Cropwise Open Privacy Notice

Version Date: January 2026

1. Introduction

Please take a few minutes to review this Privacy Notice carefully. We reserve the right to make changes to this Privacy Notice when we release updated versions of the Products or new Products. If we do so, we will notify you before your first use of the updated version of the Products or new Products.

In this Privacy Notice we use certain defined terms, which we have capitalised. These terms have the meaning given to them in our Terms & Conditions, which form part of the Agreement between us and you. You should also review any Commercial Offer Terms that form part of our Agreement.

Data Controller. The data controller is Syngenta Agro AG, a company duly organized and existing under the laws of Switzerland with registered seat at Schaffhauserstrasse 101, 4332 Stein, Switzerland, referred to as "Syngenta," "we," "us," "our."

Scope. This Privacy Notice covers personal data that is processed in conjunction with your use of the Products through any of our channels, including: mobile applications, websites, related products and connected services, and third-party integrations such as APIs deployed by a developer. Personal data is data that relates to you, where you are an identified or identifiable individual.

Where our services are provided through another organisation (such as a developer or business partner), that organisation may also act as a data controller and provide you with their own privacy notice.

The Products are provided to business customers only, subject to our Agreement. Consequently, your personal data will be processed by us where you are authorised to use a Product on behalf of a Business (see our Terms & Conditions for more information).

2. Personal data processing

Syngenta is the 'data controller' where we collect and use your personal data for our own purposes, as set out in the table below. However, the Business is the data controller (and Syngenta is the data processor) in respect of other data processing activities – see the section below the table on Syngenta's activities as data processor.

Syngenta's activities as data controller
Type of personal data	Purposes	Lawful grounds
Your name, email address, business name, a description of who you are, business address, telephone number, password for your Account.	If you are the Account Holder, we use this personal data to register and set up your Account and provide the Products. If you are a User, we use this personal data to set up your access to an Account (as authorised by the Account Holder or Master User) and to provide the Products.	Where you contract with us as an individual, e.g. as a sole trader the lawful ground is performance of the contract. Where your company or other legal entity contracts with us the lawful ground is our legitimate interests in creating accounts to ensure a user is authorised, and to distinguish between users / devices.
Your name, email address, payment card information, amount paid, date of purchase, IP address, country.	Our payment services provider uses this personal data to process payments securely on our behalf and to detect and prevent fraud and unauthorised payment transactions.	Where you contract with us as an individual, e.g. as a sole trader the lawful ground is taking payment under the contract (for example, under a Commercial Offer). Where your company or other legal entity contracts with us the lawful ground is our legitimate interests in taking payment under the contract (for example, under a Commercial Offer).
Your name, email address, business name, a description of who you are, business address, telephone number.	We use this personal data to communicate with you via email, text or in app notifications about updates to the Product or other important functional service messages.	Our legitimate interests in informing you about matters which are relevant to your use of the Products.
Your name, email address, business name, a description of who you are, business address, telephone number, password for the Account.	We use this personal data to provide technical and customer support.	Where you contract with us as an individual, e.g. as a sole trader the lawful ground is performance of the contract (specifically resolving your questions and issues). Where your company or other legal entity contracts with us the lawful ground is our legitimate interests in resolving questions and issues for our users.
Your name, email address, business name, a description of who you are, business address, telephone number.	We use this personal data to send you user satisfactions surveys and to ask for your feedback about the Products.	Our legitimate interests in improving the Products for you and for future users.
For Product mobile apps, the date and time the app accesses our servers as well as what information and files have been downloaded to the app.	We use this information for maintenance of the app, for statistical purposes about the usage of these apps in order to improve their functionality, to understand how they are used and resolve questions regarding their use and for security purposes. The developer of your mobile operating system (e.g. Apple; Google) may also collect app usage data. You should refer to their privacy notices and policies for more information.	Our legitimate interests in: (i) understanding how our apps are used in order to make improvements to them; and (ii) identifying and combatting security threats to our apps and our users.
If you use an online service in connection with a Product, the following will be collected: computer type (Windows or Macintosh), operating system name and version, language, internet browser type and version and the name and version of the online services you are using, IP address, the page(s) visited, time visited.	We use this information to provide the Products to our users, to ensure they work properly, to calculate usage level, to help diagnose server problems, for statistical purposes about usage of online services and for security purposes.	Our legitimate interests in: (i) understanding how our online services are used in order to make improvements to them; and (ii) identifying and combatting security threats to our online services and our users.
Contact information, as well as information about how you use the Products.	Customer profiling and marketing - we will process this data (and other information that you have provided to us through using other Syngenta products or services) to understand how you have used the Products, and what your agricultural needs are. We may then contact you (as a representative of your Business) with relevant information about other Syngenta products and services we think may be of interest to your Business. Where required by applicable law, we will obtain your consent for marketing purposes. In any case, you can stop direct marketing at any time by contacting us as set out below, or by using the unsubscribe link in our emails.	Our legitimate interests in marketing our products and services. Consent, where this is required under applicable law for the purposes of direct marketing.
Your name, email address, business name, a description of who you are, business address, telephone number.	We use software and tools containing Artificial Intelligence (AI) for business efficiency in analysis and reporting processes. If inputting any personal data (where necessary) in connection with such AI tools, we will ensure compliance with data protection legislation.	Our legitimate interests in improving the Products and service provided to you and for future users.
Name, email and device specific identifiers, (computer type (Windows or Macintosh), operating system name and version, language, internet browser type and version and the name and version of the online services you are using, IP address, the page(s) visited, time visited.	We use "cookies" and other similar technologies to collect information and support certain features of our Products. We use this information to provide the Products (including mobile apps) to our users, for maintenance, to ensure the Products work properly, to calculate usage level, for statistical purposes about the usage of our Products and online services in order to improve their functionality, to help diagnose server problems, to understand how our Products are used, to resolve questions regarding their use and for security purposes.	The legal basis for processing activities related to essential cookies is our legitimate interest in providing our Products to our users. The legal basis for processing activities related to non-essential cookies is your consent.

