Privacy Policy

Scope

This policy applies to the Farmly public website, directory and search features, contact forms, and producer dashboard areas. It is intended to describe the current core operation of the service and should be updated when major data-processing features change.

Depending on how you use the service, different categories of data may apply to you as a visitor, contact requester, registered producer, or authenticated user.

Data We May Collect

Technical and usage data: when you access the site, servers and infrastructure providers may process technical request data such as IP address, browser information, device or session metadata, requested URLs, and timestamps.

Authentication data: when you log in, the service uses a third-party identity provider for authentication. Depending on the login flow, this may include a unique account identifier and basic account information needed to operate authenticated features.

Profile and listing data: producer accounts may provide business or contact information such as name, email address, phone number, address, website, descriptive text, language, images, and product-related details. Some of this information may be published in public listings by design.

Contact data: when you use the contact form, we process the sender email address, subject, message content, and anti-abuse verification data needed to deliver the request.

Location-related data: when producer addresses are saved or updated, the service may use address data to request approximate map coordinates from a third-party geolocation service so profiles can be displayed and searched geographically.

How We Use Personal Data

We use personal data to operate the site, authenticate users, maintain sessions, display producer listings, respond to messages, protect the service against abuse, support search and map functionality, and maintain the security and reliability of the platform.

We may also use data to investigate misuse, comply with legal obligations, keep records needed for administration, and improve the service based on operational needs.

Legal Bases

Where the GDPR or similar laws apply, processing may rely on one or more of the following legal bases: performance of a contract or steps requested before entering into one, compliance with legal obligations, consent where required, and legitimate interests such as operating, securing, and improving the service.

If a specific processing activity requires consent, you may withdraw that consent for future processing, subject to legal and technical limitations.

Cookies, Sessions, and Security Features

The service uses cookies or comparable browser storage mainly for session management, login flows, and security-related features. For example, signed session cookies may be used to keep authenticated sessions active between requests.

Security and anti-abuse controls may also use verification mechanisms such as bot-detection or challenge-response services before certain actions are accepted.

Third-Party Services

Based on the current implementation, the service may rely on third-party providers for authentication, bot protection, email delivery, infrastructure hosting, object storage for uploaded media, and geolocation services. These providers process data under their own policies and contractual terms.

Examples reflected by the current project setup include Auth0 for authentication flows, Cloudflare Turnstile for anti-abuse verification, and OpenStreetMap Nominatim for address geocoding.

Sharing and Disclosure

We do not describe this service as selling personal data. Personal data may, however, be disclosed where necessary to run the platform, publish directory information chosen for public display, deliver communications, protect rights and security, or comply with legal requests and obligations.

If producer profile information is entered for public discovery, that content may become visible to site visitors and search users.

Retention

Personal data may be retained for as long as reasonably necessary for the purposes described in this policy, including account operation, public listing management, support requests, legal compliance, dispute resolution, backup handling, and security review.

Because the exact retention periods may depend on operational and legal context, this page should be revised if the project adopts fixed retention schedules.

Data Security

We aim to use reasonable technical and organizational measures to protect personal data, including secure transport and signed session handling where configured. However, no website or transmission method can guarantee absolute security.

You should avoid sending unnecessary sensitive data through the site unless it is clearly required for the relevant feature.

Your Rights

Depending on applicable law, you may have rights to request access, correction, deletion, restriction, objection, or portability of your personal data, and to lodge a complaint with a supervisory authority.

To make a privacy-related request, use the contact page of the site and provide enough information for the project maintainers to understand and verify the request.

International Processing

Third-party service providers may process data in countries other than your own. Where that occurs, the project maintainers should ensure an appropriate legal basis or safeguard is in place when required by applicable law.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect legal, technical, or operational changes. The latest version will be published on this page with an updated date.

Controller and Austrian Provider Information

For purposes of Article 4(7) GDPR, the controller is the sole proprietor operating Farmly. Privacy and data-protection requests can currently be submitted through the site's contact page.

If a separate imprint, provider notice, or business-identification page is published for Austrian legal compliance, the sole proprietor's full name, business address, and other mandatory provider details stated there supplement this Privacy Policy.

Sources of Data and Recipients

Most personal data is collected directly from you. Limited account data may also be received from the external authentication provider during login and from technical providers involved in operating the service.

Recipients or recipient categories may include hosting and infrastructure providers, the authentication provider, anti-abuse service providers, geolocation providers, email-delivery providers, storage providers, professional advisers, and public authorities where disclosure is legally required.

Transfers Outside the EEA

If service providers process personal data outside the EEA or provide access from a third country, transfers should occur only on the basis of an adequacy decision, Standard Contractual Clauses, or another lawful safeguard recognized under the GDPR.

Obligation to Provide Data and Automated Decisions

Providing certain data may be necessary to use specific functions, such as login-protected areas, producer profile management, or the contact form. If required data is not provided, the relevant function may not be available.

Based on the current project implementation, the sole proprietor operating the service does not appear to carry out solely automated decision-making, including profiling, that produces legal effects or similarly significant effects within the meaning of Article 22 GDPR.

Right to Lodge a Complaint in Austria

If Austrian data-protection law applies, you also have the right to lodge a complaint with the Austrian Data Protection Authority (Datenschutzbehörde), Barichgasse 40-42, 1030 Vienna, Austria, or via www.dsb.gv.at, without prejudice to any other administrative or judicial remedy.

Contact

For privacy-related requests, please use the project's contact page. Go to contact page