1. Overview
AgrSync Ltd (“AgrSync”, “we”, “us”) is fully committed to compliance with the United Kingdom General Data Protection Regulation (“UK GDPR”), retained from EU Regulation 2016/679 by the European Union (Withdrawal) Act 2018, and the Data Protection Act 2018 (“DPA 2018”).
This page provides a comprehensive overview of how AgrSync complies with UK GDPR requirements, your rights as a data subject, and the technical and organisational measures we employ to protect your personal data. This document supplements our Privacy Policy and provides additional detail on our data protection governance framework.
AgrSync is supervised by the Information Commissioner's Office (ICO), the UK's independent authority for data protection and information rights. Our ICO registration number is ZA123456.
2. Data Controller and Data Processor Roles
2.1 AgrSync as Data Controller
When we collect and process personal data directly — for example, when you create an account, submit a contact form, book a demo, or browse our website — AgrSync acts as the data controller. We determine the purposes and means of processing this personal data.
2.2 AgrSync as Data Processor
When you use the AgrSync platform to manage data about your employees, farm workers, contractors, or other individuals, AgrSync acts as a data processor on your behalf. In this scenario, you are the data controller and we process the data strictly in accordance with your instructions and our Data Processing Agreement (DPA).
Our DPA covers all the requirements of Article 28 UK GDPR, including:
- Processing only on documented instructions from the controller.
- Ensuring confidentiality obligations for all personnel processing personal data.
- Implementing appropriate technical and organisational security measures.
- Engaging sub-processors only with the controller's prior written authorisation (general or specific) and under contracts that impose the same data protection obligations on the sub-processor.
- Assisting with data subject rights requests, breach notifications, and data protection impact assessments.
- Returning or deleting all personal data at the end of the service contract.
To request a copy of our DPA, please contact privacy@agrsync.co.uk.
3. Data Protection Principles
AgrSync adheres to the seven key principles of UK GDPR (Article 5) in all our data processing activities:
- Lawfulness, fairness, and transparency: We process data lawfully on a valid legal basis, treat data subjects fairly, and are transparent about our processing activities through clear privacy notices.
- Purpose limitation: We collect data for specified, explicit, and legitimate purposes and do not process it in a manner incompatible with those purposes.
- Data minimisation: We collect only the minimum personal data necessary for the stated purpose. Our forms and systems are designed to avoid collecting excessive information.
- Accuracy: We take reasonable steps to ensure personal data is accurate and up to date. Users can update their own data through their account settings at any time.
- Storage limitation: We retain personal data only for as long as necessary. Our retention schedule is documented in our Privacy Policy and reviewed annually.
- Integrity and confidentiality: We implement appropriate technical and organisational measures to ensure the security of personal data (see Section 5).
- Accountability: We maintain records of our processing activities, conduct regular data protection impact assessments (DPIAs), and can demonstrate compliance with UK GDPR at all times.
4. Your Data Subject Rights
Under UK GDPR, you have the following rights. AgrSync provides mechanisms to exercise all of these rights:
4.1 Right of Access (Article 15)
You have the right to obtain confirmation of whether we process your personal data and, if so, to access that data along with supplementary information about how it is processed. You can submit a Subject Access Request (SAR) by emailing privacy@agrsync.co.uk. We may need to verify your identity before releasing data. We will respond within one calendar month of receiving your request. If the request is complex, or you have made several requests, we may extend this by a further two months; in that case we will tell you within the first month that an extension applies and why.
4.2 Right to Rectification (Article 16)
You can update most of your personal data directly through your AgrSync account settings. For data that cannot be changed through the platform, contact us and we will make corrections promptly.
4.3 Right to Erasure (Article 17)
You may request deletion of your personal data in the following circumstances:
- The data is no longer necessary for the purpose for which it was collected.
- You withdraw consent (where consent was the legal basis for processing).
- You object to processing and there are no overriding legitimate grounds.