Syngenta as data processor

Please note that when you use the Product as an authorised User on behalf of a Business, in respect of any personal data that you submit when using the Products (including as part of Your Inputs), the relevant data controller is the Business. We are the data processor when we use the personal data you submit to deliver the service and Outputs.

For example, a Product may allow you to enter information about your location, in-field observations or to upload imagery. Further, a Product may have GPS functionality which can track the location of the device when the Product is in use or track the location of farm machinery. We use some or all this information as a data processor to help deliver the service offered by the Product and to produce the Outputs for the Business (our "customer").

Please refer to the privacy notice(s) of the Business (the data controller) for more information about this processing, including how to exercise your rights.

Service providers and partners

We share personal data with companies and organisations that we work with for the purposes set out above. These third parties are required by contract to use the personal data we share with them only for the purposes that we have specified and to take commercially reasonable measures to protect the confidentiality and security of your personal data.

Transfers outside your country and outside the European Economic Area

We may transfer your personal data to recipients in countries outside your country and outside the European Economic Area ("EEA"). We ensure that personal data will be adequately protected, including by ensuring that the recipient country is deemed to provide an adequate level of protection under applicable data protection laws and, if that is not the case, ensuring that we put appropriate safeguards in place such as standard data protection transfer clauses.

For more information on the European Commission's standard contractual clauses see:

https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en

Intra-group transfers within Syngenta

Our parent company, Syngenta AG, is a Swiss corporation based in Basel, Switzerland ("Syngenta Parent"). Syngenta Parent has concluded Intragroup Data Transfer Agreements (IDTAs) with many of its subsidiaries (Syngenta DP Network), including us, to enable the effective transfer and processing of personal data. We use web servers, store and otherwise process personal data within the Syngenta DP Network in countries within the EEA and also in countries outside the EEA, including the UK, Switzerland, and the United States.

