HydroPing

1. Introduction and Scope

HydroPing Inc. ("HydroPing," "we," "us," or "our") operates an integrated intelligent plant care ecosystem comprising: (i) the HydroPing implant hardware ("Device" or "Implant"); (ii) the HydroPing artificial intelligence engine and cloud backend ("HydroPing AI"); (iii) the HydroPing web platform and e-commerce storefront accessible at hydroping.com ("Website"); and (iv) the HydroPing mobile application for iOS and Android ("App"). Collectively, these components are referred to herein as the "Platform."

This Privacy Policy ("Policy") governs the collection, processing, storage, use, disclosure, and protection of all personal information, agronomic data, device telemetry, commercial transaction data, and derivative analytical outputs generated through your interaction with any component of the Platform. By activating a Device, creating an account, visiting our Website, or downloading our App, you acknowledge that you have read, understood, and agreed to this Policy in its entirety.

This Policy applies to all user categories, including but not limited to: residential plant owners, serious horticulturalists, commercial greenhouse operators, large-scale agricultural enterprises, B2B clients operating multi-facility deployments, and third-party integrators accessing HydroPing data via our API. Where practices differ based on user tier or jurisdiction, such distinctions are expressly noted.

1.1 Regulatory Framework and Jurisdictional Applicability

HydroPing is committed to compliance with applicable data protection and privacy regulations across all jurisdictions in which it operates. Our practices are specifically designed to conform to, at minimum, the following regulatory frameworks:

• California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), as amended
• General Data Protection Regulation (GDPR) — European Union and United Kingdom
• Children's Online Privacy Protection Act (COPPA)
• Virginia Consumer Data Protection Act (VCDPA)
• Colorado Privacy Act (ColoPA)
• Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
• Australia's Privacy Act 1988 and the Australian Privacy Principles (APPs)
• Brazil's Lei Geral de Proteção de Dados (LGPD)
• Applicable state and federal agricultural data regulations in the United States

Where local law affords greater protection than described herein, HydroPing will apply the more protective standard to users in those jurisdictions.

1.2 Key Definitions

Personal Data

Any information relating to an identified or identifiable natural person, including device identifiers, behavioral patterns, account credentials, and transactional records.

Agronomic Data

All sensor-derived, AI-inferred, or user-submitted data pertaining to plant physiology, soil composition, environmental conditions, and botanical health metrics collected through the HydroPing Device.

Device Telemetry

Time-series data streams emitted by the HydroPing Implant including raw sensor readings, firmware states, connectivity logs, battery telemetry, and calibration events.

AI Inference Data

Derived outputs produced by the HydroPing AI engine including care recommendations, predictive watering schedules, anomaly alerts, species-specific models, and longitudinal health assessments.

Commercial Data

Transaction records, payment metadata, order histories, billing addresses, subscription states, and fulfillment logs associated with purchases on the Website or in-App.

User Content

Any text, images, notes, custom plant profiles, location tags, or other content voluntarily submitted by users to the Platform.

Aggregate Data

Data that has been de-identified and combined with other data such that no individual or specific plant location can be reasonably re-identified.

2. Information We Collect

HydroPing operates a multi-layer data collection architecture designed to deliver precision plant care intelligence. The following categories of data are collected across different components of the Platform.

2.1 Device and Sensor Data (HydroPing Implant)

The HydroPing biosensor implant is an in-soil hardware device engineered to continuously monitor and transmit the following categories of plant and environmental vitals:

2.1.1 Soil and Moisture Metrics

• Volumetric water content (VWC) measured via frequency-domain reflectometry or time-domain transmission
• Soil electrical conductivity (EC) as a proxy for dissolved nutrient concentration
• Soil pH levels via embedded solid-state pH sensing electrode
• Soil temperature at implant depth (degrees Celsius/Fahrenheit)
• Soil aeration index and compaction indicators derived from pressure-sensing arrays
• Salinity levels and ionic concentration profiles

