PRIVACY POLICY FOR CROPCARE AI
Last Updated: September 25, 2025
Version: 1.0.1+15
===============================================================================
YOUR PRIVACY IS IMPORTANT TO US
===============================================================================
This Privacy Policy explains how CropCare AI ("we," "our," or "us") collects,
uses, and protects your information when you use our mobile application, web
platform, and related services (collectively, the "Services"). CropCare AI
operates across multiple platforms, including a mobile app (dev.hamez.cropcare),
a web platform (trycropcareai.com), and backend API services.
1. INFORMATION WE COLLECT
1.1 PERSONAL INFORMATION
- Account information: Email address, encrypted password
- Profile data: Name, location/region (for pricing), preferences
- Contact information for customer support and communications
- OAuth2 authentication data (Google, Apple, GitHub) (to be added)
- User-selected region for pricing tier determination (developed/underdeveloped)
- Organization membership and role information (for team features)
1.2 CROP AND IMAGE DATA
- Plant and crop photos you upload for AI analysis
- Analysis results, diagnoses, and treatment recommendations
- GPS location data (optional, if enabled) for environmental context
- Image metadata: timestamps, device information, photo quality metrics
- Analysis history and user-generated notes or tags
- Treatment effectiveness feedback and follow-up data
1.3 TECHNICAL AND DEVICE INFORMATION
- Device identifiers: Device model, operating system version, unique device ID
- App version, installation date, and usage statistics
- Network information: IP address, connection type (WiFi/cellular)
- Performance data: crash reports, error logs, loading times
- Screen resolution and device capabilities for optimal image processing
1.4 LOCATION INFORMATION
- GPS coordinates (optional, user-controlled) for regional pricing and country detection
- Country code detection for automatic regional pricing application
- Location data used for determining developed/underdeveloped region pricing tiers
- IP-based geolocation for fallback country detection when GPS is unavailable
- Location permissions managed through device settings with user consent required
1.5 SUBSCRIPTION AND BILLING DATA
- Subscription plan type (free, free trial, monthly premium, yearly premium, organisation)
- Subscription status, renewal dates, and billing cycle information
- Free trial activation date, expiry date, and conversion status
- Trial notification history and delivery status
- Purchase receipts and transaction data from Google Play Store or Apple App Store
- Scan usage tracking: number of scans used per billing period
- Payment processing data (handled by app stores or Paystack, not stored by CropCare)
- Regional pricing information and currency preferences
- One-trial-per-user enforcement data
- Organisation subscriptions: License assignments, team member access, payment webhooks
- Grace period tracking for failed payments (7-day buffer)
1.6 DISEASE OUTBREAK AND ALERT DATA
- Scan location data: Optional GPS coordinates for outbreak clustering and alert radius
- Disease patterns: Aggregated scan data for outbreak detection (anonymized)
- Alert history: Disease alerts received, read status, and user interactions
- Proximity data: Distance calculations between user scans and outbreak centers
- Outbreak participation: Anonymous contribution to outbreak case counts
- Alert preferences: Notification settings for disease outbreak alerts
- FCM tokens: Device tokens for push notification delivery
1.7 USAGE AND ANALYTICS DATA
- Feature usage patterns and user interaction data
- Analysis request frequency and timing patterns
- Success rates and confidence levels of AI analyses
- Search queries and filter preferences in analysis history
- Web platform usage: page views, session duration, feature engagement
- API usage statistics for enterprise customers
- Push notification engagement: delivery rates, open rates, interaction patterns
- Disease alert responses: read rates, action taken, follow-up scans
2. HOW WE COLLECT INFORMATION
2.1 DIRECT COLLECTION
- Account creation and profile setup information
- Images and data you upload for plant disease analysis
- Information provided through customer support interactions
- Preferences and settings configured within the application
- Feedback, ratings, and user-generated content
- Organization setup and team collaboration data
- Location permission consent and country code preferences
2.2 AUTOMATIC COLLECTION
- Mobile app usage through standard app analytics
- Web platform interaction through cookies and session tracking
- Device and technical information via standard mobile app APIs
- Performance metrics and error reporting for service improvement
- AI analysis results and confidence scores generated by our systems
2.3 THIRD-PARTY SOURCES
