Skip to main content

Privacy Policy

Last updated: June 2026. Effective immediately.

EcoShade LLC (შპს ეკოშეიდი) operates the EcoShade platform from Tbilisi, Georgia. This policy explains what we collect, how we use it, and your rights when you use the farmer app, partner portals, and public site.

შპს ეკოშეიდი (EcoShade LLC)

Registration No: 400444881

Guramishvili Ave 12A, Bldg 1, Entrance 1, Floor 2, Apt 4, Tbilisi, Georgia

Privacy: privacy@ecoshade.org

1. Data Controller

შპს ეკოშეიდი (EcoShade LLC) ("EcoShade", "we", "us", "our") operates the EcoShade platform at https://ecoshade.org. Registration No: 400444881. Registered address: Guramishvili Ave 12A, Bldg 1, Entrance 1, Floor 2, Apt 4, Tbilisi, Georgia.
We act as the data controller for personal data processed through the farmer app, B2B and partner portals, auditor and agronomist tools, and our public website.
We process personal data under the General Data Protection Regulation (GDPR) where it applies, Georgian personal data protection law, and other mandatory rules in your country of residence.

2. Who May Use EcoShade

EcoShade is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided data, contact us at privacy@ecoshade.org and we will delete it promptly.

3. Data We Collect

We collect only data needed to operate the platform:
  • Account data: Email, name, country, role (farmer, carbon buyer, insurer, agro-dealer, auditor, agronomist, government, or admin), locale, and optional phone number from sign-up and onboarding.
  • Farm and field data: Farm name, GPS location, field polygons, area, soil type, irrigation type, and crop rotation records.
  • Plant and crop data: Species, variety, planting dates, growth stage, health status, and photos you upload for AI scan analysis.
  • AI analysis data: Model outputs, confidence scores, safety rule results, and treatment recommendations. Scan records may be kept for audit, quality review, and dispute resolution.
  • Carbon and MRV data: NDVI and related vegetation indices, carbon estimates, MRV project records, evidence uploads, and accreditation readiness checks.
  • Partner and marketplace data: B2B organisation details, marketplace orders, Stripe Connect identifiers for partner payouts, and API usage where applicable.
  • Usage data (opt-in only): Product analytics through PostHog, only after you accept analytics cookies in the consent banner.
  • Support and communications: Messages you send to support@ecoshade.org or privacy@ecoshade.org, and transactional emails related to your account.

4. How We Use Your Data

  • Core platform: Farm management, AI crop scans, satellite indices, weather forecasts, epidemic forecasting, tasks, irrigation planning, and carbon tracking.
  • Partner services: B2B carbon marketplace access, anonymised risk API responses, and marketplace connections between farmers and agricultural suppliers.
  • Safety and compliance: Running hardcoded treatment safety rules, maintaining AI audit logs, fraud prevention, and responding to lawful requests.
  • Product improvement: Anonymised and aggregated trends (for example regional disease patterns). We do not sell individual farmer profiles or photos.

5. What We Do Not Do

  • We do not sell your personal data, farm data, or uploaded images.
  • We do not use your crop photos to train third-party AI models for general purposes without your explicit consent.
  • We do not retain images permanently beyond service necessity, except where required for security, audit, accreditation, or legal compliance.
  • We do not share identifiable farmer data with third parties for their independent marketing without your consent.

6. Lawful Basis (Art. 6 GDPR)

  • Contractual necessity: Account and farm data needed to provide the service you registered for.
  • Legitimate interest: Platform security, abuse prevention, and aggregated analytics that respect your rights.
  • Explicit consent: Analytics cookies (PostHog). These stay off until you opt in through the cookie banner.
  • Legal obligation: Keeping audit and verification records where accreditation partners or law require it.

7. Automated Processing and AI

EcoShade uses automated systems—including AI models and rule-based safety filters—to analyse crop photos and generate recommendations. These outputs are probabilistic and may be inaccurate. Automated processing does not produce legal or similarly significant effects without human review options available through agronomist review queues and your ability to disregard recommendations.
You are not required to accept AI outputs as correct. You may request human review of scan results where available and export your scan audit history from Settings.

