Effective Date: 17 October 2025
Controller: AgroSync, UAB (company code 306755037), Mokslininkų g. 2A, LT‑08412, Vilnius, Lithuania
Contact (Privacy / Legal): info@agrosync.io

This Privacy Policy (the “Policy”) constitutes a comprehensive and authoritative statement of the personal data protection posture adopted by AgroSync, UAB (“AgroSync,” “we,” “us,” or “our”) in respect of the AgroSync Indonesia solution suite, encompassing without limitation the government portal, cooperative portal, and farmer mobile application (collectively, the “Services”). The Policy is intended to be interpreted in concert with, and to the fullest extent harmonized under, (a) the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) and (b) the Indonesian Personal Data Protection Law No. 27 of 2022 and its implementing regulations and ancillary guidance (“PDP Law”). Where obligations diverge, the stricter or more protective regime prevails by design.

By accessing, installing, or otherwise using any portion of the Services, you irrevocably acknowledge that you have read, understood, and accepted this Policy. Capitalized terms not otherwise defined herein shall have the meaning ascribed in the GDPR or PDP Law as context dictates. This Policy is written to be over-inclusive and interpretively expansive to ensure coverage of foreseeable and unforeseeable processing scenarios within the lawful perimeter.

1) Definitions, Construction, and Interpretive Canon

1.1 Broad Construction. Terms such as “Personal Data,” “Processing,” “Controller,” “Processor,” “Transfer,” and “Data Subject” shall be construed maximally within the limits of applicable law so as to capture any information, operation, or actor that could reasonably fall within the protective ambit of the GDPR and PDP Law.
1.2 Supplemental Concepts. “Aggregated Data” denotes data that have undergone rigorous anonymization such that re-identification is not reasonably possible given current and reasonably foreseeable techniques; “Pseudonymised Data” denotes data processed such that they cannot be attributed to a specific Data Subject without the use of additional information held separately under technical and organizational controls; “Sensitive Data” includes, inter alia, location data, financial identifiers, health-related information, children’s data, and any category deemed sensitive by PDP Law or applicable sectoral guidance.
1.3 Order of Precedence. In the event of interpretive friction: (i) mandatory law; (ii) a signed governmental or cooperative agreement; (iii) a Data Processing Addendum (“DPA”); (iv) this Policy; (v) in-product notices.

2) Scope, Roles, and Allocation of Responsibility

2.1 Scope. This Policy governs Processing in connection with the Services for: (a) farmers (mobile end users), (b) cooperatives / organizations (administrators and agronomic staff), and (c) governmental / institutional users.
2.2 Controller Posture. AgroSync acts as Controller for account, identity, telemetry, platform security, and product analytics data.
2.3 Processor Posture. Where a government ministry, agency, or cooperative provides source datasets (e.g., registries, subsidy datasets, parcel records) and instructs AgroSync on limited-scope Processing, AgroSync shall act as Processor strictly per written instructions, with the ministry/agency/cooperative remaining the Controller.
2.4 Joint Arrangements. Where joint determination occurs, a documented allocation of responsibilities will be implemented pursuant to GDPR Art. 26-style arrangements and PDP Law requirements.

3) Data Categories, Sources, and Provenance Controls

3.1 Categories. We may collect and Process: (a) Identity & Account Data (name, email, phone, organization, roles, credential material, audit trails); (b) Farm & Operational Data (field polygons; crop type; planting/sowing dates; input plans and actuals for seed, fertilizer, and chemical applications; scouting notes; pest/disease reports; harvest results and yield metrics); (c) Geospatial & Imaging Data (satellite tiles, rasters, vectors, derived indices, zoning/prescription layers); (d) Device & Usage Data (IP address, device model, OS/SDK versions, crash/diagnostic logs, event telemetry); (e) Location/GPS Data (with device permissions); (f) Financial/Transactional Data (invoicing metadata and payment confirmations processed via PCI-compliant providers); (g) Support & Communications (tickets, emails, call/chat transcripts where lawful); and (h) Derived, Pseudonymised, Aggregated outputs.
3.2 Sources. Data originate from Data Subjects, organizational administrators, cooperative/government program sources, publicly available datasets, and automated capture via SDKs, cookies, or sensors.
3.3 Provenance. Uploading parties warrant lawful collection and transfer, including obtaining any required consents or notices for datasets they provide. AgroSync reserves the right to audit provenance representations to the extent reasonably necessary to satisfy compliance obligations.

4) Purposes and Legal Bases (Exhaustive, Non-Limiting)

4.1 Contractual Necessity. Provision of core functionality; creation and maintenance of accounts and roles; generation of mapping, monitoring, zoning, and program dashboards; delivery of recommendations and operational exports; user support.
4.2 Legitimate Interests. Information security; fraud and misuse prevention; service integrity and availability; diagnostic analytics; product research and development; capacity planning; internal governance and compliance testing. We implement balancing tests and honor objections where mandated.
4.3 Consent. GPS access; optional analytics/diagnostics cookies and SDKs; beta participation; certain communications. Consent is granular, recorded, and revocable prospectively.
4.4 Legal Obligations & Public Interest. Audits, record-keeping, sanctions and anti-corruption compliance, responses to binding governmental orders, and safety-related notifications where authorized or required.
4.5 Compatibility. We do not Process for incompatible purposes without appropriate safeguards and, where required, renewed consent.

5) Cookies, SDKs, and Similar Technologies

5.1 Strictly Necessary. Authentication, load balancing, and preference cookies/SDKs operate by default.
5.2 Optional Analytics. Non-essential analytics are opt-in in jurisdictions requiring consent. Browser or OS settings may also regulate tracking.
5.3 Do Not Track. Industry standards for DNT signals remain unsettled; we treat explicit in-product preferences as authoritative where available.