- GitHub Models API for AI plant disease detection processing
- Google Play Store and Apple App Store for subscription validation
- OAuth2 providers (Google, Apple) for secure authentication
- Payment processors (via app stores) for subscription management
- Content delivery networks for optimized service delivery
3. HOW WE USE YOUR INFORMATION
3.1 PRIMARY SERVICE PURPOSES
- Provide AI-powered plant disease detection via GitHub Models API
- Generate accurate treatment and care recommendations
- Manage subscription plans and billing (free tier, free trial, premium monthly/yearly, organisation)
- Track and enforce free trial eligibility (one trial per user)
- Send trial expiry notifications at 6, 4, and 2 days before expiration
- Deliver disease outbreak alerts to premium and trial users within 50km radius
- Detect disease outbreaks automatically (daily at 2 AM UTC, ≥10 users, 25km clustering)
- Send push notifications for nearby disease outbreaks (premium feature)
- Maintain analysis history and personal plant health records
- Deliver regional pricing based on user location (developed/underdeveloped regions)
- Process and validate subscription purchases through app stores or Paystack
- Auto-detect country code during signup for improved user experience
- Apply appropriate regional pricing tiers based on geographic location
- Manage organisation subscriptions with license-based team access
3.2 PLATFORM AND FEATURE DELIVERY
- Authenticate users across mobile app and web platform
- Synchronize data between devices for premium users
- Enable team collaboration and organization features
- Provide Universal Link functionality (https://trycropcareai.com/)
- Support deep linking between web and mobile platforms
- Deliver API services for enterprise customers
3.3 SERVICE IMPROVEMENT AND ANALYTICS
- Analyze usage patterns to improve AI model accuracy
- Monitor service performance and reliability
- Identify popular plant types and common disease patterns
- Optimize application performance and user experience
- Develop new features based on user behavior and feedback
- Enhance regional and local disease detection capabilities
3.4 COMMUNICATION AND SUPPORT
- Send subscription notifications and billing updates
- Provide customer support and technical assistance
- Notify users of scan limit approaches (free tier users)
- Send trial expiry notifications (6, 4, and 2 days before expiration)
- Deliver disease outbreak alerts to premium and trial users via push notifications
- Deliver security updates and important service announcements
- Share educational content and treatment effectiveness tips
- Facilitate team communication for organizational accounts
3.5 COMPLIANCE AND SECURITY
- Prevent fraud and unauthorized subscription sharing
- Ensure compliance with app store policies and regional regulations
- Maintain data security and user account protection
- Validate subscription authenticity and prevent abuse
- Enforce one-trial-per-user limit to prevent trial abuse
- Monitor for suspicious activity and policy violations
- Track trial conversions for service improvement and fraud prevention
4. INFORMATION STORAGE AND SECURITY
4.1 LOCAL STORAGE (MOBILE APP)
- Analysis history stored locally using encrypted Hive database
- Images saved to app-specific device directories with restricted access
- Authentication tokens secured via Flutter Secure Storage with hardware-backed keystore
- User preferences and settings stored locally with encryption
- Offline analysis viewing capabilities through local data caching
- Trial status and eligibility cached locally for performance
- Disease alert notifications stored locally in Hive database with 30-day auto-cleanup
- Data remains under user control with local deletion options
4.2 CLOUD INFRASTRUCTURE AND TRANSMISSION
- Secure HTTPS transmission to backend API
- Images processed through GitHub Models API with temporary processing only
- Web platform data hosted on secure cloud infrastructure with encryption at rest
- Database backups encrypted and stored with access controls
- API requests protected with OAuth2 authentication and rate limiting
- Cross-device synchronization for premium users with end-to-end encryption
4.3 THIRD-PARTY SERVICE SECURITY
- GitHub Models API: Temporary image processing with automatic deletion
- Google Play Store/Apple App Store: Subscription validation with secure tokens
- Payment processing: Handled entirely by app stores (no credit card data stored)
- OAuth2 providers: Secure authentication without password storage
- Content delivery networks: Encrypted transmission and secure endpoints
4.4 COMPREHENSIVE SECURITY MEASURES
- Industry-standard AES-256 encryption for data at rest
- TLS 1.3 encryption for all data transmission
- Regular security audits and vulnerability assessments
- Multi-factor authentication options for enhanced account security
- Automated threat detection and prevention systems