- The data has been unlawfully processed.
- The data must be erased to comply with a legal obligation.
Please note that we may need to retain certain data for legal or regulatory reasons (for example, financial records that HMRC requires us to keep for at least six years after the end of the relevant accounting period). In such cases, we will inform you and restrict the processing of that data to the retention purpose.
4.4 Right to Restriction of Processing (Article 18)
You can request that we restrict the processing of your personal data while we verify its accuracy, assess the legitimacy of an objection, or if you need the data for legal claims even though we no longer need it.
4.5 Right to Data Portability (Article 20)
You have the right to receive personal data that you have provided to us, and that we process by automated means on the basis of consent or contract, in a structured, commonly used, machine-readable format (JSON or CSV), and to have it transmitted to another controller where technically feasible. AgrSync provides a data export feature in your account settings that allows you to download your farm data, financial records, and personal information at any time.
4.6 Right to Object (Article 21)
You can object to processing based on legitimate interests (Article 6(1)(f)) at any time. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests. You can object to direct marketing processing at any time, and we will cease such processing without exception.
4.7 Rights Related to Automated Decision-Making (Article 22)
AgrSync does not currently make any decisions based solely on automated processing that produce legal or similarly significant effects on individuals. If this changes in the future, we will update this policy and implement appropriate safeguards, including the right to obtain human intervention.
5. Technical and Organisational Security Measures
AgrSync implements comprehensive security measures in line with Article 32 UK GDPR:
5.1 Technical Measures
- Encryption: All data in transit is encrypted using TLS 1.3. All data at rest is encrypted using AES-256 encryption, including database records, backups, and file storage.
- Access controls: Role-based access control (RBAC) ensures staff can only access data necessary for their role. All internal systems require multi-factor authentication (MFA).
- Network security: Our infrastructure includes firewalls, intrusion detection systems (IDS), web application firewalls (WAF), and DDoS protection.
- Logging and monitoring: All access to personal data is logged and monitored. Anomalous activity triggers automated alerts reviewed by our security team.
- Vulnerability management: We conduct regular vulnerability scans and annual penetration tests performed by independent, CREST-accredited security firms.
- Backup and recovery: Automated daily encrypted backups, stored in a geographically separate region from the primary data (see Section 6), with disaster recovery procedures that are tested regularly.
5.2 Organisational Measures
- Data protection training: All staff complete mandatory data protection training upon joining and receive refresher training annually.
- Confidentiality agreements: All employees and contractors sign confidentiality and non-disclosure agreements covering personal data.
- Data Protection Officer: We have appointed a Data Protection Officer (DPO) who oversees our compliance programme and can be contacted at dpo@agrsync.co.uk.
- Privacy by design: Data protection considerations are integrated into the design and development of all new features, systems, and processes.
- Vendor management: All third-party processors are assessed for GDPR compliance before engagement and are bound by Data Processing Agreements.
6. Data Residency and International Transfers
AgrSync stores all primary data within the United Kingdom, in the Amazon Web Services (AWS) eu-west-2 (London) region. Backups are replicated to the AWS eu-west-1 (Ireland) region within the European Economic Area; this transfer to the EEA is covered by the UK's adequacy regulations.
Beyond backup replication, we minimise international data transfers. Where transfers outside the UK are necessary (for example, to third-party service providers), we rely on one of the following mechanisms under Chapter V (Articles 44 to 49) UK GDPR:
- Adequacy regulations: We prefer transfers to countries covered by UK adequacy regulations (Article 45 UK GDPR), including EU/EEA member states.
- Standard Contractual Clauses: Where adequacy decisions are not available, we use the ICO's International Data Transfer Agreement (IDTA) or the EU SCCs with the UK Addendum.
- Transfer impact assessments: We conduct transfer impact assessments for all international transfers to evaluate the level of data protection in the destination country.
