Privacy Policy

1.Introduction and scope

This Privacy Policy (the “Policy”) explains how Custom Chemistry Agri, a company registered in the Republic of South Africa with its place of business at Building 7, Unit 5 & 6, Riversands Outlet Park, Riversands Boulevard, Fourways, Gauteng 2191 (trading as “EL-I Tech”, “we”, “us”, “our”), collects, uses, discloses, stores and protects Personal Information when you interact with the EL-I Tech platform at el-i.tech and related services (the “Platform”).

The Platform enables farmers, Agricultural Input Manufacturers (“AIMs”) and authorised administrators to design and run agronomic field trials, capture in-field observations, monitor crops via satellite imagery, compute scientific and economic results, and publish anonymised findings that advance agricultural science.

This Policy applies to all users of the Platform in every region in which we operate. Where a specific jurisdiction confers additional rights or imposes additional obligations on us, those are set out in the jurisdiction-specific Annexes at the end of this Policy. In the event of conflict between the general body of this Policy and an Annex, the Annex prevails for users to whom it applies.

This Policy forms part of, and should be read together with, our Terms of Service.

2.Who we are

The data controller (under GDPR), responsible party (under POPIA), controlling agency (under the NZ Privacy Act), APP entity (under Australian law), controller (under LGPD and PIPEDA) and business/controller (under US state privacy laws) responsible for your Personal Information is:

3.Personal Information we collect

We collect the following categories of Personal Information. We collect only what we need for the purposes described in Section 4 and for no longer than required (see Section 7).

3.1 Information you provide directly

(a) Partner application information — When you apply to become a partner on the /partners page, we collect: company name, your name, email address, telephone number, your role (manufacturer, distributor, farmer or registration holder), country, sub-region (state or province), annual tonnage, primary crops, technical capabilities and any free-text notes you provide.

(b) User account information — When an account is created for you (by invitation from an administrator or AIM), we collect: email address, display name, optional telephone number, and a password that is hashed by Firebase Authentication (we never see or store the plaintext password). We also store custom authentication claims on your token: user type (administrator, AIM or farmer), region, account status, and the name of the organisation you belong to.

(c) Trial information — When a trial is created or updated, we collect: farmer name, organisation and email, farm location (GPS coordinates obtained from the browser when you click “Use my location”, and polygon boundaries you draw on a map), a geohash derived from the coordinates, crop type, cultivar, soil type, farming practices, nitrogen input rates, yield expectations, rainfall information, harvest yield measurements, moisture percentage, protein percentage, stage observation notes, voice notes (which are transcribed to text), and photographs.

(d) Communications — When you contact us, submit support requests, or interact with our marketing emails, we keep records of those communications and any related attachments.

3.2 Information collected automatically

When you use the Platform, we and our service providers may automatically collect:

• technical information such as IP address, device type, operating system, browser type and version, time zone and language;
• session information held in a single first-party session cookie issued by Firebase Authentication (a JSON Web Token used to verify that you are logged in);
• usage information via Google Analytics 4 (GA4), managed through Google Tag Manager, including pages visited, features used, time on page, referrer, and aggregated events; and
• error and performance information via Sentry (stack traces, request URL, browser information and your user type) where things go wrong, so that we can fix them. Sentry may also record anonymised session replays (with all text masked and media blocked) at a 10% sample rate to help us diagnose visual bugs.

3.3 Satellite observations

Sentinel Hub returns vegetation indices (NDVI, NDRE, EVI and similar) computed over the polygon boundaries you have drawn for your trial. These satellite observations are keyed to a trial identifier and polygon geometry only; no direct personal identifiers are attached.

3.4 Information we do not collect

We do not collect special-category data (such as racial or ethnic origin, political opinions, religious beliefs, trade-union membership, health data, sexual orientation, biometric or genetic data) in the ordinary course of operating the Platform. Please do not submit such information to us. If you believe you have done so inadvertently, please contact privacy@el-i.tech so that we can remove it.

We do not intentionally collect Personal Information from children. See Section 10.

4.How we use your Personal Information

We use your Personal Information for the purposes set out below. Where a jurisdiction requires us to identify a specific legal basis (GDPR, LGPD), the applicable basis is shown in square brackets.

