BuffCowLand
Legal

Privacy Policy

Last updated: March 2026

Short version: We collect only what we need to run the service. We encrypt your personal data at rest. We never sell it. You can delete your account and all associated data at any time.
Contents
1. Who We Are2. What We Collect3. How We Use Your Data4. How We Store & Protect Your Data5. Who We Share Data With6. Cookies & Session Tokens7. Google Sign-In8. Your Rights9. Data Retention10. Children11. Changes to This Policy12. Contact Us

1. Who We Are

BuffCowLand ("we", "our", "us") is an online pharmacy platform operated as a personal/small business project. Our website is accessible at httpsbuffcowland.in and associated subdomains.

For privacy matters, contact us at support@httpsbuffcowland.in.

2. What We Collect

We collect information in two ways: information you give us, and information we collect automatically.

Information you provide:

  • Account registration: display name, email address, password (hashed — never stored in plain text), and optionally a phone number for delivery contact
  • Orders: shipping address, order contents, and payment confirmation
  • Contact form: your name, email, phone, and message
  • Google Sign-In: if you choose to sign in with Google, we receive your verified email, name, and optionally your verified phone number from Google (see Section 7)

Information we collect automatically:

  • IP address: logged per session for security — including your router's public IPv6 address when available (more precisely geolocatable to your ISP region, not your house)
  • Device information: browser user-agent, language, and approximate country (from Cloudflare headers) — used to create a device fingerprint for session security
  • Session data: login timestamps, device labels, and expiry times

We do not collect payment card numbers directly — payment processing is handled by third-party processors.

3. How We Use Your Data

  • To create and manage your account
  • To process and fulfil your orders and communicate order status
  • To send transactional emails (verification, password reset, 2FA codes, security alerts)
  • To detect and prevent fraud and unauthorised account access
  • To respond to contact form enquiries
  • To comply with applicable laws (e.g. retaining transaction records for tax purposes)

We do not use your data for advertising profiling, sell it to third parties, or share it with data brokers.

4. How We Store & Protect Your Data

Your personal data is encrypted at rest using AES-256-GCM. Passwords are stored as salted SHA-512 hashes — we cannot recover them. Session tokens are signed with HMAC-SHA-512 and are never stored in plain text.

All data is stored on a self-hosted Raspberry Pi 4 server accessed via Cloudflare Tunnel (HTTPS enforced). The database files containing personal data are:

  • data/uac/account.db — account records, sessions, orders, settings. PII fields (email, name, phone, address) are individually encrypted with AES-256-GCM before storage.
  • data/uac/avatar.db — avatar images stored as base64, indexed by a hex pointer. No PII.
  • data/uac/contact.db — contact form submissions index.

We take reasonable technical precautions, but no system is 100% secure. In the event of a data breach that is likely to result in risk to your rights, we will notify you by email within 72 hours of becoming aware.

5. Who We Share Data With

We share limited data with the following third parties, only as necessary to operate the service:

  • Cloudflare — DNS, tunnelling, and DDoS protection. Cloudflare processes request headers including IP addresses.
  • Resend — transactional email delivery. We pass your email address and the content of transactional emails (verification codes, order updates).
  • Google — only if you choose to sign in with Google (see Section 7).

We do not share your data with any other third parties.

6. Cookies & Session Tokens

We use a single session cookie (buffcowland_uac_session) when you are logged in. This cookie is:

  • HttpOnly — JavaScript cannot read it
  • SameSite=Strict — it is never sent in cross-site requests (prevents CSRF)
  • Secure (in production) — only transmitted over HTTPS
  • Valid for 7 days, auto-renewed on active use

We do not use advertising cookies, analytics cookies, or tracking pixels. We do not use Google Analytics or any similar third-party analytics service.

7. Google Sign-In

If you choose to sign in with Google, we request the following scopes:

  • openid — establishes your Google identity
  • email — your verified Google email address
  • profile — your display name and profile picture URL
  • user.phonenumbers.read — your verified phone number, if you have one on your Google account (used to pre-fill your delivery contact number)

We only use this information to create or link your BuffCowLand account. We do not access any other Google data. You can disconnect Google from your account at any time via Account → Settings. Disconnecting removes the Google ID from our records but does not delete your account.

Google's own privacy policy applies to data shared through Google Sign-In: policies.google.com/privacy

8. Your Rights

You have the right to:

  • Access: request a copy of the personal data we hold about you
  • Correction: update your display name and phone number from Account → Profile
  • Deletion: request deletion of your account and all associated data via Account → Settings → Danger Zone. Requests are reviewed by staff within 2–5 business days.
  • Portability: contact us to request your data in a machine-readable format
  • Objection: contact us to object to processing of your data in specific ways

To exercise these rights, use the in-app tools where available, or contact us at support@httpsbuffcowland.in. We will respond within 30 days.

9. Data Retention

We keep your account data for as long as your account is active. When you request deletion:

  • Personal profile data (name, email, phone) is permanently deleted upon approval
  • Order records may be retained for up to 7 years to comply with tax and accounting obligations, but are anonymised (personal details removed)
  • Contact form submissions are retained for up to 2 years, then permanently deleted
  • Server logs containing IP addresses are retained for up to 90 days

10. Children

Our service is not directed at anyone under 18. We do not knowingly collect personal data from children. If you believe a child has created an account, please contact us and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy. When we make material changes, we will notify registered users by email and update the date at the top of this page. Your continued use of the service after the effective date constitutes acceptance of the updated policy.

12. Contact Us

For privacy questions, data requests, or to report a concern:

BuffCowLand — A Pharmacy Company

Also see our Terms of Service.