Data Protection Statement

This statement supplements our Privacy Policy with specifics about funder programme data — relevant to institutional partners (EU Green Deal, World Bank, bilateral donors, government ministries) who require documented data-handling commitments.

1. Lawful basis

We process farmer data on the following lawful bases:

• Consent, captured at enrolment by the nursery or programme officer.
• Contractual necessity, where a funder programme requires it for impact reporting.
• Legitimate interest, for ghost-farmer detection and fraud prevention, balanced against farmer rights.

2. Roles

• Data Controller: the nursery or programme that enrols the farmer.
• Data Processor: Nurseryz.io.
• Joint Controllers: where a programme has both a nursery and a funder, both are joint controllers for the slice of data they enrolled.

3. Sub-processors

The platform uses the following sub-processors. A current list with locations is available to funders on request. Material changes are notified 30 days in advance.

Sub-processor	Purpose	Region
Africa's Talking	SMS / USSD gateway	Kenya / East Africa
WhatsApp Business API	WhatsApp advisory channel	Meta (global)
Cloud hosting provider	Application + database hosting	Configurable (EU / East Africa)
Email service	Transactional + report delivery	EU

4. Security controls

• TLS 1.2+ for all data in transit.
• AES-256 encryption at rest.
• Role-based access control enforced at application and database layer.
• Cross-funder isolation: queries are scoped via a single trait (`BelongsToProgramme`) — no application path bypasses it.
• Audit log of all sensitive actions (programme creation, distribution edits, ghost-flag resolutions, report exports).
• Quarterly security review; vulnerability disclosure programme.

5. Data residency

By default, programme data is hosted in EU regions for funder convenience. For sensitive cohorts (e.g. national-security-flagged programmes or programmes with stricter local-residency clauses), we can host in East African data centres on request.

6. Cross-border transfers

Transfers outside Uganda occur for sub-processors (e.g. email service hosted in EU). These rely on Standard Contractual Clauses (SCCs) or equivalent legal safeguards.

7. Data subject rights

Farmers have the right to:

• Request access to their personal data.
• Request correction of inaccurate data.
• Request erasure (subject to retention obligations of the enrolling programme).
• Withdraw consent at any time by replying STOP to any SMS.
• Lodge a complaint with Uganda's Personal Data Protection Office.

8. Retention

Programme data is retained for the programme's active period plus a retention window required by the funder's audit policy (typically 7 years for World Bank / EU funded programmes). Beyond retention, records are anonymised — distribution counts and aggregate survival statistics remain for research and methodology work; identifying information is removed.

9. Incident response

Security incidents affecting personal data are reported to the controller within 72 hours of discovery. Material breaches are reported to Uganda's PDPO within 72 hours, and to EU funders' DPAs where their cohorts are affected.

10. Contact

Data protection enquiries: dpo@nurseryz.io