4.1 To provide and operate the Platform

• authenticating you, managing your account, issuing and verifying session tokens [contract];
• creating and managing trials, recording observations, computing results [contract];
• sending transactional communications such as password resets, trial notifications and stage reminders [contract / legitimate interest];
• providing satellite-derived agronomic insights over your trial polygons [contract];
• transcribing voice notes you record during field observations using Google Cloud Speech-to-Text [contract].

4.2 To improve the Platform and ensure its security

• monitoring errors, debugging, performance analytics [legitimate interest];
• understanding how the Platform is used via aggregated analytics [legitimate interest / consent where required];
• preventing abuse, fraud or unauthorised access [legitimate interest and legal obligation].

4.3 To communicate marketing and product information

Sending partner onboarding flows, product announcements and trial-related marketing messages through Klaviyo [consent, or soft opt-in where permitted]. You can unsubscribe at any time via the link in every marketing email or via the /email-preferences page.

4.4 To publish anonymised scientific results

Publishing trial results on our /data page after the farmer has given consent. Published results do not include the farmer's name or exact GPS location (see Section 4.7).

4.5 To comply with legal obligations

Complying with applicable laws, court orders and lawful requests from regulators; maintaining records required by tax, commercial or sectoral laws [legal obligation].

4.6 To establish, exercise or defend legal claims

Investigating and responding to complaints, disputes or legal proceedings [legitimate interest].

4.7 Anonymisation before publication

Before any trial result is made publicly available, the record undergoes an anonymisation step in which: (i) the farmer's name, email and organisation identifiers are removed; (ii) exact GPS coordinates and polygon boundaries are removed; (iii) the approximate location is reduced to the country/region level; and (iv) the record is reviewed and approved by an administrator.

We note for EU and Brazilian users that residual re-identification risk means published extracts may still be treated as pseudonymised rather than fully anonymised Personal Information.

4.8 No automated decision-making with legal effects

We do not use your Personal Information to make decisions based solely on automated processing that produce legal or similarly significant effects on you. Calculator B and the satellite indices produce indicative figures to inform human decisions; they do not take decisions on your behalf.

5.How we share your Personal Information

We do not sell your Personal Information. We share it with the following categories of recipients.

5.1 Inside our organisation

Your information is accessible to authorised employees, contractors and administrators of Custom Chemistry Agri who need it to operate the Platform. Access is role-based, enforced via Firebase custom claims, and recorded in immutable audit logs.

5.2 Service providers (sub-processors)

We maintain an up-to-date list of sub-processors and will notify you of material changes in line with our contractual commitments.

5.3 Business partners

Where you join the Platform as a farmer linked to an AIM, or as an AIM linked to farmers, your information will be visible to your linked counterparties to the extent necessary for the trial.

5.4 Professional advisers and authorities

We may share Personal Information with our legal, tax and accounting advisers where necessary, and with law enforcement, regulators or courts where required by law.

5.5 Business transactions

If we are involved in a merger, acquisition, financing, reorganisation, insolvency or sale of assets, Personal Information may be transferred as part of that transaction, subject to appropriate confidentiality protections.

6.International data transfers

Because the Platform serves multiple regions, your Personal Information may be transferred to, stored in and accessed from countries other than your country of residence. We take the following measures to ensure a lawful transfer:

• European Commission Standard Contractual Clauses (2021/914) for EEA transfers, and the UK IDTA for UK transfers;
• EU-US Data Privacy Framework where our US sub-processor is a certified participant;
• transfer impact assessments (TIAs) where required by law;
• section 72(1) of POPIA for transfers from South Africa;
• LGPD transfer mechanisms (Article 33) for Brazilian data;
• notice of offshore disclosure as required by APP 8 (Australia) and IPP 12 (New Zealand).

Contact privacy@el-i.tech for a copy of the safeguards.

7.Data retention

We retain Personal Information only for as long as necessary for the purposes for which it was collected, or as required by law.

When retention ends, we either delete, de-identify or archive the Personal Information in a protected form. Because trial data constitute scientific evidence, we keep those records for longer than the underlying account; an erasure request will ordinarily lead to anonymisation rather than destruction of the scientific dataset. See Section 8.

