Privacy Policy
Agrovus ERP — agrovus.app
- Version: 1.1
- Effective: 2026-04-30
- Applies to: agrovus.app and all Agrovus ERP user-facing surfaces
- Framework: CCPA / CPRA and other US state privacy laws; GDPR (EU) 2016/679 and UK GDPR where applicable
1. Who We Are
Agrovus ("Agrovus", "we", "us", "our") operates the Agrovus ERP platform at agrovus.app ("the Service"). The Service is a business-to-business enterprise resource planning system used by Agrovus and its subsidiaries to manage production, inventory, procurement, sales, finance, and related operations.
For questions about this policy or to exercise your rights, contact:
- Email: privacy@agrovus.com
- Postal: Agrovus — Data Protection Lead, 3800 Camp Creek Pkwy, Building 1400, Suite 116B #434, Atlanta, GA 30331
2. Scope
This policy describes how we collect, use, store, disclose, and protect personal data in connection with:
- The Agrovus ERP admin application used by employees, contractors, and subsidiary administrators;
- The Agrovus client portal used by authorized customers and partner organizations; and
- Any background services, APIs, scheduled jobs, or integrations that process data on behalf of those applications.
By accessing or using agrovus.app, you acknowledge that you have read this policy. Where required by applicable law, you will be asked to explicitly accept this policy before the Service will grant you access.
3. Personal Data We Process
We collect only data that is necessary to operate the Service.
3.1 Account & Identity Data
| Data | Purpose | Source |
|---|---|---|
| Full name | User identification, audit trails | You / your employer |
| Work email address | Authentication, notifications | You / your employer |
| Hashed password (bcrypt) | Authentication | You |
| Role assignment (SUPER_ADMIN, ADMIN, FINANCE, SALES, STAFF, CUSTOMER) | Access control | Your administrator |
| Multi-factor authentication secret (TOTP) | Account security | You |
| Password reset tokens & backup codes (hashed) | Account recovery | System-generated |
3.2 Operational Data You Submit
Information you enter into the Service while doing your job — for example: purchase orders, bills of materials, customer and partner records, inventory movements, delivery notes, invoices, bank reconciliation entries, uploaded documents (PDFs, safety data sheets, formulation manuals).
This content is the property and responsibility of the Agrovus entity that operates your account. We process it as a data processor on their behalf.
3.3 Automatically-Collected Data
| Data | Purpose | Retention |
|---|---|---|
| IP address of each sign-in | Security monitoring, abuse detection | 90 days |
| User agent / browser string at sign-in | Security monitoring | 90 days |
| Session identifiers (HTTP-only cookies) | Keeping you signed in | Session lifetime (24 h) + 15 min idle timeout |
| Activity log entries (who did what, when) | Audit trail, compliance | 7 years (financial actions), 2 years (other) |
| Error traces | Debugging and service health | 30 days |
3.4 Third-Party Integration Data
When you connect a bank account through Plaid, we receive account metadata and transaction records strictly scoped to the accounts you link. We do not receive bank credentials — Plaid handles that directly with your institution. See Plaid's own privacy policy at https://plaid.com/legal/.
3.5 Data We Do Not Collect
- Payment card numbers (we do not accept payments through the Service).
- Health or biometric data.
- Location data beyond the general-region inference possible from an IP address.
- Advertising identifiers or cross-site tracking data. agrovus.app carries no third-party advertising.
4. How We Use Your Data
We process personal data only for the following purposes:
- Delivering the Service — authenticating you, rendering the dashboards and pages you request, executing the server actions you invoke, and persisting the records you create.
- Security — detecting unauthorized access, enforcing multi-factor authentication, blocking brute-force attempts, and maintaining tamper-evident audit logs.
- Compliance — meeting legal obligations around financial record-keeping, tax reporting, and industry-specific regulations applicable to agricultural and chemical formulation operations.
- Service improvement — diagnosing defects and performance issues. We do not train machine-learning models on your operational data without explicit written agreement.
- Communications — transactional emails tied to actions you take (password resets, approval requests, invoice notifications). We do not send marketing emails from agrovus.app.
5. Legal Basis for Processing (GDPR Article 6)
Where GDPR applies, we rely on the following legal bases:
| Basis | Examples |
|---|---|
| Contract (Art. 6(1)(b)) | Providing the ERP service to your employing organization under its subscription agreement |
| Legal obligation (Art. 6(1)(c)) | Retaining financial records for statutory periods; responding to lawful subpoenas |
| Legitimate interest (Art. 6(1)(f)) | Securing the Service, preventing fraud, maintaining audit logs |
| Consent (Art. 6(1)(a)) | Your explicit acceptance of this policy; optional third-party integrations you choose to enable |
You may withdraw consent at any time (see §10). Withdrawal does not affect processing already carried out on another valid basis.
6. How We Share Data
We share personal data only with:
| Recipient | Purpose | Safeguard |
|---|---|---|
| Vercel Inc. (hosting) | Application hosting, edge delivery, logs | Data Processing Addendum in place; EU Standard Contractual Clauses |
| Neon (Databricks) / Amazon Web Services | Database and object storage | DPA; encryption at rest and in transit |
| Upstash | Redis session cache, rate limiting | DPA; contents limited to opaque session tokens and rate-limit counters (no names, email addresses, or operational records) |
| Plaid Inc. | Bank account linking (opt-in per user) | Plaid Data Protection Terms |
| Resend | Outbound transactional email | DPA; EU data residency where available |
| Pusher | Real-time presence/notifications | DPA; contents limited to user IDs and status flags |
| Your own administrator(s) | Access control, audit review, support | Bound by your employer's internal policies |
| Competent authorities | Where legally compelled (court order, regulatory investigation) | Only the minimum data required by law |
We do not sell personal data. We do not share data with advertising networks, data brokers, or analytics vendors that monetize user behavior.
