Privacy Policy
Last updated: 11 May 2026
This Privacy Policy explains how PhytoMaps collects, uses and protects personal data when you visit our website, evaluate the platform or use the Service. We act under the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and the Dutch implementation act (Uitvoeringswet AVG, “UAVG”).
1. Who we are
PhytoMaps (KvK 96411163, VAT NL005208736B94), established in Limburg, the Netherlands, is the controller for the personal data described in this Policy. You can reach us at info@phytomaps.com.
For personal data we process on behalf of our customers in the course of providing the Service, our customer is the controller and PhytoMaps acts as a processor. The terms governing that processing are set out in our Data Processing Agreement at /legal/dpa.
2. Personal data we process
Visitors to our website
- Information you submit through the contact or pilot-request form: name, business email, company, phone (optional), property type and any message you send. These submissions are delivered to our business inbox and are not stored in our application database.
- Limited technical information needed to operate the site (e.g. session and locale preference cookies). See our Cookie Policy at /legal/cookies for details.
Customers and Authorised Users
- Account data: name, business email, password (stored as a salted hash), role, language preference, and the customer organisation you are associated with.
- Phone number, if you opt to receive WhatsApp alerts as part of the Advanced or Enterprise plan.
- Usage data: pages and features you access, action timestamps, IP address (for security logging) and basic device/browser information.
- Communications: emails, support messages and the records of our correspondence with you.
Billing and tax
- Customer organisation legal name, billing address, VAT number, invoice history, payment status. Card details are entered directly with our payment processor and are not stored on PhytoMaps servers.
Property and analytics data
Course and zone information (boundaries, names, agronomic notes) you configure in the platform. This data is generally not personal data; where it incidentally contains personal data (e.g. the name of a staff member in a note) it is processed under our DPA.
3. Purposes and legal bases
We process personal data only where we have a lawful basis under Article 6 GDPR.
| Purpose | Categories of data | Legal basis |
|---|---|---|
| Responding to website enquiries and pilot requests | Contact-form data | Pre-contractual measures at your request (Art. 6(1)(b)) and our legitimate interest in answering enquiries (Art. 6(1)(f)) |
| Providing the Service to a customer | Account data, usage data, property data | Performance of the contract with the customer organisation (Art. 6(1)(b)) |
| Sending WhatsApp alerts you have opted in to | Name, phone number, alert preferences | Performance of the contract (Art. 6(1)(b)) |
| Invoicing, payment processing and tax compliance | Billing data, contact details | Performance of the contract (Art. 6(1)(b)) and legal obligation under Dutch tax law (Art. 6(1)(c)) |
| Securing the Service (fraud prevention, abuse detection, security logging) | Account data, IP, usage data | Legitimate interests in protecting the Service and its users (Art. 6(1)(f)) |
| Service emails (changes, security, maintenance, billing) | Account data | Performance of the contract (Art. 6(1)(b)) |
| Improving the Service (aggregated, anonymised usage analysis) | Aggregated usage data | Legitimate interests in improving the Service (Art. 6(1)(f)) |
| Website analytics (Google Analytics 4) | Pseudonymous identifier, anonymised IP, page views, basic device/browser, navigation events | Consent (Art. 6(1)(a)) |
| Complying with legal requests and defending claims | As required | Legal obligation (Art. 6(1)(c)) and legitimate interests (Art. 6(1)(f)) |
We do not use personal data for automated decision-making that produces legal or similarly significant effects on you, and we do not engage in profiling for such purposes.
4. Recipients of personal data
We share personal data only with the categories of recipients listed below. We do not sell personal data and we do not share it for advertising or unrelated commercial purposes.
- Service providers acting as our processors under written processing terms: cloud hosting and infrastructure, database services, object storage, transactional email, messaging delivery for WhatsApp alerts, and payment processing. The current list with names, locations and roles is published at /legal/subprocessors.
