Vendor Privacy Policy: Discrepancies
Side-by-side of provisions in Gardyn’s public-facing Privacy Policy against CISA advisory ICSA-26-055-03, the maintainer’s coordinated-disclosure repository, and against itself, plus changes observed in the policy over time per Wayback Machine captures.
Source documents
| Source | Location |
|---|---|
| Privacy Policy (current) | mygardyn.com/policy/privacy/ |
| Wayback Machine capture index | web.archive.org/web/*/mygardyn.com/policy/privacy/ (captures Aug 12, 2020 – May 25, 2026; locally mirrored set in Item 8) |
| Federal advisory | CISA ICSA-26-055-03 (Update A) |
| Maintainer repository | github.com/MichaelAdamGroberman/ICSA-26-055-03 |
Item 1: Information Security Program description
Privacy Policy section 13 (paraphrased): The Information Security Program is described as employing commercially available physical and IT security tools including firewalls, segmented data storage, encryption, multi-factor authentication, SSL software, and policies providing for least-privileged access to data across the organization.
CISA advisory (paraphrased): The advisory documents ten CVEs including hard-coded administrative credentials reachable in API responses (CVE-2025-1242), a hardcoded Azure Blob Storage account key (CVE-2025-10681), default credentials enabling SSH access (CVE-2025-29629), cleartext transmission of an IoT Hub connection string over HTTP (CVE-2025-29628), administrative endpoints accessible without authentication (CVE-2026-32646, CVE-2026-28767), development endpoints reachable in production (CVE-2026-32662), and an unauthenticated endpoint exposing user account information (CVE-2026-28766).
Specific contradiction on least-privileged access: Per the CVE-2026-28766 page, the unauthenticated /api/users endpoint returned each of 134,215 user records with the hub_conn_string field populated — the Azure IoT Hub connection string carrying the iothubowner SharedAccessKey (separately cataloged as CVE-2025-1242). Per Azure IoT Hub documentation, the iothubowner key grants Service Connect, Device Connect, and Registry Read/Write across the entire IoT Hub. A single anonymous HTTP GET that returns the administrative credential controlling the production IoT Hub in every one of 134,215 customer records is incompatible with the described policy of “least-privileged access to data across the organization.” The separately-cataloged single-record companion endpoint /api/user/{id} (CVE-2026-25197), reachable by incrementing a sequential integer user id with no authentication, is similarly incompatible with the described access model.
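The control whose absence Item 1 documents is an outbound check on what a user-facing API is allowed to serialize. The following is an added illustration, not code from the advisory, the maintainer repository or the vendor: it scans a record before it is returned, flags any value that looks like an Azure-style connection string (the `;`-separated `key=value` format, with `SharedAccessKey` or `AccountKey` as the secret component), singles out the hub-wide `iothubowner` policy, and redacts the value. The sample record, the field names other than `hub_conn_string`, and the key material are constructed placeholders. The allow-list serializer at the end is the stricter alternative: rather than scrubbing a full database row, it emits only the fields a public endpoint was ever meant to expose.

```python
import json

# Field names that are credentials by definition. Only hub_conn_string comes
# from the record above; the others are constructed for this example.
SECRET_FIELDS = {"hub_conn_string", "password_hash", "api_token"}

# Azure-style connection strings are ';'-separated key=value lists; these
# components carry the secret material.
SECRET_COMPONENTS = {"sharedaccesskey", "accountkey"}
HUB_WIDE_POLICY = "iothubowner"  # hub-wide IoT Hub policy named in Item 1


def parse_conn_string(value):
    """Return {lower-cased key: value} for a connection-string-shaped value, else {}."""
    if not isinstance(value, str) or "=" not in value:
        return {}
    parts = {}
    for item in value.split(";"):
        key, sep, val = item.partition("=")
        if sep:
            parts[key.strip().lower()] = val.strip()
    return parts


def classify(field, value):
    """Return a finding string if the field must not leave the service, else None."""
    parts = parse_conn_string(value)
    # Content check first: a credential hiding in an innocuous field name
    # (e.g. a free-text notes column) must still be caught.
    if SECRET_COMPONENTS.intersection(parts):
        if parts.get("sharedaccesskeyname", "").lower() == HUB_WIDE_POLICY:
            return f"{field}: hub-wide {HUB_WIDE_POLICY} credential"
        return f"{field}: embedded access key"
    if field in SECRET_FIELDS:
        return f"{field}: listed secret field"
    return None


def redact_record(record):
    """Copy `record` with credential-bearing values replaced; return (copy, findings)."""
    safe, findings = {}, []
    for field, value in record.items():
        if isinstance(value, dict):  # recurse into nested objects
            sub, sub_findings = redact_record(value)
            safe[field] = sub
            findings.extend(f"{field}.{f}" for f in sub_findings)
            continue
        finding = classify(field, value)
        if finding:
            findings.append(finding)
            safe[field] = "[REDACTED]"
        else:
            safe[field] = value
    return safe, findings


def serialize_public(record, allowed=("id", "email", "display_name")):
    """Allow-list serializer: only named fields are ever emitted."""
    return json.dumps({k: record[k] for k in allowed if k in record})


# Constructed record. The host name and keys are placeholders, not real values.
SAMPLE = {
    "id": 1,
    "email": "user@example.invalid",
    "display_name": "Constructed User",
    "last_four": "1234",
    "hub_conn_string": ("HostName=example-hub.azure-devices.net;"
                        "SharedAccessKeyName=iothubowner;"
                        "SharedAccessKey=PLACEHOLDER_KEY_NOT_REAL"),
    "notes": "HostName=other;SharedAccessKeyName=device;SharedAccessKey=PLACEHOLDER",
}

if __name__ == "__main__":
    scrubbed, found = redact_record(SAMPLE)
    print(json.dumps(scrubbed, indent=2))
    for f in found:
        print("finding:", f)
    print("public view:", serialize_public(SAMPLE))
```

In a real service the `findings` list is what should reach a log or alert: a production endpoint that ever produces a non-empty list has a data-exposure bug regardless of whether the redaction caught it, and the allow-list form removes the class of bug rather than patching one field.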
Item 2: Payment information
Privacy Policy section 5a (paraphrased): States that Gardyn does not collect and maintain payment information directly, instead utilizing a third-party payment processor for online payments. Storage of payment information on a customer account is described as facilitated by the Payment Processor and not by Gardyn directly.
Maintainer repository (paraphrased): The affected /api/users endpoint returned records that included a partial payment-card field (last_four), not full card number or CVV.
Item 3: Breach notification
Privacy Policy section 13 (paraphrased): Acknowledges that no security program can completely eliminate the risk of a data security incident, and commits that if Gardyn suffers a security incident that affects personal information, it will report it as required by applicable data breach notification laws.
Vendor public statement (paraphrased): Gardyn’s customer-facing security update post characterizes the incident as not a data breach. Application of state and federal breach notification laws is a fact-specific legal question that varies by jurisdiction.
Item 4: California disclosure
Privacy Policy section 16(a) (paraphrased): In the California Residents Legal Notice, the Privacy Policy lists Financial Information (described as “Your payment information”) as a category of Personal Information collected by Gardyn.
Vendor public statement (paraphrased): The customer-facing security update post states that payment card information was not exposed.
Item 5: Internal contradiction on cross-contextual advertising
The current (March 19, 2026) Privacy Policy contains two statements about cross-contextual advertising that do not reconcile.
Section 15 (paraphrased): Gardyn does not share Personal Information for cross-contextual advertising.
Section 16(d) (paraphrased): Gardyn does share Personal Information for cross-contextual advertising, and lists the NAI How-to-Opt-Out page and the DAA AdChoices Tools as opt-out resources.
Both statements appear in the same policy as captured at mygardyn.com/policy/privacy/ on April 27, 2026.
Item 6: “Last updated” date and Privacy Policy change history
Per Wayback Machine captures of https://mygardyn.com/policy/privacy/:
| Wayback capture date | “Last updated” text on page |
|---|---|
| November 5, 2024 (and earlier) | Last updated: July 31, 2024 |
| January 5, 2026 | Last updated: July 31, 2024 |
| January 16, 2026 | Last updated: July 31, 2024 |
| March 2, 2026 | Last updated: July 31, 2024 |
| April 2, 2026 | Last updated: March 19, 2026 |
| April 27, 2026 | Last updated: March 19, 2026 |
Per the captures above, the Privacy Policy displayed “Last updated: July 31, 2024” through at least the March 2, 2026 capture, and displayed “Last updated: March 19, 2026” in captures from April 2, 2026 onward.
The maintainer's direct capture of the same page (April 27, 2026) recorded the embedded JSON-LD dateModified field as 2026-03-20T12:36:12+00:00. The page text states “Last updated: March 19, 2026” while the embedded structured-data dateModified field is March 20, 2026.
Item 7: Substantive changes between the July 31, 2024 and March 19, 2026 versions
Per the Wayback Machine captures referenced above, the following changes are observed between the July 31, 2024 version (last visible Mar 2, 2026 capture) and the March 19, 2026 version (first visible Apr 2, 2026 capture):
- Product definition. Old version: “Product” defined as Gardyn’s artificial intelligence powered indoor garden. New version: “Product” defined as Gardyn’s smart indoor hydroponic garden.
- Cross-contextual advertising statement (Section 15). Old version: explicitly states that Gardyn does share Personal Information for cross-contextual advertising and references an opt-out via marketing-email links. New version: states that Gardyn does not share Personal Information for cross-contextual advertising. (See Item 5 above for the contradiction this introduces with Section 16(d) of the same new version.)
- Payment processors enumerated. Old version: lists Amazon and PayPal as third-party payment processors, with Affirm described separately. New version: lists Amazon, Affirm, and PayPal together as third-party payment processors.
- Section numbering. Old version: section headings use unnumbered titles. New version: section headings use Arabic numerals (1, 2, 3, …) with explicit subsection labels.
- California Shine the Light section. Old version: contains a separate California Shine the Light Law section under Section 1798.83 of the California Civil Code. New version: this section is not present in captures from April 2, 2026 onward.
- Cookie banner / promo and other interface text. The header promo banner above the policy varies between captures (HSA/FSA promo, “Take the quiz” promo, Mother’s Day promo). These are page-template differences and not changes to the policy itself.
Item 8: Wayback Machine snapshot index for this page
The following Wayback Machine snapshots of https://mygardyn.com/policy/privacy/ are mirrored locally on this site under /captures/wayback/privacy/. Mirrors are not modified after fetch; SHA-256 hashes are recorded in the /captures/wayback/manifest.json file. The capture index spans October 4, 2025 through May 25, 2026 (eighteen snapshots: seventeen Wayback Machine captures and one direct maintainer fetch).
| Captured (UTC) | JSON-LD dateModified | Body “Last updated” | Added | Removed | Primary source | Local mirror | Size | SHA-256 (truncated) |
|---|---|---|---|---|---|---|---|---|
| 2025-11-06 23:14:03 UTC | 2025-10-08 13:54:43 UTC | Last updated: July 31, 2024 | “Additionally, we may use session replay technologies on both our Website and App that capture user interactions, such as clicks, mouse movements, scrolling, and other on-screen behavior.” (silent date stamp) | — | archive.org | local copy | 196.0 KB | f1e7b5593e25… |
| 2026-04-02 17:16:46 UTC | 2026-03-20 12:36:12 UTC | Last updated: March 19, 2026 | | | archive.org | local copy | 861.7 KB | 05c4ef0b4690… |
Item 9: Session replay disclosure removed from policy
Per the Wayback Machine captures of the Privacy Policy referenced in Item 8 above, the policy contained the following sentence in the “Information collected automatically” section in captures dated November 6, 2025 through March 2, 2026:
“Additionally, we may use session replay technologies on both our Website and App that capture user interactions, such as clicks, mouse movements, scrolling, and other on-screen behavior.”
The same sentence is not present in captures of the same page dated April 2, 2026 onward. Per the captures, this sentence was added to the policy between the October 7, 2025 capture (in which it is absent) and the November 6, 2025 capture (in which it is present), and removed from the policy between the March 2, 2026 capture (in which it is present) and the April 2, 2026 capture (in which it is absent). Each of these capture-bracketed timeframes corresponds to a JSON-LD dateModified change recorded in the captures themselves: October 8, 2025 (addition) and March 20, 2026 (removal).
Item 10: Global Privacy Control signal disclosure
The current Privacy Policy (dateModified March 20, 2026) contains the following sentence:
“Please note that We do not recognize the GPC signal.”
Per the Wayback Machine captures referenced in Item 8 above, this sentence is not present in captures dated through March 2, 2026 and is present in captures dated April 2, 2026 onward. The Global Privacy Control (GPC) is a browser-level signal documented at globalprivacycontrol.org, the link the Privacy Policy itself directs readers to. Application of GPC under the California Consumer Privacy Act and the California AG’s enforcement guidance is a fact-specific legal question.
Item 11: JSON-LD dateModified revision dated three days after CISA advisory publication
Per the Wayback Machine captures referenced in Item 8 above, the JSON-LD dateModified field on the Privacy Policy advanced from 2025-10-08T13:54:43+00:00 (visible in captures through January 16, 2026) to 2026-02-27T17:31:00+00:00 (visible in the March 2, 2026 capture). The body-text “Last updated” string was not changed during this transition (it remained “Last updated: July 31, 2024” in the March 2 capture). CISA published the original ICSA-26-055-03 advisory on February 24, 2026; the JSON-LD dateModified change is dated February 27, 2026.
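Items 8 through 11 rest on one method: for each mirrored capture, record a fixity hash, read the JSON-LD `dateModified` field, read the body “Last updated” string, and note which tracked sentences appear or disappear relative to the previous capture. The following is an added example of that method, not the maintainer's tooling: it builds three constructed HTML snapshots whose dates and tracked sentences are the ones recorded above (the markup, the page text around them, and the date-only label on the second capture are invented), then produces one row per capture, including a `silent_date_stamp` flag for the Item 11 pattern in which `dateModified` advances while the visible “Last updated” text does not.

```python
import hashlib
import json
import re
from html import unescape

# Sentences tracked across captures (quoted in Items 9 and 10).
SESSION_REPLAY = ("Additionally, we may use session replay technologies on both our "
                  "Website and App that capture user interactions, such as clicks, "
                  "mouse movements, scrolling, and other on-screen behavior.")
GPC = "Please note that We do not recognize the GPC signal."
WATCHED = (SESSION_REPLAY, GPC)

LD_JSON_RE = re.compile(r'<script[^>]*type="application/ld\+json"[^>]*>(.*?)</script>', re.S | re.I)
SCRIPT_RE = re.compile(r"<script.*?</script>", re.S | re.I)
TAG_RE = re.compile(r"<[^>]+>")
LAST_UPDATED_RE = re.compile(r"Last updated:\s*([A-Za-z]+ \d{1,2}, \d{4})")


def sha256_hex(html):
    """Fixity hash of the mirrored bytes, as a manifest would record it."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def _find_key(obj, key):
    """Depth-first search for `key` in nested JSON-LD (handles @graph arrays)."""
    if isinstance(obj, dict):
        if key in obj:
            return obj[key]
        obj = list(obj.values())
    if isinstance(obj, list):
        for item in obj:
            found = _find_key(item, key)
            if found is not None:
                return found
    return None


def extract_date_modified(html):
    """dateModified from the first parseable application/ld+json block, or None."""
    for block in LD_JSON_RE.findall(html):
        try:
            data = json.loads(block)
        except json.JSONDecodeError:
            continue  # malformed block: keep looking rather than fail the capture
        found = _find_key(data, "dateModified")
        if found is not None:
            return found
    return None


def visible_text(html):
    """Body text with scripts and tags removed and whitespace collapsed."""
    text = TAG_RE.sub(" ", SCRIPT_RE.sub(" ", html))
    return re.sub(r"\s+", " ", unescape(text)).strip()


def extract_last_updated(html):
    m = LAST_UPDATED_RE.search(visible_text(html))
    return m.group(1) if m else None


def compare_captures(captures, watched=WATCHED):
    """One row per capture: metadata, sentence additions/removals, and whether
    dateModified advanced while the body 'Last updated' string stayed put."""
    rows, prev_present, prev_row = [], set(), None
    for captured_at, html in captures:
        present = {s for s in watched if s in visible_text(html)}
        row = {"captured": captured_at,
               "dateModified": extract_date_modified(html),
               "last_updated": extract_last_updated(html),
               "added": sorted(present - prev_present),
               "removed": sorted(prev_present - present),
               "sha256": sha256_hex(html)[:12]}
        row["silent_date_stamp"] = (prev_row is not None
                                    and row["dateModified"] != prev_row["dateModified"]
                                    and row["last_updated"] == prev_row["last_updated"])
        rows.append(row)
        prev_present, prev_row = present, row
    return rows


def make_snapshot(date_modified, last_updated, sentences):
    """Constructed page markup; only the dates and tracked sentences are from the record."""
    ld = json.dumps({"@context": "https://schema.org", "@type": "WebPage",
                     "dateModified": date_modified})
    body = "".join(f"<p>{s}</p>" for s in sentences)
    return (f'<html><head><script type="application/ld+json">{ld}</script></head>'
            f"<body><p>Last updated: {last_updated}</p>{body}</body></html>")


FILLER = "We collect certain information automatically."  # constructed
CAPTURES = [
    ("2025-11-06 23:14:03 UTC", make_snapshot("2025-10-08T13:54:43+00:00", "July 31, 2024", [FILLER, SESSION_REPLAY])),
    ("2026-03-02 (time omitted)", make_snapshot("2026-02-27T17:31:00+00:00", "July 31, 2024", [FILLER, SESSION_REPLAY])),
    ("2026-04-02 17:16:46 UTC", make_snapshot("2026-03-20T12:36:12+00:00", "March 19, 2026", [FILLER, GPC])),
]

if __name__ == "__main__":
    for row in compare_captures(CAPTURES):
        print(row)
```

Run against real mirrors, the `captures` list would be built from the files under the mirror directory in capture order, and the full `sha256_hex` value, not the 12-character prefix, is what belongs in the manifest; the prefix is only for display, matching the truncated column above.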
Item 12: Internal inconsistency between Product definition and photo-processing description after the March 20 edit
The Privacy Policy as captured on April 27, 2026 (dateModified March 20, 2026) contains two statements about whether the Product is AI-powered. Both appear in the same document.
Section 2 (Definitions), as captured April 27, 2026:
“Product(s)” means our smart indoor hydroponic garden that You have bought from our Website.
Section 5 (Information collected), photo-processing disclosure, as captured April 27, 2026:
The photos are processed by our proprietary artificial intelligence to gather information about the plants, and we do not process or store any of Your biometric information, including facial geometry, that might be inadvertently captured by the camera.
Per Wayback Machine captures referenced in Item 8 above, the Product definition contained the phrase “artificial intelligence powered indoor garden” in every capture from October 4, 2025 through March 2, 2026 (nine captures), and contained the phrase “smart indoor hydroponic garden” in every capture from April 2, 2026 onward (nine captures). The photo-processing disclosure’s use of “our proprietary artificial intelligence” is unchanged across all eighteen captures from October 4, 2025 through May 25, 2026. The change in Section 2 occurred between the March 2 capture and the April 2 capture; per the JSON-LD dateModified field, the underlying revision is timestamped 2026-03-20T12:36:12+00:00.
Both statements appear in the current Privacy Policy at mygardyn.com/policy/privacy/, locally mirrored at /captures/wayback/privacy/20260427050154.html.
What this site does not say
This site does not characterize Gardyn’s Privacy Policy. It documents the public record. The reconciliation between the Privacy Policy’s stated commitments and the CISA advisory’s findings, and between sections of the Privacy Policy itself, is left to the reader and to any regulator or attorney with appropriate jurisdiction.