Transfers to Third parties

We may transfer or otherwise make personal data available to service providers, who process your personal data under our instructions to help us to deliver the services offered by our Products, and to carry out the purposes listed in section 2 above. These service providers include:

Amazon Web Services, Inc (AWS), 410 Terry Avenue North, Seattle, WA 98109-5210, USA provides hosting services in the USA that support the underlying infrastructure for our platform and products. The appropriate safeguard in place is the adequacy decision adopted by the European Commission (the EU-U.S. Data Privacy Framework) for transfers outside the EEA. Amazon Web Services complies with the EU-U.S. Data Privacy Framework ("EU-U.S. DPF"), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce (as applicable). For more information, please see the following links:
https://aws.amazon.com/compliance/gdpr-center/ (opens in new tab)
Amplitude Inc., 631 Howard St., Floor 5, San Francisco, CA 94105, USA provides usage analysis services by processing device data (device model, OS version, country, and region) in the USA. The appropriate safeguard in place is the adequacy decision adopted by the European Commission (the EU-U.S. Data Privacy Framework) for transfers outside the EEA. Amplitude complies with the EU-U.S. Data Privacy Framework ("EU-U.S. DPF"), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce (as applicable). For more information, please see this link:
https://amplitude.com/blog/data-minimization (opens in new tab)
Braintree, a PayPal Service, PayPal (Europe) S.à r.l. et Cie, S.C.A.22-24 Boulevard Royal, L-2449 Luxembourg PayPal provides us with payment services and is an independent controller alongside us. The appropriate safeguards in place are the EU standard contractual clauses ("EU Standard Contractual Clauses") or standard data protection clauses specified in regulations made by the Secretary of State under section 17C(b) of the 2018 Data Protection Act and for the time being, in force in the United Kingdom (the "UK Standard Contractual Clauses) where the third country is not subject to an adequacy decision by the European Commission. For more information, please see the PayPal Data Protection Addendum For Card Processing Products:
https://www.braintreepayments.com/be/legal/data-protection-addendum (opens in new tab)
Datadog Inc., 620 8th Ave., 45th Fl., New York, NY 10018 USA, a Delaware corporation We subscribe to Datadog's services (under their standard Master Subscription Agreement) for business and technical event tracking of our cloud-based applications to help us understand usage and improve our users' experience with our Products. For these purposes, we may send Datadog the following account information such as name, pseudonymised user ID and IP address which they may process in the USA. Processing of personal data will be in accordance with Datadog's standard Data Processing Addendum. The appropriate safeguard in place is the adequacy decision adopted by the European Commission (the EU-U.S. Data Privacy Framework) for transfers outside the EEA and the UK. Datadog complies with the EU-U.S. Data Privacy Framework ("EU-U.S. DPF"), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce (as applicable). For more information, please see:
Datadog's Master Subscription Agreement (opens in new tab)
Datadog's Data Processing Addendum (opens in new tab)
Google Cloud, https://cloud.google.com/terms/google-entity (opens in new tab) provides hosting services that support the underlying infrastructure for our platform and products. The appropriate safeguards in place for transfers of personal data to any other country than those within the EU/EEA or subject to an adequacy decision by the European Commission are the EU Standard Contractual Clauses as specified in the Cloud Data Processing Addendum. For more information, please see this link
https://cloud.google.com/terms/data-processing-addendum (opens in new tab)