7. Data Breach Notification
AgrSync maintains a comprehensive data breach response plan in accordance with Articles 33 and 34 UK GDPR:
- Detection: Our monitoring systems are designed to detect potential breaches in real time. All staff are trained to recognise and report potential incidents.
- Assessment: Upon detection, our incident response team assesses the nature, scope, and potential impact of the breach within 24 hours.
- ICO notification: Where a breach is likely to result in a risk to individuals' rights and freedoms, we notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of the breach, as required by Article 33. If notification is made later than 72 hours, it is accompanied by the reasons for the delay.
- Individual notification: Where a breach is likely to result in a high risk to individuals, we notify affected individuals without undue delay, as required by Article 34.
- Documentation: All breaches, regardless of whether they are reportable, are documented in our breach register, including the facts, effects, and remedial actions taken.
8. Data Protection Impact Assessments
We conduct Data Protection Impact Assessments (DPIAs) as required by Article 35 UK GDPR when processing is likely to result in a high risk to individuals. This includes:
- Processing of personal data on a large scale.
- Systematic monitoring of publicly accessible areas on a large scale (e.g., satellite imagery processing).
- Introduction of new technologies or significant changes to existing processing activities.
- Processing of special category data.
Our DPIAs follow ICO guidance and include: a systematic description of the processing, assessment of necessity and proportionality, risk assessment, and identification of measures to mitigate those risks.
9. Records of Processing Activities
In compliance with Article 30 UK GDPR, AgrSync maintains detailed records of all processing activities, including:
- The purposes of processing.
- Categories of data subjects and personal data processed.
- Categories of recipients to whom data is disclosed.
- Details of international data transfers and safeguards.
- Retention periods for each category of data.
- A description of technical and organisational security measures.
These records are reviewed quarterly and updated whenever there are material changes to our processing activities. They are available to the ICO upon request.
10. Sub-Processors
AgrSync engages the following categories of sub-processors to deliver our Services:
| Sub-Processor | Purpose | Data Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting and infrastructure | UK (London), Ireland |
| Stripe | Payment processing | UK, EU |
| SendGrid (Twilio) | Transactional email delivery | EU |
| Intercom | Customer support and communications | EU |
| Google Analytics | Website analytics (IP anonymised) | EU |
| Mapbox | Mapping and geospatial services | EU, US (IDTA or SCCs with UK Addendum) |
| Planet Labs | Satellite imagery for crop monitoring | US (IDTA or SCCs with UK Addendum) |
All sub-processors are bound by Data Processing Agreements that include UK GDPR-compliant terms. We notify existing customers of any new sub-processors at least 30 days before they begin processing personal data, giving customers the opportunity to object as required by Article 28(2).
11. Children's Data
Our Services are not directed at children under the age of 16. We do not knowingly collect personal data from children. The age of digital consent in the UK is 13 under the DPA 2018 (Section 9), but we apply a higher threshold of 16 for our Services. If we become aware that we have collected data from a child under 16, we will delete it promptly and notify the child's parent or guardian.
12. Complaints and the ICO
If you believe AgrSync has not handled your personal data in accordance with UK GDPR, you have the right to lodge a complaint with the Information Commissioner's Office:
- Website: ico.org.uk/make-a-complaint
- Helpline: 0303 123 1113 (local rate) or +44 1625 545 745 (international)
- Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom
We encourage you to contact our Data Protection Officer first at dpo@agrsync.co.uk so we can attempt to resolve your concern.
13. Updates to This Page
This GDPR compliance page is reviewed and updated at least annually, or whenever there are significant changes to our data processing activities, applicable law, or ICO guidance. The “last updated” date at the top of the page indicates when this document was last revised.
14. Contact Our Data Protection Officer
For any GDPR-related queries, please contact:
- Data Protection Officer: dpo@agrsync.co.uk
- Privacy team: privacy@agrsync.co.uk
- Post: Data Protection Officer, AgrSync Ltd, 12 Bootham Row, York, YO30 7BZ, United Kingdom