- GDPR and CCPA compliant data handling procedures
- Regular backup and disaster recovery protocols
- Secure development lifecycle and code review processes
5. DATA SHARING AND DISCLOSURE
5.1 WE DO NOT SELL YOUR PERSONAL DATA
- Your personal information, images, and analysis results are never sold to third parties
- Plant health data and treatment histories remain private and confidential
- Usage patterns may be anonymized and aggregated for service improvement only
- User consent is always required before any data sharing outside of essential operations
5.2 ESSENTIAL SERVICE SHARING
- GitHub Models API: Image processing for AI disease detection (temporary processing only)
- App stores (Google Play, Apple): Subscription validation and billing management
- Cloud service providers: Secure hosting and data processing infrastructure
- Authentication services: OAuth2 providers for secure login functionality
- Analytics services: Anonymized usage data for service optimization
5.3 LEGAL AND SAFETY DISCLOSURE
- Legal compliance: When required by law, court order, or regulatory authorities
- Safety protection: To prevent harm, protect rights, or ensure user safety
- Terms enforcement: To investigate violations of terms of service or fraud
- Business continuity: In case of merger, acquisition, or business transfer (with user notification)
5.4 ORGANIZATIONAL AND TEAM SHARING
- Team collaboration features: Data sharing within user-authorized organizations
- Premium organizational accounts: Controlled sharing based on role permissions
- API enterprise customers: Data sharing governed by specific enterprise agreements
- User-initiated sharing: Analysis results shared through user-controlled mechanisms
5.5 ANONYMIZED RESEARCH DATA
- Aggregated disease pattern analysis for agricultural research (no personal identification)
- Regional crop health trends for public health and agricultural planning
- AI model improvement using anonymized image and analysis data
- Academic partnerships for agricultural technology advancement (with ethical oversight)
6. YOUR PRIVACY RIGHTS
6.1 DATA ACCESS AND PORTABILITY
- View all stored analysis history through mobile app and web platform
- Export analysis data in machine-readable formats (JSON, CSV)
- Download complete account data including images and treatment history
- Access subscription and billing information through your account dashboard
- Review usage statistics and scan history for your account
- Request copies of any data we have collected about you
6.2 DATA CONTROL AND DELETION
- Delete individual analyses or clear complete analysis history
- Permanently delete account and all associated data
- Uninstall mobile app to remove all local data
- Clear authentication tokens and logout from all devices
- Cancel subscriptions directly through Google Play Store or Apple App Store
- Request deletion of any shared data with third parties (where technically feasible)
6.3 PRIVACY PREFERENCES AND SETTINGS
- Control camera, storage, and location permissions through device settings
- Manage location access for country code detection and regional pricing
- Grant or deny location permissions for automatic country code completion
- Manage notification preferences for billing and scan limit alerts
- Opt out of analytics and crash reporting (may limit support capabilities)
- Configure automatic data backup and synchronization settings
- Set analysis history retention periods and automatic cleanup
- Choose data sharing preferences for team and organizational features
6.4 REGIONAL PRIVACY RIGHTS
GDPR Rights (EU Users):
- Right to access: Request copies of your personal data
- Right to rectification: Correct inaccurate or incomplete data
- Right to erasure: Delete personal data under certain circumstances
- Right to restrict processing: Limit how we use your data
- Right to data portability: Transfer data to another service
- Right to object: Opt out of certain data processing activities
- Right to withdraw consent: Revoke previously given consent
CCPA Rights (California Users):
- Right to know: Information about data collection and sharing practices
- Right to delete: Request deletion of personal information
- Right to opt-out: Prevent sale of personal information (we don't sell data)
- Right to non-discrimination: No penalization for exercising privacy rights
- Right to correct: Request correction of inaccurate personal information
7. CHILDREN'S PRIVACY
7.1 AGE RESTRICTIONS AND REQUIREMENTS
- The Services are intended for users aged 16 and older
- We do not knowingly collect personal data from children under 16
- Users between 16 and 18 require parental consent for account creation
- Educational use by younger students requires institutional supervision and consent
- School and educational institution accounts must comply with COPPA and FERPA requirements
7.2 PARENTAL CONTROLS AND OVERSIGHT