OneSignal, a U.S. company located at 2850 S Delaware St Suite 201, San Mateo, CA 94403 OneSignal provides business and technical event tracking of applications to understand usage and improve our users' experience with our Products. The appropriate safeguard in place is the adequacy decision adopted by the European Commission (the EU-U.S. Data Privacy Framework) for transfers outside the EEA or UK. OneSignal complies with the EU-U.S. Data Privacy Framework ("EU-U.S. DPF"), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce (as applicable). For more information, please see this link:
https://onesignal.com/privacy_policy (opens in new tab)
Pendo.io Inc., 301 Hillsborough St, Suite 1900, Raleigh, NC 276031, USA processes device data in order to provide us with usage statistics for the platform which hosts our Products. The appropriate safeguards in place include the standard contractual clauses approved by the European Commission for transfers outside the EEA or the UK and/or other adequate safeguards. For more information, please see these links:
https://www.pendo.io/legal/privacy-policy/ (opens in new tab)
https://www.pendo.io/legal/data-processing-addendum/ (opens in new tab)
ProdPad by CreateShift Ltd, a UK registered company (8092272) with the registered office 11 Kingsley Court, 142 Kings Road, Brighton, BN1 2LP is used by us to review and understand customer feedback and plan Product improvements. Personal data is processed in the EEA. For more information, please see these links:
Privacy Policy and Customer Data (prodpad.com) (opens in new tab)
Terms of Service | ProdPad (opens in new tab)
Sentry, Functional Software Inc., 132 Hawthorne St. San Francisco, CA 94107, USA provides usage analysis services by processing device data (device model, OS version, country, and region) in the USA. The appropriate safeguard in place is the adequacy decision adopted by the European Commission (the EU-U.S. Data Privacy Framework) for transfers outside the EEA or UK. Sentry complies with the EU-U.S. Data Privacy Framework ("EU-U.S. DPF"), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce (as applicable). For more information, please see this link:
https://sentry.io/legal/dpa/5.0.0/ (opens in new tab)
Smartlook.com, s.r.o., ID No.: 095 08 830, registered office at: Šumavská 524/31, Veveří, 602 00 Brno, Czech Republic Smartlook provides qualitative website and mobile app analytics and the Service with various modules which include, but are not limited to visitor recordings (user replay), automatic event tracking, conversion funnels, and heatmaps for websites. Data is stored in EU. For more information, please see this link:
Terms of Service | Smartlook Help Centre (opens in new tab)
Google Ireland Limited, incorporated and operating under the laws of Ireland (Registered Number: 368047), Gordon House, Barrow Street - Dublin 4, Ireland We use Firebase to track, prioritise, and fix stability issues that impact app quality, collecting device and application data, to improve the service provided to the user. For more information, please see this link:
Crashlytics and App Distribution Data Processing and Security Terms (google.com) (opens in new tab)
Yara, Yara International ASA, Drammensveien 131, 0277 Oslo, Norway We use Yara to integrate the crop nutrition expertise offered by them into our service to provide field-specific advice throughout the crop cycle. The appropriate safeguards in place are the EU Standard Contractual Clauses where a transfer takes place to a country outside the EEA that is not subject to an adequacy decision by the European Commission. For more information, please see the following links:
Privacy Policy Yara Digital Farming privacy policy | Yara International (opens in new tab)
Yara Data Processor Agreement (opens in new tab)
Zendesk Inc, a Delaware corporation Zendesk provides us with software which is designed to improve customer relationships through management and resolution of user queries and issues (customer service ticketing). The appropriate safeguard in place is the adequacy decision adopted by the European Commission (the EU-U.S. Data Privacy Framework) for transfers outside the EEA or UK. Zendesk complies with the EU-U.S. Data Privacy Framework ("EU-U.S. DPF"), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce (as applicable). For more information, please see this link:
https://www.zendesk.co.uk/company/agreements-and-terms/privacy-notice/#georedirect (opens in new tab)

