Privacy Policy
Last Updated: May 18, 2025 | Effective Date: May 18, 2025
1. Introduction
ShambaCare ("we," "us," or "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use our agricultural technology platform, including our website, mobile applications, and related services (collectively, the "Services").
This policy complies with the Kenya Data Protection Act, 2019, the EU General Data Protection Regulation (GDPR), and other applicable data protection laws.
2. Data Controller
The data controller responsible for your personal data is:
- Entity: ShambaCare
- Address: Taita Taveta County, Kenya
- Email: shambacare@proton.me
- Data Protection Officer: shambacare@proton.me
3. Personal Data We Collect
We collect the following categories of personal data:
3.1 Information You Provide Directly
- Account Information: Full name, email address, phone number, password
- Farm Information: Farm name, farm size, ward, county, crop types grown
- Business Information: Company name, business registration number (for buyers)
- Communication Data: Messages, support tickets, contact form submissions
- Diagnostic Data: Crop images uploaded for disease diagnosis
3.2 Information Collected Automatically
- Device Information: Browser type, operating system, device identifiers
- Usage Data: Pages visited, features used, timestamps
- Location Data: GPS coordinates (when you use weather or ward-based features, with your consent)
- Log Data: IP address, access times, referring URLs
3.3 Information from Third Parties
- Weather data from third-party weather APIs
- AI-generated crop diagnostic results from Google Generative AI services
4. Legal Basis for Processing
We process your personal data based on the following legal grounds:
- Consent (Section 32, Kenya DPA / Art. 6(1)(a) GDPR): When you register an account and agree to this policy, or when you enable ward services
- Performance of Contract (Art. 6(1)(b) GDPR): To provide our agricultural advisory, diagnostic, and marketplace services
- Legitimate Interests (Art. 6(1)(f) GDPR): For service improvement, fraud prevention, and platform security
- Legal Obligation (Art. 6(1)(c) GDPR): To comply with applicable laws and regulatory requirements
5. How We Use Your Data
We use your personal data for the following purposes:
- Service Delivery: Account creation, crop diagnostics, weather forecasts, marketplace transactions, extension officer assignments
- AI-Powered Analysis: Processing crop images to identify diseases and provide treatment recommendations
- Communication: Sending service notifications, support responses, and important updates
- Platform Improvement: Analyzing usage patterns to enhance our services
- Safety & Security: Detecting and preventing fraud, abuse, or unauthorized access
- Legal Compliance: Meeting regulatory requirements and responding to lawful requests
6. Automated Decision-Making and AI
Our platform uses artificial intelligence for:
- Crop Disease Diagnosis: AI analyzes uploaded crop images to identify potential diseases and suggest treatments. These are advisory only and should not replace professional agricultural advice.
- Crop Recommendations: Automated recommendations based on your ward, weather data, and soil conditions.
- Pesticide Calculations: Automated dosage calculations based on farm size and crop type.
You have the right to request human review of any automated decision that significantly affects you. Contact us at shambacare@proton.me to request a manual review.
7. Data Sharing and Third Parties
We may share your data with:
- Extension Officers: Your farm data and diagnostic history may be shared with assigned extension officers to provide you with better agricultural support
- Marketplace Participants: Limited information (farm name, ward, crop details) is shared with buyers/sellers when you participate in marketplace activities
- Service Providers:
  - Google Generative AI (for crop diagnosis processing)
  - Weather API providers (for weather forecast data)
  - Cloud hosting providers (for data storage and processing)
- Legal Authorities: When required by law, court order, or to protect our legal rights
We do not sell your personal data to third parties for marketing purposes.
8. International Data Transfers
Your data may be transferred to and processed in countries outside Kenya, including:
- Cloud servers located in the United States or European Union
- AI processing services operated by Google (United States)
Where data is transferred internationally, we ensure adequate protection through:
- Standard Contractual Clauses (SCCs)
- Adequacy decisions by relevant authorities
- Appropriate safeguards as required by the Kenya Data Protection Act, 2019 (Section 48)
9. Data Retention
We retain your personal data for the following periods:
- Account Data: For the duration of your account plus 2 years after deletion
- Diagnostic Records: 5 years (for agricultural research and historical reference)
- Transaction Records: 7 years (as required by Kenyan tax and commercial law)
- Support Tickets: 3 years after resolution
- Log Data: 12 months
- Contact Form Submissions: 2 years
After the retention period, data is securely deleted or anonymized.
10. Data Security
We implement appropriate technical and organizational measures to protect your data, including:
- Encryption of data in transit (TLS/SSL) and at rest
- Secure password hashing
- Access controls and role-based permissions
- Regular security assessments and updates
- Secure backup procedures
- Staff training on data protection
11. Your Rights
Under the Kenya Data Protection Act 2019 and GDPR, you have the following rights:
- Right of Access (Section 26(a), Kenya DPA): Request a copy of the personal data we hold about you
- Right to Rectification (Section 26(b)): Request correction of inaccurate or incomplete data
- Right to Erasure (Section 26(c)): Request deletion of your personal data ("right to be forgotten")
- Right to Restrict Processing: Request limitation of how we process your data
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw your consent at any time without affecting the lawfulness of prior processing
- Right Not to Be Subject to Automated Decisions: Request human review of automated decisions
To exercise any of these rights, contact us at shambacare@proton.me. We will respond within 30 days.
12. Cookies and Tracking Technologies
We use the following cookies:
- Essential Cookies: Required for platform functionality (session management, CSRF protection, authentication)
- Analytics Cookies: To understand how users interact with our platform (anonymized where possible)
You can control cookie settings through your browser preferences. Disabling essential cookies may affect platform functionality.
13. Children's Privacy
Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, please contact us immediately at shambacare@proton.me and we will promptly delete such data.
14. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms:
- We will notify the Office of the Data Protection Commissioner (ODPC) within 72 hours of becoming aware of the breach
- We will notify affected individuals without undue delay if the breach is likely to result in high risk
- We will document all breaches and remedial actions taken
15. Complaints
If you are unsatisfied with how we handle your data, you have the right to lodge a complaint with:
- Office of the Data Protection Commissioner (Kenya): www.odpc.go.ke
- Relevant EU Supervisory Authority: If you are an EU resident, you may contact your local data protection authority
16. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes:
- We will notify you via email or a prominent notice on our platform
- The "Last Updated" date at the top will be revised
- Continued use of our Services after notification constitutes acceptance of the updated policy
17. Contact Us
For any privacy-related questions, concerns, or requests:
- Email: shambacare@proton.me
- Data Protection Officer: shambacare@proton.me
- General Support: shambacare@proton.me
- Address: Taveta Sub-County, Taita Taveta County - Kenya