2.1.2 Ambient Environmental Metrics

• Ambient air temperature and relative humidity (via proximal atmospheric sensors)
• Photosynthetically active radiation (PAR) and light intensity (lux and PPFD)
• UV index and full-spectrum light wavelength distribution
• Atmospheric pressure and altitude
• CO₂ concentration in the immediate plant microenvironment

2.1.3 Plant Physiological Metrics

• Leaf surface temperature via non-contact infrared sensor (where supported by Device model)
• Chlorophyll fluorescence proxy indicators
• Stem/trunk electrical impedance as an indicator of hydration and cellular health
• Root zone activity patterns derived from dielectric soil analysis
• Transpiration rate estimates derived from combined temperature-humidity-light correlation models

2.1.4 Device Operational Data

• Device firmware version, hardware revision, and serial number
• Wireless connectivity logs (Wi-Fi SSID hash, Bluetooth pairing identifiers, signal strength)
• Battery charge level, charge cycles, and power draw telemetry
• Sampling frequency, calibration timestamps, and self-diagnostic results
• Actuator activation logs (for Devices with integrated micro-irrigation or dosing capability)

2.2 Account and Identity Data

When you register for a HydroPing account, we collect:

• Full name and preferred display name
• Email address (primary identifier for account authentication)
• Password (stored exclusively as a salted bcrypt hash; plaintext is never retained)
• Phone number (optional, used for SMS alerts and multi-factor authentication)
• Physical or business address (required for Device shipping and commercial account setup)
• Organization or business name (for commercial and enterprise accounts)
• Billing information (processed via PCI-DSS Level 1 compliant payment processor; card numbers are never stored on HydroPing servers)
• Profile photograph or avatar (optional)
• Preferred language, timezone, and unit system (metric/imperial)

2.3 Plant and Location Data

To enable accurate AI modeling and personalized care recommendations, we collect:

• Plant species, cultivar, and common name (user-submitted or AI-identified)
• Plant age, acquisition date, and pot/soil medium type
• Physical location of Device installation: indoor/outdoor designation, GPS coordinates (optional, user-consented), or user-defined zone labels
• Irrigation infrastructure configuration for commercial deployments (drip line topology, valve zone mappings, reservoir specifications)
• Multi-plant facility maps uploaded by commercial operators (floor plans, greenhouse schematics)
• Custom care notes, journals, and growth logs authored by users

2.4 App and Website Usage Data

We automatically collect technical and behavioral data through your use of the App and Website, including:

• IP address, device type, operating system version, and browser user agent
• Session identifiers, authentication tokens, and cookie data
• App version, build number, and installation identifier (IDFA/IDFV on iOS; Android Advertising ID)
• Feature interaction logs: screens viewed, buttons tapped, alerts acknowledged, settings configured
• Notification delivery and engagement metrics (open rates, response times)
• Crash reports, ANR (Application Not Responding) logs, and performance traces
• Search queries entered within the Platform and browsing behavior on the Website
• Referral source and acquisition attribution metadata
• Shopping cart contents, product page dwell time, and checkout funnel progression

2.5 Communications Data

If you contact HydroPing support or engage with our communications channels, we collect:

• Content of support tickets, live chat transcripts, and email correspondence
• Survey responses, product feedback, and feature request submissions
• Social media interactions where HydroPing is tagged or mentioned
• Opt-in marketing communication preferences and unsubscribe history

3. Legal Bases for Processing

HydroPing processes personal data only where a lawful basis exists under applicable law. For users in jurisdictions governed by the GDPR or equivalent frameworks, the following legal bases apply:

3.1 Performance of Contract

Processing necessary to fulfill our contractual obligations to you, including Device activation, delivering AI-generated care recommendations, processing commercial transactions, providing customer support, and maintaining your account.

3.2 Legitimate Interests

Processing necessary for our legitimate business interests, including fraud detection and prevention, platform security hardening, product quality improvement through aggregate analytics, research and development of AI model accuracy, and ensuring the technical integrity of Device telemetry pipelines, provided such interests are not overridden by your fundamental rights and freedoms.