- Professional advisers (accountants, lawyers) under a duty of confidentiality where strictly necessary.
- Public authorities where we are required to share data by law or by a binding order.
- An acquirer in connection with a merger, acquisition or sale of business assets, subject to the recipient agreeing to honour this Privacy Policy.
5. International transfers
We store and process personal data within the European Economic Area (EEA) by default. Some of our processors are headquartered outside the EEA (in particular in the United States). Where personal data is transferred outside the EEA, we rely on the safeguards permitted by Chapter V of the GDPR, in particular: (i) European Commission adequacy decisions, including the EU–US Data Privacy Framework where the recipient is certified; and (ii) the European Commission's Standard Contractual Clauses (Decision 2021/914), supplemented by additional technical and organisational measures where appropriate. A copy of the relevant safeguard is available on request from info@phytomaps.com.
6. Retention
- Website contact-form enquiries: kept in the business inbox for as long as needed to handle the enquiry, and thereafter for up to 24 months for follow-up and reference, unless you ask us to delete sooner.
- Customer accounts and Authorised User profiles: for the duration of the subscription and deleted from production systems within 90 days after termination.
- Customer Data (property data, notes, generated analytics): deleted from production systems within 90 days after termination. An export can be requested within that period.
- Invoices and supporting financial documents: 7 years, as required by Art. 52 of the Dutch General State Taxes Act (Algemene wet inzake rijksbelastingen).
- Security logs: typically up to 12 months.
- Backups containing personal data are overwritten on the regular backup rotation cycle.
7. Your rights
Under the GDPR you have the following rights in respect of personal data we process about you:
- Right of access (Art. 15) — to obtain confirmation of, and a copy of, your personal data.
- Right to rectification (Art. 16) — to have inaccurate or incomplete data corrected.
- Right to erasure (Art. 17) — to have your data deleted, where the legal grounds apply.
- Right to restriction of processing (Art. 18).
- Right to data portability (Art. 20) — to receive certain data in a structured, commonly used and machine-readable format.
- Right to object (Art. 21) — in particular to processing based on our legitimate interests; we will stop unless we have compelling legitimate grounds.
- Right to withdraw consent at any time where processing is based on consent — without affecting the lawfulness of processing carried out before withdrawal.
- Right to lodge a complaint with a supervisory authority — in the Netherlands, the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).
If we process your data as a processor on behalf of one of our customers (for example, you are an Authorised User), you should generally direct rights requests to that customer; we will assist them as required by Art. 28 GDPR. To exercise any right, contact info@phytomaps.com. We may need to verify your identity before responding and will reply within one month of receipt (which we may extend by a further two months for complex requests, with notice to you).
8. Security
We implement technical and organisational measures appropriate to the risk, including encryption of data in transit (TLS) and at rest, role-based access controls, least-privilege principles, secret management, secure software-development practices, vulnerability monitoring, logging and regular backups. Despite these measures, no system is perfectly secure. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours where required by Art. 33 GDPR and, where required by Art. 34, the affected individuals.
9. Cookies and similar technologies
We use a small set of cookies that are strictly necessary to operate the site and the platform (for example, to keep you signed in, remember your language preference and protect against CSRF attacks). With your consent, we also use Google Analytics 4 to understand how the site is used; this is loaded with Google Consent Mode v2 in default-denied state and only activates after you give consent. We do not run marketing or advertising cookies. See our Cookie Policy at /legal/cookies for the full list, retention periods and your choices.
10. Children
The Service is intended for business use. We do not knowingly collect personal data from children under 16. If you believe a child has provided personal data to us, please contact info@phytomaps.com and we will delete it.
11. Changes to this Policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top of this page shows when it was last changed. Material changes will be notified by email or in the platform before they take effect.
12. Contact
Privacy questions, requests to exercise your rights or complaints can be sent to info@phytomaps.com. Postal address: PhytoMaps, Limburg, Netherlands (KvK 96411163, VAT NL005208736B94).