Business transfers

Your personal data may be transferred to a company that acquires, or considers acquiring, the stock or assets of, or invests in, Syngenta, the Syngenta Parent, one of its affiliates, or one of our businesses (or that company's advisors, lenders or auditors), for example, as the result of a sale, merger, reorganisation or liquidation. The legal basis for this data processing is that we have a legitimate interest in being able to sell or acquire investment in our business. If such a transfer occurs, the acquiring company's use of your personal data would still be subject to this Privacy Notice and the privacy preferences you have expressed to us.

Compliance with laws and protection of our rights and the rights of others

We may disclose personal data when this is necessary to comply with the law, a court order, a request from a regulator or a subpoena. The legal basis for this data processing is that it is necessary for compliance with a legal obligation to which we (the data controller) are subject, otherwise that we have a legitimate interest in complying with lawful requests from public authorities. Before disclosing personal data, or making personal data available to, public authorities in third countries, we will consider our obligations to provide an adequate level of protection for the data, except where relevant derogations exist.

We may also disclose personal data: (i) to prevent or investigate a possible crime, such as fraud or identity theft (the legal basis being that we have a legitimate interest in protecting ourselves from crime and enforcing or defending our rights); (ii) to enforce or apply our online terms of use or other contractual relationship with you (the legal basis being that it is necessary for the performance of a contract with you (where we contract with you as a sole trader) or it is otherwise in our legitimate interest to do so; or (iii) to protect our own rights or property or the rights, property or safety of our users or others (the legal basis being that we have a legitimate interest in doing so).

4. How can you exercise your rights in relation to your personal data?

We strive to maintain a high level of transparency about the data we process. As regards our processing of your personal data described in this Privacy Notice, you have the following rights:

To confirm Syngenta is processing your personal data, to get access to or receive a copy of the personal data we may have about you;
To require us to rectify or update any inaccurate personal data, or complete any incomplete personal data;
To require us to delete or erase your personal data;
To restrict our processing of your personal data;
To require us to transmit certain of your personal data to you or to transfer or have them transferred to another data controller (data portability);
To object to our processing of your personal data on a legitimate interests basis. If we agree with your objection then, subject to other legitimate interests which we may be able to rely on (e.g. in the context of legal claims pending or threatened against us), we will then no longer be allowed to process your personal data;
To require that we stop processing your personal data for direct marketing purposes; and
To withdraw your given consent at any time without affecting the lawfulness of the processing based on consent until withdrawal.

Certain rights are subject to restrictions or limitations, and their availability may depend on the lawful basis we rely on to process your personal data (see section 2 above). Further, we may rely on applicable exemptions under applicable law in order to deny part or all of your request. If we do so, we will inform you when responding to your request.

If you wish to exercise any of your above rights, you can contact us as follows:

You can contact our Data Privacy Office at data_privacy.office@syngenta.com or via post at the address for Syngenta given in the Introduction section at the beginning of this Privacy Notice.

We will respond to your reasonably specified request as quickly as possible after validating the request.

5. How to delete your Account? How long does Syngenta store your personal data?

Subject to the below, we intend to store your personal data only for so long as you have an Account (if your Business is an Account Holder) or for so long as you are an authorised User of an Account. Syngenta will delete Accounts if the Products are not used for thirty-six months unless applicable law requires a longer data retention period.

Please note that removing the Products from your device will not delete the Account. The Account will remain active unless the Account Holder asks for deletion by emailing support@cropwise.com. Subject to the below, deletion of an Account Holder's Account will delete the personal data of Users. However, we may retain non-personal data after the Account has been deleted.

For evidentiary purposes, in particular to be prepared for legal disputes or complaints, we may store certain personal data (such as a record of your identity and the fact that you were a User of our Products) for a period of time after deletion of an Account that you had access to as a User as long as this is permissible and necessary given the statutes of limitations in your country, so our retention period may vary depending on the circumstances. However, in such cases we will no longer actively process the personal data for the originally specified purpose, but only for the purpose mentioned above. Further we will limit access to your personal data on that basis. The legal basis for such processing is that is it necessary for our legitimate interest in establishing, exercising, or defending our rights. We may also retain your personal data after deletion of your Account, if necessary, to comply with an applicable legal obligation.

6. Questions, concerns, and complaints concerning our privacy practices

Should you have any questions, you can contact our Data Privacy Office at data_privacy.office@syngenta.com or by writing to the address for Syngenta given in the Introduction section at the beginning of this Privacy Notice. You also have a right to lodge a complaint with the relevant supervisory authority.