PRIVACY POLICY AND PERSONAL DATA PROTECTION OF THE HIVE MIND SYSTEM

§1. GLOSSARY OF TERMS

Administrator: Erend Space P.S.A. with its registered office in Zambrów, ul. Bema 1/18, 18-300 Zambrów, KRS: 0001127175, NIP: 7231643842.

Operating Data: Technical and environmental information regarding apiaries and lands (e.g., economic indicators, hive parameters, crop history).

Anonymization: A technical process consisting in the irreversible and permanent removal of the link between data and a specific natural person.

User: Any natural person (Beekeeper, Farmer, Buyer, Seller) using the functionalities of the Hive Mind system.

AI/ML Models: Artificial intelligence and machine learning algorithms developed by the Administrator to automate the analysis of spatial data.

Marketplace: A platform module enabling Users to enter into purchase-sale transactions of bee products.

§2. ADMINISTRATOR’S DECLARATION OF TRANSPARENCY

The personal data administrator is Erend Space Prosta Spółka Akcyjna with its registered office in Zambrów, at the address: ul. Bema 1/18, 18-300 Zambrów, entered into the register of entrepreneurs of the National Court Register under the number KRS: 0001127175, NIP: 7231643842 (hereinafter: “Administrator”).

The Administrator has appointed an internal privacy team: privacy@erend.space.

This document constitutes the implementation of the principle of accountability and transparency in accordance with the GDPR.

§3. DATA PROTECTION PHILOSOPHY (PRIVACY BY DESIGN)

The Hive Mind system was designed in accordance with the principle of Privacy by Design and Privacy by Default. This means that the protection of the User’s privacy was considered at every stage of the application architecture creation.

The Administrator applies modern security techniques, including:

• End-to-end encryption (E2EE) for key data streams.
• Pseudo-anonymization of apiary operating data.
• Two-factor authentication (MFA) for personnel with access to the cloud infrastructure.

§4. PURPOSES OF PROCESSING AND LEGAL BASES

We process data in the following way:

Provision of Services (Art. 6(1)(b) GDPR):

• Maintaining a user account, storing apiary history, land mapping.
• Enabling communication between the Beekeeper and the Farmer for the purpose of land lease.

Development of Technology and Machine Learning (Art. 6(1)(f) GDPR):

• Use of technical and multimedia data (sound, image) to train AI models.
• Improving honey harvest predictions and automatic detection of threats to hives.

Statistics and Market Research (Art. 6(1)(f) GDPR):

• Creating reports on the condition of beekeeping and agriculture in Poland.
• Aggregate analysis of production data (anonymized).

Communication and Community (Art. 6(1)(b) GDPR):

• Operation of the LiveChat module, file transfer, and exchange of experiences between users.

Marketing and Advertising Activities (Art. 6(1)(a) GDPR):

• Displaying personalized advertisements and commercial offers of the Administrator’s partners.

Marketplace Module Operation (Art. 6(1)(b) and (c) GDPR):

• Execution of purchase-sale transactions of bee products.
• Settlement of commissions and payment handling by an external operator (Stripe Connect).
• Sharing data necessary for delivery execution.
• Fulfilling legal obligations, including reporting data on Sellers’ income to tax authorities (DAC7).

§5. DETAILED SCOPE AND CHARACTER OF DATA

• Contextual Data: geographic coordinates of apiaries and agricultural plots (protected by a special geofencing protocol).
• User Voice Notes: audio recordings dictated by the Beekeeper, processed by an external provider (OpenAI) solely for the purpose of transcription into text. Original audio files are deleted immediately after successful transcription. Transcriptions are stored as part of the User’s apiary documentation.
• Graphic Files: photos sent by the User as part of communication, apiary documentation, or offers in the Marketplace module.
• Economic Data: production volume, number of colonies, bee races, treatment history, data on spraying, soil characteristics, crop history, and other economic and technical indicators necessary for the optimization of apiary and agricultural management.
• Marketplace Transactional Data: identification data of Sellers and Buyers (name, surname, address, phone number, NIP if applicable), order history, transaction value, shipping data.