8. Data Minimisation and Retention

List views in the app use summary fields where possible. Full AI model payloads load when you open a specific scan, not in bulk list queries.
We keep account data while your account is active. When you delete your account from Settings, we remove your profile and linked records through database cascade rules. Some anonymised audit entries may remain where law, security, or accreditation requires it.
Backup copies may persist for a limited period before automatic purging. Transactional email logs and security logs are retained for operational and legal purposes on a schedule consistent with our retention policy.

9. Your Rights

  • Right of access (Art. 15): Email privacy@ecoshade.org to request a copy of personal data we hold about you.
  • Right to erasure (Art. 17): Delete your account from Settings. We remove personal data and sign-in access. Immutable carbon verification records may be retained in anonymised form where required by regulation.
  • Right to data portability (Art. 20): Download a JSON export from Settings using "Export my data". The file includes your profile, farms, scans, AI logs, carbon and MRV records, orders, audit history, and a storage manifest.
  • Right to withdraw consent (Art. 7): Turn off analytics cookies in the cookie banner or Settings. Withdrawal does not undo processing that was already lawful.
  • Right to object and restrict: Object to processing based on legitimate interest, or ask us to restrict processing while a dispute is reviewed.
  • Right to lodge a complaint: You may contact your local data protection authority. In Georgia, complaints can be raised with the Personal Data Protection Service.

10. Security

Data is encrypted in transit (TLS) and at rest on our infrastructure providers. Sign-in uses Supabase Auth (email and password, with optional OAuth). Row-Level Security in Postgres limits each user to their own rows. That enforcement happens on the server, not in the browser alone.
No system is perfectly secure. We cannot guarantee absolute security and are not liable for breaches caused by factors outside our reasonable control, subject to mandatory law.

11. Third-Party Processors

  • AI models: OpenAI gpt-4.1-mini, Anthropic claude-sonnet-4-6, Google gemini-2.5-flash-lite for crop scan inference. Images are sent as base64 from our servers (not public URLs). OpenAI requests use store=false so responses are not retained by OpenAI for later retrieval. Anthropic structured-output requests qualify for Anthropic's Zero Data Retention program with limited technical retention. Google Gemini paid API requests are not used to improve Google products; prompts may be logged briefly for abuse monitoring unless Zero Data Retention is enabled on your Google AI/GCP project (see https://ai.google.dev/gemini-api/docs/zdr). Failed providers never produce synthetic diagnoses — scans fail or queue for human review instead.
  • Infrastructure: Supabase (database, auth, and file storage — EU region where configured), Vercel (hosting), Sentry (error monitoring when configured), Mapbox (farm maps), Resend (transactional email), Twilio (optional SMS alerts), and Telegram (optional bot alerts).
  • Authentication: Google OAuth when you choose “Continue with Google”. Supabase Auth processes credentials; we do not store Google passwords.
  • Satellite and weather: Copernicus Sentinel Hub (Sentinel-2 vegetation indices), Landsat 8 where applicable, OpenWeatherMap, and Open Data Hub where your farm location falls in a supported region. Requests use coordinates, not your name or email.
  • Analytics (opt-in): PostHog, only after cookie consent.
  • Payments: Stripe for B2B marketplace checkout and partner Connect payouts. EcoShade does not store full card numbers.

12. International Transfers

EcoShade serves farmers across Europe, Central Asia, and the Caucasus. Subprocessors may process data in the United States (for example Vercel, Sentry, PostHog US ingest, Stripe, Mapbox, Resend, Twilio, and AI providers) or other countries where they operate. Where required, we use appropriate safeguards such as Standard Contractual Clauses. You can configure PostHog to the EU ingest host (eu.i.posthog.com) in your deployment environment.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email, in-app notice, or by updating the date on this page. Continued use after the effective date constitutes acceptance where permitted by law.

14. Contact

შპს ეკოშეიდი (EcoShade LLC)
Registration No: 400444881
Address: Guramishvili Ave 12A, Bldg 1, Entrance 1, Floor 2, Apt 4, Tbilisi, Georgia
Privacy and data rights: privacy@ecoshade.org
General support: support@ecoshade.org
Website: https://ecoshade.org