Privacy Policy

Privacy Policy — AgriECU

AgriECU ("we," "us," "our," or "Company") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and otherwise process your personal information when you use our website, applications, and services at agriecu.farm and related subdomains (collectively, the "Service").

Please read this Privacy Policy carefully. By accessing or using AgriECU, you acknowledge that you have read, understood, and agree to be bound by all the provisions of this Privacy Policy.

1. Information We Collect

1.1 Information You Provide Directly

• Account Registration: When you create an account, we collect your full name, email address, and password. You may optionally provide your Thai Citizen ID (national ID number) and mobile phone number.
• Farm Location: You can pin your farm location on our interactive Thailand map. We store the geographic coordinates (latitude, longitude) and the nearest weather station ID.
• Irrigation Configuration: When you set up your irrigation calculator or edge device, we collect information about your crop type, growth stage, soil type, irrigation system (drip/sprinkler), emitter rate, canopy properties, and other agronomic parameters to calculate your water needs.
• Communications: When you contact us via email or support channels, we collect the contents of your messages and any attachments.

1.2 Information Collected Automatically

• Device & Browser Information: IP address, browser type, operating system, referring URL, pages visited, and timestamps of your activity.
• Weather Data: We fetch and cache live weather data from Open-Meteo API (free, public service) based on your farm's coordinates. This data is not permanently stored in your profile unless you explicitly save it.
• Sensor Data (Owners Only): If you own an AgriECU Jetson edge device, we collect 15-minute weather cycles (temperature, humidity, wind speed, solar radiation, vapor pressure deficit) from your on-site sensors via InfluxDB Cloud. This data is encrypted and access-controlled per your device.

1.3 Third-Party Data

• We may receive aggregate, anonymized data from weather API providers and analytics services to improve our models.

2. How We Use Your Information

We use the information we collect for the following purposes:

• Service Delivery: To provide irrigation recommendations, calculate water needs (ETo/ETc), manage your account, and deliver notifications (via LINE Notify for premium users).
• Model Improvement: To train and refine machine learning models for ETo prediction, crop water stress (CWSI) estimation, and forecast accuracy (all processing done on anonymized, aggregated data).
• Research & Development: To understand usage patterns and improve the Service (anonymized and aggregated only).
• Legal Compliance: To comply with Thai law, including the Personal Data Protection Act (PDPA), tax obligations, and regulatory requests.
• Security & Fraud Prevention: To detect, prevent, and address technical and security issues.
• User Support: To respond to your inquiries and provide customer support.

3. Data Storage & Security

3.1 Where We Store Your Data

• Supabase PostgreSQL: Your account, profile, and configuration data are stored on Supabase (PostgreSQL database hosted in Southeast Asia, Singapore region). All data is encrypted at rest using AES-256 and in transit using TLS/SSL.
• InfluxDB Cloud (Owners Only): Sensor data from your Jetson edge device is stored in InfluxDB Cloud (US East region) and synced to your local device. Access is controlled via InfluxDB API tokens.
• LINE Messaging API (Owners Only): Notification events are sent to LINE via webhook; LINE's systems store message metadata per their privacy policy.

3.2 Security Measures

• Row-Level Security (RLS): Your data is isolated; you can only access your own profile and configurations.
• Password Security: Passwords are hashed using bcrypt (Supabase Auth standard); we never store plaintext passwords.
• API Tokens: InfluxDB and LINE API tokens are encrypted at rest and never exposed to the browser.
• HTTPS/TLS: All communication between your browser and our servers is encrypted.
• Regular Audits: We monitor access logs and perform security reviews of our infrastructure.

3.3 Data Retention

• Account Data: Retained for as long as your account is active. Upon deletion, data is purged within 30 days unless required to be retained for legal reasons.
• Sensor Data: Retained according to your device's InfluxDB retention policy (default: 30 days rolling; customizable).
• Logs: Server and access logs are retained for 90 days for security and debugging purposes.

4. Data Sharing & Third Parties

We do not sell, rent, or trade your personal data to third parties.

