Privacy Policy of the CropiGo Platform

Last updated: April 17, 2026

This Privacy Policy sets out the rules for collecting, processing, and protecting personal data in connection with the use of the website https://cropigo.com/ and the CropiGo mobile applications (available on Google Play and the App Store).

1. General Information and Data Controller

The Data Controller (in relation to the personal data of Users creating an account) is:
Boruta.info - Sebastian Boruta
Plac Wojska Polskiego 21, 89-300 Wyrzysk, Poland
VAT ID (NIP): PL7642654830
(hereinafter referred to as the "Provider" or "Data Controller").

For all matters related to privacy and account management, you can contact us via email at: [email protected].

2. Division of Roles: Data Controller vs. Data Processor

Due to the nature of the CropiGo platform (a B2B SaaS system supporting harvest management), there are two distinct roles regarding personal data protection, in accordance with the General Data Protection Regulation (GDPR):

Provider as Data Controller:
The Provider is the Data Controller for the individuals who create an account in the CropiGo system (Farm Owners, subscribers).
Provider as Data Processor:
Regarding the data entered into the system by the Farm Owners – such as employee data, phone numbers, or information about harvests and locations – the Provider acts solely as a Data Processor on behalf of the user (providing data hosting services).
- The Farm Owner (User) remains the sole Data Controller of this data.
- No data verification: The Provider does not verify the correctness, legality, or content of the data entered by the User. The full and exclusive responsibility for having an appropriate legal basis for processing employee data (including geolocation data) and fulfilling the information obligation towards them rests with the User.
- User's Responsibility: In the event of the loss of access data (password) by the User or sharing it with third parties, the liability for any potential data security breach rests entirely with the User.

3. Processing of User Data (Provider as Data Controller)

User data (account holders on the CropiGo platform) are processed within the following scope and purposes:

Data Category	Scope of Data	Purpose of Processing	Legal Basis (GDPR)
Account Data	Login, email address, encrypted password.	Registration, login, technical account support, identity verification.	Art. 6(1)(b) (Performance of a contract)
Organization Data	Farm name, unique URL identifier (slug).	Creating isolated environments for farms and managing system permissions.	Art. 6(1)(b) (Performance of a contract)
Payment & Billing Data	Tax ID, business address, company name, transaction data.	Processing license payments, accounting, and issuing invoices.	Art. 6(1)(c) (Legal obligation) and (b) (Performance of a contract)
Technical Data	IP address, system logs.	Error diagnostics, fraud prevention, ensuring platform security.	Art. 6(1)(f) (Legitimate interest)

4. Processing of Employee and Farm Data (Provider as Data Processor)

As part of providing access to the CropiGo platform, the Provider stores the following data entered and managed independently by the Users:

Employee identification data: First name, last name, phone number.
Operational and financial data: Harvest parameters (type, date, quantity), remuneration data (e.g., for piecework), crate numbers, balances to be paid.
Geolocation data (GPS): The mobile application uses the device's location services to precisely position harvests on the farm.
- Mechanism of action: The application retrieves location data continuously only when it is active (running in the foreground). Access to location requires prior, explicit consent at the operating system level (Android/iOS). The application does not retrieve location data in the background.
- Purpose and data saving: Despite the continuous retrieval of data by the device while the app is active, the saving of this data on the Provider's servers occurs solely at the moment of a conscious action performed by the User (e.g., confirming a harvested crop record). The saved location is used strictly for the Farm Owner's record-keeping and management purposes.

5. Data Recipients (Sub-processors)

To ensure the reliability and highest quality of services, the Provider uses trusted third-party entities (Sub-processors) to whom data may be shared to the strictly necessary extent:

Cloud infrastructure providers: To maintain servers and databases (ensuring logical separation of client data).
Payment operators: External payment gateway operators, including Google LLC (Google Pay) and Apple Inc. (Apple Pay).
Telecommunication service providers: SMS gateway operators (only when using the optional communication feature).
Accounting services: The accounting firm handling the tax settlements of Boruta.info.

6. Data Retention Period

User Data (Accounts): Stored for the duration of possessing an active account on the platform.
Entrusted Data (Employees, Harvests): Stored for the duration of the active subscription and up to 2 years after its expiration (to allow smooth license renewal and data export). After this time, the data is irreversibly deleted unless the User deletes it earlier.
Accounting Documentation: Invoices and related transaction data are stored for a period of 5 years, counting from the end of the calendar year in which the tax payment deadline expired (in accordance with Polish law).

7. Rights of Data Subjects

Under the GDPR, Users of the CropiGo platform (account owners) have, among others, the right to access data, rectify it, restrict processing, and data portability.

Right to erasure (right to be forgotten): The User can delete their account at any time directly from the mobile app settings or by sending a request to [email protected]. Deleting the Farm Owner's account results in the immediate, permanent deletion of the isolated database (farm) and all related records without the possibility of recovery.
Right to lodge a complaint with a supervisory authority (the President of the Personal Data Protection Office in Poland).

Limitation regarding Employee claims: The Provider, acting solely as a Data Processor, is not authorized to independently modify or delete data entered by Users. Any inquiries, requests for data deletion, or objections reported directly to the Provider by farm employees will be immediately forwarded to the respective Farm Owner (the Data Controller of the employee) for consideration.

8. Cookies and Tracking Technologies

The website https://cropigo.com/ and web applications use strictly necessary cookies solely for the proper technical operation of the platform (e.g., maintaining a secure session, language preferences). Users can manage cookies in their browser settings.

9. Security Measures and Limitation of Liability

The Provider prioritizes data security and applies high protection standards, including:

Data transmission encryption using SSL/TLS protocols.
Multi-tenant architecture with logical database separation, preventing access between organizations (farms).
Strong cryptographic hashing of user passwords.

Disclaimer of absolute guarantee: Despite implementing advanced technical and organizational measures, no IT system or data transmission over the Internet guarantees 100% security. The User uses the system with the awareness of this fact. The Provider shall not be liable for unauthorized access to data, its loss, or modification if it results from circumstances beyond the Provider's reasonable control, including User errors (e.g., using a weak password, an infected end device), force majeure, or cyberattacks exceeding standard defense mechanisms.

10. Changes to the Privacy Policy

The Provider reserves the right to make changes to this Privacy Policy. Users will be notified of any significant updates electronically (via email) or through a notification in the mobile application, reasonably in advance of the changes taking effect.