. If we ever discover a breach that affects your personal information, we will notify affected users without undue delay.
9. Children
Droughtless is a business product not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has created an account, contact us and we will remove it.
10. Changes to this policy
We may update this policy as the product changes. When we do, we will update the effective date at the top of this page. For material changes, we will also notify active users by email.
11. Contact us
Questions, deletion requests, or other privacy concerns:
- Droughtless Inc.
- Email: privacy@droughtless.com
- Mailing address available on request.
© 2026 Droughtless Inc.