Privacy Policy
Last updated: 27 March 2026
1. Who We Are (Data Controller)
The data controller responsible for your Personal Data is:
- Trading name: One Pixel Off
- Address: Available on request — Kuurne, Belgium
- Enterprise number: BE 1023.838.760
- Email: support@cropnine.com
Throughout this policy, "we", "us", and "our" refer to One Pixel Off, operating Cropnine. "You" and "your" refer to you as a user of Cropnine.
2. What Personal Data We Collect
We collect and process the following categories of Personal Data:
2.1. Data you provide directly
| Data Category | Examples | When Collected |
|---|---|---|
| Account data | Name, email address, password (hashed) | Registration |
| Profile data | Preferences (measurement units, timezone, language) | Account settings |
| Garden data | Fields, plots, plantings, crops, harvest records | Using the Service |
| Payment data | Billing name, billing address, payment method (processed directly by Stripe — we do not store full card numbers) | Subscribing |
| Consent records | Terms acceptance, cookie preferences, marketing consent | Registration, cookie banner |
| Communications | Support emails, feedback | When you contact us |
2.2. Data collected automatically
| Data Category | Examples | Purpose |
|---|---|---|
| Technical data | IP address, browser type & version, operating system, device type | Security, compatibility |
| Usage data | Pages visited, features used, timestamps | Service improvement |
| Log data | Server logs, error reports | Debugging, security |
3. Legal Bases for Processing (Art. 6 GDPR)
We process your Personal Data based on one or more of the following legal bases:
| Legal Basis | Processing Activity |
|---|---|
| Performance of contract (Art. 6(1)(b)) | Creating and managing your Account; providing the Service; processing payments via Stripe; delivering the features you use |
| Consent (Art. 6(1)(a)) | Sending marketing emails; marketing cookies; processing optional survey data |
| Legitimate interest (Art. 6(1)(f)) | Improving the Service; detecting fraud and ensuring security; basic aggregated analytics to understand general usage patterns; defending legal claims |
| Legal obligation (Art. 6(1)(c)) | Tax and accounting obligations; responding to lawful requests from authorities; maintaining consent records as required by GDPR |
4. How We Use Your Data
We use your Personal Data for the following purposes:
- Providing the Service: Creating your account, managing your plantings, generating plans, tracking harvests, and delivering all platform features.
- Processing payments: Handling subscription billing through Stripe. Your payment data is transmitted directly to and processed by Stripe; we do not store card details on our servers.
- Communicating with you: Sending transactional emails (account confirmation, password resets, billing receipts), and — only with your consent — marketing and product update emails.
- Security & fraud prevention: Monitoring for suspicious activity, protecting against unauthorised access.
- Legal compliance: Meeting our obligations under Belgian and EU law.
5. Cookies & Tracking Technologies
We use cookies and similar technologies as described in our Cookie Policy. You can manage your cookie preferences at any time through our cookie banner or your browser settings.
We only place non-essential cookies after you have given explicit, opt-in consent, in accordance with the Belgian Act of 13 June 2005 on electronic communications and the GDPR.
6. Who We Share Your Data With
We do not sell your Personal Data. We may share it with the following recipients:
| Recipient | Purpose | Safeguards |
|---|---|---|
| Hosting provider | Storing data and running the Service | EU-based servers or Standard Contractual Clauses (SCCs) |
| Stripe, Inc. (payment processor) | Processing subscription payments securely | PCI DSS compliant; Data Processing Agreement; EU-U.S. Data Privacy Framework certified; SCCs in place. See Stripe's Privacy Policy. |
| Email service provider | Sending transactional and (with consent) marketing emails | Data Processing Agreement; SCCs where applicable |
| Legal authorities | When required by law or to protect our rights | Only in response to lawful requests |
All third-party processors are bound by Data Processing Agreements (Art. 28 GDPR) and are required to process your data only on our documented instructions.
7. International Data Transfers
7.1. We aim to keep your data within the European Economic Area (EEA). Where data is transferred outside the EEA — for example, by Stripe — we ensure an adequate level of protection through one or more of the following mechanisms:
- An adequacy decision by the European Commission (Art. 45 GDPR);
- Standard Contractual Clauses approved by the European Commission (Art. 46(2)(c) GDPR);
- Certification under the EU-U.S. Data Privacy Framework (applicable to Stripe).
