Privacy Policy

Last Updated: 31.03.2025

This Privacy Policy governs your (“you” or “your”) access to and use of the GreendaAI™ platform, including the website greenda.ai, the GreendaAI™ mobile application (available on iOS and Android), and the web-based expert dashboard, all operated by GreendaAI GmbH (“we”, “our” or “us”).

This Privacy Policy explains how we collect, use, store, and share your personal data, in compliance with the General Data Protection Regulation (GDPR) and applicable German data protection laws.

 

1. Who We Are (Data Controller)

GreendaAI™ GmbH
c/o Design Offices München Macherei
Weihenstephaner Str. 12
81673 Munich
Germany

Email: contact@greenda.ai

We act as the data controller for personal data collected via our website, mobile application, and expert dashboard. We do not have a designated Data Protection Officer (DPO), as we do not meet the thresholds requiring appointment under Art. 37 GDPR. For all data protection enquiries, please contact us at contact@greenda.ai.

 

2. Who This Policy Applies To

Our platform serves three categories of users, each of whom we process data for differently:

  • Farmers and agricultural professionals (“Farmer Users”): individuals or businesses who use the mobile app to submit crop assessments and receive treatment plans. Both business (B2B) and individual (B2C) users may register.
  • Agronomist experts (“Expert Users”): certified agronomists who use our web dashboard to review AI diagnoses and author treatment plans.
  • Website visitors: individuals who visit greenda.ai.

 

3. Personal Data We Collect and Process

3.1 Website — greenda.ai

3.1.1 Data Collected

  • Web forms: first name, last name, email address, phone number.
  • Analytics (GA4, HubSpot tracking): IP address, device type, browser type, operating system, referring URLs, pages visited, session duration.

3.1.2 Purpose and Legal Basis

  • Responding to enquiries and providing requested materials — Legitimate Interests (Art. 6(1)(f) GDPR).
  • Sending newsletters and marketing communications — Consent (Art. 6(1)(a) GDPR).
  • Website analytics and performance optimisation — Consent (Art. 6(1)(a) GDPR) for non-essential cookies; Legitimate Interests (Art. 6(1)(f) GDPR) for technically necessary operations.
  • Protection against fraud and security threats — Legitimate Interests (Art. 6(1)(f) GDPR).

3.2 Mobile Application — Farmer Users

3.2.1 Data Collected

  • Account data: first name, last name, email address, phone number.
  • Authentication data: one-time password (OTP) delivered by email; no permanent password is stored.
  • GPS location and geo-tagged coordinates: precise farm location captured at the time of each crop assessment submission, including reverse-geocoded address fields (country, locality, street).
  • Crop assessment data: photographs of crops and plants, voice notes (transcoded via FFmpeg), written observations, pest descriptions, growth phase, yield phase, pest counts and intensity.
  • Farm profile data: farm name, farm area (hectares), crop cultivar, irrigation type, farming type (organic / conventional / zero-residues), pesticide use history, estimated yield, estimated market price.
  • Weather data: temperature, humidity, precipitation, wind speed, and cloud cover fetched automatically at the time of assessment submission based on GPS coordinates (via OpenWeatherMap API).
  • Behavioural data: submission frequency, offline submission flags, app usage patterns, timestamps.
  • Device data: device ID, operating system, app version, Firebase Cloud Messaging push notification token.

3.2.2 Purpose and Legal Basis

  • Delivering AI-powered crop health pre-diagnosis (Google Gemini) and expert-validated treatment plans — Contractual Necessity (Art. 6(1)(b) GDPR).
  • Managing farm profiles and assessment history — Contractual Necessity (Art. 6(1)(b) GDPR).
  • Sending push notifications (treatment plan delivery, service updates) — Contractual Necessity (Art. 6(1)(b) GDPR).
  • Generating anonymised regional pest trend insights and agricultural risk reports — Legitimate Interests (Art. 6(1)(f) GDPR).
  • Improving AI models, expert advisory pipeline, and platform features using anonymised data — Legitimate Interests (Art. 6(1)(f) GDPR).
  • Sending marketing communications and newsletters — Consent (Art. 6(1)(a) GDPR).
  • Compliance with legal and regulatory obligations — Legal Obligations (Art. 6(1)(c) GDPR).

3.3 Expert Dashboard — Agronomist Users

3.3.1 Data Collected

  • Account data: name, email address, professional credentials.
  • Activity data: crop assessments reviewed, AI diagnoses corrected or validated, treatment plans authored, timestamps of all expert actions.

3.3.2 Purpose and Legal Basis

  • Providing access to the agronomist review queue and enabling expert validation of AI diagnoses — Contractual Necessity (Art. 6(1)(b) GDPR).
  • Retaining expert correction events and validated treatment plans as part of our IP and patent audit trail — Legitimate Interests (Art. 6(1)(f) GDPR).
  • Quality assurance and accountability in the human-AI advisory pipeline — Legitimate Interests (Art. 6(1)(f) GDPR).

