Privacy Policy


Agrocore Agricultural Marketplace Platform

Effective Date: May 2026

  1. INTRODUCTION AND IDENTITY OF THE DATA CONTROLLER
    This Privacy Policy describes how Kidz Tales OÜ (registry code 17222377, registered at
    Sakala tn 7-2, 10141, Tallinn, Estonia) (“we,” “us,” “our,” “Agrocore,” or the “Company”), as
    the data controller, collects, uses, stores, transfers, and protects your personal data when
    you access or use the Agrocore agricultural marketplace platform, accessible via the iOS
    and Android mobile applications and the website Agrocore.io (collectively, the “Platform”).
    This Policy is issued in compliance with the General Data Protection Regulation (EU)
    2016/679 (GDPR), the Estonian Personal Data Protection Act, and all other applicable data
    protection laws. It applies to all Users of the Platform globally, with particular protections
    afforded to Users located in the European Economic Area (EEA).
    If you have any questions about this Privacy Policy or our data processing practices, please
    contact us at legal@agrocore.io.
  2. PERSONAL DATA WE COLLECT
    2.1 Account Registration Data
    When you create a Personal Account on the Platform, we collect:
  • First name and last name
  • Email address
  • Password (stored in encrypted form)
  • Profile image (optional, if uploaded)
    2.2 Business Profile Data
    If you create a Business Profile, we may additionally collect:
  • Company name and trading name
  • Tax identification number or company registration number
  • Company description and business information
  • Product, machinery, and service listings
  • Images and media uploads
  • Certificates and compliance documents (e.g. Organic, GlobalGAP, ISO)
  • Official company registration documents (Premium users, for verification purposes)
  • Phone number (only if voluntarily enabled by you; visible only to Premium users)
  • Links to external websites and social media profiles
    2.3 Usage and Interaction Data
    When you use the Platform, we and our service providers automatically collect:
  • Device type, operating system, and browser type
  • IP address and general geographic region (country/city level)
  • Session duration and frequency of access
  • Screen and page interactions, clicks, and navigation paths
  • App and website usage behaviour and patterns
  • Search queries and Listing interactions
  • Saved, favourited, or bookmarked content
  • Crash reports and performance diagnostics
    2.4 Communication Data
    When you use the in-platform chat system, we process the content of messages for the
    purpose of delivering the communication service. Messages are automatically and
    permanently deleted after 60 days from the date of transmission. We do not read, analyse,
    or use the content of private messages for commercial purposes except as required by law.
    2.5 Support and Correspondence Data
    When you contact us for support, submit reports, or send inquiries, we process the personal
    data contained in your correspondence, including your name, email address, and the content
    of your communication.
    2.6 Payment Data
    For Premium Subscriptions purchased through the mobile applications, payment processing
    is handled exclusively by Apple App Store and Google Play Store. For website subscriptions,
    payments are processed by Stripe through its hosted checkout. The Company does not
    receive, process, or store your payment card or financial account details. Such data is
    processed directly by the respective payment processor subject to their privacy terms.
    2.7 Data You Provide for AI Verification
    Where you upload official documents for AI-assisted verification purposes, those documents
    are processed for the limited purpose of verification and metadata extraction. Such
    documents are not shared with third parties except as required for the verification process.
    Documents uploaded for AI-assisted verification are processed via Google Document AI.
    This process is used to verify the authenticity of certificates and extract relevant business
    metadata. Google processes this data as a sub-processor under strict data processing
    agreements that ensure compliance with GDPR.
  3. LEGAL BASIS FOR PROCESSING
    We process your personal data on the following legal bases under Article 6 GDPR:
    Contract Performance (Art. 6(1)(b)): To create and manage your account, deliver Platform
    services, process Premium Subscriptions, provide in-platform communication features, and
    fulfil our obligations to you under the Terms and Conditions.
    Legitimate Interests (Art. 6(1)(f)): To operate, maintain, and improve the Platform; to ensure
    security and prevent fraud and abuse; to conduct analytics and optimise performance; and to
    operate AI recommendation systems that personalise your experience. We conduct
    balancing tests to ensure our legitimate interests do not override your fundamental rights.
    Legal Obligation (Art. 6(1)(c)): To comply with applicable laws, including tax obligations,
    anti-money laundering requirements, and to respond to lawful requests from public
    authorities or courts.

