Introduction

This Privacy Policy explains how CredoSense Inc. (“CredoSense”, “we”, “our”, or “us”) collects, uses, discloses, and protects personal information when you visit our websites, interact with us, purchase our products or services, or use CredoSense platforms and devices.

This Policy is designed to be easy to find, easy to read, and precise about what we do with your information. If you use our devices, software platform, or other CredoSense services under separate terms, those terms may include additional privacy disclosures that work together with this Policy.

Who We Are & Applicable Laws

CredoSense Inc. is a company incorporated in Canada with operations in Canada. For most processing described in this Policy, CredoSense Inc. is the “controller” (or equivalent term under applicable law) responsible for your personal information.

We aim to comply with applicable privacy laws, including:

– Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and substantially similar provincial laws;
– The EU/UK General Data Protection Regulation (GDPR/UK GDPR), where applicable;
– Relevant U.S. state privacy laws (such as the California Consumer Privacy Act, as amended by the CPRA), where they apply; and
– Any other applicable privacy or data protection legislation in jurisdictions where we operate or where our services are accessed.

Local rights and obligations may vary depending on where you live.

Information We Collect

We collect personal information only where we have a clear business and user-focused reason to do so, such as to provide products and services, support our users, operate our websites and platforms securely, or improve our offerings.

Information You Provide

– Contact details: name, email address, phone number, organization, and role.
– Account details: login credentials and profile information for any CredoSense portal, platform, or service you register for.
– Transaction details: billing name, billing address, shipping address, tax information, payment amount, and purchase history. Payment card details are processed by our payment processors; we do not store full card numbers.
– Communications: content of emails, forms, support requests, meeting notes, and (where permitted by law) call recordings, along with associated metadata such as timestamps and communication channel.
– Other information you submit: feedback, survey responses, event registrations, and any information contained in files you voluntarily provide.

Information We Collect Automatically (Web & Online Services)

– Log data: IP address, browser type, device identifiers, operating system, pages visited, referring/exit pages, timestamps, and basic interaction data.
– Cookies and similar technologies: identifiers stored on your browser or device, pixel tags, and scripts used for core functionality, security, usage analytics, and — where you have given your prior, informed, and freely withdrawable consent — marketing or advertising measurement. Where required by applicable law (including GDPR, UK GDPR, and CASL), we present a cookie consent banner or preference tool before activating non-essential cookies. You may withdraw or modify your consent at any time through our cookie preference center or your browser settings. Withdrawing consent will not affect the lawfulness of processing carried out before withdrawal.

Information from Third Parties

We may receive limited information about you from payment processors, logistics providers, partners who introduce you to CredoSense, and analytics or advertising partners (often in aggregated or pseudonymous form). We use such information only in line with this Policy and applicable law.

Platform & Device Data (Leaf Chamber & Related Systems)

This section describes how we handle data generated when you use CredoSense hardware (such as Leaf Chamber systems and associated sensors), software platforms, and integrated services (collectively, the “Platform”).

Types of Platform & Device Data

– Account and user role information: information required to create and manage user accounts, including names, business contact details, organization, roles, and permissions for multi-user teams.
– Device identifiers and configuration: device serial numbers, firmware versions, configuration profiles, activation status, and logs related to setup and updates.
– Operational and telemetry data: non-personal technical information generated by the devices and Platform, such as error codes, connectivity events, uptime, performance metrics, and interaction logs used for diagnostics, reliability, and security.
– Measurement and agronomic data: data points captured through CredoSense devices and Platform, which may include leaf- and canopy-level readings, soil parameters, environmental measurements, timestamps, sampling grid identifiers, and associated farm or field metadata.
– Derived insights and recommendations: outputs generated by our analytics or AI models (such as risk scores, diagnostic indicators, and management recommendations) based on Platform & Device Data.
– Location and project metadata: optional geospatial information or project identifiers associated with fields, farms, or facilities, as configured by you or your organization. In typical use, this is business or operational information, not consumer residential data.

How We Use Platform & Device Data

We use Platform & Device Data for the following purposes, in addition to the purposes set out elsewhere in this Policy:

– Service delivery: to operate the Platform, run measurements, generate analytics and recommendations, and present results to authorized users.
– Support and reliability: to diagnose issues, provide technical support, improve performance, monitor device health, and plan updates.
– Product improvement and R&D: to analyze aggregated and de-identified Platform & Device Data to improve algorithms, hardware, and workflows. Where reasonably possible, we use de-identified or aggregated data for these purposes.
– Security and abuse prevention: to protect accounts, devices, and infrastructure from unauthorized access, misuse, or other security threats.
– Contractual and regulatory obligations: to fulfill our agreements with you or your organization and to comply with applicable legal, audit, and regulatory requirements.