- Parents can review and request deletion of their child's data
- Institutional accounts provide administrative oversight for student usage
- Educational features include enhanced privacy protections and limited data collection
- Parental notification requirements for any data processing of minors
- Special consent mechanisms for educational and agricultural training programs
7.3 EDUCATIONAL INSTITUTION COMPLIANCE
- Schools must obtain proper consent before student use
- Data processing agreements required for institutional deployment
- Enhanced data protection measures for educational environments
- Limited data retention periods for student accounts
- FERPA compliance for educational records and learning analytics
8. INTERNATIONAL DATA TRANSFERS
8.1 CROSS-BORDER PROCESSING AND COMPLIANCE
- Data may be processed in various countries to provide optimal service performance
- GitHub Models API processing occurs in Microsoft's global cloud infrastructure
- Backend services hosted in regions with strong data protection laws
- All transfers comply with applicable international privacy frameworks (GDPR Articles 44-49)
- Standard contractual clauses and adequacy decisions ensure data protection across borders
8.2 REGIONAL DATA LOCALIZATION
- EU user data processed within the European Economic Area where possible
- Regional pricing and billing handled locally through app stores
- Analysis results cached locally on devices to minimize cross-border transfers
- Enterprise customers may request specific data residency arrangements
- Compliance with local data sovereignty requirements and regulations
8.3 SAFEGUARDS FOR INTERNATIONAL TRANSFERS
- Binding Corporate Rules (BCRs) for internal data transfers
- Data Processing Agreements with all third-party service providers
- Regular assessment of destination countries' privacy law adequacy
- Encryption and pseudonymization of data during international transmission
- User notification of any changes to data processing locations
9. DATA RETENTION
9.1 LOCAL DATA RETENTION POLICIES
- Mobile app analysis history: Retained until manually deleted by user
- Images and metadata: Stored locally until user removes them or app is uninstalled
- User preferences and settings: Persist between app sessions and updates
- Authentication tokens: Valid until user logs out or manually revoked
- Cached data: Automatically cleaned based on device storage availability
9.2 CLOUD AND BACKEND DATA RETENTION
- Account data: Retained while account remains active, deleted within 90 days of account closure
- Subscription information: Retained for tax and billing purposes as required by law (typically 7 years)
- Trial data: Retained while account is active to enforce one-trial-per-user limit; deleted with account
- Trial notification history: Retained for 90 days after trial expiration for analytics
- Support communications: Retained for 2 years for quality assurance and issue resolution
- Anonymized usage analytics: Retained indefinitely for service improvement
- Security logs: Retained for 1 year for fraud prevention and security monitoring
- Disease alert history: Server-side records retained for 90 days for analytics
9.3 THIRD-PARTY SERVICE RETENTION
- GitHub Models API: Images deleted immediately after processing completion
- App store data: Managed according to Google Play Store and Apple App Store policies
- OAuth providers: Token validity and refresh policies managed by respective providers
- Payment data: Handled entirely by app stores with their retention policies
- Analytics services: Anonymized data retained according to service provider policies
9.4 AUTOMATIC DELETION AND CLEANUP
- Inactive account deletion: Accounts inactive for 3 years may be automatically deleted
- Temporary data cleanup: Analysis processing data removed within 24 hours
- Error logs and crash reports: Retained for 90 days for troubleshooting purposes
- Email communications: Marketing emails retain engagement data for 2 years
- API access logs: Retained for 6 months for monitoring and security purposes
10. COOKIES AND TRACKING TECHNOLOGIES
10.1 WEB PLATFORM COOKIES (trycropcareai.com)
- Essential cookies: Required for authentication, security, and basic functionality
- Analytics cookies: Google Analytics and similar services for usage optimization
- Preference cookies: Remember user settings, language choices, and dashboard configurations
- Security cookies: Fraud prevention, rate limiting, and suspicious activity detection
- Session cookies: Maintain login state and secure communications
10.2 MOBILE APP TRACKING
- Local storage: User preferences and settings stored in app-specific directories
- Analytics tracking: Anonymized usage patterns for feature optimization and bug detection
- Crash reporting: Automatic error collection for app stability improvement
- Performance monitoring: Load times, response rates, and user interaction metrics
