Privacy

You have no privacy on the Internet. Given that, reading the rest of this page is probably a waste of time. For the excruciating details, read on…

I take your privacy seriously. I probably take it more seriously than you do. I offer options that make it possible for you to transact with me in as nearly complete privacy as one can reasonably achieve, but to actually accomplish it requires work on your end. It is not possible for me to protect your privacy unilaterally.

Let’s consider three models: the “typical” customer model, the “intermediate” model, and the “privacy zealot” model. You can accomplish any of these when transacting with Cultivariable.

The Typical Customer

The typical customer doesn’t care much about privacy or simply doesn’t have the time to manage the technical complexity required in order to obtain it. That’s just a statement of fact, not a judgment. You’re buying plants and probably don’t give a damn who knows about it. You probably found the site through Google or Facebook, and you are going to register with a Gmail or Yahoo account. You’re browsing the web with Chrome. You’ll pay with a credit card. You’re already multiple layers deep in surveillance. That means that a bunch of tech companies probably knew that you were going to come to Cultivariable before you did. They know what you bought, like they know everything that you buy, they have aggregated that data, and they are using it to predict other things that they might convince you to buy. There are still a few things that I do that will help to protect you from outright abuse.

* The Cultivariable server is not a shared service. There are no third parties that run software on the server.

* The Cultivariable website is encrypted with SSL. This prevents a third party from intercepting the connection.

* I run our mail server, so your emails are not read by a third party mail provider, although it may be possible for servers that relay your mail to read them. And, of course, if you are using a free email service, they read all your mail anyway.

* I don’t use a web traffic analytics service, like Google Analytics, so your use of the Cultivariable website is not reported to other companies.

* I don’t keep your credit card details.  Those are passed directly to the credit card processor (Paypal) and are never stored on the website.

* The website is not integrated with the login services of major platforms like Facebook, Google, or Twitter, so they are not able to track you here.

* The website uses cookies, but these cookies are set only by the cultivariable.com domain. They cannot be used to track you when you leave the website and provide only routine functions like remembering that you are logged in and keeping track of your shopping cart contents.  The cookies are all set by the underlying WordPress software and related plugins and you can do a web search for the cookie names to learn exactly what they are used for.

The Intermediate Customer

Let’s say that you are interested in privacy, but you don’t have time to learn a bunch of obscure technologies in order to keep your plant addiction secret.  There are a few things that are easy to do and will significantly upgrade your privacy:

* Don’t use Chrome.  Use anything else.  For real privacy, use the very slow but very secure Tor Browser.  Firefox and Safari are both good compromises between privacy and performance, particularly if you use their private modes.

* Don’t use free email.  Use an email provider that gives you some kind of privacy guarantee.  Remember, if you aren’t paying, then you are the product.

* Don’t use a credit/debit card.  They were tracking their customers before the Internet.

* If you create a Cultivariable account, use a strong password.  If you take all of the previous steps but then use a password that is easy to guess, it is all for naught.

The Privacy Zealot

If you care a lot about privacy and you are pretty technical or willing to learn, I have given you a lot to work with:

* You can check out in guest mode, requiring no permanent account.

* You can purchase using money order, cash, or crypto, all of which you can use without revealing your identity.

* You can send email directly using our mail server, which cuts out the possibility of having your email read in transit. To do this, you configure your mail client to connect to mail.cultivariable.com on port 25 with the STARTTLS option. You can then send your email directly. (You will be presented with an SSL certificate for mail.centralcoastdata.net, which is correct. You can also verify that this self-signed certificate is authentic by comparing it against the TLSA (DANE) DNS record.)

* Alternatively (or additionally), you can use PGP to encrypt your emails. PGP public keys for our email accounts are published on the PGP key servers and are also published on the website. If you create an account, you can add your public key so that automated emails from the website will be encrypted using your key.

* Our emails use SPF and DKIM, with a DMARC policy of reject. This means that you should not get fraudulent emails from the cultivariable.com domain. You can check the headers of our email messages for a valid DKIM result.

* Our emails are PGP signed. If your mail client supports it, you can download Cultivariable public keys from PGP keyservers or from the website and verify authenticity.

* Our domain has a TLSA (DANE) record for cultivariable.com, which you can use as a secondary check of our certificate authenticity.

Of course, all of the above is pretty much worthless if you are not using a browser that has effective privacy settings, if you don’t have a secure mail account, or you pay with a credit card.

For most people, doing all of this will be too much work for buying plants, but whether you live in an authoritarian country, like to play with the technology, or just really hate the idea of being spied on, I am happy to provide you with services that can maximize your privacy.
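The header check mentioned in the SPF/DKIM/DMARC item above can be automated. The following is an added example, not code from Cultivariable: it reads the Authentication-Results header of a constructed sample message and trusts only the copy written by your own receiving server, assumed here to identify itself as mx.example.net.

```python
import re
from email import message_from_string

# Constructed sample message. "mx.example.net" is an assumed name for the
# reader's own receiving server; the second header imitates one added by a sender.
SAMPLE = """\
Authentication-Results: mx.example.net;
 dkim=pass (good signature) header.d=cultivariable.com header.s=sel1;
 spf=pass smtp.mailfrom=cultivariable.com;
 dmarc=pass header.from=cultivariable.com
Authentication-Results: relay.invalid; dkim=pass header.d=cultivariable.com;
 dmarc=pass header.from=cultivariable.com
From: orders@cultivariable.com
Subject: Your order

Thanks for your order.
"""

def parse_auth_results(raw):
    """Split one header value into (authserv_id, [(method, result, props)])."""
    value = re.sub(r"\([^()]*\)", " ", " ".join(raw.split()))  # unfold, drop comments
    parts = [p.strip() for p in value.split(";")]
    authserv_id = parts[0].split()[0].lower() if parts[0] else ""
    results = []
    for part in parts[1:]:
        tokens = part.split()
        if not tokens or "=" not in tokens[0]:
            continue  # e.g. the bare "none" form
        method, result = tokens[0].split("=", 1)
        props = dict(t.lower().split("=", 1) for t in tokens[1:] if "=" in t)
        results.append((method.lower(), result.lower(), props))
    return authserv_id, results

def is_authentic(message_text, trusted_authserv, domain="cultivariable.com"):
    """True only if our own server recorded DKIM and DMARC passes for domain."""
    msg = message_from_string(message_text)
    for raw in msg.get_all("Authentication-Results", []):
        authserv_id, results = parse_auth_results(raw)
        if authserv_id != trusted_authserv.lower():
            continue  # any sender can add this header; skip foreign ones
        dkim_ok = any(m == "dkim" and r == "pass" and p.get("header.d") == domain
                      for m, r, p in results)
        dmarc_ok = any(m == "dmarc" and r == "pass" and p.get("header.from") == domain
                       for m, r, p in results)
        return dkim_ok and dmarc_ok  # topmost trusted header decides
    return False

if __name__ == "__main__":
    print(is_authentic(SAMPLE, "mx.example.net"))
```

This depends on the receiving server removing incoming headers that already carry its own name, as RFC 8601 directs.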

Information Access

I am the only person who has access to your information.

Information Sharing

Paypal

If you make a purchase using a credit/debit card or Paypal account, then your email address, phone number, shipping address, and purchase amount are shared with Paypal.

Stamps.com

All domestic shipping is done through Stamps.com, so they receive your mailing address.

Data Deletion

If you are concerned about privacy, then the best practice would be to not give me any information that you would ever want deleted in the first place.  The fact is, if you fit into the “typical customer” category described above, by the time you ask me to delete your data, it is already in the hands of many other companies and my deleting it will accomplish very little.

I only retain order data for two years, so if you have not ordered recently, your data has probably already been deleted.

https://www.cultivariable.com/data-deletion-policy/
