Privacy Policy
Last updated: 26 March 2026
1. Data Controller
PlantBreed EU is the data controller for personal data processed through this platform. PlantBreed EU is a project serving European plant breeders.
2. Data We Collect
We collect and process the following personal data:
- Account data: email address, username, hashed password
- Report history: crop selections, trait selections, report type, timestamps of report generation
- Usage data: login timestamps, report generation counts
We do not collect payment card details directly (if payment processing is added, it will be handled by a certified third-party processor).
3. Purpose of Processing
- Account management: creating and maintaining your user account, authentication, email verification, password resets
- Report generation: processing your crop/trait selections to generate intelligence reports
- Usage analytics: understanding platform usage patterns to improve the service
- Service communication: sending verification codes, password reset emails, and important service notices
4. Legal Basis (GDPR Art. 6)
- Contract performance (Art. 6(1)(b)): Processing your account data and report requests is necessary for the performance of the contract between you and PlantBreed EU (i.e., providing the service you signed up for).
- Legitimate interest (Art. 6(1)(f)): Usage analytics and platform improvement are based on our legitimate interest in maintaining and improving the service, balanced against your privacy rights.
5. Third-Party Processors
We share data with the following third-party processors, each acting under data processing agreements:
Report content (crop name, trait name, search results from public databases) is sent to Anthropic's API for AI-powered report generation. Anthropic processes this data to generate the report text. No personal account data (email, username) is sent to Anthropic.
The platform is hosted on Render.com infrastructure. Render processes data as necessary for hosting and delivering the service.
Email delivery (verification codes, password resets, service notices) is handled by our SMTP provider. Only your email address and message content are shared for delivery purposes.
6. International Data Transfers
Anthropic is based in the United States. When reports are generated, crop/trait data is processed by Anthropic's API, which may involve data transfer to the US. These transfers are conducted under Standard Contractual Clauses (SCCs) as approved by the European Commission, ensuring an adequate level of data protection.
7. Data Retention
- Account data: Retained until you request account deletion.
- Report metadata: Crop, trait, timestamps, and report type are retained for usage analytics and service improvement, even after account deletion (in anonymized form).
- Report content: Generated report text is not stored server-side after delivery to your browser. Reports exist only in your browser session and downloaded files.
8. Your Rights Under GDPR
As a data subject under the GDPR, you have the following rights:
- Right of access (Art. 15): Request a copy of all personal data we hold about you.
- Right to rectification (Art. 16): Request correction of inaccurate personal data.
- Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
- Right to data portability (Art. 20): Request your data in a structured, machine-readable format.
- Right to restriction (Art. 18): Request restriction of processing in certain circumstances.
- Right to object (Art. 21): Object to processing based on legitimate interest.
9. How to Exercise Your Rights
To exercise any of your GDPR rights, contact us by email at the address provided in your account settings or platform communications. We will respond to your request within 30 days, as required by GDPR.
10. Cookies and Sessions
PlantBreed EU uses session cookies only. These are strictly necessary for the platform to function (authentication, CSRF protection). We do not use:
- Tracking cookies
- Analytics cookies (e.g., Google Analytics)
- Advertising cookies
- Third-party cookies
Because we only use strictly necessary cookies, no cookie consent banner is required under the ePrivacy Directive.
11. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Passwords are hashed using industry-standard algorithms (never stored in plain text)
- All data transmitted over HTTPS (TLS encryption in transit)
- Session security with CSRF protection
- Access controls and authentication for all user data
12. Right to Lodge a Complaint
If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. For users in the Netherlands, the relevant authority is:
Autoriteit Persoonsgegevens
https://autoriteitpersoonsgegevens.nl
You may also lodge a complaint with the supervisory authority in your EU member state of residence or place of work.
13. Updates to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users. The "last updated" date at the top of this page indicates when the policy was last revised.