Privacy and data handling

This is a plain-English summary of how AgroYield handles your data. The full Privacy Policy at /privacy is the legally binding version.

What we collect

You give us:

Account info — name, email, phone, profile photo, location, bio
Business info — business name, CAC + TIN if you provide them, bank details (for invoice display only — we never debit you), team members
Content you create — posts, comments, listings, mentorship requests, reviews
Direct messages between you and other users

We collect automatically:

Sign-in events — IP address, device, browser, timestamp (for security)
Page views and module clicks — anonymised, used to improve the platform
Payment receipts — from Monnify (we never see your card details; we only see "this user paid X NGN on date Y")
Bot-protection signals — IP address, browser characteristics, and timing patterns processed by Cloudflare Turnstile on signup, login, and content-creation forms. Most users never see a challenge; Turnstile operates invisibly in the background. By using AgroYield Network, you agree to Cloudflare's Turnstile Privacy Addendum, which covers what Cloudflare collects and how. We added this in May 2026 to prevent automated abuse on the platform.

What we do with it

Operate the platform — show your profile to people who'd want to find you, deliver your messages, run your business invoices, etc.
Personalise content — the For-You tabs on Grants, Opportunities, etc. use your declared interests + behaviour
Send transactional email — verification, password resets, order notifications, mentorship session reminders, invoice receipts
Send marketing email — onboarding drip, weekly digest. You can unsubscribe at any time from the link at the bottom of every marketing email
Detect fraud + abuse — anomaly detection on sign-ins, marketplace orders, and content posting

What we don't do

We don't sell your data to third parties
We don't share your data with advertisers
We don't use your content to train AI models without your explicit consent
We don't share your bank details with anyone other than the buyer on a specific invoice

Your rights

Under NDPC (Nigeria) and GDPR (EU) — applicable to all AgroYield users regardless of location:

Access — see everything we have about you. Account → Privacy → Export my data. Returns a JSON bundle within 24 hours.
Correct — fix anything wrong. Most fields are user-editable from your profile.
Delete — request account deletion. Account → Privacy → Delete my account. We hold your data for 30 days for recovery, then permanently delete.
Portability — your exported data is in a standard JSON format you can take elsewhere.
Object to processing — opt out of personalisation, marketing, etc. Account → Notifications.

Data residency

Primary database: Supabase, EU-Central-2 region (Switzerland). Backups: same region. Email infrastructure: Resend, US-East. Live chat and help center: Zendesk (US + EU). Payment processor: Monnify (Nigeria, AWS Lagos). Bot protection: Cloudflare Turnstile (global edge network).

If data residency is a hard requirement for your organisation, contact us — we have a path to Lagos-region hosting available for Growth+ customers with a longer-term commitment.

Security in practice

All connections to AgroYield use HTTPS (TLS 1.3)
Passwords are bcrypt-hashed; we never see your plaintext password
Database row-level security gates every read and write — even our own admin staff can't query your data without going through a logged audit trail
Sentry receives error reports; PII is scrubbed before being sent
Annual third-party security audits (next: November 2026)

Contact

Privacy questions: privacy@agroyield.africa (general inbox). Data subject requests + formal complaints: dpo@agroyield.africa (Data Protection Officer mailbox, currently Okoli Chijioke during founder-DPO phase). We respond to formal DSR within 30 calendar days per NDPR §2.6; general questions within five working days.

For the full data-processing register (every PII column we store, every third-party processor, lawful basis, retention period), see docs/compliance/data-processing-register.md — investor + regulator-ready artefact, maintained per AGR-37.

What we collect

You give us:

Account info — name, email, phone, profile photo, location, bio

Business info — business name, CAC + TIN if you provide them, bank details (for invoice display only — we never debit you), team members

Content you create — posts, comments, listings, mentorship requests, reviews

Direct messages between you and other users

We collect automatically:

Sign-in events — IP address, device, browser, timestamp (for security)

Page views and module clicks — anonymised, used to improve the platform

Payment receipts — from Monnify (we never see your card details; we only see "this user paid X NGN on date Y")

Bot-protection signals — IP address, browser characteristics, and timing patterns processed by Cloudflare Turnstile on signup, login, and content-creation forms. Most users never see a challenge; Turnstile operates invisibly in the background. By using AgroYield Network, you agree to Cloudflare's Turnstile Privacy Addendum, which covers what Cloudflare collects and how. We added this in May 2026 to prevent automated abuse on the platform.

What we do with it

Operate the platform — show your profile to people who'd want to find you, deliver your messages, run your business invoices, etc.

Personalise content — the For-You tabs on Grants, Opportunities, etc. use your declared interests + behaviour

Send transactional email — verification, password resets, order notifications, mentorship session reminders, invoice receipts

Send marketing email — onboarding drip, weekly digest. You can unsubscribe at any time from the link at the bottom of every marketing email

Detect fraud + abuse — anomaly detection on sign-ins, marketplace orders, and content posting

Your rights

Under NDPC (Nigeria) and GDPR (EU) — applicable to all AgroYield users regardless of location:

Access — see everything we have about you. Account → Privacy → Export my data. Returns a JSON bundle within 24 hours.

Correct — fix anything wrong. Most fields are user-editable from your profile.

Delete — request account deletion. Account → Privacy → Delete my account. We hold your data for 30 days for recovery, then permanently delete.

Portability — your exported data is in a standard JSON format you can take elsewhere.

Object to processing — opt out of personalisation, marketing, etc. Account → Notifications.

Data residency

If data residency is a hard requirement for your organisation, contact us — we have a path to Lagos-region hosting available for Growth+ customers with a longer-term commitment.

Security in practice

All connections to AgroYield use HTTPS (TLS 1.3)

Passwords are bcrypt-hashed; we never see your plaintext password

Database row-level security gates every read and write — even our own admin staff can't query your data without going through a logged audit trail

Sentry receives error reports; PII is scrubbed before being sent

Annual third-party security audits (next: November 2026)

Contact