8.Your rights

Depending on where you live and which laws apply, you may have some or all of the following rights:

• Right of access — to ask whether we hold Personal Information about you and obtain a copy.
• Right of correction / rectification — to ask us to correct inaccurate or incomplete information.
• Right of deletion / erasure — to ask us to delete Personal Information we no longer have a lawful basis to hold. Note the limits for trial data (Section 7).
• Right to restrict processing — to ask us to pause certain processing in defined circumstances.
• Right to object — to object to processing based on legitimate interests or to direct marketing.
• Right to data portability — to receive your Personal Information in a structured, commonly used, machine-readable format.
• Right to withdraw consent — at any time without affecting the lawfulness of prior processing.
• Right not to be subject to solely automated decision-making with legal effects (we do not engage in such processing).
• Right to lodge a complaint with the relevant regulator (see Section 13).

8.1 How to exercise your rights

Send your request to privacy@el-i.tech. We may ask for information to verify your identity. We will respond within the period required by your applicable law (typically one month under GDPR and 30–45 days under POPIA, LGPD, US state laws and APPs).

8.2 Self-service today and our commitment

The Platform currently supports self-service email preference management at /email-preferences and one-click unsubscribe via /api/unsubscribe. Other rights (access, correction, deletion, portability) are currently handled on request via privacy@el-i.tech. We are working to add self-service tools for access and deletion.

9.Cookies and similar technologies

The Platform uses a small number of cookies and similar technologies.

With your explicit consent in the “Marketing” category, we also load the Meta Pixel, the LinkedIn Insight Tag and Google Ads conversion tags through Google Tag Manager. These tags set additional cookies (for example _fbp for Meta and li_fat_id for LinkedIn) and transmit limited interaction data to Meta, LinkedIn and Google for conversion measurement. Without your marketing consent, these tags do not load and no marketing cookies are set.

Alongside the browser-side Meta Pixel and LinkedIn Insight Tag, when you submit a partner application or otherwise generate a conversion event with your “Marketing” consent granted, we also send matching server-side events via Meta’s Conversions API and LinkedIn’s Conversions API. The server-side events mirror the browser ones and are deduplicated by each provider against the browser event using a shared event_id. We forward only your hashed identifiers (SHA-256 hashes of your email address and, where available, phone number), your IP address and user agent (which Meta requires unhashed for attribution matching), and the type of event you performed. To LinkedIn we additionally pass plain-text company name, role/title and country code so LinkedIn can match the conversion to its B2B graph (the standard LinkedIn Conversions API user-info schema). The Conversions APIs exist so that conversion attribution still works when iOS privacy features, ad blockers or strict browser modes prevent the browser tags from reaching the providers. If you have not granted marketing consent, no Conversions API event is sent.

Where required by your jurisdiction (in particular the EU/EEA, the UK and Brazil), we will display a cookie banner on your first visit and obtain your consent before setting any non-essential cookies. Until you grant consent, Google Analytics, Meta Pixel, LinkedIn Insight Tag and Google Ads tags are blocked through Google Consent Mode v2 (defaults set to denied before any tag loads). Strictly necessary cookies do not require consent. You can change your preferences at any time through the cookie settings link in the footer.

9.1 EU/EEA cookie notice (EU GDPR + ePrivacy)

If you are located in the European Economic Area (“EEA”), we process cookies and similar technologies in accordance with Regulation (EU) 2016/679 (“EU GDPR”) and the EU ePrivacy Directive (Directive 2002/58/EC), as implemented in local Member State laws.

Except for cookies that are strictly necessary for the operation of our website, we will request your consent before placing or accessing cookies on your device. You may accept all cookies, reject non-essential cookies, or manage your cookie preferences at any time.

Withdrawal of consent. You may withdraw or modify your consent at any time through our cookie preference centre, available via the “Cookie settings” link in the site footer.

Cross-border data transfers. Some cookie providers (Google, Meta, LinkedIn) may process personal data outside the EEA. Where this occurs, we implement appropriate safeguards in accordance with Chapter V of the EU GDPR, including Standard Contractual Clauses where required.

10.Children's data

The Platform is a business-to-business tool aimed at farmers, agricultural input manufacturers and related professionals. It is not directed at children and we do not knowingly collect Personal Information from anyone under the age of 18.

If you are under 18, please do not use the Platform. If you believe a child has provided Personal Information to us, please contact privacy@el-i.tech.