- Authentication persistence: Secure token storage for seamless user experience
- Trial tracking: Trial activation, expiry, and conversion metrics (anonymized)
- Disease alert engagement: Notification delivery and interaction tracking
10.3 THIRD-PARTY TRACKING AND ANALYTICS
- GitHub Models API: No tracking cookies, temporary processing only
- App store analytics: Usage statistics provided by Google Play Store and Apple App Store
- OAuth providers: Authentication tracking managed by Google, Apple according to their policies
- Content delivery networks: Performance optimization tracking for faster service delivery
- Customer support systems: Interaction tracking for support quality and response time improvement
10.4 COOKIE MANAGEMENT AND USER CONTROL
- Web platform cookie preferences: Configurable through browser settings and our cookie banner
- Mobile app analytics: Opt-out available through app settings (may limit support capabilities)
- Third-party cookie control: Managed through respective service provider settings
- Tracking prevention: Compatible with browser privacy settings and tracking protection
- Cookie deletion: Regular cleanup and user-controlled cookie management options
11. THIRD-PARTY SERVICES
11.1 AI AND MACHINE LEARNING SERVICES
GitHub Models API:
- Purpose: AI-powered plant disease detection and analysis
- Data shared: Plant images (temporary processing only)
- Data retention: Images deleted immediately after analysis completion
- Privacy policy: Subject to Microsoft/GitHub Terms of Service and Privacy Policy
- Security: HTTPS encryption, no permanent storage of user images
11.2 AUTHENTICATION AND IDENTITY SERVICES
OAuth2 Providers (Google, Apple, GitHub):
- Purpose: Secure user authentication and account creation
- Data shared: Basic profile information (email, name), authentication tokens
- Data retention: Managed according to respective provider policies
- Privacy policies: Subject to Google, Apple, GitHub privacy policies
- Security: Industry-standard OAuth2 protocol with encrypted token exchange
11.3 PAYMENT AND SUBSCRIPTION SERVICES
Google Play Store and Apple App Store:
- Purpose: Subscription management, billing, and payment processing
- Data shared: Purchase receipts, subscription status, billing information
- Data retention: Managed by respective app stores according to their policies
- Privacy policies: Subject to Google Play and Apple App Store terms
- Security: End-to-end encrypted payment processing, no credit card data stored by CropCare
11.4 CLOUD INFRASTRUCTURE AND HOSTING
Backend Services:
- Purpose: User account management, subscription validation, API services
- Data shared: Account information, subscription status, usage analytics
- Data retention: Controlled by CropCare data retention policies
- Security: Encrypted data transmission and storage, regular security audits
- Compliance: GDPR, CCPA, and other applicable privacy regulations
11.5 ANALYTICS AND PERFORMANCE MONITORING
Usage Analytics Services:
- Purpose: App performance monitoring, crash reporting, usage optimization
- Data shared: Anonymized usage patterns, performance metrics, error logs
- Data retention: Varies by service provider (typically 1-2 years)
- Privacy protection: Data anonymization and aggregation before sharing
- User control: Opt-out available through app settings
12. CHANGES TO THIS PRIVACY POLICY
12.1 POLICY UPDATES AND NOTIFICATIONS
- We review and update this policy regularly to reflect service changes and legal requirements
- Material changes will be communicated through multiple channels:
  * In-app notifications with policy change summaries
  * Email notifications to registered users (if email provided)
  * Web platform banner notifications (trycropcareai.com)
  * App store update descriptions highlighting privacy changes
- Minor technical updates may be made without specific notification
12.2 VERSION CONTROL AND TRANSPARENCY
- All policy versions archived and accessible through our website
- Change logs maintained to track specific modifications and additions
- "Last Updated" date prominently displayed at the beginning of policy
- Version numbers correspond to major app releases and significant policy changes
- Users can request previous policy versions for comparison and reference
12.3 CONSENT AND CONTINUED USE
- Continued use of Services after policy updates constitutes acceptance of changes
- Users who disagree with policy changes may delete their account and data
- Grace periods provided for significant changes that affect data processing
- Clear instructions provided for users who wish to withdraw consent
- Enterprise customers receive advance notice of changes affecting contractual obligations
12.4 REGULATORY COMPLIANCE UPDATES
- Policy updates may be required to comply with new privacy regulations
- Changes to international data transfer mechanisms reflected promptly
- Regional privacy law compliance updates (GDPR, CCPA, etc.)
