Privacy Policy

01 Who we are

This Privacy Policy explains how Earth United Ventures B.V. (“we”, “us”, “our”) collects, uses, and shares personal data about you when you use the EcoDesign web application and related services (the “Service”).

For the purposes of the EU General Data Protection Regulation (GDPR) and the UK GDPR, Earth United is the data controller for the personal data described in this policy. You can contact us at info@earthunited.eco.

02 Data we collect

Account data

• First name, last name, email address
• Hashed password (we never store your password in plain text)
• Account creation date, last login timestamp
• Subscription status, credit balance, purchase history

Project & design data

When you create projects in EcoDesign, we collect and store the data you provide and generate, including:

• Project name, location coordinates, site boundaries, and metadata
• Site analysis inputs and outputs: climate, soil, topography, hydrology, vegetation
• Building program inputs (occupants, room requirements, design preferences)
• Generated floor plans, plant guilds, planting schedules, irrigation plans, and other AI outputs
• Photos of plants, pests, soil, or sites that you choose to upload
• Conversations with AI agents (questions, feedback, ratings)

Farmer Hub data

• Farming profile: scale, experience level, current practices, water availability
• Crop selections, garden choices, transition goals, pest reports
• Photos uploaded for pest or disease identification

Technical data

• IP address, browser user-agent, device type, and timezone
• Pages visited and actions taken inside the Service
• Session identifiers and authentication tokens
• Server logs containing the timestamp of each request and any error context

Communications

When you email us, we keep a record of the correspondence to handle your enquiry.

03 How we use your data

We use personal data for the following purposes:

• Providing the Service — running your account, generating designs from your inputs, displaying weather data for your sites, processing AI agent requests
• Billing & accounts — processing one-time purchases and subscription payments, deducting credits, sending receipts, managing trial periods and renewals
• Customer support — responding to your questions and troubleshooting issues
• Service security & integrity — preventing abuse, detecting fraud, enforcing our Terms of Service, and complying with legal obligations
• Service improvement — analysing aggregated usage patterns and AI agent performance to improve quality. Where possible we use de-identified data for this purpose.
• Transactional communications — emails about your account, purchases, subscription status, security alerts, and material changes to these documents

We do not sell your personal data, and we do not use your project content or conversations with AI agents to train third-party AI models for unrelated purposes.

04 Legal basis (GDPR)

We rely on the following legal bases under Article 6 of the GDPR:

• Performance of a contract — to provide the Service and fulfil purchases you have made
• Legitimate interests — to keep the Service secure, prevent fraud, improve quality, and communicate with you about your account
• Legal obligation — to comply with tax, accounting, and consumer-protection rules
• Consent — for any optional processing for which we ask separately (for example, future marketing emails). You may withdraw consent at any time.

05 Sharing & processors

We share personal data only with service providers (“processors”) that help us operate the Service. Each processor is bound by a written agreement to handle your data only for the purposes we specify and to protect it appropriately.

We may also disclose personal data to comply with legal process, enforce our agreements, or protect our rights, property, or safety, and that of users or the public.

06 AI model processing

To deliver AI-assisted design, we transmit your project inputs and prompts to third-party AI providers (currently OpenAI, Anthropic, Google, and Perplexity). The data sent typically includes:

• Project parameters such as climate zone, soil type, area, and design goals
• Free-text descriptions you provide
• Plant or pest photos when relevant to the request
• Conversation history with the agent for context

We use these providers’ commercial APIs under terms that, at the time of writing, do not authorise the providers to use your inputs or outputs to train their generally-available models. AI providers may retain inputs for short periods to detect abuse, in line with their published policies. We do not control these third-party policies and recommend you avoid submitting highly sensitive personal information through AI agent conversations.

07 Payment data

Payments are processed by Stripe Payments Europe, Ltd. Stripe receives and holds your full payment-card data; we receive only the information needed to complete and reconcile a transaction (transaction ID, last four digits of the card, billing email, and amount). Refer to Stripe’s Privacy Policy for details of how Stripe processes your data.

08 Cookies & sessions

We use a small number of cookies and similar technologies that are strictly necessary to provide the Service:

• Session cookie — keeps you logged in across pages
• CSRF token — protects forms from cross-site request forgery
• Authentication remember-me token (if you select it at login)

We do not currently use third-party advertising cookies or cross-site tracking. If we add analytics or advertising cookies in future, we will update this policy and ask for your consent where required by law.

09 Data retention

We retain your personal data for as long as your account is active and for a reasonable period afterwards to comply with legal, accounting, and dispute-resolution obligations. Specifically:

• Account & project data — kept for the lifetime of your account, then deleted within 90 days of account closure unless we are required to retain it longer
• Billing records — kept for the period required by tax law (typically 7–10 years depending on jurisdiction)
• Server logs — typically retained for up to 30 days, then rotated
• Backups — encrypted backups may persist for a short rolling window after deletion in primary storage

10 Security

We implement reasonable technical and organisational measures to protect your data, including:

• HTTPS/TLS encryption for data in transit
• Password hashing using industry-standard algorithms
• Parameterised database queries to prevent SQL injection
• CSRF protection on form submissions
• Session-based authentication with server-side validation
• Access controls limiting employee access to data on a need-to-know basis

No method of transmission or storage is 100% secure. If we become aware of a security breach affecting your personal data, we will notify you and the relevant supervisory authority where required by law.

11 International transfers

Some of our processors are located outside the European Economic Area (notably AI model providers and certain hosting infrastructure in the United States). Where personal data is transferred outside the EEA or UK, we rely on legal transfer mechanisms such as the European Commission’s Standard Contractual Clauses, adequacy decisions, or other safeguards permitted under GDPR.

12 Your rights

Subject to applicable law (in particular GDPR for users in the EU/EEA and UK GDPR for users in the UK), you have the following rights with respect to your personal data:

• Access — request a copy of the personal data we hold about you
• Rectification — ask us to correct inaccurate or incomplete data
• Erasure (“right to be forgotten”) — request deletion of your data, subject to legal retention obligations
• Restriction — ask us to limit processing in certain circumstances
• Portability — request your data in a structured, machine-readable format
• Objection — object to processing based on our legitimate interests
• Withdraw consent — where we rely on consent, withdraw it at any time
• Lodge a complaint — with your local data-protection authority

To exercise any of these rights, email us at info@earthunited.eco. We will respond within 30 days of receiving a verifiable request, or sooner where required by law. We may need to verify your identity before fulfilling certain requests.

If you are based in the Netherlands and believe we have not handled your personal data in accordance with the law, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl. If you are based in another EU/EEA country, you may contact your local supervisory authority.

13 Children

The Service is not directed to children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided personal data, please contact us and we will delete it.

14 Changes to this policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top of the page reflects the most recent revision. If changes are material, we will notify you by email or via an in-app notice before they take effect.

15 Contact

For privacy questions, data subject requests, or any concerns about how we handle your data:

Earth United Ventures B.V. is the data controller for the personal data described in this policy. We have not appointed a Data Protection Officer; your privacy questions should be directed to the email above.