3.3 Consent

Processing based on your explicit, freely given, specific, informed, and unambiguous consent, including: optional location tracking, marketing communications, participation in beta features, and sharing of pseudonymized agronomic data with third-party research partners. You may withdraw consent at any time without affecting the lawfulness of prior processing.

3.4 Legal Obligation

Processing required to comply with applicable legal obligations, including tax reporting, financial recordkeeping, responding to lawful government requests, and fulfilling regulatory mandates under applicable agricultural or data protection laws.

3.5 Vital Interests

In rare circumstances, processing may be necessary to protect the vital interests of a person, for example in responding to emergency agricultural alerts affecting food supply chains in commercial deployments.

4. How We Use Your Information

HydroPing processes the data described above for the following specific, documented, and lawful purposes:

4.1 Core Platform Functionality

• Activating, pairing, and provisioning HydroPing Devices to user accounts
• Ingesting real-time Device telemetry and persisting time-series data in our cloud database
• Running AI inference models to generate species-specific, environment-adjusted watering schedules
• Detecting anomalous sensor readings indicative of plant stress, disease, or sensor malfunction
• Issuing push notifications, SMS alerts, and email advisories for time-sensitive plant care events
• Triggering automated irrigation actuations (for Devices with integrated actuation capability)
• Rendering historical trend visualizations and longitudinal health dashboards in the App and Website

4.2 AI Model Training and Improvement

With your consent (or where permitted under legitimate interests using de-identified data), we use agronomic data to:

• Refine species-specific machine learning models for moisture threshold prediction
• Train anomaly detection classifiers for early disease and stress identification
• Improve the accuracy of environmental correlation models (light-transpiration-moisture relationships)
• Develop generalized plant care knowledge graphs spanning thousands of cultivars
• Benchmark AI recommendation accuracy against observed plant health outcomes

4.3 Commercial and E-Commerce Operations

• Processing product orders, subscriptions, and Device activations
• Generating invoices, receipts, and financial records
• Managing inventory allocation, shipping logistics, and delivery confirmation
• Administering loyalty programs, discount codes, and promotional campaigns
• Fraud screening and chargeback management

4.4 Account Management and Support

• Authenticating user identity and managing session security
• Communicating product updates, firmware releases, and service notifications
• Providing technical support, troubleshooting Device connectivity, and diagnosing sensor faults
• Facilitating account recovery, data export, and account deletion requests

4.5 Analytics and Platform Optimization

• Measuring feature adoption rates and user engagement metrics
• Identifying usability friction points and optimizing App and Website UX
• Conducting A/B testing of new features, notification strategies, and recommendation formats
• Generating aggregate reporting for internal business intelligence

5. Data Sharing and Disclosure

HydroPing does not sell your personal data. We do not share your personal data with third parties for their independent marketing purposes. Disclosure of personal data occurs only in the following circumstances:

5.1 Service Providers and Sub-Processors

We engage vetted third-party service providers who process data on our behalf under strict data processing agreements (DPAs) that prohibit unauthorized use:

• Cloud Infrastructure: Encrypted storage, compute, and networking services (e.g., AWS, Google Cloud, or equivalent)
• Payment Processing: PCI-DSS Level 1 certified payment gateway (e.g., Stripe, Braintree)
• Push Notification Delivery: Mobile notification infrastructure providers (APNS, FCM)
• Transactional Email: Email delivery service providers for account and alert communications
• Customer Support Platform: Ticketing and live chat infrastructure providers
• Crash Reporting and APM: Application performance monitoring providers (e.g., Sentry, Datadog)
• Analytics: Privacy-respecting, data-processing-agreement-governed analytics providers

5.2 Commercial B2B API Integrations

Enterprise and commercial customers may configure the HydroPing API to integrate Device telemetry with third-party agricultural management systems (e.g., SCADA platforms, ERP systems, greenhouse automation controllers). Such integrations are configured exclusively at the customer's direction and under the customer's data responsibility. HydroPing provides technical APIs but does not independently control downstream processing in such integrations.

