Privacy Policy
Last updated: February 8, 2026
1. Introduction
PlotObit ("we", "us", or "our") operates the irrigation verification platform at www.plotobit.com and related services including the PlotObit dashboard, SMS notification system, USSD service, and IoT sensor network.
This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our services. We are committed to protecting your privacy in accordance with the Kenya Data Protection Act, 2019, the EU General Data Protection Regulation (GDPR), and other applicable data protection laws.
2. Data Controller
PlotObit is the data controller responsible for your personal data. For any data protection inquiries, contact us at:
- Email: privacy@plotobit.com
- Address: Nairobi, Kenya
3. Data We Collect
3.1 Information You Provide
- Account information: Full name, email address, phone number (+254), farm location (county)
- Farm details: Plot names, crop types, irrigation schedules, device serial numbers
- Communications: Messages you send us via email, WhatsApp, or support channels
3.2 Sensor & IoT Data
- Irrigation data: Water flow rates, volumes delivered, pump runtime, moisture levels
- Environmental data: Temperature, humidity, pressure readings from field sensors
- Device data: Battery voltage, gateway connectivity status, sensor health metrics
- Satellite data: NDVI (Normalized Difference Vegetation Index) and crop health indicators derived from publicly available Sentinel-2 satellite imagery
3.3 Automatically Collected Data
- Usage data: Pages visited, features used, time spent on dashboard
- Device information: Browser type, operating system, IP address
- Cookies: See Section 8 (Cookie Policy) below
4. How We Use Your Data
We process your personal data for the following purposes:
- Service delivery: Providing irrigation verification, SMS digests, alerts, and dashboard access
- Account management: Creating and managing your account, processing free pilot enrollment
- Communication: Sending daily SMS irrigation reports, critical alerts (no-flow, low-flow, pump abnormal), and service updates
- Analytics & improvement: Understanding how our service is used to improve features and user experience
- Billing: Processing subscription payments and managing billing records
- Legal compliance: Meeting regulatory obligations under Kenyan and applicable international law
5. Legal Basis for Processing
We process your data based on the following legal grounds:
- Consent: You provide explicit consent when signing up for our service and opting into SMS notifications
- Contract performance: Processing necessary to deliver the irrigation verification service you requested
- Legitimate interest: Improving our service, ensuring security, and preventing fraud
- Legal obligation: Compliance with the Kenya Data Protection Act, 2019 and other applicable laws
6. Data Sharing & Third Parties
We may share your data with the following categories of recipients:
- SMS providers: To deliver daily irrigation digests and alerts to your phone number (Africa's Talking / Twilio)
- Payment processors: To process subscription payments (M-Pesa / Stripe)
- Cloud infrastructure: Our servers are hosted on secure VPS infrastructure. Sensor data is stored in TimescaleDB; account data in PostgreSQL
- Satellite data providers: We use publicly available Sentinel-2 data from the European Space Agency (ESA). No personal data is shared with ESA
We do not sell your personal data to third parties. We do not share your farm data with competitors, insurance companies, or financial institutions without your explicit written consent.
7. Data Retention
- Account data: Retained for the duration of your account plus 12 months after a deletion request
- Sensor readings: Raw sensor data retained for 90 days; aggregated data retained for up to 3 years for trend analysis
- Billing records: Retained for 7 years as required by Kenyan tax regulations
- SMS logs: Delivery metadata retained for 30 days
8. Cookie Policy
Our website uses the following cookies:
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| plotobit_consent | Necessary | Stores your cookie consent preference | 12 months |
| _ga, _ga_* | Analytics | Google Analytics — measures site usage (only with your consent) | 2 years |
Analytics cookies are only set after you provide consent via our cookie banner. You can withdraw consent at any time by clearing your browser cookies or using the cookie settings on our website.
9. Your Rights
Under the Kenya Data Protection Act, 2019 and the GDPR, you have the following rights:
- Right of access: Request a copy of the personal data we hold about you
- Right to rectification: Request correction of inaccurate or incomplete data
- Right to erasure: Request deletion of your personal data ("right to be forgotten")
- Right to restrict processing: Request that we limit how we use your data
- Right to data portability: Receive your data in a structured, machine-readable format
- Right to object: Object to processing based on legitimate interest or for direct marketing
- Right to withdraw consent: Withdraw consent at any time without affecting prior processing
To exercise any of these rights, contact us at privacy@plotobit.com. We will respond within 30 days.
10. Data Security
We implement appropriate technical and organizational measures to protect your data, including:
- Encryption in transit (TLS/HTTPS for all API and web communications)
- Access controls and authentication for all internal systems
- Regular database backups with encrypted storage
- Sensor data transmitted via encrypted MQTT channels
11. International Data Transfers
Our primary servers are located in Europe. If your data is transferred outside Kenya, we ensure appropriate safeguards are in place in accordance with the Kenya Data Protection Act, 2019 and GDPR requirements, including standard contractual clauses where applicable.
12. Children's Privacy
Our services are not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, please contact us immediately at privacy@plotobit.com.
13. Complaints
If you are unsatisfied with how we handle your personal data, you have the right to lodge a complaint with:
- The Office of the Data Protection Commissioner (ODPC), Kenya — www.odpc.go.ke
- Your local data protection authority if you are located in the EU/EEA
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via SMS or email at least 14 days before the changes take effect. The "Last updated" date at the top reflects the most recent revision.
If you have any questions about this Privacy Policy, please contact us at privacy@plotobit.com.