GDPR Compliance
How Koru Farm complies with the General Data Protection Regulation to protect your personal data.
Koru Farm OÜ ("Koru Farm", "we", "us", or "our") is committed to full compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"). This page outlines our approach to data protection, your rights as a data subject, and how we implement GDPR principles across our agricultural management platform.
Data controller
Koru Farm OÜ acts as the data controller for the personal data collected through our platform. This means we determine the purposes and means of processing your personal data.
- Company: Koru Farm OÜ
- Email: privacy@koru.farm
Legal bases for processing
We process your personal data based on the following legal grounds:
- Contract performance: Processing necessary to provide you with our agricultural management services, including account management, farm data processing, and SIEX compliance reporting.
- Legal obligation: Processing required to comply with EU and Spanish agricultural regulations, including data retention requirements under Real Decreto 1054/2022.
- Legitimate interests: Processing for platform improvement, security monitoring, and fraud prevention, balanced against your rights and freedoms.
- Consent: Processing based on your explicit consent, such as marketing communications and optional analytics. You can withdraw consent at any time.
Data we process
Personal data
We process the following categories of personal data:
- Identity data: name, username, and professional role.
- Contact data: email address and phone number.
- Account data: login credentials and account preferences.
- Voice data: recordings from the Voice AI assistant (processed with your consent).
Farm and agricultural data
In addition to personal data, we process agricultural data that may be associated with your identity:
- PAC document data and parcel references.
- Treatment records and product usage logs.
- SIGPAC map references and crop information.
- Stock and inventory records.
- Worker and equipment data.
Data protection measures
We implement comprehensive technical and organisational measures to protect your data:
- Encryption: All data is encrypted at rest (AES-256) and in transit (TLS 1.3).
- Access controls: Role-based access ensures only authorised personnel can access personal data.
- Data minimisation: We collect only the data necessary to provide our services.
- Regular audits: We conduct periodic security assessments and vulnerability testing.
- EU data residency: All data is stored and processed within the European Union.
Your rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access — You can request a copy of all personal data we hold about you.
- Right to rectification — You can request correction of inaccurate data.
- Right to erasure — You can request deletion of your personal data, subject to legal retention obligations.
- Right to restriction — You can request that we limit how we process your data.
- Right to data portability — You can request your data in a structured, machine-readable format.
- Right to object — You can object to processing based on legitimate interests.
- Right regarding automated decisions — You have the right not to be subject to decisions based solely on automated processing.
How to exercise your rights
To exercise any of your GDPR rights, please contact us at privacy@koru.farm. We will respond to your request within 30 days as required by the GDPR. We may request verification of your identity before processing your request.
Data retention
We retain personal data for the following periods:
- Account data: for the duration of your account plus 30 days after deletion.
- Farm and treatment data: minimum 5 years as required by Spanish agricultural regulations.
- Voice recordings: until you delete them, or 12 months after your last use of the Voice AI feature.
- Analytics data: 26 months from collection.
International data transfers
Your data is processed and stored within the European Union. If any data transfer outside the EU is necessary (e.g., for specific cloud services), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission.
Data breach notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, as required by Articles 33 and 34 of the GDPR.
Contact and complaints
If you have questions about our GDPR compliance or wish to file a complaint, you may:
- Contact us at privacy@koru.farm
- Lodge a complaint with your local data protection supervisory authority.
