1. Who we are
This Privacy Policy explains how sproot handles personal data. sproot is operated by sproot AG, a company registered in Switzerland with enterprise identification number (UID) CHE-376.987.068, with its registered office at Maienmatt 8, 6315 Oberägeri, Switzerland (“sproot”, “we”, “us”, “our”).
For questions about this policy or about how your data is handled, contact us at info@sproot.com or by post at the address above. [ If a Data Protection Officer or EU/UK representative has been appointed, give their name and contact details here. ]
2. Scope of this policy, and who controls the data
sproot is a platform used by agribusinesses to run outgrower and contract-farming schemes. Different people interact with sproot in different ways, and the role we play depends on whose data it is.
Data where sproot is the controller
For some data we decide why and how it is processed, and we are the controller. This includes the data of visitors to our website, and the data of the staff at our customers who hold sproot user accounts (for example a scheme manager or administrator who logs in to the platform).
Data where sproot is the processor
The agribusiness that uses sproot to run its scheme decides what farmer and operational data to collect and why. For that data the agribusiness is the controller and sproot acts as a processor, handling the data on the agribusiness's instructions under a data processing agreement.
This includes the data of the smallholder farmers enrolled in a scheme, their farms and plots, their contracts, field-visit records and inspection records. If you are a farmer enrolled in a scheme and you have a question about your data, the agribusiness running your scheme is your first point of contact as the controller. We will support them in responding to you.
3. The data we collect
Website visitors
When you visit sproot.com we collect limited technical data such as IP address, browser and device type, pages viewed and referring page. If you fill in a form to request a demo or start a trial, we collect the contact and company details you provide, such as name, work email, phone number, company name and country.
Customer account users
When a member of a customer's staff is given a sproot account, we process their name, work email, phone number, role, the organisation they belong to, and records of their activity in the platform such as sign-in times and actions taken.
Farmer and operational data processed on behalf of customers
On the instructions of the agribusiness running a scheme, sproot stores and processes operational data that can include personal data. Depending on how the customer configures the platform, this may include:
- Farmer identity and contact details, such as name, photograph, date of birth, gender, national identification number, tax or revenue authority reference, and phone number.
- Farm and plot data, such as location, GPS-mapped boundaries, soil and irrigation characteristics, and crop history.
- Contract data, such as the crop contract a farmer operates under, planned inputs and activities, and expected output.
- Field-operations data, such as field-visit reports, geotagged photographs, crop-monitoring observations, input distribution and harvest collection records.
- Communications data, such as messages exchanged with farmers over WhatsApp and SMS, and the farmer's consent to be contacted on those channels.
- Certification and internal-inspection records, including inspection findings, non-conformities and corrective actions.
Some of this data, for example a national identification number, may be treated as sensitive or specially protected under the law that applies. [ Counsel to confirm how identification numbers and any other special-category data are classified under the applicable laws, and that an appropriate lawful basis and safeguards are in place. ]
4. Why we use data, and our lawful basis
For data where sproot is the controller, we use personal data to operate and secure our website, to respond to demo and trial requests, to provide and administer sproot accounts to customer staff, to communicate with customers about their account and the service, to improve and develop the platform, and to meet our legal and accounting obligations.
Our lawful bases for that processing are: performance of a contract, where we are providing the service to a customer; our legitimate interests in running, securing and improving our business, balanced against your rights; consent, where we rely on it, for example for certain marketing communications; and compliance with a legal obligation. [ Counsel to confirm the lawful-basis mapping for each purpose, and to confirm the position under the Swiss Federal Act on Data Protection in addition to the GDPR. ]
For farmer and operational data, sproot processes it only on the documented instructions of the customer who controls it, as set out in our data processing agreement with that customer. The lawful basis for collecting farmer data is the responsibility of that customer as controller.
5. How we share data
We do not sell personal data, and we never will. We share data only as described here:
- Service providers and sub-processors who help us run sproot, such as our cloud hosting provider, communications providers and analytics tools. They may process data only on our instructions and under contract. The current list of sub-processors is in section 6.
- Our customers, who access the data in their own scheme through the platform.
- Authorities or other parties where we are required to by law, or to establish, exercise or defend legal claims.
- A successor entity, in connection with a merger, acquisition or reorganisation of sproot, subject to this policy. [ Counsel to confirm wording. ]
6. Sub-processors and hosting
sproot is hosted on Amazon Web Services, with the application database and file storage on AWS infrastructure. We use additional sub-processors to provide parts of the service, such as communications and analytics.
[ sproot to provide and maintain the full list of sub-processors, each with: name, the service they provide, and the country or region where they process data. This list should be kept current and, for customers, referenced in the data processing agreement. The hosting region for the AWS database and file storage should be stated here. ]
7. International data transfers
sproot operates from Switzerland, works with customers and schemes in several countries including in East Africa, and uses service providers that may be located in other countries. This means personal data may be transferred across borders, including out of the country where it was collected.
Where we transfer personal data internationally, we put in place a lawful transfer mechanism, such as an adequacy decision where one exists, or Standard Contractual Clauses with any additional safeguards that are required. [ Counsel to confirm the transfer mechanisms actually used, in particular for transfers involving the EU, the United Kingdom, Switzerland and the countries where schemes operate, and to confirm compliance with the Kenya Data Protection Act 2019 and any other applicable local law for farmer data. ]
8. How long we keep data
For data where sproot is the controller, we keep personal data only for as long as we need it for the purpose it was collected, and to meet our legal, accounting and reporting obligations, after which it is deleted or anonymised.
For farmer and operational data, retention is determined by the customer who controls it. We retain it for as long as the customer's agreement with us is in effect, and we return or delete it after the agreement ends, as set out in the data processing agreement. [ Counsel and sproot to set specific retention periods, including the period for returning or deleting customer data after termination. ]
9. How we protect data
We take the security of personal data seriously and use technical and organisational measures intended to protect it against unauthorised access, loss or misuse. These include hosting on established cloud infrastructure, access controls, and encryption in transit. [ sproot and counsel to confirm the specific security measures that can be accurately stated, for example encryption at rest, backup practices, access-control model, and to add any formal certifications such as ISO 27001 or SOC 2 only once actually held. Do not state measures that are not in place. ]
10. Your rights
Depending on the law that applies to you, you may have the right to access the personal data we hold about you, to have it corrected or deleted, to object to or restrict certain processing, to data portability, and to withdraw consent where processing is based on consent. You may also have the right to complain to a data protection authority.
If sproot is the controller of your data, you can exercise these rights by contacting us at info@sproot.com. If your data is part of a scheme run by an agribusiness, that agribusiness is the controller and you should contact them; we will assist them as their processor.
[ Counsel to confirm the specific rights and response timescales under each applicable law, including the GDPR, the Swiss FADP and the Kenya Data Protection Act 2019, and to name the relevant supervisory authorities. ]
11. Cookies
sproot.com uses cookies and similar technologies. How we use them, and the choices available to you, are explained in our Cookie Policy.
12. Children
sproot is a business tool and is not directed at children. We do not knowingly collect data directly from children through our website. [ Counsel to confirm wording, taking into account that farmer records entered by a customer are controlled by that customer. ]
13. Changes to this policy
We may update this policy from time to time. When we make material changes we will update the date at the top and, where appropriate, notify customers. The current version is always available on sproot.com.
14. Contact
For any question about this policy or your personal data, contact us at info@sproot.com, or by post at Maienmatt 8, 6315 Oberägeri, Switzerland.