Privacy Policy

Last updated: March 2026

1. Who We Are

MyFarmer operates the MyFarmer mobile app. We are the data controller for personal data collected through the app.

Contact: it.myfarmer@gmail.com

ICO Registration: [to be added before launch]

2. What Data We Collect

Buyers:

• Name and email address (at signup)
• Postcode or approximate location (to show nearby farms)
• Shopping list activity
• Push notification token (only if you grant notification permission — used solely to send you stock alerts you have opted into)

Farmers:

• Name and email address (at signup)
• Farm name, address, phone number, email
• Product listings (names, prices, stock levels, photos)
• Opening hours and schedule

All users:

• App usage data (pages visited, features used)
• Device type and operating system (for debugging only)

We do NOT collect payment information, financial data, or sensitive personal data.

3. How We Use Your Data

• To operate the app and provide its core features
• To show buyers farms and products near their location
• To allow farmers to manage their listings
• To send in-app and push notifications you have opted into (e.g. out-of-stock alerts, farm hours updates) — push notifications require your explicit permission and can be withdrawn at any time in your device Settings
• To investigate reports of policy violations
• To improve the app based on usage patterns

4. Legal Basis (UK GDPR)

We process your data on the following legal bases under the UK GDPR and the Data Protection Act 2018:

• Contract (Article 6(1)(b)): to provide the service you signed up for
• Legitimate interests (Article 6(1)(f)): to operate, secure, and improve the platform; to detect and prevent abuse; to retain anonymised moderation records to protect other users
• Consent (Article 6(1)(a)): for optional features — location access, push notifications. You may withdraw consent at any time.
• Legal obligation (Article 6(1)(c)): where required by applicable law

Push notifications are also governed by the Privacy and Electronic Communications Regulations 2003 (PECR). We only send push notifications where you have given explicit permission via your device's notification prompt. You can revoke this at any time in your device Settings → Notifications → MyFarmer.

5. Who We Share Data With

We do not sell your personal data. We share data only with the following processors:

• Supabase Inc. (USA) — database, authentication, and file storage. Data stored on EU-region servers. Transfers covered by Standard Contractual Clauses (SCCs). See supabase.com/privacy.
• Stripe Inc. (USA) — subscription billing for farmer accounts. Stripe is certified under the UK-US Data Bridge and uses SCCs. See stripe.com/gb/privacy.
• Expo (USA) — push notification delivery. Your push token is sent to Expo solely to deliver service notifications you have opted into. See expo.dev/privacy.
• Apple / Google — app distribution and push notification routing. Subject to their own privacy policies.

We do not share your personal details (name, email, address) with other users of the platform.

6. Data Retention

• Account data: retained while your account is active. Permanently deleted within 30 days of account deletion.
• Shopping list: individual items expire after 7 days. All data deleted immediately on account deletion.
• Notification history: read notifications purged after 30 days. All deleted on account deletion.
• Push notification token: deleted immediately when you revoke permission or delete your account.
• Reports you submitted: your identity is removed when you delete your account. The report content may be retained in anonymised form for platform safety.
• Farmer billing records: Stripe retains payment records for 6 years for HMRC compliance. Contact Stripe directly to exercise rights over payment data.

Anonymised, non-identifiable usage statistics may be retained indefinitely.

7. Your Rights (UK GDPR)

Under UK GDPR and the Data Protection Act 2018, you have the right to:

• Access: request a copy of the personal data we hold about you
• Rectification: correct inaccurate or incomplete data
• Erasure: delete your account directly via Settings → Delete Account
• Restriction: ask us to pause processing in certain circumstances
• Objection: object to processing based on legitimate interests
• Data portability: receive your data in a structured format
• Withdraw consent: at any time for consent-based processing

To exercise any right (other than account deletion, which is self-service), contact us at it.myfarmer@gmail.com. We will respond within one calendar month.

You also have the right to complain to the Information Commissioner's Office (ICO):

• ico.org.uk/concerns
• 0303 123 1113

8. Security

Session tokens are stored in your device's encrypted keychain. All data in transit is encrypted via HTTPS/TLS. Database access is protected by Row Level Security — each user can only access their own data.

9. International Transfers

Your data is primarily stored on EU-region servers (Supabase). Some data is transferred to processors based in the USA (Stripe, Expo) under Standard Contractual Clauses and the UK-US Data Bridge. We do not transfer data to countries without adequate protections.

10. Children

The app is not directed at children under 18. We do not knowingly collect data from under-18s. If you believe a child has created an account, contact us at it.myfarmer@gmail.com.

11. Changes

We may update this policy. We will notify you of significant changes via the app. Continued use constitutes acceptance.