Skip to main content

Privacy Policy

Last updated: January 2025 · Effective immediately

1. Data Controller

EcoShade (“we”, “us”, “our”) is the data controller for all personal data processed through the EcoShade platform. We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR) and applicable local laws.

2. Data We Collect

We collect the following categories of data:

  • Account data: Email address, name, country, role, and phone number provided during registration and onboarding.
  • Farm data: Farm name, location (GPS coordinates), area, soil type, irrigation type, and polygon boundaries.
  • Plant data: Species, variety, planting dates, growth stage, health status, and crop photos uploaded for AI analysis.
  • AI analysis data: Model outputs, confidence scores, safety rule triggers, and treatment recommendations — stored permanently for audit purposes.
  • Carbon data: NDVI indices, estimated CO₂ sequestration, and carbon accreditation submission documents.
  • Usage data (opt-in only): Page views, feature interactions, and session recordings — only collected with explicit cookie consent.

3. Lawful Basis (Art. 6)

  • Legitimate interest: Farm management data processing to provide core platform functionality.
  • Explicit consent: Analytics cookies (PostHog) are only activated after granular opt-in via the cookie consent banner.
  • Contractual necessity: Account data required to deliver the service.

4. Data Minimisation (Art. 5)

We practice strict data minimisation. List views use summary projections — full AI model outputs are only fetched when you open a specific analysis. Crop photo list queries never include raw model results, reducing data transfer by approximately 95%.

5. Your Rights

  • Right to erasure (Art. 17): Request complete deletion of your account and all associated data via Settings → Delete Account. Deletion is cascading and non-reversible.
  • Right to data portability (Art. 20): Export all your data as structured JSON via Settings → Export My Data. The export includes all 17 entity types with ISO timestamps.
  • Right to withdraw consent (Art. 7): Withdraw analytics cookie consent at any time via the cookie settings. Withdrawal does not affect prior processing.
  • Right of access (Art. 15): Request a copy of all personal data we hold about you.

6. Security (Art. 32)

All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Authentication uses OAuth 2.0 with PKCE flow. Session tokens are short-lived (15 minutes) with automatic refresh rotation. Row-Level Security (RLS) enforced at the database layer ensures you can only access your own data — this cannot be bypassed from the client.

7. Third-Party Services

  • AI models: Gemini Pro Vision and GPT-4o for crop analysis. Images are processed but not retained by providers.
  • Satellite data: Sentinel-2 and Landsat 8 for vegetation indices. No personal data is shared.
  • Weather data: OpenWeatherMap for forecasts. Only GPS coordinates are sent — no personal identifiers.
  • Analytics (opt-in): PostHog for product analytics. Only activated after explicit consent.
  • Error tracking: Sentry for error monitoring. Captures technical errors only — no personal data.

8. Contact

For privacy-related inquiries, data access requests, or to exercise any of your rights, contact us at privacy@ecoshade.org.