EU/UK GDPR Information
Effective date: November 3, 2025
This page supplements the Privacy Policy of Crop Help and explains our practices under the EU General Data Protection Regulation (GDPR) and the UK GDPR. Crop Help is owned and operated by Stem Minds Corp. (“Stem Minds”, “we”, “us”, “our”). Stem Minds is based in Ontario, Canada and processes personal data of individuals in the European Economic Area (“EEA”) and the United Kingdom (“UK”) as described here.
1) Controller, Representatives & Contact
Data Controller: Stem Minds Corp. (owner/operator of Crop Help). Unless stated otherwise, we are the controller of personal data collected via our websites and Services.
- Primary contact (privacy)
- privacy@stemminds.com
General inquiries: info@stemminds.com - Mailing address
- Stem Minds Corp., 212 Earl Stewart Dr, Unit #3, Aurora, ON L4G 6V7, Canada
- EU Representative (Art. 27 GDPR)
- To be appointed; details will be published here.
- UK Representative (Art. 27 UK GDPR)
- To be appointed; details will be published here.
2) Scope
This notice applies to personal data processed by Crop Help in connection with our websites, products, and services (“Services”). It does not apply to anonymous or aggregated information that cannot reasonably be linked to an identifiable person.
3) Key GDPR Definitions
Open definitions
- Personal data
- Any information relating to an identified or identifiable natural person.
- Processing
- Any operation on personal data (e.g., collection, storage, use, disclosure, deletion).
- Controller
- The party that determines purposes and means of processing.
- Processor
- The party that processes personal data on behalf of the controller.
4) Categories of Personal Data
Typical categories processed by the Services are:
| Category | Examples | Source |
|---|---|---|
| Account & Profile | Name, email, organization, hashed password, role, preferences | You / your organization |
| Uploads & Project Data | Crop/field images, annotations, plot IDs, optional coordinates/EXIF | You / your devices |
| Usage & Device | IP address, device/browser info, logs, telemetry | Automatic |
| Support & Communications | Tickets, chat transcripts, feedback | You |
| Integrations (optional) | Data exchanged with services you connect (e.g., storage, mapping) | Third party (per your settings) |
5) Lawful Bases for Processing (Art. 6 GDPR)
Depending on context, we rely on one or more of the following lawful bases:
- Contract — to provide and support the Services you request (e.g., accounts, uploads, detections).
- Legitimate interests — to secure, improve, and operate the Services in a way that does not override your rights and freedoms (we conduct balancing tests).
- Consent — for non-essential cookies/analytics, certain marketing, or optional data uses; you may withdraw at any time.
- Legal obligation — to comply with applicable laws and lawful requests.
| Purpose | Examples | Lawful Basis |
|---|---|---|
| Deliver core features | Accounts, authentication, uploads, detections, reports | Contract |
| Support & communications | Troubleshooting, announcements, policy updates | Contract / Legitimate interests |
| Security & abuse prevention | Fraud/spam detection, access controls, incident response | Legitimate interests / Legal obligation |
| Analytics & product improvement | Aggregated usage metrics, quality & reliability | Legitimate interests / Consent (where required) |
| Marketing (optional) | Newsletters or campaigns you subscribe to | Consent (withdrawable) |
6) AI & Computer Vision Transparency
We apply computer vision/machine learning to crop images to detect potential plant health issues and trends. Outputs are probabilistic and may be inaccurate. We use de-identified or aggregated data to improve models; where required, we will seek consent or provide an opt-out. Limited human review may occur for quality evaluation under confidentiality.
7) Processors & Sub-Processors
We engage vetted service providers for hosting, storage, analytics, support, security, and communications. Each provider is bound by a data processing agreement that includes confidentiality, security, and sub-processing restrictions. A current list of material sub-processors is available on request and will be provided to enterprise customers in the DPA.
8) International Data Transfers
Personal data may be processed in countries outside the EEA/UK (including Canada and the United States). Where data are transferred internationally, we use appropriate safeguards such as:
- EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum;
- Risk assessments and supplementary measures where appropriate;
- Contractual commitments with processors to maintain equivalent protections.
9) Data Retention
We retain personal data only for as long as necessary to fulfill the purposes described, comply with legal obligations, resolve disputes, and enforce agreements. Retention periods vary by data type and context (e.g., account records vs. uploads vs. telemetry). When data are no longer needed, we delete or irreversibly de-identify them, and maintain limited backups for disaster recovery for a defined period.
10) Security (Art. 32 GDPR)
We implement technical and organizational measures appropriate to the risk, including encryption in transit, access controls, environment isolation, logging, least-privilege practices, and periodic reviews. No system is perfectly secure; we cannot guarantee absolute security. If we discover a personal data breach likely to result in a risk to individuals, we will notify relevant authorities and affected users as required.
11) Automated Decision-Making & Profiling
We do not perform automated decision-making that produces legal or similarly significant effects about individuals within the meaning of Art. 22 GDPR. Our computer vision outputs are decision-support for agronomy workflows and are subject to human interpretation.
12) Your GDPR Rights
Subject to conditions and exceptions in the GDPR, you have the following rights regarding your personal data:
- Access to your personal data and certain information about our processing (Art. 15).
- Rectification of inaccurate or incomplete data (Art. 16).
- Erasure (“right to be forgotten”) where applicable (Art. 17).
- Restriction of processing in certain circumstances (Art. 18).
- Portability of data provided by you in a commonly used, machine-readable format (Art. 20).
- Objection to processing based on legitimate interests or direct marketing (Art. 21).
- Withdraw consent at any time where processing is based on consent (Art. 7(3)).
To exercise your rights, contact us at privacy@stemminds.com. We may need to verify your identity and will respond within the timelines set by law. If we act as a processor for your organization, please direct your request to that organization; we will support them as required by our DPA.
13) Complaints & Supervisory Authorities
You have the right to lodge a complaint with your local data protection authority (DPA) in the EEA/UK. We encourage you to contact us first so we can address your concerns.
15) Controller–Processor Terms (DPA)
For enterprise customers where Crop Help acts as processor, our DPA incorporates requirements of Art. 28 GDPR, including subject matter and duration of processing, nature and purpose, types of personal data, categories of data subjects, confidentiality, security measures, sub-processor controls, and assistance with data subject requests and DPIAs. Contact us to obtain a copy for your records.
16) Changes to This GDPR Notice
We may update this page to reflect changes in our practices or legal requirements. If changes are material, we will provide appropriate notice and update the effective date above.