Customer Control & Business Data

In most deployments, Platform & Device Data (including farm, field, and operational data) is collected and used on behalf of a business customer (such as a farm, agronomy firm, research institution, or advisor). That organization typically controls how such data is configured and shared within its account. We process this data in accordance with our agreements with that organization and this Policy.

We do not use identifiable customer Platform & Device Data to target advertising to individual natural persons, nor do we sell such data in the sense of providing identifiable datasets to third parties for their independent use.

How We Use Your Information (All Contexts)

We use personal information collected through our websites, Platform, and interactions with you for the following purposes:

– Providing products and services;
– Operating, maintaining, and securing our websites, Platform, and devices;
– Managing accounts, orders, billing, and customer relationships;
– Communicating with you about support, updates, safety, security, and changes to our terms;
– Improving and developing our products, services, documentation, and user experience;
– Detecting, investigating, and preventing fraud, abuse, or security incidents;
– Conducting analytics and, where permitted, limited marketing activities; and
– Complying with legal and regulatory obligations and enforcing our agreements.

Legal Bases for Processing (GDPR/UK GDPR)

Where the GDPR or UK GDPR applies, we process personal data on one or more of the following legal bases:

– Performance of a contract: where processing is necessary to deliver our products, services, or Platform to you or your organization.
– Compliance with legal obligations: where we are required to process personal data to meet applicable legal or regulatory requirements.
– Legitimate interests: We may process personal data where it is necessary for our legitimate business interests, provided those interests are not overridden by your rights and freedoms. Examples of such interests include: operating and securing our Platform and websites; preventing fraud and abuse; improving our products and services through aggregated analytics; managing and developing our business relationships; and communicating with existing customers about relevant updates or offerings. Where we rely on legitimate interests, we conduct a balancing assessment to ensure your interests and fundamental rights are appropriately considered. You have the right to object to processing based on legitimate interests (see “Your Rights” below).
– Your consent: where required by applicable law, such as for certain cookies, marketing communications, or other processing activities for which consent is the appropriate legal basis. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

Cookies & Similar Technologies

We use cookies and similar technologies to provide and secure our services, understand usage, and — where applicable and with your consent — measure and improve marketing effectiveness. You can manage your cookie preferences through your browser settings and, where available, our cookie consent banner or preference center.

We do not activate non-essential cookies in regions where prior consent is legally required unless and until you provide that consent. A record of your consent is maintained where required by law.

For more detail on the specific cookies we use and their purposes, please refer to our **Cookie Notice** [we do not use any cookies at this time; we will update and provide link to this page when avialable].

How We Share Information

We do not sell personal information as defined under applicable privacy laws, including the California Consumer Privacy Act (as amended by the CPRA). We do not share personal information with third parties in exchange for monetary or other valuable consideration for their independent use, except as described in this Policy. Where U.S. state privacy laws apply, we will honor opt-out rights related to any sharing that may qualify as a “sale” or “sharing for cross-context behavioral advertising” under those laws.

We may share personal information only in the following circumstances and with appropriate safeguards:

– Within the CredoSense group of companies and affiliates, for the purposes described in this Policy;
– With service providers who process data on our behalf under contractual restrictions that require them to protect your information and use it only for the purposes we specify;
– To comply with laws, regulations, legal processes, or enforceable government requests, including where disclosure is required by a court order or regulatory authority;
– To protect the rights, property, or safety of CredoSense, our users, or others, including for fraud prevention and security purposes;
– In connection with a business transaction (such as a merger, acquisition, financing, or sale of assets), subject to appropriate confidentiality obligations and notification to affected individuals where required by law;
– With your consent or at your direction, including where you authorize integrations with third-party platforms or agree to the use of your information for specific purposes (such as testimonials or case studies); and
– Using aggregated or de-identified data that cannot reasonably be used to re-identify you.

International Transfers

We are headquartered in Canada, which has been recognized by the European Commission as providing an adequate level of protection for personal data transferred from the EU for commercial purposes under PIPEDA.

We may also transfer personal information to other countries where our service providers, operational partners, or infrastructure are located. These countries may not have privacy laws equivalent to those in your home jurisdiction. Where required by applicable law — including for transfers from the EU or UK to countries without an adequacy decision — we implement legally recognized transfer mechanisms, which may include:

– The European Commission’s Standard Contractual Clauses (SCCs);
– The UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs; or
– Other legally recognized safeguards, supplemented by appropriate technical and organizational measures.

We conduct transfer impact assessments where required by applicable law. You may request information about the specific safeguards applicable to transfers of your personal data by contacting us using the details below.