6) Data Localization, Transfers, and Cross-Border Safeguards

6.1 Residency. Primary data residency for AgroSync Indonesia is within the territory of Indonesia.
6.2 Restricted Transfers. Limited remote access from outside Indonesia may occur (e.g., 24/7 support, security investigations, resiliency testing) subject to: (i) a transfer impact assessment, (ii) appropriate safeguards (e.g., contractual clauses, encryption, access gating), and (iii) compliance with PDP Law Art. 56 and GDPR Chapter V.
6.3 Encryption & Segregation. Data in transit and at rest are encrypted using industry-standard cryptography; production access is role-scoped, time-bounded, and logged.
6.4 Governmental Requests. We scrutinize requests for legality, scope minimization, and necessity, challenge overbroad or extraterritorial demands where feasible, and disclose only what is strictly compelled.

7) Security Governance, SDLC, and Incident Response

7.1 Governance. Security management aligns to ISO/IEC 27001-style controls, including risk assessments, vendor due diligence, employee background checks where lawful, and mandatory security training.
7.2 SDLC. Secure development lifecycle practices include code review, dependency scanning, secrets management, and environment segregation.
7.3 Incident Response. A documented runbook governs detection, triage, containment, eradication, and recovery; post-incident reviews drive corrective actions.
7.4 Notification. Where a personal data breach triggers notification obligations, we will notify competent authorities and Data Subjects without undue delay and target the 72-hour window or earlier when practicable.
7.5 Disclaimer. To the maximum extent permitted by law, we disclaim responsibility for any indirect, incidental, consequential, punitive, exemplary, or special loss alleged to arise out of any security incident notwithstanding our adherence to commercially reasonable measures.

8) Retention, Archiving, and Deletion

8.1 Schedules. Retention is calibrated by category and purpose (e.g., account records per statutory minimums; telemetry for security windows).
8.2 Backup Cycling. Backups and disaster recovery snapshots cycle out on fixed schedules; restoration is not guaranteed for user-deleted content.
8.3 Deletion. Upon expiry, data are irreversibly anonymized or securely destroyed. We disclaim liability for any loss arising from lawful deletion or irreversible anonymization.

9) Data Subject Rights and Operational Mechanics

9.1 Rights. Access, rectification, erasure, restriction, objection, portability, and withdrawal of consent, subject to statutory conditions and exceptions.
9.2 Verification. We will authenticate identity via proportionate measures.
9.3 Processor Context. Where we act as Processor, we will relay requests to the Controller and assist per DPA.
9.4 Response Windows. Statutory deadlines apply; complex requests may be extended as permitted.
9.5 Limitation. We shall not be liable for consequences arising from the exercise (or non-exercise) of rights to the extent permitted by law.

10) Children and Vulnerable Persons

The Services target professional agricultural use. Where youth or household data are implicated in public programs, we implement heightened safeguards, parental/guardian authorizations, and purpose minimization.

11) Ownership, Licensing, and Aggregation Doctrine

11.1 Ownership. You own the Farm Data and content you submit.
11.2 License to AgroSync. You grant us a non-exclusive, transferable, sublicensable, worldwide license to host, process, reproduce, transmit, display, adapt, and create derivative operational outputs for the purposes set out herein and to generate Aggregated Data.
11.3 Aggregated / De-identified Outputs. Aggregated Data is owned by AgroSync and may be used for statistical analysis, research, benchmarking, and product development, provided re-identification is not reasonably possible.

12) Processors, Sub-Processors, and Third Parties

12.1 Appointment. We appoint Processors and Sub-Processors (hosting, storage, security, analytics, communications, payment, imagery providers) under written terms imposing confidentiality, security, and data protection obligations equivalent to this Policy and applicable law.
12.2 Oversight. We maintain a registry of Sub-Processors and implement onboarding and periodic reassessment.
12.3 Third-Party Policies. Third-party terms control your use of third-party services; review them prior to enablement.

13) Disclaimers; Allocation of Risk (Privacy)

13.1 Informational Character. Insights, indices, models, recommendations, and prescriptions are advisory only and may contain inaccuracies or be unsuitable for specific parcels, crops, or seasons. Independent verification is essential prior to implementation.

13.2 No Liability. To the maximum extent permitted by law, AgroSync disclaims any responsibility for outcomes, yield variance, crop loss, environmental or ecological impacts, financial or opportunity costs, fines, penalties, regulatory actions, reputational harm, data loss, corruption, latency, downtime, incompatibility, or any loss associated with reliance on data or outputs, service interruption, or third‑party failures, whether foreseeable or unforeseeable.

13.3 Non‑Waivable Rights. Nothing herein purports to waive non‑waivable statutory rights; where a disclaimer is unenforceable, it applies to the fullest permissible extent.

13.4 No Duty to Monitor. AgroSync has no obligation to monitor fields, operations, or regulatory compliance in real time; alerts and notifications, if provided, are best‑effort only.

14) Changes and Versioning

We may amend this Policy to reflect legal, technical, or organizational developments. Material changes will be signposted; continued use after the effective date constitutes acceptance.

15) Contact and Supervisory Authorities

Controller: AgroSync, UAB (306755037) • Mokslininkų g. 2A, LT‑08412, Vilnius, Lithuania • info@agrosync.io
Authorities: Lithuania – State Data Protection Inspectorate (VDAI); Indonesia – PDP Authority / Kominfo.