- Industry-specific compliance requirements for agricultural technology services
- Proactive updates to maintain best practices in privacy protection
13. CONTACT US
For privacy-related questions, requests, or concerns:
Primary Contact:
- Email: hamez@hamez.dev
- Subject line: "Privacy Policy - [Your Request Type]"
- Response time: We aim to respond within 48-72 hours for privacy inquiries
Data Protection Inquiries:
- GDPR requests: Include "GDPR Request" in subject line
- CCPA requests: Include "CCPA Request" in subject line
- Data deletion requests: Include "Data Deletion Request" in subject line
- Data portability requests: Include "Data Export Request" in subject line
Additional Contact Methods:
- Web platform contact form: https://trycropcareai.com/contact/
- In-app support: Available through Settings > Help & Support
- Mailing Address: [Physical address for formal legal requests]
Enterprise Privacy Contacts:
- Enterprise customers: Contact your designated account manager
- Bulk data processing inquiries: hamez@hamez.dev
- Data Processing Agreements: hamez@hamez.dev
- Security incident reporting: hamez@hamez.dev
Response Procedures:
- Standard privacy inquiries: 48-72 hours
- Data subject rights requests: Within 30 days as required by applicable law
- Security incidents: Immediate acknowledgment, resolution within 72 hours
- Complex technical requests: May require additional time with progress updates
14. REGULATORY COMPLIANCE
14.1 GDPR COMPLIANCE (EU/EEA Users)
- Lawful basis for processing: Legitimate interest, consent, and contract performance
- Data Protection Officer: Available upon request for data protection inquiries
- Right to lodge complaints: Users may file complaints with local supervisory authorities
- Data breach notifications: Users notified within 72 hours of discovery when required
- Privacy by design: Built-in privacy protections in all service features
- Regular Data Protection Impact Assessments (DPIAs) for new features
14.2 CCPA COMPLIANCE (California Users)
- Categories of personal information collected: As detailed in Section 1 of this policy
- Business purposes for collection: Service delivery, analytics, security, compliance
- Third parties receiving information: As detailed in Section 5 of this policy
- Sale of personal information: We do not sell personal information
- Non-discrimination policy: No penalization for exercising CCPA rights
- Authorized agent requests: Accepted with proper verification procedures
14.3 OTHER REGIONAL PRIVACY LAWS
- Canada (PIPEDA): Compliance with Personal Information Protection and Electronic Documents Act
- Brazil (LGPD): Lei Geral de Proteção de Dados compliance for Brazilian users
- Australia (Privacy Act): Australian Privacy Principles compliance
- South Africa (POPIA): Protection of Personal Information Act compliance
- India (PDPB): Alignment with emerging Personal Data Protection Bill requirements
14.4 INDUSTRY-SPECIFIC COMPLIANCE
- Agricultural data standards: Compliance with agricultural technology industry best practices
- Educational technology: COPPA and FERPA compliance for educational institution users
- Healthcare adjacent: HIPAA-like protections where plant health intersects with food safety
- International standards: ISO 27001 and SOC 2 compliance for data security
- Agricultural research ethics: Compliance with research data sharing ethical standards
15. SECURITY INCIDENTS
15.1 INCIDENT RESPONSE AND NOTIFICATION
- Immediate investigation and containment of any security breaches or incidents
- User notification within 72 hours of confirmed data breach affecting personal information
- Detailed incident reports provided including scope, impact, and remediation measures
- Cooperation with law enforcement and regulatory authorities as required
- Post-incident security reviews and improvement implementation
15.2 BREACH PREVENTION AND MONITORING
- 24/7 security monitoring and threat detection systems
- Regular penetration testing and vulnerability assessments
- Employee security training and access control management
- Multi-layered security architecture with redundant protection systems
- Incident response plan testing and regular updates
15.3 USER PROTECTION MEASURES
- Automatic account security measures activated during incidents
- Password reset requirements for accounts potentially affected
- Enhanced monitoring for affected accounts and suspicious activity detection
- Free credit monitoring services provided when applicable
- Clear communication about steps users should take to protect themselves
===============================================================================
EFFECTIVE DATE: This Privacy Policy is effective as of September 25, 2025
===============================================================================
END OF PRIVACY POLICY