1. Who We Are
Gweens AgriTech is a precision agriculture platform operated by GweensCraft, a technology company based in Nairobi, Kenya. Our mobile application (package ID: com.gweth.gweensagritech) and website (agritech.gweenscraft.co.ke) provide IoT-enabled farm management, smart irrigation, pest and disease detection, agronomist consultations, and an agricultural marketplace for smallholder farmers across Kenya.
This Privacy Policy explains what personal data we collect when you use our app and website, why we collect it, how we use and protect it, and what rights you have over it.
This policy is governed by the Kenya Data Protection Act, 2019 and aligns with principles of the EU General Data Protection Regulation (GDPR) where applicable to internationally operating services. It also satisfies Google Play Store Data Safety disclosure requirements.
2. Data We Collect and Why
We only collect data that is necessary to provide our services. The following table describes each category of data, its purpose, and the legal basis for processing it.
| Data Type | Purpose | Legal Basis |
|---|---|---|
| Full name | Account creation, identity verification, communications from agronomists and support | Contract performance |
| Email address | Account authentication, password reset, transactional notifications, order confirmations | Contract performance |
| Phone number | SMS alerts (crop advisories, irrigation reminders, weather warnings), OTP verification | Contract performance; Legitimate interest |
| GPS coordinates | Farm and plot mapping, location-accurate weather data, agronomist routing, local marketplace listings | Contract performance; Consent (location permission) |
| Crop photos | AI-powered disease and pest detection; photos are processed locally or sent to our ML model endpoint and not retained beyond the session unless you save a detection record | Consent (camera permission) |
| IoT sensor readings | Soil moisture, temperature, humidity, pH, NPK levels from your farm sensors — stored as time-series data to power alerts, irrigation automation, and yield analytics | Contract performance |
| FCM device token | Deliver push notifications (sensor alerts, order updates, consultation responses) | Consent (notification permission) |
| Order and transaction data | Processing marketplace purchases, order tracking, seller payouts, financial reporting for your farm | Contract performance; Legal obligation |
| Usage analytics | Understanding how features are used so we can improve the product. Collected in anonymised form — no individual user profiling | Legitimate interest; opt-out available |
| Support ticket content | Resolving technical issues and customer service queries | Contract performance; Legitimate interest |
We do not collect biometric data, government identification numbers, financial account credentials, or any data not listed above.
3. How We Use Your Data
Your data is used exclusively for the following purposes:
- Providing the service — creating and maintaining your account, syncing farm data across devices, processing marketplace orders, and enabling agronomist consultations.
- Alerts and notifications — sending SMS messages and push notifications when sensor thresholds are breached, weather events are forecast, or irrigation schedules are triggered.
- AI crop health analysis — running disease-detection inference on photos you submit. Results are returned to you immediately. We may retain anonymised, de-identified images to improve model accuracy only with your explicit opt-in consent.
- Personalisation — showing weather and marketplace data relevant to your farm location.
- Safety and fraud prevention — detecting unusual account activity and preventing marketplace fraud.
- Legal compliance — retaining transaction records as required by Kenyan tax and commerce regulations.
We do not sell, rent, or trade your personal data to third parties. We do not use your data for advertising profiling.
4. Third-Party Services
We use a small number of trusted third-party services to operate the platform. Each is listed below with the data shared and a link to their own privacy policy.
Supabase
Role: Primary database and authentication provider.
Data shared: All user account data and farm data is stored in Supabase's managed PostgreSQL database, hosted on AWS infrastructure.
Privacy policy: supabase.com/privacy
Google Firebase (FCM)
Role: Push notification delivery via Firebase Cloud Messaging.
Data shared: Your device's FCM token (an anonymous device identifier) is sent to Firebase to route push notifications. Firebase does not receive your name, email, or farm data.
Privacy policy: firebase.google.com/support/privacy
OpenWeatherMap
Role: Weather data provider for farm-specific forecasts and alerts.
Data shared: Your farm's GPS coordinates (latitude and longitude) are sent to OpenWeatherMap to retrieve weather data. No personal identifiers are included in these requests.
Privacy policy: openweather.co.uk/privacy-policy
Africa's Talking
Role: SMS delivery service for notifications and OTP verification in Kenya.
Data shared: Your phone number and the SMS message content (e.g., "Soil moisture below 30% on Plot A") are transmitted to Africa's Talking to deliver the message. SMS content is minimal and does not contain financial or sensitive personal data.
Privacy policy: africastalking.com/privacy
Google Maps Platform
Role: Farm boundary mapping and location visualisation within the app.
