Back to Legal

Privacy Policy

Effective June 26, 2026. What we collect, how it's stored, and your controls.

Private by default

Your humidors, tasting notes, and ratings are private by default. Sharing is opt-in per item, you can export your data at any time, and account/data deletion is honored on request.

What we collect

Your account email; the humidor, inventory, tasting, rating, wishlist, and request data you enter; and any photos you upload. We do not ask for or store your date of birth — the age gate verifies 21+ on your device and keeps only the pass/fail result.

Optional humidor climate readings

If you choose to connect a humidor sensor (for example through Home Assistant), the readings you send us — temperature and relative humidity, plus an optional device label and timestamp — are stored against the humidor you select. These readings are sent using a private webhook token tied to your account, which you can view and regenerate from the humidor's settings. This integration is entirely optional and off unless you set it up.

How it's stored

Your data lives in our database (Supabase) with row-level security, so each account can only read and write its own records. The app is hosted on Vercel. Your cigar photos are kept in a private storage area scoped to your account. Supabase and Vercel act as our processors and store data on our behalf.

How we use it

We use your data only to provide the app — your inventory, history, analytics, and recommendations. Climate readings, if you send them, power storage tracking and personal insights such as how your cigars smoked at different humidity levels. We do not sell your data or share it with advertisers.

Sharing

Nothing is public by default. Any future sharing will be opt-in, per item, and non-transactional. We do not facilitate the sale or trade of tobacco products.

How long we keep it

We keep your account and the data you enter for as long as your account is active. When you delete your account, your humidors, items, sessions, ratings, notes, wishlist, requests, photos, and climate readings are removed. Residual copies in routine provider backups age out on their normal cycles.

Your controls

You can export all of your data as a file at any time from Settings, and you can delete your account from Settings — deletion removes your humidors, items, sessions, ratings, notes, wishlist, requests, and photos.

Not directed to anyone under 21

Plume & Ash is intended only for adults who are at least 21children. We do not knowingly collect information from anyone under 21. If you believe someone under-age has provided us information, contact us and we will remove it.

Cookies & local storage

We use a small number of essential, first-party items: a session cookie that keeps you signed in (set by our authentication provider), a cookie that remembers your age confirmation, and browser local storage for in-app preferences such as rating scale and taste profile. These are necessary for the app to work — we use no third-party advertising or tracking cookies, so no cookie-consent banner is required.

Affiliate links

Plume & Ash currently shows no advertising and contains no affiliate or retailer links. If we add retailer links in the future, we will disclose any affiliate relationship clearly and conspicuously near those links, consistent with FTC guidance, and update this policy.

Changes & contact

We may update this policy as the app evolves; material changes will be reflected here with a new effective date. Questions about your data or this policy? Contact us at [contact email — set before public launch], or at the email associated with your account.