7.2. You may request further information about the relevant safeguards by contacting us at support@cropnine.com.
8. How Long We Keep Your Data (Retention Periods)
| Data Type | Retention Period | Reason |
|---|---|---|
| Account data | Duration of account + 30 days after deletion request | Service provision, recovery period |
| Garden data (fields, plantings) | Duration of account + 30 days after deletion | Service provision |
| Payment & billing records | 7 years after the transaction | Belgian tax and accounting law (Art. III.86 Code of Economic Law) |
| Consent records | Duration of account + 3 years | Demonstrating GDPR compliance (accountability principle, Art. 5(2)) |
| Server logs | 90 days | Security monitoring, debugging |
| Marketing consent records | Duration of consent + 3 years after withdrawal | Proving lawful processing |
| Support communications | 2 years after last communication | Service quality, legal claims |
After the retention period expires, data is securely deleted or anonymised.
9. Your Rights Under GDPR
Under the GDPR, you have the following rights regarding your Personal Data:
| Right | Description | GDPR Article |
|---|---|---|
| Access | Obtain a copy of your Personal Data and information about how we process it | Art. 15 |
| Rectification | Correct inaccurate or incomplete Personal Data | Art. 16 |
| Erasure ("Right to be Forgotten") | Request deletion of your Personal Data (subject to legal retention obligations) | Art. 17 |
| Restriction of processing | Request that we limit processing of your data in certain circumstances | Art. 18 |
| Data portability | Receive your data in a structured, commonly used, machine-readable format (JSON/CSV) | Art. 20 |
| Object | Object to processing based on legitimate interest or for direct marketing purposes | Art. 21 |
| Withdraw consent | Withdraw consent at any time (without affecting the lawfulness of processing before withdrawal) | Art. 7(3) |
| Lodge a complaint | File a complaint with a supervisory authority | Art. 77 |
To exercise any of these rights, please contact us at support@cropnine.com. We will respond within 30 days (extendable by 60 days for complex requests, as permitted by Art. 12(3) GDPR). We may ask you to verify your identity before processing your request.
Right to Lodge a Complaint
If you believe that our processing of your Personal Data infringes the GDPR, you have the right to lodge a complaint with the Belgian Data Protection Authority:
- Gegevensbeschermingsautoriteit (GBA) / Autorité de protection des données (APD)
- Drukpersstraat 35 / Rue de la Presse 35, 1000 Brussels, Belgium
- Phone: +32 (0)2 274 48 00
- Email: contact@apd-gba.be
- Website: www.dataprotectionauthority.be
You may also lodge a complaint with the supervisory authority of the EU Member State where you reside or work.
10. Data Security
We implement appropriate technical and organisational measures to protect your Personal Data against unauthorised access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit (TLS/HTTPS) and at rest;
- Secure password hashing (bcrypt);
- Access controls and least-privilege principles;
- Regular security updates and monitoring;
- Data Processing Agreements with all processors (including Stripe).
While we take reasonable precautions, no method of transmission or storage is 100% secure. In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the Belgian Data Protection Authority within 72 hours (Art. 33 GDPR) and, where required, inform you without undue delay (Art. 34 GDPR).
11. Children's Privacy
The Service is not directed at children under 16 years of age (the minimum age under Belgian law for consenting to information society services, per Art. 8 GDPR and Belgian Royal Decree of 9 May 2018). We do not knowingly collect Personal Data from children under 16. If we become aware that we have collected data from a child under 16 without proper parental consent, we will delete it promptly.
12. Automated Decision-Making
We do not use your Personal Data for automated decision-making or profiling that produces legal effects concerning you or similarly significant effects (Art. 22 GDPR). Features like planting suggestions are tools for your consideration and do not constitute automated decisions.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or a prominent notice within the Service at least 30 days before the changes take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.
14. Contact Us
For any questions about this Privacy Policy or to exercise your data protection rights, please contact us:
- Trading name: One Pixel Off
- Address: Available on request — Kuurne, Belgium
- Enterprise number: BE 1023.838.760
- Email: support@cropnine.com