Data shared: GPS coordinates are sent to Google Maps APIs to render map tiles and calculate farm areas. Google Maps API usage is subject to Google's standard API terms.
Privacy policy: policies.google.com/privacy
5. Data Storage and Security
Where your data is stored
Your data is stored in a Supabase-managed PostgreSQL 17 database hosted on Amazon Web Services (AWS) infrastructure in the eu-west-1 (Ireland) or us-east-1 (Virginia) region, depending on your project configuration at setup. We are working towards selecting the closest available region to Kenya as new Supabase regions become available.
Security measures
- Encryption in transit: All communication between the app and our backend, and between the backend and Supabase, uses HTTPS/TLS 1.2 or higher. No data is transmitted over unencrypted HTTP.
- Encryption at rest: Supabase encrypts all data at rest on AWS managed storage.
- Row Level Security (RLS): Every database table has PostgreSQL Row Level Security policies enforced. A farmer can only read and write their own farms, plots, and sensor data. A buyer can only view their own orders. These policies are enforced at the database layer, not only in application code.
- Password security: Passwords are hashed using bcrypt with a cost factor of 12. We never store plaintext passwords.
- JWT authentication: Session tokens expire after 30 minutes. Refresh tokens expire after 7 days.
- Offline data: Data cached on your device for offline use is stored in SQLite on device-local storage and is protected by your device's operating system security.
No system is perfectly secure. In the event of a data breach that affects your personal data, we will notify you by email within 72 hours of becoming aware of the breach, as required by the Kenya Data Protection Act, 2019.
6. Your Rights
Under the Kenya Data Protection Act, 2019, you have the following rights:
Right to access
You may request a copy of all personal data we hold about you. Email agritechsupport@gweenscraft.co.ke with subject line "Data Access Request". We will respond within 21 days.
Right to correction
You can update your name, phone number, and email at any time in the app under Settings → Account. For other corrections, contact support.
Right to deletion
You may request deletion of your account and all associated personal data. To do so:
- Open the app → Settings → Data Management → Delete My Account
- Or email agritechsupport@gweenscraft.co.ke with subject line "Account Deletion Request"
We will delete your account and personal data within 30 days. Transaction records may be retained for up to 7 years for legal and tax compliance purposes (see Data Retention below). Sensor readings and farm data will be permanently deleted.
Right to data portability
You may export your farm data (sensor readings, reports, transaction history) in CSV format at any time from Settings → Data Management → Export My Data. For a full JSON export of all data, contact support.
Right to opt out of analytics
You can disable usage analytics at any time in Settings → Privacy → Usage Analytics. This does not affect the core functionality of the app.
Right to withdraw consent
Where processing is based on consent (location, camera, push notifications), you can withdraw consent at any time through your device's permission settings. Withdrawing location permission will disable weather data and farm mapping features.
Right to object / restrict processing
Contact agritechsupport@gweenscraft.co.ke to object to or request restriction of specific processing activities.
7. Data Retention
| Data Category | Retention Period | Reason |
|---|---|---|
| Account data (name, email, phone) | Duration of account + 30 days after deletion request | Service provision |
| Sensor readings | 2 years (raw data); aggregated summaries retained indefinitely | Trend analysis, storage cost management |
| Transaction / order records | 7 years | Kenya Revenue Authority (KRA) tax compliance |
| Support ticket content | 2 years after resolution | Quality assurance, dispute resolution |
| Crop photos (disease detection) | Not retained after session unless saved to detection history | Minimisation principle |
| Device FCM tokens | Refreshed automatically; deleted on logout or account deletion | Notification delivery |
8. Children's Privacy
Gweens AgriTech is not directed at children under the age of 13. We do not knowingly collect personal data from anyone under 13 years of age. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at agritechsupport@gweenscraft.co.ke and we will delete that data promptly.
Users between 13 and 17 years of age should use the app only with the knowledge and consent of a parent or guardian.
9. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Send an in-app notification or email to all registered users at least 14 days before the change takes effect
- For significant changes affecting your rights, request fresh consent where required by law
Your continued use of the app after changes take effect constitutes acceptance of the updated policy.
10. Contact Us
For privacy-related requests, questions, or complaints, contact the Gweens AgriTech data team:
- Email: agritechsupport@gweenscraft.co.ke
- WhatsApp: +254 788 666 778
- Postal address: GweensCraft, Nairobi, Kenya
To delete your account and data directly from the app, go to: Settings → Data Management → Delete My Account.
If you are not satisfied with our response to a privacy concern, you have the right to lodge a complaint with the Office of the Data Protection Commissioner of Kenya at odpc.go.ke.
Effective date: This policy is effective from March 2026 and was last updated in March 2026.