§6. DATA RECIPIENTS AND TECHNOLOGICAL PARTNERS

Your data may be transferred to the following categories of recipients:

In order to ensure the highest quality of services and innovation of the Hive Mind system, the Administrator cooperates with selected technology providers. Your data may be transferred to the following categories of recipients:

• Cloud Infrastructure Providers: Google Cloud Platform (Google Cloud Poland sp. z o.o.) – regarding secure storage of databases, multimedia files, and email handling (Google Workspace).
• Artificial Intelligence Technology Providers: OpenAI, LLC – regarding the processing of audio data (voice notes) and text analysis.
• Payment Service Providers: Stripe Payments Europe, Ltd. – regarding the handling of financial transactions and subscriptions. The Administrator does not store payment card data.
• Analytical and Diagnostic Service Providers: entities providing tools for monitoring application performance and error reporting (e.g., Google Analytics, Firebase, Crashlytics, Sentry).
• Satellite and Environmental Service Providers: entities such as CloudFerro (Creodias system), Google Cloud Platform, Google Earth Engine.
• Operational Support Entities: trusted accounting offices, law firms, and companies providing technical support services (IT Support), acting on the basis of entrustment agreements, and other software providers necessary for the proper functioning of the application.
• Transaction Participants: The Buyer’s personal data (name, surname, delivery address, phone number) are shared with the Seller for the purpose of order fulfillment. The Seller’s data are shared with the Buyer for the purpose of exercising their rights (e.g., complaints).
• Tax Administration Authorities: Data regarding Sellers’ income and identity are transferred to the relevant state authorities as part of the implementation of obligations resulting from the DAC7 directive.

In the case of the offer matching function (Farmer-Beekeeper), contact data may be shared with the other party to the transaction only after explicit approval of the request by the User.

§7. INTERNATIONAL TRANSFERS (USA)

Data may be transferred to the USA (OpenAI, Google).

The Administrator ensures security through Standard Contractual Clauses (SCC) and cooperation with entities certified under the Data Privacy Framework.

§8. RETENTION POLICY AND IRREVERSIBLE ANONYMIZATION

Retention periods:

• Account Data: Until account deletion + 30 days (Basis: Agreement).
• Apiary and Land Data: Until account deletion, then anonymization (Basis: Agreement).
• Marketplace Transaction History: 5 years from the end of the transaction year (Basis: DAC7, Tax Ordinance).
• Voice Notes (audio): Deleted immediately after transcription (Basis: Minimization).
• Invoices: 5 years (Basis: Accounting Act).
• System Logs: 24 months (Basis: Security).
• Correspondence in the communication module: 24 months from the last message (Basis: Legitimate interest).
• Marketing Consents: Until withdrawal + 3 years (for evidentiary purposes) (Basis: Accountability).
• Anonymized Data: Indefinitely (Does not apply to GDPR).

Upon account deletion, operating data undergo irreversible anonymization and may be used indefinitely as “Statistical Data” for the development of ML models.

§9. RIGHTS OF THE DATA SUBJECT

Each User has the right to:

• Access to data and receiving a copy thereof.
• Data portability (Art. 20 GDPR).
• Rectification, deletion (“right to be forgotten”), or restriction of processing.
• Objection to profiling and direct marketing.
• Lodge a complaint with the President of the Personal Data Protection Office (UODO).

§10. STRIPE PAYMENT SECURITY

Payments take place directly on Stripe servers (PCI DSS).

In the Marketplace, funds go directly to the Seller (Stripe Connect), and the commission is deducted automatically.

The Administrator does not mediate in the flow of financial funds.

§11. ROLE OF THE ADMINISTRATOR IN THE MARKETPLACE MODULE

The Administrator acts as the operator of the technological platform that enables Sellers and Buyers to establish contact and enter into transactions. The Administrator is not a party to sales agreements concluded between Users.

Division of Responsibility:

• Seller: responsible for product quality, delivery execution, complaint handling, and compliance with sales regulations (including apiary registration in accordance with Polish law).
• Administrator: responsible for platform operation, data security, and fulfilling reporting obligations (DAC7).
• Buyer: directs the complaint directly to the Seller. The Administrator may support mediation in disputes on a goodwill basis.

§12. HUMAN OVERSIGHT AND AI TRANSPARENCY (AI ACT)

AI systems in the Hive Mind application perform solely assistant and advisory roles and operate under strict human supervision.

Results generated by AI (diagnoses, predictions) are of an auxiliary nature. The Administrator does not apply fully automated decision-making with significant effects for the User without the possibility of human intervention. Every decision with actual effects (e.g., administering medicine, choosing a place for an apiary) is made sovereignly by the User.

The Administrator exercises due diligence in the selection and testing of AI models, however, does not guarantee the error-free nature of their results. The User should treat AI recommendations as one of many decision-making factors.

§13. FINAL PROVISIONS

• The Administrator reserves the right to update this Policy in order to adapt it to legal or technological changes.
• Users will be notified of significant changes with 14 days’ notice through a message inside the application or via email.
• In the event of changes significantly affecting the scope of data processing, the Administrator may ask the User to re-grant consent.