This Privacy Policy explains how Agromus Limited, trading as FromFarm ("FromFarm", "we", "us", "our"), collects, uses, shares, and protects your personal data when you use our mobile application, our website at fromfarm.shop, and our smart self-service food markets, together with all related services.

We are the data controller responsible for your personal data:

Company: Agromus Limited (trading as FromFarm)
Company registration number: 760803 (Ireland)
Registered address: UNIT 3D NORTH POINT HOUSE, NORTH POINT BUSINESS PARK, NEW MALLOW ROAD, CO. CORK T23 AT2P
Email: support@fromfarm.shop

We are committed to processing your personal data lawfully, fairly, and transparently, in accordance with the EU General Data Protection Regulation (GDPR), the Irish Data Protection Act 2018, and other applicable laws.

Depending on how you use our services, we may collect the following categories of personal data:

Identity data: your name.
Contact data: email address and phone number.
Account data: account credentials such as username and a securely stored password.
Payment data: transaction confirmations and references. Full card details are processed by third-party payment providers; we do not store complete card numbers.
Transaction data: purchase history, items, amounts, dates, and the market location used.
Device and technical data: device identifiers, IP address, device model, operating system, and app version.
Usage and analytics data: in-app activity, features used, and diagnostic or crash data.
Location data: collected only where you explicitly enable it on your device.
Support data: your customer support messages and their contents.
Security data: access logs and fraud-prevention signals.
Video footage: CCTV recordings at smart market locations, where applicable.

We collect this data directly from you, automatically through your use of the app and smart markets, and from third-party providers acting on our behalf.

We use your personal data to:
create, authenticate, and manage your account;
enable you to open smart markets and complete purchases;
process payments and provide receipts and transaction history;
operate, secure, and improve our services;
prevent theft, fraud, and misuse, and protect customers, staff, and assets;
respond to your enquiries and provide support;
send service-related and, with your consent, marketing messages;
comply with our legal, tax, and accounting obligations.

Our legal bases under GDPR are: performance of a contract; compliance with a legal obligation; our legitimate interests in operating and securing the service; and your consent (for example, for location data, certain analytics, and marketing). You can withdraw consent at any time.

Payments. Payments are handled by trusted third-party providers, which may include Apple Pay, Google Pay, Revolut Pay, and Stripe. Your card or wallet details are processed directly by these providers under their own privacy policies. We do not receive or store your full card number; we receive only the information needed to confirm and reconcile your transaction.

Analytics. We use Firebase Analytics and Firebase Crashlytics (provided by Google) to understand how the app is used and to detect and fix technical problems. These tools may collect device data, usage data, identifiers, and crash diagnostics. Where required, non-essential analytics are collected only with your consent, which you can withdraw at any time.

Our smart markets may use CCTV cameras and security monitoring at and around our units, for theft and fraud prevention, protection of assets, customer and staff safety, investigation of incidents, and verification of transactions.

CCTV recordings may contain personal data. They are accessible only by authorised personnel and are retained only for as long as reasonably necessary for these security purposes, typically up to 10 days, unless needed for an investigation or legal claim. Footage may be disclosed to law enforcement where legally required. You may exercise your data rights in relation to footage, subject to the rights of other individuals and legitimate security interests. Our legal basis is our legitimate interests in security and asset protection.

We do not sell your personal data. We share it only where necessary with: payment providers; analytics and crash-reporting providers; cloud hosting and infrastructure providers; customer support and email providers; security and monitoring providers; and professional advisers or authorities where required by law. We may also transfer data in connection with a business sale or merger, subject to safeguards.

Where providers act on our behalf, they are bound by written agreements requiring them to process data only on our instructions and to apply appropriate security measures.

International transfers. Some providers may process data outside the European Economic Area (EEA), including in the United States. Where this happens, we ensure appropriate safeguards, such as European Commission adequacy decisions or Standard Contractual Clauses. You may request a copy of these safeguards by contacting us.

We keep personal data only for as long as necessary, then delete or anonymise it.

Account and profile data: for the life of your account, then deleted within 30 days of closure, unless longer retention is legally required.
Transaction and payment records: up to 5 years, for Irish tax and accounting obligations.
Support communications: 12 months after resolution.
Analytics and crash data: up to 12 months.
CCTV footage: up to 10 days, unless retained for an investigation or legal claim.
Location data: only as long as needed to provide the feature.

Under GDPR, you have the right to: access your data; correct inaccurate data; request erasure; restrict processing; data portability; object to processing based on legitimate interests and to direct marketing at any time; and withdraw consent where processing is based on it.

To exercise any of these rights, contact us at support@fromfarm.shop. We respond within one month (extendable by up to two further months for complex requests) and may verify your identity first. Withdrawing consent does not affect processing carried out before withdrawal.

If you have concerns about how we handle your personal data, please contact us first at support@fromfarm.shop so we can try to resolve the matter.

You also have the right to lodge a complaint with the Irish supervisory authority:
Data Protection Commission (DPC), Ireland
21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland
www.dataprotection.ie

If you are located in another EEA country, you may also contact your local data protection authority.

Our services are intended for adults and are not directed at children. We do not knowingly collect personal data from children under the age of 16 (the digital age of consent in Ireland). If you believe a child has provided us with personal data, please contact support@fromfarm.shop and we will take steps to delete it.

We apply appropriate technical and organisational measures to protect your data, including: encryption of data in transit and, where appropriate, at rest; secure storage of credentials; access controls limited to authorised personnel; use of reputable, security-certified hosting providers; and regular review of our security practices.

No method of transmission or storage is completely secure. In the event of a personal data breach likely to result in a high risk to your rights, we will notify you and the Data Protection Commission as required by GDPR.

You can request deletion of your account and personal data at any time:

In the app: open Settings, then Account, then Delete Account, and follow the instructions.
By email: contact support@fromfarm.shop with the subject "Account and Data Deletion", from the email address linked to your account.

We may ask you to verify your identity first. We delete your account profile, contact details, credentials, preferences, location data, and analytics identifiers linked to you. We may retain records we are legally required to keep, such as transaction records for tax purposes, only for the minimum required period, then securely delete them.

We action verified requests without undue delay, normally within 30 days, and confirm by email once complete.

Agromus Limited (trading as FromFarm)
Company number: 760803 (Ireland)
Email: support@fromfarm.shop
Website: fromfarm.shop
Postal address: Unit 3, Block 1, Broomhall Business Park, Rathnew, Co. Wicklow, Ireland

Response time: 1–2 business days.
Business hours: Monday to Friday, 09:00 to 17:00 (Ireland time).

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will update the "Last updated" date at the top and, where appropriate, notify you through the app, website, or by email. Your continued use of the services after an update takes effect constitutes acceptance of the revised policy, except where your consent is required by law.