Consent (Art. 6(1)(a)): Where required, for example for non-essential cookies and tracking
technologies. You may withdraw consent at any time without affecting the lawfulness of
processing prior to withdrawal.

  4. PURPOSES OF PROCESSING
    We process your personal data for the following purposes:
  • Creating and managing your Personal Account and Business Profile
  • Enabling access to Platform features and services
  • Processing and managing Premium Subscriptions
  • Facilitating in-platform text communication between Users
  • Displaying Business Profiles, Listings, and certifications publicly on the Platform
  • Operating AI-driven recommendation systems based on your activity and
    preferences
  • Conducting analytics to understand Platform usage and improve user experience
  • Monitoring for and preventing fraud, abuse, phishing, and other harmful conduct
  • Investigating reports submitted by Users and enforcing our Terms and Conditions
  • Conducting AI-assisted verification of uploaded certificates and documents
  • Communicating with you regarding your account, subscriptions, and support requests
  • Complying with legal obligations and responding to lawful authority requests
  • Protecting the rights, property, and safety of the Company, Users, and third parties
  5. ANALYTICS AND TRACKING SERVICES
    We use the following third-party analytics and performance monitoring services:
    Google Analytics: Used to collect and analyse aggregated usage data about how visitors
    interact with the Platform, including session data, page views, geographic information, and
    device details. Google Analytics uses cookies and similar tracking technologies. Further
    information is available at https://policies.google.com/privacy.
    Firebase Analytics: Provided by Google LLC, used for in-app analytics, performance
    monitoring, and crash reporting. Firebase collects usage events, session data, and technical
    diagnostics. Further information is available at https://firebase.google.com/support/privacy.
    Crash Reporting and Performance Monitoring Tools: Used to identify technical issues,
    monitor Platform stability, and improve user experience.
    Where required under applicable law, your consent will be sought before any non-essential
    analytics data is collected, in accordance with our Cookie Policy.
  6. AUTOMATED PROCESSING AND AI SYSTEMS
    The Platform operates artificial intelligence systems for two purposes: (i) a recommendation
    engine that analyses your usage behaviour to personalise product and service suggestions,
    and (ii) an AI-assisted document verification tool that processes uploaded certificates for
    metadata extraction and verification support.

These AI systems do not make legally significant decisions about you, do not constitute
profiling for purposes beyond Platform optimisation, and do not produce legal effects against
you. In all cases, human oversight is maintained over significant outcomes.
Where required under Articles 13, 14, and 22 of the GDPR, we will provide specific
disclosures regarding automated processing, including information on the logic involved and
the significance of such processing for you.

