Privacy Policy

Effective date: 2026-02-03
Last updated: 2026-02-03

1. Overview & scope

Farm Data Systems (“FDS”, “we”, “our”, or “us”) operates software, hardware, analytics, support services, and communications channels for agricultural customers, partners, and employees. This Privacy Policy explains how we collect, use, disclose, secure, and retain personal and farm-related information across our services, including but not limited to:

Websites, web applications, and portals
Mobile apps and SMS (including Zoom and other SMS providers)
Email, voice calls, and messaging platforms
IoT devices (sensors, gateways, controllers) and telemetry data
APIs and integrations with third parties and partners
Employee and contractor data

This Policy applies to personal data (information that can identify an individual) and certain farm or machine data when tied to an identifiable individual or account. It does not replace contract-specific privacy terms in customer agreements — where there is a conflict, the controlling contract prevails.

2. Our privacy promise

We strive to be transparent, minimize collection, protect data, and provide meaningful controls. In particular:

No mobile information will be shared with third parties/affiliates for marketing/promotional purposes. All other categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.

We collect only what we need for operations, safety, compliance, and to deliver value. We secure data with administrative, technical, and physical safeguards. We provide data subject rights (access, correction, deletion, portability, objection) where applicable. We require subprocessors to process data only per our instructions and with strong security and contractual protections.

3. Definitions

Personal data / personal information: Any information relating to an identified or identifiable individual.
IoT / telemetry data: Measurements, sensor readings, device identifiers, timestamps, and system logs produced by hardware deployed on-farm.
Processing: Any operation performed on data (collection, use, storage, transfer, deletion).
Controller / Processor: FDS is typically the data controller for customer accounts; third-party vendors (Zoom, cloud providers, gateways) are processors (unless otherwise stated).
Consent / Opt-in / Opt-out: Explicit agreement by an individual to receive communications (e.g., SMS) and the ability to later withdraw that agreement.

4. Data we collect & sources

4.1 Information you give us

Contact info: name, email, phone, postal address
Account data: username, password hashes, organization/farm name, billing information (card tokens)
Consent & communication preferences (including SMS opt-ins and logs)
Support & case history (support tickets, chat transcripts)
Profile data: role, job title, preferences

4.2 Automatically collected information

Website/mobile analytics: IP addresses, device/browser, cookies, usage metrics
Log data: API requests, timestamps, error logs, activity logs
Performance and diagnostic data from apps and devices

4.3 Device & telemetry data (IoT)

Sensor readings (soil moisture, temperature, humidity, flow, etc.)
Device IDs, firmware versions, battery status, location metadata (if associated)
Gateway logs, network metadata, and device error codes

4.4 Third-party & partner sources

Integrations (partners, marketplaces, resellers) may provide contact or farm account details
Public sources or third-party enrichment services (geographic data, business registries)

5. How we use data (purposes)

We use information to:

Provide and improve products and services (platform operation, device management, telemetry analysis)
Deliver communications (email, SMS, in-app messages, phone calls) that you request or consent to
Process payments, billing, invoices, and taxes
Provide customer support and troubleshooting
Personalize content and recommendations (with explicit consent where required)
Protect security, detect and prevent fraud, and maintain system integrity
Comply with legal obligations and respond to lawful requests
Conduct research and aggregated analytics (de-identified)

6. Legal bases for processing

Contractual necessity: Processing required to perform agreements with customers.
Consent: For marketing communications, non-essential profiling, or where law requires consent (e.g., EU, Canada).
Legitimate interests: For fraud prevention, platform security, analytics, and operational improvements (after balancing against individual rights).
Legal obligation: Where law requires retention or disclosure.

(Where applicable under GDPR, CCPA, CASL, TCPA, or other laws, we rely on the appropriate legal basis and document it.)

7. Marketing & communications (email, SMS, voice)

7.1 SMS (Zoom + other providers)

We operate SMS programs via Zoom and other providers. No mobile information will be shared with third parties/affiliates for marketing/promotional purposes. All other categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties. We record all opt-in/opt-out events, store them securely, and honor suppression lists across providers.

Consent & opt-out: Prior express consent is required for marketing SMS in many jurisdictions (e.g., TCPA in the U.S., CASL in Canada). Users can opt out by replying STOP; HELP replies provide instructions. We keep immutable logs of consent and suppression.

Providers: Zoom and other SMS gateways act as processors — they process phone numbers and message content only per our instructions and are prohibited from using data for their own marketing.

7.2 Email & push

We send operational emails (account alerts), product announcements, and marketing messages to those who opt in. Every marketing email includes clear unsubscribe instructions.

7.3 Voice & automated calls

Automated calls or voicemails for account alerts use phone numbers provided for account management. For marketing calls, we obtain consent where required.

8. Sharing & disclosures

8.1 Service providers / subprocessors

We engage third parties to host services, send messages, process payments, provide analytics, and support operations. They are contractually bound to process data only per our instructions and maintain appropriate security.

8.2 Aggregated / de-identified data

We may share aggregated analytics that cannot reasonably identify individuals.

8.3 Legal, safety & business transfers

We may disclose data to comply with law, respond to government requests, or protect rights and safety. In business transactions (merger, sale), data may be transferred; purchasers will be required to honor privacy commitments.

8.4 Explicit exceptions & prohibitions

9. International data transfers

FDS is a global operator. When we transfer personal data internationally, we implement lawful transfer safeguards: adequacy decisions, standard contractual clauses, Binding Corporate Rules (where appropriate), or other lawful mechanisms. Details are available on request.