Sub-processors may be updated over time. A current list is available on request from privacy@agrovus.com.
7. International Transfers
Agrovus ERP is hosted in multiple regions to provide low-latency access. Personal data may be transferred to, stored in, and processed in countries outside your own, including the United States and the European Union. Where GDPR applies, such transfers are protected by:
- EU Standard Contractual Clauses (2021/914) with each processor;
- Vercel's, Neon's, and AWS's respective certifications and transfer mechanisms (EU-U.S. Data Privacy Framework, where applicable);
- Technical safeguards (TLS 1.3 in transit, AES-256 at rest, field-level access controls).
8. Data Retention
We retain personal data only as long as necessary to fulfil the purposes for which it was collected and to meet legal obligations:
| Category | Retention |
|---|---|
| Active user accounts | Duration of employment / relationship + 90 days |
| Deactivated user accounts | Credentials and personal identifiers anonymized within 90 days; attribution on historical records preserved for audit |
| Financial transactions (invoices, payments, GL entries) | 7 years (or longer where law requires) |
| Bank-link access tokens | Revoked immediately on user request or disconnection |
| Session & security logs | 90 days |
| Backups | Up to 35 days, then cryptographically erased |
When data is deleted, it is removed from primary storage immediately and purged from backups on the rolling backup schedule above.
9. How We Protect Your Data
Agrovus ERP is operated under a documented Information Security Policy aligned to the NIST Cybersecurity Framework v2.0. Key controls include:
- TLS 1.3 for all network traffic; HSTS enforced on agrovus.app.
- Passwords hashed with bcrypt (cost factor ≥ 12); MFA required for all staff accounts.
- Role-based access control with least-privilege defaults.
- Tamper-evident activity logging for sensitive actions.
- Automated dependency and vulnerability scanning on every deployment.
- Encrypted backups with separate key management.
- Incident response procedures with a defined notification timeline for regulators and affected users (no later than 72 hours after we become aware of a personal data breach, where required by law).
A summary of the security policy is available on request.
10. Your Rights
Where applicable law grants them (including CCPA/CPRA and other US state privacy laws, as well as GDPR and UK GDPR where applicable), you have the right to:
| Right | What it means |
|---|---|
| Access | Obtain a copy of the personal data we hold about you. |
| Rectification | Correct inaccurate or incomplete data. |
| Erasure ("right to be forgotten") | Delete your personal data, subject to legal retention obligations. |
| Restriction | Pause processing while a dispute is resolved. |
| Portability | Receive your data in a structured, machine-readable format. |
| Objection | Object to processing based on legitimate interests. |
| Withdraw consent | Where processing is based on consent, withdraw it at any time. |
| Lodge a complaint | With the relevant regulator. In the US: the Federal Trade Commission (reportfraud.ftc.gov) or your state attorney general; California residents may also contact the California Privacy Protection Agency (cppa.ca.gov). In the EU: the data protection supervisory authority of your member state; in the UK: the Information Commissioner's Office (ico.org.uk). |
To exercise any right, email privacy@agrovus.com with sufficient detail to verify your identity. We respond within 30 days. Note: because Agrovus ERP is operated on behalf of your employing organization, some requests (particularly erasure of operational records) must be coordinated with your administrator and may be subject to their retention obligations.
11. Cookies and Similar Technologies
agrovus.app uses only strictly necessary cookies. We do not set analytics, advertising, or cross-site tracking cookies.
| Cookie | Purpose | Duration |
|---|---|---|
| authjs.session-token / __Secure-authjs.session-token | NextAuth session | Session |
| portal-token | Client portal session | 24 hours |
| next-intl-locale | Language preference | 1 year |
| active-subsidiary-id | Remember which entity you last viewed | Session |
| theme | Light/dark mode preference | 1 year |
You can clear cookies at any time through your browser settings, but doing so will sign you out of the Service.
12. Children's Privacy
Agrovus ERP is a business application and is not intended for or marketed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact privacy@agrovus.com and we will delete it.
13. Automated Decision-Making
The Service includes AI-assisted features (for example, parsing uploaded safety data sheets, suggesting bills of materials). These features produce recommendations only. No decision that produces a legal or similarly significant effect on an individual is made solely by automated means within Agrovus ERP; a qualified human user always reviews and approves the outcome.
14. Changes to This Policy
We may update this policy from time to time. Every change is recorded in the Git history of docs/legal/privacy-policy.md. When a change is material, we will:
- Increment the Version field at the top of this document;
- Update the Effective Date;
- Require every user to re-accept the new version before continuing to use agrovus.app; and
- Notify active users via email where required by law.
The policy version you accepted — together with the date, time, and the IP address from which you accepted it — is recorded in our systems and is available to you on request.
15. Contact
- Email: privacy@agrovus.com
- Postal: Agrovus — Data Protection Lead, 3800 Camp Creek Pkwy, Building 1400, Suite 116B #434, Atlanta, GA 30331
- Regulator (US): Federal Trade Commission — reportfraud.ftc.gov
- California residents: California Privacy Protection Agency — cppa.ca.gov
This policy is issued by Agrovus and is binding on all Agrovus entities operating the Service. The source of truth is the Git-tracked file docs/legal/privacy-policy.md in the Agrovus ERP repository.