🔒 Privacy Policy

1. Who We Are

Edward Farm ("we", "us", "our") operates the Edward Platform — a smart farming companion for IoT-connected aquaponics, hydroponics, and urban agriculture stations. We are committed to protecting your personal data in compliance with the EU General Data Protection Regulation (GDPR).

2. What Data We Collect

We collect the following categories of personal data:

Data Category	Examples	Legal Basis
Account Data	Email, username, display name, password (hashed)	Contract performance
Station Data	Station configuration, location (city level), hardware type	Contract performance
Telemetry Data	Water temperature, pH, sensor readings, tidal phase	Legitimate interest
Logbook Data	Plantings, harvests, fish records, observations, tasks	Contract performance
Photos	Camera uploads, captions, AI insights, tags	Consent
Community Data	Posts, comments, likes, feedback	Consent / Legitimate interest
Research Data	Data shared with research contracts (anonymized by default)	Explicit consent
Analytics	Page views, feature usage (via privacy-focused Umami)	Consent (opt-in)

3. How We Use Your Data

• Provide the Service: Account management, station monitoring, logbook features, and community interactions.
• Improve the Platform: Anonymized analytics to understand feature usage and improve user experience.
• Citizen Science: When you explicitly opt in, your anonymized station data may be shared with research partners.
• Communications: Service-related emails (account verification, station alerts). We do not send marketing emails without your explicit consent.

4. Cookies & Tracking

Essential Cookies

We use a single essential cookie (edward_token) for authentication. This is a secure, HttpOnly cookie that keeps you logged in. It cannot be disabled as it is necessary for the platform to function.

Analytics (Opt-in)

We use Umami, a privacy-focused analytics tool. Umami does not use cookies, does not track individuals, and does not collect personal data. However, we still request your consent before enabling analytics. You can manage your preferences at any time via the cookie settings banner.

5. Data Sharing

We do not sell your personal data. We may share data in the following circumstances:

• Research Contracts: Only with your explicit consent, and anonymized by default.
• Community Features: Content you mark as "public" (posts, shared stations) is visible to other users.
• Legal Requirements: When required by applicable law or regulation.

5a. AI-Powered Features & Third-Party Processing

The Edward Platform integrates AI-powered features through Google Gemini (a service provided by Google LLC). When you use the Edward AI chatbot or AI-assisted features, the following data may be sent to Google's servers for processing:

• Your chat messages and questions to the AI assistant
• Station context (name, type) to provide relevant gardening advice
• Species names and growing conditions for personalized tips

What is NOT sent to Google:

• Your email address, password, or account credentials
• Your precise GPS location or home address
• Photos or camera uploads
• Personal financial information

Google processes this data according to their Data Processing Addendum and Privacy Policy. Google Gemini API data is not used to train Google's general AI models. You can choose not to use AI features — all core platform functionality works without them.

6. Data Retention

Your personal data is retained for as long as your account is active. When you delete your account, all associated data is permanently removed within 30 days. Anonymized research data that was already shared may persist in aggregate datasets.

7. Data Security

• Passwords are hashed using bcrypt with a cost factor of 12.
• Authentication tokens are signed with JWT and transmitted via secure, HttpOnly cookies.
• All data is stored locally on our servers (self-hosted) — we do not use third-party cloud providers for data storage.
• The platform uses HTTPS in production with Helmet.js security headers.
• Rate limiting protects against brute-force attacks on authentication endpoints.
• CSRF protection prevents cross-site request forgery on all state-changing operations.
• Security events are recorded in an immutable audit log for incident response.

8. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

• Right of Access (Art. 15): Request a copy of all your personal data. Use the "Download My Data" button in your Account Settings.
• Right to Rectification (Art. 16): Update your profile information at any time in Account Settings.
• Right to Erasure (Art. 17): Delete your account and all associated data from Account Settings.
• Right to Data Portability (Art. 20): Export your data in a machine-readable JSON format via Account Settings.
• Right to Object (Art. 21): Opt out of analytics tracking via the cookie consent banner.
• Right to Restrict Processing (Art. 18): Contact the DPO to request restriction.
• Right to Withdraw Consent: You may withdraw consent for analytics or research data sharing at any time.

To exercise any of these rights, use the tools in your Account Settings or contact our DPO at dpo@edward.farm.

9. Children's Privacy

The Edward Platform is designed for educational use, including by students in school environments. If you are under 16, please ensure your parent, teacher, or guardian has consented to your use of the platform. We do not knowingly collect personal data from children under 13 without verified parental consent.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Significant changes will be communicated via the platform notification system. The "Last updated" date at the top of this page indicates the most recent revision.

11. Contact Us