Data Retention

We retain personal information only for as long as necessary to fulfill the purposes described in this Policy, and in accordance with our internal retention schedules. Retention periods are determined based on the nature of the information, the purpose for which it was collected, applicable legal and regulatory obligations, and any applicable statutes of limitation.

As a general guide:

– Account and contact information: retained for the duration of the business relationship and for a period thereafter as required by law or legitimate operational need (typically up to 7 years for financial and contractual records).
– Operational and telemetry data: retained for as long as necessary for support, reliability, and product improvement purposes, subject to de-identification where extended retention is required.
– Marketing communications data: retained until you opt out or withdraw consent, after which it is suppressed or deleted in accordance with applicable law.
– Platform & Device Data: retained in accordance with our agreements with the relevant business customer and applicable legal requirements.

When information is no longer required, we delete or de-identify it in a secure manner consistent with applicable law.

Security

We use reasonable and appropriate technical and organizational measures to protect personal information against unauthorized access, use, alteration, and destruction. These measures include:

– Access controls and role-based permissions;
– Encryption of data in transit and, where appropriate, at rest;
– Network and system monitoring and intrusion detection;
– Vulnerability management and regular security assessments;
– Staff confidentiality obligations and privacy awareness training; and
– Incident response procedures.

No system is perfectly secure. In the event of a data breach that triggers notification obligations under applicable law, we will notify affected individuals and relevant authorities as required and within the timeframes prescribed by law.

Your Rights

Your rights depend on the applicable law in your jurisdiction. Subject to legal limitations, you may have the right to:

– Access personal information we hold about you;
– Correct inaccurate or incomplete personal information;
– Delete your personal information in certain circumstances;
– Restrict certain uses of your personal information;
– Object to processing based on legitimate interests or for direct marketing purposes;
– Withdraw consent where processing is based on your consent, without affecting the lawfulness of prior processing;
– Data portability: obtain a copy of your personal information in a structured, commonly used, and machine-readable format where technically feasible; and
– Opt out of the sale or sharing of personal information, where applicable under U.S. state privacy laws.

To exercise any of these rights, please contact us using the details provided in the “How to Contact Us” section below. We may need to verify your identity before responding to your request. We will respond within the timeframe required by applicable law and at no cost to you, except where permitted by law.

– Canadian residents may contact the Office of the Privacy Commissioner of Canada at https://www.priv.gc.ca, or the applicable provincial privacy regulator in Quebec, Alberta, or British Columbia.
– U.S. residents in states with applicable privacy laws (such as California, Virginia, Colorado, Connecticut, and others) may have additional rights under those laws. Where such laws apply, we will honor those rights within the timeframes and subject to the conditions prescribed by applicable state law.
– EU/UK residents may also lodge a complaint with their local data protection authority (supervisory authority). A list of EU supervisory authorities is available at https://www.edpb.europa.eu. UK residents may contact the Information Commissioner’s Office (ICO) at https://www.ico.org.uk.

Children’s Privacy

Our websites, Platform, and devices are not directed to children. We do not knowingly collect personal information from individuals under the age of 16 (or such other minimum age as may be specified under applicable law in your jurisdiction, such as 13 in certain U.S. states and the UK).

If you are under the applicable minimum age, please do not use our services or provide us with personal information. If you believe a child has provided us with personal information without appropriate consent, please contact us immediately so we can take appropriate steps, which may include deletion of that information.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make material changes — particularly changes that affect how we process your personal information or your rights — we will:

– Update the “Last Updated” date at the top of this Policy;
– Post a prominent notice on our website or within our Platform; and
– Where appropriate and required by applicable law, provide direct notice to registered users or affected individuals (such as via email).

Where required by applicable law, we will seek your renewed consent before applying material changes to the processing of your personal information. We encourage you to review this Policy periodically to stay informed about how we protect your information. Continued use of our services following notice of non-material updates constitutes acknowledgment of those changes.

How to Contact Us

If you have questions or concerns about this Policy, wish to exercise your privacy rights, or want to report a potential privacy issue, please contact us using the following details:

CredoSense Inc.
– Email (preferred): info@credosense.com
– Mailing address: CredoSense Inc., C/O: VentureLAB, B114 — 3600 Steeles Ave E, Markham, ON L3R 9Z7, Canada

Scope Clarification

This Policy applies to personal information processed by CredoSense in connection with our websites, Platform, devices, and related online services. It does not govern third-party websites or services that may be linked from or integrated with our systems; we encourage you to review the privacy policies of any third-party services you access through or in connection with our Platform.

Where more specific privacy terms are presented for a particular product, portal, or pilot program, those terms supplement this Policy and govern that specific context. In all cases, applicable privacy law sets the minimum standard; no specific terms will reduce the rights to which you are entitled under law.