 

4. AI Processing and Human Expert Review

GreendaAI™ uses Google Gemini (a third-party AI service operated by Google LLC) to generate an automatic pre-diagnosis of crop health issues based on submitted photographs, notes, and farm parameters. This pre-diagnosis is not a final recommendation and is not communicated to farmers until it has been reviewed by a certified agronomist.

Every AI pre-diagnosis is reviewed, validated, and where necessary corrected by a certified agronomist via our expert web dashboard before a treatment plan is issued to the farmer. The complete AI pipeline log — including system prompts, AI outputs in JSON format, and expert corrections — is stored per assessment for transparency, IP protection, and patent audit purposes.

Farmers are notified of completed treatment plans via push notification. Our target expert response time is 48 hours from the time of submission.

No fully automated decision-making with legal or similarly significant effect on users takes place. All treatment recommendations are validated by a qualified human agronomist before delivery (Art. 22 GDPR).

 

5. Anonymisation and Use of Aggregated Data

Where personal data are no longer required for operational purposes, they are deleted or irreversibly anonymised in accordance with this policy. Once anonymised, data cannot be used to identify any individual and fall outside the scope of GDPR.

Crop photographs are retained linked to your farmer account for the duration of your active account. Upon account deletion, photographs are anonymised and retained indefinitely for AI model training and agricultural research purposes. Once anonymised, they cannot be linked back to you or your farm.

Location and assessment data are aggregated to a non-identifiable regional level for pest trend analysis. Anonymised and aggregated datasets may be made available through our Data-as-a-Service (DaaS) offering to government bodies and agribusinesses.

 

6. Data Sharing and Subprocessors

We do not sell your personal data. We share personal data only with the following categories of recipients, all of whom are bound by appropriate data processing agreements or contractual protections:

6.1 Technology Subprocessors

  • Scaleway SAS (EU): primary cloud infrastructure. All primary data storage — farm data, crop assessments, farmer PII, GPS coordinates, and the PostgreSQL database — is hosted exclusively on Scaleway’s EU-region infrastructure. Crop photographs are stored in Scaleway Object Storage with no public direct URLs, served via imgproxy.
  • Google LLC (USA — Google Gemini API): crop assessment data (photographs, notes, farm parameters) is transmitted to Google Gemini for AI pre-diagnosis processing. Google acts as a data processor under a data processing agreement including Standard Contractual Clauses (SCCs).
  • Google LLC (USA — Firebase Cloud Messaging): push notification tokens are shared with Firebase to deliver treatment plan notifications and service alerts to farmers.
  • Scaleway SAS (EU — Transactional Email): OTP login codes and expert notification emails are sent via Scaleway’s email service, within the EU cloud boundary.
  • HubSpot Inc. (USA): farmer registration data (name, email address, phone number, farm metadata) is synchronised to HubSpot CRM for account management and customer support. Transfers are governed by SCCs.
  • Sentry (Functional Software Inc., USA): application error logs and performance data are transmitted to Sentry for error monitoring. Data is minimised and does not include full assessment content. Transfers are governed by SCCs.
  • OpenWeatherMap (OpenWeather Ltd., UK): GPS coordinates are transmitted to fetch weather data at the time of assessment submission. No personal identifiers beyond coordinates are shared.
  • Founder Blocks (development partner): our contracted development partner has access to system data under a signed Data Processing Agreement (DPA) for the purpose of platform development and maintenance.

6.2 Analytics and Marketing

  • Google Analytics 4 (Google LLC, USA): website visitor analytics (IP address, device type, behaviour). Governed by SCCs and active only with your cookie consent.
  • Mixpanel Inc. (USA): product usage analytics within the mobile application (feature interactions, submission patterns). Pseudonymised. Governed by SCCs.
  • HubSpot Inc. (USA — tracking): HubSpot tracking cookies may be active on greenda.ai subject to your cookie consent.

6.3 Legal and Regulatory

  • Government authorities, courts, and law enforcement agencies: where required by applicable law, court order, or regulatory obligation.
  • Professional advisors: legal, financial, and tax advisors bound by professional confidentiality obligations.

 

7. International Data Transfers

Some of our subprocessors — including Google LLC (Gemini AI, Firebase, GA4), HubSpot Inc., Sentry, and Mixpanel — are based in the United States and may process personal data outside the EU/EEA. We ensure that all such transfers comply with GDPR Chapter V through:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission (Art. 46(2)(c) GDPR), incorporated into our data processing agreements with each US-based subprocessor.
  • Adequacy Decisions by the European Commission, where applicable.