11.How we protect your Personal Information

We implement appropriate technical and organisational measures including:

• encryption in transit (TLS 1.2+) and at rest (Google Cloud default encryption, AES-256);
• a Content Security Policy (CSP), HTTP Strict Transport Security (HSTS) and secure-cookie flags enforced in middleware;
• role-based access control enforced through Firebase custom claims and server-side authorisation;
• a four-layer Data Access Layer architecture (presentation → server actions → cached authentication DAL → repository);
• rate limiting on public API routes, input validation (Zod) and OWASP-aligned secure coding practices;
• secrets kept in Google Secret Manager, not in code;
• dual-region Firestore for data sovereignty;
• immutable audit logs, error monitoring (Sentry) and regular backups;
• least-privilege IAM, including fine-grained permissions for the Firebase App Hosting compute service account.

No system is perfectly secure. If we become aware of a data breach that is reportable under applicable law, we will notify the competent regulator and affected individuals in line with our obligations.

12.Changes to this Policy

We may update this Policy from time to time. The “Effective date” and “Version” at the top show when it was last updated. Material changes will be communicated through the Platform or by email before they take effect.

13.Contact us and regulators

For questions or complaints, contact us at privacy@el-i.tech. You may also lodge a complaint with your national regulator:

Annex A— South Africa (POPIA)

This Annex supplements the Policy for data subjects in South Africa and for processing governed by the Protection of Personal Information Act 4 of 2013 (“POPIA”).

A.1 Responsible party and Information Officer

The responsible party is Custom Chemistry Agri. The Information Officer, duly registered with the Information Regulator in terms of section 55 of POPIA and Regulation 4, can be contacted at privacy@el-i.tech.

A.2 Conditions for lawful processing

We comply with the eight conditions for lawful processing set out in Chapter 3 of POPIA (accountability; processing limitation; purpose specification; further processing limitation; information quality; openness; security safeguards; and data subject participation).

A.3 Your rights under POPIA

• be notified that Personal Information about you is being collected (section 18);
• be notified where your Personal Information has been accessed or acquired by unauthorised persons (section 22);
• request confirmation, at no cost, of whether we hold Personal Information about you, and request access (section 23);
• request correction or deletion of inaccurate, irrelevant, excessive, out of date, incomplete, misleading or unlawfully obtained information (section 24);
• object, on reasonable grounds, to the processing of your Personal Information (section 11(3)(a));
• object to direct marketing by unsolicited electronic communications (section 69);
• not be subject to a decision based solely on the automated processing of your Personal Information (section 71);
• submit a complaint to the Information Regulator (section 74) and institute civil proceedings (section 99).

A.4 Direct marketing (section 69)

We will only send you direct marketing by electronic means if you have consented or if you are an existing customer whose details we obtained in the context of the sale of a product or service. Every marketing email contains an unsubscribe mechanism.

A.5 Cross-border transfers (section 72)

We transfer Personal Information outside South Africa only if one of the conditions in section 72 applies.

A.6 Security compromise (section 22)

If we have reasonable grounds to believe that your Personal Information has been accessed by an unauthorised person, we will notify the Information Regulator and you as soon as reasonably possible.

A.7 Complaints

Information Regulator: inforegulator.org.za · complaints@inforegulator.org.za · +27 10 023 5200. JD House, 27 Stiemens Street, Braamfontein, Johannesburg 2001.

Annex B— European Union (GDPR)

This Annex applies to individuals in the EEA and to processing subject to Regulation (EU) 2016/679 (“GDPR”).

B.1 Controller and representative

The controller is Custom Chemistry Agri. We have not currently appointed an EU representative under Article 27 GDPR; if and when our processing triggers that requirement, we will appoint one and publish the details in this Annex. For all GDPR-related contact in the meantime, write to privacy@el-i.tech.

B.2 Lawful bases for processing

• Performance of a contract (Art. 6(1)(b)) — to provide the Platform, manage your account, run trials, and send transactional communications;
• Consent (Art. 6(1)(a)) — for marketing emails, non-essential cookies, and the publication of trial results;
• Legitimate interests (Art. 6(1)(f)) — for security, anti-fraud, service improvement and aggregated analytics;
• Legal obligation (Art. 6(1)(c)) — to comply with applicable tax, company and regulatory laws.

B.3 Your GDPR rights

In addition to the general rights in Section 8: access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), objection (Art. 21), withdrawal of consent (Art. 7(3)), freedom from solely automated decisions (Art. 22), and the right to lodge a complaint with your supervisory authority.

B.4 Consent toggles

At trial creation, the farmer is asked to confirm anonymised data sharing, case-study use, and benchmark comparison. For EU users, these toggles are optional — you may decline without losing access. Withdrawal of consent does not affect prior processing.

