Privacy Policy

1. Information We Collect

We collect the following categories of data:

• Account data: username, email address, role, and tenant association provided at registration.
• Operational data: inventory records, processing logs, dispatch records, sales entries, accounts, and any other data you enter while using FarmFlow.
• Worker or contact data: names or identifiers of estate workers or buyers that you optionally enter into the system. You are responsible for ensuring lawful basis for entering such data.
• Usage and analytics data: pages visited, features used, session duration, and click events — collected via PostHog (analytics) and Google Analytics 4 (GA4) to improve the product.
• Technical data: IP address, browser type, device type, and cookies necessary for session management and security.
• Communications: messages you send via the contact form or by email.

2. Cookies and Analytics

FarmFlow uses cookies and similar technologies for the following purposes:

• Session cookies: required to keep you logged in. These are strictly necessary and cannot be disabled.
• PostHog: a product analytics tool used to understand how features are used and to identify areas for improvement. PostHog is configured to route data via our own domain (/ingest/) and stores data in the EU. PostHog may set persistent cookies.
• Google Analytics 4 (GA4): used to understand overall website traffic and acquisition channels. GA4 sets cookies (including _ga and _gid) and sends anonymised usage data to Google's servers.

By using FarmFlow, you consent to the use of analytics cookies described above. You can opt out of Google Analytics tracking at any time by installing the Google Analytics Opt-out Browser Add-on.

3. How We Use Data

• To provide, operate, and secure the FarmFlow service.
• To authenticate users and manage sessions.
• To maintain traceability, audit records, and operational history within your workspace.
• To send transactional emails such as verification codes, weekly digests, and account alerts.
• To respond to support requests and enquiries.
• To analyse product usage and improve features.
• To comply with legal obligations.

We do not use your operational data for advertising, and we do not sell any personal data to third parties.

4. Legal Basis for Processing (DPDP Act)

Under India's Digital Personal Data Protection Act, 2023, we process personal data on the following grounds:

• Consent: where you have provided explicit consent at registration or through use of the service, including consent for analytics cookies.
• Contractual necessity: processing required to provide the service you have subscribed to.
• Legitimate interests: product analytics and security monitoring, where these do not override your privacy rights.
• Legal obligation: where we are required to retain or share data by applicable law.

5. Data Sharing and Subprocessors

We share data only with the third-party service providers (“subprocessors”) necessary to operate FarmFlow. A full list is available on the Subprocessors page. Key subprocessors include:

• Neon (database): serverless PostgreSQL; data stored in AWS regions.
• Vercel (hosting): application hosting and serverless functions.
• Resend (email): transactional email delivery.
• Anthropic (AI): AI assistant and analysis features pass relevant context to Anthropic's API. No data is retained by Anthropic for training without consent.
• PostHog (analytics): product analytics, EU-hosted.
• Google Analytics (analytics): website traffic analytics.
• Sentry (error tracking): error and performance monitoring.

We do not transfer personal data to countries outside India or the EEA without appropriate safeguards.

6. Data Retention

We retain personal data for as long as your account is active or as necessary to provide the service. Operational data (records you create) is retained for the duration of your subscription and for a reasonable period after account closure to allow data export. Account data is deleted or anonymised within 90 days of a confirmed account deletion request. Some data may be retained longer where required by legal or audit obligations.

7. Your Rights

Under the DPDP Act and other applicable law, you have the right to:

• Access: request a summary of personal data we hold about you.
• Correction: request correction of inaccurate personal data.
• Erasure: request deletion of your personal data, subject to legal retention requirements.
• Withdraw consent: withdraw consent for processing where consent is the lawful basis, without affecting prior processing.
• Grievance redressal: raise a complaint with our designated grievance officer (see below).

To exercise any of these rights, contact us at nikhil@thefarmflow.in. We will respond within 30 days.

8. Data Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These include tenant-level data isolation (row-level security), encrypted connections (TLS), role-based access control, and audit logging. No method of transmission over the internet is completely secure; we cannot guarantee absolute security.

9. Children's Privacy

FarmFlow is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has registered, please contact us and we will remove the account.

10. Grievance Officer

In accordance with the Information Technology Act, 2000 and the DPDP Act, 2023, the designated Grievance Officer for FarmFlow is:

Nikhil Chengappa
Email: nikhil@thefarmflow.in
We aim to acknowledge grievances within 48 hours and resolve them within 30 days.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users by email before material changes take effect. Continued use of FarmFlow after the effective date constitutes acceptance of the updated policy.