GDPR Compliance

Last updated: December 8, 2025

Our Commitment

Harvestry is committed to protecting the privacy and security of personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws. We have implemented comprehensive measures to ensure compliance and safeguard your rights.

1. What is GDPR?

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that became applicable on May 25, 2018. It applies to organizations established in the European Union (EU) and European Economic Area (EEA), and to organizations located elsewhere that offer goods or services to, or monitor the behavior of, individuals in the EU/EEA.

GDPR establishes strict requirements for how personal data must be collected, processed, stored, and protected, and grants individuals enhanced rights over their personal data.

2. Our Role Under GDPR

2.1 As a Data Controller

When Harvestry collects and processes personal data for our own purposes (such as managing customer accounts, marketing, and analytics), we act as a Data Controller. In this role, we determine the purposes and means of processing personal data.

2.2 As a Data Processor

When we process personal data on behalf of our customers (such as cultivation data and employee information entered into our platform), we act as a Data Processor. We process this data only in accordance with our customers' instructions and applicable agreements.

3. Lawful Basis for Processing

We only process personal data when we have a valid lawful basis under GDPR. The lawful bases we rely on include:

  • Contractual Necessity: Processing necessary to perform our contract with you (e.g., providing the Services you subscribed to).
  • Consent: Where you have given clear consent for us to process your data for a specific purpose (e.g., marketing communications).
  • Legitimate Interests: Processing necessary for our legitimate interests, provided they are not overridden by your rights (e.g., improving our Services, security).
  • Legal Obligation: Processing necessary to comply with legal requirements (e.g., tax records, regulatory reporting).

4. Your Rights Under GDPR

If you are located in the EU/EEA, you have the following rights regarding your personal data:

Right of Access (Article 15)

You have the right to request a copy of the personal data we hold about you, along with information about how we use it.

Right to Rectification (Article 16)

You have the right to request correction of any inaccurate or incomplete personal data we hold about you.

Right to Erasure / "Right to be Forgotten" (Article 17)

You have the right to request deletion of your personal data in certain circumstances, such as when it is no longer necessary for the purpose it was collected.

Right to Restriction of Processing (Article 18)

You have the right to request that we restrict the processing of your personal data in certain circumstances (e.g., while we verify the accuracy of your data).

Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.

Right to Object (Article 21)

You have the right to object to processing based on legitimate interests or for direct marketing purposes.

Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing that significantly affect you, and to request human intervention.

Right to Withdraw Consent

Where we rely on consent to process your data, you have the right to withdraw that consent at any time.

5. How to Exercise Your Rights

To exercise any of your GDPR rights, you can:

We will respond to your request within 30 days of receipt. We may need to verify your identity before acting on your request. Where a request is complex or we receive a large number of requests, we may extend this period by up to two further months, and we will tell you within the initial period if we do so. Where a request is manifestly unfounded or excessive, we may charge a reasonable fee or decline to act on it, as permitted by GDPR.

6. International Data Transfers

As a company based in the United States, we may transfer personal data from the EU/EEA to the US and other countries. When we do so, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): We use EU-approved SCCs for transfers to countries without adequacy decisions.
  • Data Processing Agreements: We enter into GDPR-compliant DPAs with all sub-processors.
  • Supplementary Measures: We implement additional technical and organizational measures as needed.

7. Data Protection Measures

We have implemented comprehensive technical and organizational measures to protect personal data, including:

  • Encryption of data in transit (TLS 1.3) and at rest (AES-256)
  • Access controls and role-based permissions
  • Regular security assessments and penetration testing
  • Employee training on data protection
  • Incident response and breach notification procedures
  • Data minimization and retention policies
  • Privacy by design and default principles

8. Data Processing Agreement (DPA)

For customers who need a Data Processing Agreement for GDPR compliance, we offer a standard DPA that covers:

  • Subject matter and duration of processing
  • Nature and purpose of processing
  • Types of personal data and categories of data subjects
  • Obligations and rights of the controller
  • Sub-processor requirements
  • Security measures
  • Audit rights
  • Standard Contractual Clauses

To request a DPA, please contact us at legal@harvestry.io.

9. Sub-Processors

We use trusted sub-processors to help provide our Services. Key sub-processors include:

Sub-Processor               Purpose                          Location
Amazon Web Services (AWS)   Cloud hosting & infrastructure   US/EU
Supabase                    Database & authentication        US/EU
Stripe                      Payment processing               US
SendGrid                    Email delivery                   US
Google Analytics            Website analytics                US

We maintain an up-to-date list of sub-processors and can notify you of changes upon request.

10. Data Breach Notification

In the event of a personal data breach, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms
  • Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms
  • Document all breaches, including the facts, their effects, and the remedial actions taken
  • Where we act as a processor, notify affected customers (as controllers) without undue delay after becoming aware of a breach affecting their data

11. Data Protection Officer

For questions about our GDPR compliance or to exercise your rights, you can contact our Privacy Team:

Harvestry Privacy Team

Email: privacy@harvestry.io

12. Complaints

If you believe we have not handled your personal data properly, you have the right to lodge a complaint with a supervisory authority. For EU/EEA residents, you can contact the data protection authority in the member state of your habitual residence, your place of work, or the place where the alleged infringement occurred.

We encourage you to contact us first at privacy@harvestry.io so we can try to resolve your concerns directly.