All primary data storage remains within the EU on Scaleway’s EU-region infrastructure.

 

8. Data Retention

We retain personal data only as long as necessary for the purposes described in this policy, or as required by applicable law. The following retention periods apply:

8.1 Farmer Account and Operational Data

  • Farmer account, profile, farm data, and assessment history: duration of active account + 3 years after account closure.
  • Crop photographs: retained linked to your farmer identity for the duration of your active account. Upon account deletion, photographs are anonymised and retained indefinitely for AI model training purposes.
  • AI pipeline logs and expert correction records (assessment logs): retained on the basis of legitimate interests (IP and patent protection) for as long as necessary. You may request erasure of assessment logs at any time (see Section 10); we will erase them unless a legal obligation or legitimate interest override applies.
  • Support and communication records: 3 years from last interaction.

8.2 Financial Data

  • Financial and accounting records: 10 years after the end of the relevant calendar year (statutory requirement under German commercial law, § 257 HGB).
  • Payment transaction data (Stripe, when integrated): 10 years from date of transaction.

8.3 Marketing and Analytics

  • Marketing consent records: duration of relationship + 3 years.
  • Website analytics (GA4): 14 months from collection.
  • Product usage analytics (Mixpanel): 2 years from collection.
  • CRM data (HubSpot — contact records): duration of active relationship + 3 years.
  • Sales pipeline records (HubSpot): duration of active opportunity + 3 years.

8.4 Expert User Data

  • Expert account and activity data: duration of active engagement + 3 years.

 

9. Security of Your Data

We implement the following technical and organisational measures to protect your personal data:

  • All API and application traffic is served exclusively over HTTPS/TLS.
  • Crop photographs are stored in Scaleway Object Storage with no public direct URLs, served via imgproxy with on-the-fly compression and resizing.
  • All primary personal data (GPS coordinates, farmer PII, assessment data) is stored within EU-based Scaleway infrastructure.
  • OTP login codes are single-use and expire immediately after use.
  • Access to personal data is restricted on a strict need-to-know basis across internal admin, operations, and development roles.
  • Application errors and anomalies are monitored in real time via Sentry.
  • A penetration test is planned prior to our Q2/Q3 2026 public launch.

 

10. Your Rights under GDPR

As a data subject, you have the following rights under GDPR (Arts. 15–21):

  • Right of access (Art. 15): obtain confirmation of whether we process your data and receive a copy.
  • Right to rectification (Art. 16): correct inaccurate or incomplete personal data.
  • Right to erasure (Art. 17): request deletion of your personal data (“Right to be Forgotten”). This right may be limited where retention is required by law or legitimate interest (e.g. statutory retention periods, IP audit trail).
  • Right to data portability (Art. 20): receive your personal data in a structured, machine-readable format.
  • Right to object (Art. 21): object to processing carried out on the basis of legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds.
  • Right to restriction of processing (Art. 18): request that we limit how we use your data in certain circumstances.
  • Right to withdraw consent (Art. 7(3)): withdraw consent at any time for consent-based processing, without affecting the lawfulness of prior processing.

To exercise any of these rights, email contact@greenda.ai. We will respond within one month of receipt (Art. 12 GDPR). You also have the right to lodge a complaint with the competent supervisory authority. In Bavaria, Germany, this is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)

Promenade 18, 91522 Ansbach, Germany

Website: www.lda.bayern.de

 

11. Consent and Withdrawal

Where we rely on consent as the legal basis for processing (e.g. marketing communications, non-essential cookies), we will obtain your consent before processing begins. You may withdraw consent at any time by emailing contact@greenda.ai or using the unsubscribe link in any marketing email. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.

 

12. Cookies and Tracking Technologies

We use cookies and similar tracking technologies on our website greenda.ai. These include:

  • Strictly necessary cookies: required for the website and platform to function. No consent required.
  • Analytics cookies (GA4, HubSpot tracking): used to understand website traffic and user behaviour. Active only with your consent.
  • Marketing cookies (HubSpot): used to personalise content and track marketing effectiveness. Active only with your consent.

You can manage or withdraw cookie consent at any time via our cookie preference centre at greenda.ai. For full details, see our Cookie Policy.

 

13. Updates to This Policy

We may update this Privacy Policy periodically to reflect changes to our services, data practices, or applicable law. The date of the latest revision is shown at the top of this document. We will notify users of material changes via email or in-app notification prior to the change taking effect. Previous versions may be requested at contact@greenda.ai.

 

14. Contact Us

For any questions or concerns about this Privacy Policy or how we handle your personal data:

GreendaAI™ GmbH
c/o Design Offices München Macherei
Weihenstephaner Str. 12
81673 Munich
Germany

Email: contact@greenda.ai