5.3 Aggregate and Anonymized Research Data

We may share de-identified, aggregated agronomic datasets with agricultural research institutions, universities, botanical organizations, and industry consortia. Such data contains no Personal Data and cannot reasonably be used to re-identify individuals or specific facilities. Commercial customers operating under enterprise agreements may opt out of such data contributions entirely.

5.4 Legal Disclosures

We may disclose personal data to government authorities, law enforcement agencies, or courts when required by applicable law, valid legal process (subpoena, court order, national security request), or when necessary to protect the safety, rights, or property of HydroPing, its users, or the public.

5.5 Business Transfers

In the event of a merger, acquisition, asset sale, financing, or corporate reorganization involving HydroPing, personal data may be transferred to the relevant successor entity. We will provide advance notice of such transfers and your rights in connection therewith, including the right to request deletion prior to transfer.

6. Data Retention

HydroPing retains personal data only for as long as necessary to fulfill the purposes described in this Policy, or as required by applicable law.

6.1 Device Telemetry and Sensor Data

• Raw sensor readings: retained for 24 months from collection, then aggregated and anonymized
• Aggregated hourly/daily summaries: retained for 7 years for longitudinal AI training
• AI inference outputs and recommendations: retained for 36 months from generation
• Anomaly and alert records: retained for 5 years for safety audit purposes

6.2 Account and Personal Data

• Account data: retained for the duration of the account plus 90 days following deletion request
• Support communications: retained for 3 years
• Marketing preferences and communication logs: retained for 2 years from last interaction

6.3 Commercial and Transaction Data

• Payment records and invoices: retained for 7 years for tax and financial compliance
• Order history and shipping records: retained for 5 years
• Subscription and entitlement records: retained for the subscription duration plus 5 years

6.4 Legal Hold

Data subject to an active legal hold, regulatory investigation, or litigation may be retained beyond standard schedules until such matter is fully resolved.

7. Data Security

HydroPing employs a defense-in-depth security architecture designed to protect all data across collection, transmission, storage, and processing stages.

7.1 Transmission Security

• All Device-to-cloud telemetry transmitted via TLS 1.3 encrypted channels
• Certificate pinning implemented in the App to prevent man-in-the-middle interception
• Mutual TLS (mTLS) authentication for Device API endpoints
• All web traffic enforced over HTTPS with HTTP Strict Transport Security (HSTS)

7.2 Storage Security

• Data at rest encrypted using AES-256 via cloud-native encryption services
• Database encryption keys managed via hardware security modules (HSM)
• Cryptographic key rotation on a minimum 12-month schedule
• Backup data encrypted equivalently to primary data stores

7.3 Access Controls

• Role-based access control (RBAC) limiting internal staff access to minimum necessary data
• Multi-factor authentication (MFA) mandatory for all HydroPing engineering and operations staff
• Privileged access management (PAM) with session recording for administrative database access
• Automated access review and de-provisioning on a quarterly schedule

7.4 Application Security

• Continuous static analysis security testing (SAST) and dynamic analysis (DAST) integrated into CI/CD pipeline
• Third-party penetration testing conducted annually and following major releases
• Bug bounty program for responsible disclosure of security vulnerabilities
• OWASP Top 10 compliance as a baseline application security standard

7.5 Incident Response

In the event of a personal data breach, HydroPing will: (i) contain the incident within 24 hours of detection; (ii) notify affected users without undue delay and within 72 hours where required by GDPR; (iii) notify relevant supervisory authorities as required; and (iv) provide a full post-incident report detailing cause, scope, remediation, and preventive measures.

8. Your Rights and Choices

Subject to applicable law, you have the following rights with respect to your personal data:

8.1 Right of Access

You have the right to obtain confirmation of whether we process your personal data and to receive a copy of that data in a commonly used, machine-readable format (data portability).

8.2 Right to Rectification

You have the right to correct inaccurate personal data and to have incomplete data completed. You may update most personal data directly through your account settings.

8.3 Right to Erasure

You have the right to request deletion of your personal data where: (i) it is no longer necessary for the purposes collected; (ii) you withdraw consent on which processing was based; (iii) you object to processing and there are no overriding legitimate interests; or (iv) the data has been unlawfully processed. Deletion requests cannot apply to data subject to legal retention obligations.

