Vendor Privacy Policy: Discrepancies
Side-by-side of provisions in Gardyn’s public-facing Privacy Policy against CISA advisory ICSA-26-055-03, the maintainer’s coordinated-disclosure repository, and against itself, plus changes observed in the policy over time per Wayback Machine captures.
Source documents
| Document | Location |
|---|---|
| Privacy Policy (current) | mygardyn.com/policy/privacy/ |
| Wayback Machine capture index | web.archive.org/web/*/mygardyn.com/policy/privacy/ (79 captures, Aug 12, 2020 – Apr 27, 2026) |
| Federal advisory | CISA ICSA-26-055-03 (Update A) |
| Maintainer repository | github.com/MichaelAdamGroberman/ICSA-26-055-03 |
Item 1: Information Security Program description
Privacy Policy section 13 (paraphrased): The Information Security Program is described as employing commercially available physical and IT security tools including firewalls, segmented data storage, encryption, multi-factor authentication, SSL software, and policies providing for least-privileged access to data across the organization.
CISA advisory (paraphrased): The advisory documents ten CVEs including hard-coded administrative credentials reachable in API responses (CVE-2025-1242), a hardcoded Azure Blob Storage account key (CVE-2025-10681), default credentials enabling SSH access (CVE-2025-29629), cleartext transmission of an IoT Hub connection string over HTTP (CVE-2025-29628), administrative endpoints accessible without authentication (CVE-2026-32646, CVE-2026-28767), development endpoints reachable in production (CVE-2026-32662), and an unauthenticated endpoint exposing user account information (CVE-2026-28766).
Item 2: Payment information
Privacy Policy section 5a (paraphrased): States that Gardyn does not collect and maintain payment information directly, instead utilizing a third-party payment processor for online payments. Storage of payment information on a customer account is described as facilitated by the Payment Processor and not by Gardyn directly.
Maintainer repository (paraphrased): The affected /api/users endpoint returned records that included the last_four partial payment-card field.
Item 3: Breach notification
Privacy Policy section 13 (paraphrased): Acknowledges that no security program can completely eliminate the risk of a data security incident, and commits that if Gardyn suffers a security incident that affects personal information, it will report it as required by applicable data breach notification laws.
Vendor public statement (paraphrased): Gardyn’s customer-facing security update post characterizes the incident as not a data breach. Application of state and federal breach notification laws is a fact-specific legal question that varies by jurisdiction.
Item 4: California disclosure
Privacy Policy section 16(a) (paraphrased): In the California Residents Legal Notice, the Privacy Policy lists Financial Information (described as “Your payment information”) as a category of Personal Information collected by Gardyn.
Vendor public statement (paraphrased): The customer-facing security update post states that payment card information was not exposed.
Item 5: Internal contradiction on cross-contextual advertising
The current (March 19, 2026) Privacy Policy contains two statements about cross-contextual advertising that do not reconcile.
Section 15 (paraphrased): Gardyn does not share Personal Information for cross-contextual advertising.
Section 16(d) (paraphrased): Gardyn does share Personal Information for cross-contextual advertising, and lists the NAI How-to-Opt-Out page and the DAA AdChoices Tools as opt-out resources.
Both statements appear in the same policy as captured at mygardyn.com/policy/privacy/ on April 27, 2026.
Item 6: “Last updated” date and Privacy Policy change history
Per Wayback Machine captures of https://mygardyn.com/policy/privacy/:
| Wayback capture date | “Last updated” text on page |
|---|---|
| November 5, 2024 (and earlier) | Last updated: July 31, 2024 |
| January 5, 2026 | Last updated: July 31, 2024 |
| January 16, 2026 | Last updated: July 31, 2024 |
| March 2, 2026 | Last updated: July 31, 2024 |
| April 2, 2026 | Last updated: March 19, 2026 |
| April 27, 2026 | Last updated: March 19, 2026 |
Per the captures above, the Privacy Policy displayed “Last updated: July 31, 2024” through at least the March 2, 2026 capture, and displayed “Last updated: March 19, 2026” in captures from April 2, 2026 onward.
The earlier maintainer-side capture of the same page (April 27, 2026) recorded the embedded JSON-LD dateModified field as 2026-03-20T12:36:12+00:00. The page text states “Last updated: March 19, 2026” while the embedded structured-data dateModified field is March 20, 2026.
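The Item 6 comparison (visible "Last updated" line versus the JSON-LD dateModified field, and the point at which the visible date changes across captures) can be made repeatable. The following is an added example written for this page; it is not code from the vendor, the maintainer repository, or the advisory. It assumes the structured data sits in a `<script type="application/ld+json">` element and that the visible line has the form "Last updated: Month D, YYYY" as in the captures above; the HTML captures embedded in the block are constructed samples, not copies of the live page.

```python
"""Added example: compare the visible "Last updated" line of a captured policy
page with the dateModified value in its embedded JSON-LD, and report the
captures at which the visible date changes. Sample HTML below is constructed."""
import json
import re
from datetime import date, datetime
from html.parser import HTMLParser
from typing import Any, Dict, List, Optional, Tuple


class _PageScanner(HTMLParser):
    """Separate JSON-LD <script> bodies from the page's visible text.
    Ordinary <script> and <style> bodies are dropped so they cannot masquerade
    as visible 'Last updated' text."""

    def __init__(self) -> None:
        super().__init__()
        self._mode: Optional[str] = None      # None | "jsonld" | "skip"
        self._buffer: List[str] = []
        self.jsonld_blocks: List[str] = []
        self.text_parts: List[str] = []

    def handle_starttag(self, tag: str, attrs: List[Tuple[str, Optional[str]]]) -> None:
        if tag in ("script", "style"):
            kind = (dict(attrs).get("type") or "").lower()
            is_jsonld = tag == "script" and kind == "application/ld+json"
            self._mode = "jsonld" if is_jsonld else "skip"
            self._buffer = []

    def handle_endtag(self, tag: str) -> None:
        if tag in ("script", "style"):
            if self._mode == "jsonld":
                self.jsonld_blocks.append("".join(self._buffer))
            self._mode = None

    def handle_data(self, data: str) -> None:
        if self._mode == "jsonld":
            self._buffer.append(data)
        elif self._mode is None:
            self.text_parts.append(data)


def _find_date_modified(node: Any) -> Optional[str]:
    """Depth-first search for a dateModified string in parsed JSON-LD
    (handles a bare object, a list, or an @graph array)."""
    if isinstance(node, dict):
        value = node.get("dateModified")
        if isinstance(value, str):
            return value
        node = list(node.values())
    if isinstance(node, list):
        for child in node:
            found = _find_date_modified(child)
            if found:
                return found
    return None


def extract_dates(html: str) -> Dict[str, Optional[date]]:
    """Return the visible 'Last updated' date and the JSON-LD dateModified date.
    The JSON-LD timestamp is reduced to its calendar date for comparison."""
    scanner = _PageScanner()
    scanner.feed(html)
    scanner.close()

    visible: Optional[date] = None
    match = re.search(r"Last updated:\s*([A-Z][a-z]+ \d{1,2}, \d{4})",
                      " ".join(scanner.text_parts))
    if match:
        visible = datetime.strptime(match.group(1), "%B %d, %Y").date()

    structured: Optional[date] = None
    for block in scanner.jsonld_blocks:
        try:
            stamp = _find_date_modified(json.loads(block))
        except json.JSONDecodeError:
            continue  # malformed structured data: nothing to compare against
        if stamp:
            structured = datetime.fromisoformat(stamp.replace("Z", "+00:00")).date()
            break
    return {"visible": visible, "structured": structured}


def check_capture(html: str) -> Dict[str, Any]:
    """Flag a capture whose visible date and structured-data date disagree."""
    dates = extract_dates(html)
    visible, structured = dates["visible"], dates["structured"]
    gap = (structured - visible).days if visible and structured else None
    return {"visible": visible, "structured": structured,
            "gap_days": gap, "consistent": gap == 0}


def visible_date_changes(captures: List[Tuple[str, str]]) -> List[Tuple[str, Optional[date]]]:
    """Given (capture_date, html) pairs in chronological order, return each
    capture at which the visible 'Last updated' date differs from the previous
    capture; the first capture is always included."""
    changes: List[Tuple[str, Optional[date]]] = []
    previous: Any = object()  # sentinel so the first capture is always recorded
    for captured_on, html in captures:
        current = extract_dates(html)["visible"]
        if current != previous:
            changes.append((captured_on, current))
            previous = current
    return changes


# Constructed sample captures (hypothetical HTML, not the vendor's page).
OLD_CAPTURE = """<html><head>
<script type="application/ld+json">{"@context":"https://schema.org","@type":"WebPage",
"dateModified":"2024-07-31T09:00:00+00:00"}</script>
<script>var banner = "Last updated: never";</script>
</head><body><p>Last updated: July 31, 2024</p></body></html>"""

NEW_CAPTURE = """<html><head>
<script type="application/ld+json">{"@graph":[{"@type":"WebPage",
"dateModified":"2026-03-20T12:36:12+00:00"}]}</script>
</head><body><p>Last updated: March 19, 2026</p></body></html>"""

CAPTURES = [("2026-01-05", OLD_CAPTURE), ("2026-03-02", OLD_CAPTURE),
            ("2026-04-02", NEW_CAPTURE), ("2026-04-27", NEW_CAPTURE)]

if __name__ == "__main__":
    for captured_on, page in CAPTURES:
        print(captured_on, check_capture(page))
    print(visible_date_changes(CAPTURES))
```

The comparison is deliberately made on calendar dates after the timestamp is parsed with its offset intact, so a one-day gap is reported as such rather than being explained away by time-zone handling; a practitioner feeding real Wayback captures would replace the constructed `CAPTURES` list with the fetched HTML in capture order.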
Item 7: Substantive changes between the July 31, 2024 and March 19, 2026 versions
Per the Wayback Machine captures referenced above, the following changes are observed between the July 31, 2024 version (last seen in the March 2, 2026 capture) and the March 19, 2026 version (first seen in the April 2, 2026 capture):
- Product definition. Old version: “Product” defined as Gardyn’s artificial intelligence powered indoor garden. New version: “Product” defined as Gardyn’s smart indoor hydroponic garden.
- Cross-contextual advertising statement (Section 15). Old version: explicitly states that Gardyn does share Personal Information for cross-contextual advertising and references an opt-out via marketing-email links. New version: states that Gardyn does not share Personal Information for cross-contextual advertising. (See Item 5 above for the contradiction this introduces with Section 16(d) of the same new version.)
- Payment processors enumerated. Old version: lists Amazon and PayPal as third-party payment processors, with Affirm described separately. New version: lists Amazon, Affirm, and PayPal together as third-party payment processors.
- Section numbering. Old version: section headings use unnumbered titles. New version: section headings use Arabic numerals (1, 2, 3, …) with explicit subsection labels.
- California Shine the Light section. Old version: contains a separate California Shine the Light Law section under Section 1798.83 of the California Civil Code. New version: this section is not present in captures from April 2, 2026 onward.
- Cookie banner / promo and other interface text. The header promo banner above the policy varies between captures (HSA/FSA promo, “Take the quiz” promo, Mother’s Day promo). These are page-template differences and not changes to the policy itself.
What this site does not say
This site does not characterize Gardyn’s Privacy Policy. It documents the public record. The reconciliation between the Privacy Policy’s stated commitments and the CISA advisory’s findings, and between sections of the Privacy Policy itself, is left to the reader and to any regulator or attorney with appropriate jurisdiction.