10. Data retention & deletion

We retain personal data only as long as necessary for business or legal reasons. Typical retention guidelines:

Account & profile data: life of the account + 6 years (or as required)
Billing & transaction records: 7 years (or as required by local law)
Opt-in/consent & suppression records: retained indefinitely or as required to prevent re-enrollment
Telemetry & device logs: 2 years for operational logs; aggregated analytics retained longer if de-identified
Support tickets: 3–7 years depending on contractual or legal needs

Deletion requests (subject to verification) are honored unless retention is required for legal/regulatory reasons or to complete transactions. We will anonymize data for analytics where deletion is requested but aggregated data is needed.

11. Security measures

We employ administrative, physical, and technical safeguards, including:

Encryption in transit (TLS) and at rest (AES-256 or equivalent)
Access controls and RBAC with least privilege
Multi-factor authentication for privileged systems
Network security, firewalls, vulnerability scanning, and pen testing
Logging, monitoring, and anomaly detection
Contractual security obligations for subprocessors and periodic third-party audits

No security system is perfect; we maintain an incident response plan and will notify affected individuals and authorities as required by law.

12. Data subject rights & exercising rights

Depending on jurisdiction, you may have the right to:

Access your personal information
Correct inaccurate data
Delete personal information (subject to exceptions)
Restrict or object to processing, including marketing
Port your data in a machine-readable format
Withdraw consent for processing that relied on consent

How to exercise rights: Contact privacy@farmdatasystems.com or use your account portal (if available). We verify requests to protect privacy and respond within applicable statutory timelines (e.g., 30 days).

13. Cookies, tracking & analytics

We use cookies and equivalent technologies to operate our websites, analyze usage, and deliver a personalized experience. Cookie categories:

Strictly necessary: essential to operate the site
Performance/analytics: aggregated usage statistics
Functional: personalize preferences
Advertising/targeting: only when you consent

Cookie consent banners and management tools are available on our websites; consent choices are logged.

14. IoT & farm data specifics

We recognize telemetry and machine data are critical to operations and may be commercially sensitive.

Ownership & usage: Unless contractually assigned, telemetry and farm data are treated according to the customer agreement. We use telemetry to operate services, optimize performance, and provide analytics.
Location data: Only collected when necessary. Where precise geolocation is collected, explicit notices and controls are provided.
Firmware & remote management: We may push firmware/security updates. Device access is logged; emergency access is restricted and audited.

15. API & developer integrations

Third-party developers and partners using our APIs must register and agree to terms that limit data use to stated purposes. We provide scopes and least-privilege tokens for API access and require third parties to respect data deletion and suppression requests.

16. Employee & contractor data

We process employee and contractor data for hiring, payroll, benefits, performance, and legal compliance. Separate internal privacy notices and lawful bases apply. Access to employee data is limited and audited.

17. Subprocessors, vendor management & DPAs

We maintain a list of subprocessors (cloud hosts, SMS gateways, analytics vendors, payment processors). For each, we:

Execute Data Processing Agreements (DPAs) with appropriate security, confidentiality, and breach-notification clauses
Require subprocessors to process data only per FDS’s instructions
Maintain a public or internal subprocessor registry and notify customers of material changes

DPA checklist: encryption, breach notification timelines, subprocessors limitation, audit rights, data return/deletion at termination, geographic restrictions.

19. Security incidents & breach notification

We maintain an incident response plan. In the event of an incident affecting personal data, we will: contain, investigate, remediate, and notify affected individuals and regulators as required by law. Notifications will include scope, steps taken, and recommended individual actions.

20. Compliance & audits

We perform internal and external audits, DPIAs (where applicable), and regular security assessments. We cooperate with supervisory authorities and provide mechanisms to lodge complaints.

21. Changes to this policy

We may update this Policy to reflect legal or operational changes. Material changes will be posted with an updated effective date and, where appropriate, notified to affected individuals.

22. Contact & Data Protection Officer

Privacy inquiries, DSARs, or complaints:
Email: John@farmdatasystems.com

23. Implementation details

23.1 Consent & logging

Standardize opt-in text across channels with locale-specific variants.
Record: phone number, consent text, timestamp (UTC), capture method, IP, user agent, campaign_id.
Keep an immutable audit log for opt-ins, opt-outs, and consent changes.

23.2 SMS & messaging

Implement suppression lists that are honored in real time by all messaging providers (Zoom, Twilio, etc.).
Use double opt-in for marketing lists where possible.
Ensure STOP/HELP flows are processed immediately and confirmation messages are sent.

23.3 IoT & telemetry

Store telemetry raw data for the operational retention window, then summarize/anonymize for analytics.
Secure device update channels and maintain firmware signing.

23.4 Subprocessors & DPA

Require subprocessors to provide SOC 2 or equivalent reports where appropriate.
Implement contractual breach-notification SLAs (e.g., notify within 72 hours)

23.5 Security

Enforce MFA, RBAC, and least-privilege access.
Encrypt sensitive fields at rest and audit access.
Schedule penetration testing and vulnerability scanning annually (or more often for high-risk changes).

23.6 DSAR & verification

Establish a verified DSAR workflow: verify requestor control of phone number or account before releasing data.
Keep logs of DSAR decisions and timing for compliance.

24. Sample consent & disclosure language

I consent to Farm Data Systems sending SMS messages to the mobile number I provide, including marketing messages if I opt-in. I understand messages may be sent using automated systems. I can withdraw consent at any time by replying STOP. No mobile information will be shared with third parties/affiliates for marketing/promotional purposes. All other categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.

26. Glossary & legal notes

This Policy is operational guidance and does not constitute legal advice. Jurisdiction-specific requirements (TCPA, CASL, GDPR, CCPA/CPRA, LGPD, etc.) should be verified with counsel. Contractual terms in customer agreements or DPAs may impose additional obligations.