We share data only in the following limited circumstances:

• Service Providers: Supabase (data hosting), InfluxDB (sensor storage), Open-Meteo (weather API), LINE (notifications). These providers are bound by data processing agreements.
• Legal Requests: If required by law, court order, or regulatory authority (Thai authorities, PDPC), we will disclose the minimum necessary information. We will notify you unless legally prohibited.
• Business Transfer: If AgriECU is acquired or merged, your data may be transferred as part of that transaction. You will be notified of any change in ownership and control of your data.
• Anonymized Aggregates: We may publish aggregate, anonymized statistics about irrigation patterns, crop water needs, or regional climate trends for research and public benefit (no individual identification possible).

5. Your Rights Under Thai Law (PDPA)

Under Thailand's Personal Data Protection Act (B.E. 2562 / 2019), you have the following rights with respect to your personal data:

• Right to Access: You can request a copy of the personal data we hold about you.
• Right to Rectification: You can request that we correct inaccurate or incomplete data.
• Right to Erasure ("Right to be Forgotten"): You can request deletion of your personal data, except where we are legally required to retain it (e.g., tax records, contract obligations).
• Right to Object: You can object to the processing of your data for certain purposes (e.g., marketing).
• Right to Data Portability: You can request your data in a machine-readable format and request transfer to another controller.
• Right to Withdraw Consent: If we process your data based on consent, you can withdraw it at any time. This does not affect the lawfulness of prior processing.

To exercise any of these rights, please contact us at kristianlorenz.bajao@gmail.com with the subject line "PDPA Data Request" and provide sufficient detail for us to identify your account. We will respond within 30 days.

6. Data Breach Notification

In the event of a personal data breach that compromises your security or privacy, we will notify you and any affected users within 72 hours of discovery, as required by the PDPA. Notification will include the nature of the breach, types of data involved, likely consequences, and steps you should take.

7. Cookies & Tracking

AgriECU uses minimal tracking technology:

• localStorage: We store your language preference (EN/TH) in your browser's localStorage to persist your choice across sessions. This is not a cookie and contains no personal information.
• Session Tokens: Supabase Auth stores a session token in localStorage for automatic login. This token is encrypted and specific to your session.
• No Third-Party Cookies: We do not use Google Analytics, Facebook Pixel, or other third-party tracking pixels. We do not track you across other websites.

8. Children's Privacy

AgriECU is not intended for children under the age of 13 (or the minimum age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If we discover that a child has provided personal information, we will delete it immediately. Please contact us if you believe a child has registered.

9. International Data Transfers

Your data may be transferred to and processed in countries other than Thailand, including the United States (InfluxDB Cloud), Singapore (Supabase), and where Open-Meteo servers operate. These jurisdictions may have data protection laws different from Thailand's PDPA. By using AgriECU, you consent to such transfers and processing under the safeguards described in this Privacy Policy.

10. Data Protection Officer & Accountability

AgriECU is committed to PDPA compliance. While we do not currently designate a formal Data Protection Officer (as we are a small operation), we maintain internal accountability mechanisms and privacy-by-design principles in all systems.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect legal changes, new features, or improved clarity. We will notify you of material changes by email or by posting a prominent notice on our website. Your continued use of the Service after changes constitutes your acceptance of the revised Privacy Policy. The "Last updated" date at the top of this document indicates when it was last modified.

12. Contact Us

If you have questions, concerns, or requests related to this Privacy Policy or our data practices, please contact us:

• Email: kristianlorenz.bajao@gmail.com
• Mailing Address: Chumphon, Thailand
• Website: agriecu.farm

If you believe your rights under the PDPA have been violated and we have not resolved your concern, you may lodge a complaint with the Thai Personal Data Protection Committee (PDPC) at pdpc.go.th.

13. Acknowledgment

By creating an account or using AgriECU, you acknowledge that you have read and understood this Privacy Policy and agree to our collection, use, and processing of your personal information as described herein.