  7. DISCLOSURE OF PERSONAL DATA
    7.1 Third-Party Service Providers
    We engage third-party service providers to assist in operating the Platform. These providers
    process personal data solely on our behalf and pursuant to our instructions, under binding
    data processing agreements. They include:
  • Google LLC (Firebase, Google Cloud, Google Maps, Google Analytics, Google Ads) –
    for cloud infrastructure, analytics, maps, and advertising services
  • Stripe, Inc. – for payment processing on the website
  • Apple Inc. – for payment processing on iOS
  • Google LLC – for payment processing on Android (Google Play Store)
  • Other infrastructure, security, and operational service providers as necessary
  • Google Cloud / Google Document AI: Used for secure document storage and
    automated metadata extraction from uploaded certificates and identity documents.
    7.2 Public Disclosure
    Certain information you provide is publicly visible on the Platform by design, including your
    Business Profile, Listings, company descriptions, and uploaded certificates. You control what
    information you choose to publish. Phone numbers are visible only if you choose to enable
    this feature, and only to Premium users.
    7.3 Legal and Regulatory Disclosure
    We may disclose personal data to competent authorities, regulators, law enforcement, or
    courts where required by law or where reasonably necessary to: comply with a legal
    obligation; protect and defend our legal rights or those of third parties; prevent, detect, or
    prosecute fraud, abuse, or criminal conduct; or protect the vital interests of any person.
    7.4 Business Transfers
    In the event of a merger, acquisition, corporate restructuring, or sale of assets, personal data
    may be transferred to a successor entity, subject to continued protections consistent with
    this Privacy Policy.
    7.5 No Sale of Data
    The Company does not sell, rent, or trade your personal data to third parties for their own
    marketing or commercial purposes.
  8. INTERNATIONAL DATA TRANSFERS
    Agrocore is intended for global use. Where personal data is transferred outside the
    European Economic Area (EEA) or to countries not recognised by the European
    Commission as providing adequate data protection, we ensure that appropriate safeguards
    are in place, including:
  • Standard Contractual Clauses (SCCs) approved by the European Commission;
  • Binding Corporate Rules where applicable;
  • Transfers to processors who participate in recognised adequacy frameworks.
    In particular, services provided by Google LLC and Stripe involve international transfers of
    data. These providers rely on the applicable SCCs and supplementary measures to ensure
    adequate protection. You may obtain a copy of the applicable transfer safeguards by
    contacting legal@agrocore.io.
  9. DATA RETENTION
    We retain personal data only for as long as necessary to fulfil the purposes for which it was
    collected, or as required by law. Our principal retention periods are:
  • Account data: Routine account data is deleted or anonymised within 90 days
    following account closure. However, specific financial records, consent logs, and data
    necessary for security, fraud prevention, or legal compliance may be retained for up
    to 3 to 7 years depending on applicable statutory requirements.
  • Business Profile and Listing data: Retained for the duration of the active listing or
    profile, and for up to 2 years following deletion, subject to legal retention
    requirements.
  • Chat messages: Automatically and permanently deleted after 60 days from the date
    of transmission.
  • Support and correspondence data: Retained for up to 3 years from the date of last
    communication.
  • Analytics and usage data: Retained in aggregated or pseudonymous form for up to
    26 months, subject to applicable cookie and tracking consents.
  • Payment records: Retained for the period required by applicable tax and financial
    regulations, generally up to 7 years.
  • Legal compliance data: Retained for as long as required by applicable law.
    Upon account deletion via the in-platform ‘Delete My Data’ functionality or upon request, we
    will delete or anonymise your personal data within a reasonable period, subject to applicable
    legal retention obligations.
  10. YOUR DATA SUBJECT RIGHTS
    As a data subject, you have the following rights under the GDPR:
    Right of Access (Art. 15): You have the right to obtain confirmation of whether we process
    personal data concerning you and, if so, to receive a copy of that data along with information
    about how it is processed.
    Right to Rectification (Art. 16): You have the right to request correction of inaccurate or
    incomplete personal data we hold about you.
    Right to Erasure (Art. 17): You have the right to request deletion of your personal data in
    certain circumstances, including where the data is no longer necessary for the purposes for
    which it was collected, or where you withdraw consent. You may use the in-platform ‘Delete
    My Data’ or ‘Delete Company’ functionality, or submit a request to legal@agrocore.io.