B.5 International transfers

We rely on Standard Contractual Clauses (2021/914), transfer impact assessments, the EU-US Data Privacy Framework, or your explicit consent. Contact privacy@el-i.tech for a copy.

B.6 Data breach notification

We will notify the competent supervisory authority within 72 hours of becoming aware of a breach likely to risk the rights of natural persons, and affected data subjects where the risk is high.

B.7 Supervisory authorities (Ireland and other Member States)

You have the right to lodge a complaint with the data protection supervisory authority in your country of residence, place of work, or where an alleged infringement of the EU GDPR has occurred. For users located in Ireland, the competent supervisory authority is the Data Protection Commission (DPC): dataprotection.ie · +353 0761 104 800 · 21 Fitzwilliam Square South, Dublin 2, D02 RD28. The ICO is the UK supervisory authority and does not have jurisdiction over the EU GDPR; EEA users should contact their own national DPA.

Annex C— United Kingdom (UK GDPR and DPA 2018)

The rights and lawful bases in Annex B apply in substantially the same form under the UK GDPR and the Data Protection Act 2018, with the ICO as the supervisory authority.

International transfers from the UK rely on the UK International Data Transfer Agreement (IDTA) or the Addendum to the EU SCCs.

ICO: ico.org.uk · 0303 123 1113 · Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

Annex D— United States

This Annex describes rights under applicable US state privacy laws including the CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, TDPSA, FDBR, OCPA, and other comprehensive state privacy laws.

D.1 B2B scope

The Platform is a B2B service. We nonetheless extend rights to all US users to promote transparency.

D.2–D.3 Categories, sources and disclosures

See Sections 3–5 of this Policy. For CCPA purposes: identifiers, customer records, commercial information, network activity, geolocation data, professional information, and inferences. We have not collected sensitive personal information as defined in the CCPA.

D.4 Sale and sharing

We do not “sell” or “share” personal information for cross-context behavioural advertising. We have not done so in the preceding 12 months.

D.5 Your rights

Subject to verification: right to know, access, correction, deletion, opt out of sale/share (not applicable), limit SPI use (not applicable), and appeal a refusal. Submit requests via privacy@el-i.tech. We respond within 45 days.

D.9 Iowa note

Our US production database is hosted in Iowa (us-central1). We apply the ICDPA's requirements to Iowa residents' personal information.

Annex E— Canada (PIPEDA and Quebec Law 25)

Privacy Officer: privacy@el-i.tech. We obtain meaningful consent, comply with CASL for commercial electronic messages, and host Canadian Firestore in Montreal (northamerica-northeast1). Quebec privacy impact assessments are conducted for cross-border disclosures.

Complaints: Office of the Privacy Commissioner of Canada — priv.gc.ca · 1-800-282-1376. Commission d'accès à l'information du Québec — cai.gouv.qc.ca.

Annex F— Australia (Privacy Act 1988 and APPs)

We treat ourselves as an “APP entity” and comply with the APPs in full. Cross-border disclosures are made under APP 8 with contractual protections. Direct marketing complies with APP 7 and the Spam Act 2003. For eligible data breaches under Part IIIC, we notify the OAIC and affected individuals as soon as practicable.

Complaints: oaic.gov.au · 1300 363 992.

Annex G— New Zealand (Privacy Act 2020)

Privacy Officer: privacy@el-i.tech. Cross-border disclosures comply with IPP 12. Access and correction requests under IPPs 6 and 7 are responded to within 20 working days. For notifiable privacy breaches, we notify the Office of the Privacy Commissioner and affected individuals as soon as practicable.

Complaints: privacy.org.nz · 0800 803 909.

Annex H— Brazil (LGPD)

Encarregado / DPO: privacy@el-i.tech. A Portuguese-language version will be available at el-i.tech/br/politica-de-privacidade prior to launch in Brazil.

Legal bases (Article 7): consent, contract, legal obligation, legitimate interests, exercise of rights, protection of credit, safeguarding life. International transfers follow Article 33 LGPD mechanisms.

Your rights: confirm processing, access, correct, anonymise/block/delete, port, delete data processed with consent, be informed of sharing, be informed of consent consequences, and revoke consent.

Complaints: Autoridade Nacional de Proteção de Dados (ANPD) — gov.br/anpd.