8.4 Right to Restrict Processing

You have the right to restrict processing of your data pending resolution of an accuracy dispute, an objection, or pending determination of whether our legitimate interests override yours.

8.5 Right to Object

You have the right to object at any time to processing of your data for: (i) direct marketing; (ii) profiling for marketing purposes; or (iii) processing based on legitimate interests, unless we can demonstrate compelling legitimate grounds that override your interests.

8.6 Rights Related to Automated Decision-Making

Where HydroPing makes automated decisions that significantly affect you, you have the right to request human review, challenge the decision, and receive an explanation of the logic applied.

8.7 California-Specific Rights (CCPA/CPRA)

California residents have additional rights including: the right to know specific categories and pieces of data collected; the right to opt out of sale or sharing of personal data (Note: HydroPing does not sell personal data); the right to non-discrimination for exercising privacy rights; and the right to correct inaccurate personal information.

8.8 Exercising Your Rights

To exercise any of the above rights, submit a verifiable request to support@hydroping.com or through the Privacy Controls section in your account settings. We will respond within 30 days (or 45 days where permitted for complex requests) after verifying your identity.

9. Cookies and Tracking Technologies

HydroPing uses cookies, pixels, local storage, and similar technologies on our Website and App.

9.1 Strictly Necessary Cookies

Essential for Platform operation: session management, authentication state, CSRF protection, and secure checkout. These cannot be disabled without breaking core functionality.

9.2 Performance and Analytics Cookies

Used to measure usage patterns, error rates, and feature adoption. Subject to your consent where required by applicable law and may be disabled through our Cookie Preference Center.

9.3 Functional Cookies

Used to remember your preferences, language, timezone, and display settings to provide a personalized experience.

9.4 Targeting and Attribution Cookies

Used (where consented) for measuring marketing campaign effectiveness and attributing acquisitions. We do not use third-party advertising cookies for behavioral ad targeting.

9.5 Managing Cookie Preferences

You may manage your cookie preferences at any time through our Cookie Preference Center accessible in the Website footer or App Settings > Privacy. Blocking or deleting cookies may impair certain Platform features.

10. Children's Privacy

The HydroPing Platform is not directed to, and we do not knowingly collect personal data from, children under the age of 13 (or the applicable minimum age in your jurisdiction). If we learn that we have inadvertently collected personal data from a minor below the applicable age threshold, we will promptly delete such data. If you believe a minor has submitted personal data to us, please notify us at support@hydroping.com.

For commercial or educational deployments involving minors (e.g., school garden programs), appropriate institutional consent and COPPA-compliant data handling practices will be established under a dedicated agreement.

11. International Data Transfers

HydroPing operates globally and may transfer your personal data to countries other than the one in which you reside. Where such transfers involve data originating in the European Economic Area, United Kingdom, or Switzerland, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions where applicable
• Binding Corporate Rules (BCRs) for intra-group transfers
• EU-U.S. Data Privacy Framework certification where applicable

For transfers from other jurisdictions, we implement equivalent contractual and technical safeguards mandated by applicable local law.

12. Changes to This Privacy Policy

HydroPing reserves the right to update this Privacy Policy to reflect changes in our data practices, legal requirements, or Platform capabilities. Material changes will be communicated via: (i) prominent in-App notification; (ii) email to your registered address; and (iii) a version notice on this document. Your continued use of the Platform following the effective date of a revised Policy constitutes acceptance of the updated terms. Where applicable law requires explicit consent for material changes, we will obtain such consent before the changes take effect.

13. Contact Information and Data Protection Officer

For privacy-related inquiries, rights requests, or concerns, contact HydroPing at:

support@hydroping.com

For users in the European Economic Area or United Kingdom, our EU/UK Representative and Data Protection Officer can be contacted via the above email with the subject line "DPO Inquiry." Supervisory authority complaints may be filed with the data protection authority in your country of residence.