Right to Restriction of Processing (Art. 18): You have the right to request that we restrict
processing of your personal data in certain circumstances, for example while a rectification
request is being assessed.
Right to Data Portability (Art. 20): Where processing is based on consent or contract and
carried out by automated means, you have the right to receive your personal data in a
structured, commonly used, machine-readable format and to transmit it to another controller.
Right to Object (Art. 21): You have the right to object to processing based on legitimate
interests, including profiling. You also have an absolute right to object to processing for
direct marketing purposes.
Rights in Relation to Automated Decision-Making (Art. 22): You have the right not to be
subject to a decision based solely on automated processing, including profiling, which
produces legal or similarly significant effects concerning you.
Right to Withdraw Consent: Where processing is based on consent, you may withdraw your
consent at any time without affecting the lawfulness of processing carried out prior to
withdrawal.
Right to Lodge a Complaint: You have the right to lodge a complaint with the competent
supervisory authority. In Estonia, the supervisory authority is the Estonian Data Protection
Inspectorate (Andmekaitse Inspektsioon), reachable at www.aki.ee. You may also contact
the supervisory authority in your EU Member State of habitual residence, place of work, or
place of the alleged infringement.
To exercise any of your rights, please submit a written request to legal@agrocore.io. We will
respond within 30 days of receipt of your request. Where requests are complex or
numerous, we may extend this period by a further 60 days, of which we will inform you.
10.1 Additional Disclosures for California Residents
Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act
(CPRA), California residents have specific rights regarding their personal information:
  • Right to Know: You have the right to request that we disclose what personal
    information we collect, use, disclose, and “sell” (as defined by California law).
  • Right to Opt-Out of Sale or Sharing: Agrocore does not sell your personal data
    for money, nor do we currently “share” personal information for cross-context
    behavioral advertising.
  • Right to Non-Discrimination: We will not discriminate against you for exercising
    any of your CCPA rights.
To exercise these rights, please contact us at legal@agrocore.io with the subject line
“California Privacy Rights Request”.

10.2 Rights of Brazilian Residents (LGPD)
If you are a resident of Brazil, the processing of your personal data is governed by the Lei
Geral de Proteção de Dados Pessoais (LGPD). In addition to the rights listed in Section 10,
you have the right to request:
  • Confirmation of the existence of data processing;
  • Anonymization, blocking, or deletion of unnecessary or excessive data;
  • Information about public and private entities with which we have shared your data.
To exercise your LGPD rights, contact our Data Protection Officer at
privacy@agrocore.io.

  11. DATA SECURITY
    We implement and maintain appropriate technical and organisational security measures to
    protect your personal data against unauthorised access, accidental loss, destruction, or
    alteration. These measures include, without limitation: encryption of stored and transmitted
    data, access controls and authentication, regular security testing, and secure cloud
    infrastructure provided by Google Cloud.
    Notwithstanding the above, no data transmission over the internet or storage system can be
    guaranteed to be 100% secure. In the event of a personal data breach that is likely to result
    in a risk to your rights and freedoms, we will notify the relevant supervisory authority within
    72 hours of becoming aware of the breach, and, where required, will notify affected data
    subjects without undue delay.
  12. CHILDREN’S PRIVACY
    The Platform is not directed at and may not be used by persons under the age of 18. We do
    not knowingly collect personal data from children. If we become aware that we have
    inadvertently collected personal data from a person under 18, we will take immediate steps
    to delete that data. If you believe we may hold personal data about a person under 18,
    please contact us at legal@agrocore.io.
  13. COOKIES AND TRACKING TECHNOLOGIES
    We use cookies and similar tracking technologies on the Platform. Full details of the cookies
    we use, their purposes, and how to manage your cookie preferences are set out in our
    Cookie Policy, which is available on the Platform and incorporated herein by reference.
  14. THIRD-PARTY LINKS AND EXTERNAL PLATFORMS
    The Platform may contain links to external websites and social media profiles submitted by
    Users, and integrates with Third-Party Services. These third parties operate under their own
    privacy policies, which we encourage you to review. The Company is not responsible for the
    data processing practices of any third party.
  15. CHANGES TO THIS PRIVACY POLICY
    We may update this Privacy Policy from time to time. Where changes are material, we will
    provide advance notice of at least 14 days via the Platform, by email to your registered
    address, or by in-app notification. The effective date at the top of this Policy reflects the date
    of the most recent revision. Your continued use of the Platform following notice of changes
    constitutes your acceptance of the updated Policy.

CONTACT AND DATA CONTROLLER DETAILS
For any questions, concerns, or requests relating to this Privacy Policy or our data
processing practices, please contact:
Kidz Tales OÜ
Registry Code: 17222377
Sakala tn 7-2, 10141, Tallinn, Estonia
Email (Privacy / DPO Enquiries): legal@agrocore.io
Email (Support): info@agrocore.io
Last updated: May 2026