Legal
Privacy notice
Effective 4 June 2026.
Who we are
Vuna is an orchard-intelligence and export-compliance platform for estate agriculture, built and operated by Tall Guys, the studio that develops Vuna (currently pre-incorporation). For each estate that uses Vuna, the estate is the data controller for its operational data and Tall Guys acts as the data processor. This notice describes how we process personal data on the Vuna platform.
What we collect
Vuna is invite-only. We collect personal data only when an estate manager creates an account for you, or when you sign in and use the app:
- Account details — name, email, phone (if provided), role (worker, scout, agronomist, manager, viewer), preferred language.
- Authentication — a hashed password and session token (we never see your password in plain text).
- Operational records you create — scouting observations, spray events, irrigation, harvest, phenology, lab assays and recommendations. These may carry your name as the recorder, a GPS coordinate, and a timestamp.
- Technical metadata — IP address, user agent and request timestamps held in server logs and the application audit trail. Used for security, troubleshooting and auditability.
We do not collect special-category data (health, ethnicity, beliefs, biometrics) and we do not run advertising or marketing tracking on Vuna.
Why we process it
- To run the service — authenticate you, show you the data you’re authorised to see, and let staff capture field events.
- To produce agronomic recommendations (irrigation, nutrition, pest control) and the compliance records the estate needs for buyer audits (e.g. Japan-MRL gate, PHI/REI, spray traceability).
- To meet legal and audit obligations — keeping an immutable audit trail of who changed what and when, for the food-safety and data-protection regimes the estate operates under.
Our lawful basis is the estate’s legitimate operational interest as your employer or service provider, with food-safety record-keeping as the legal-obligation overlay.
Where it is stored
All operational data is stored and processed in the European Union (Frankfurt, eu-central-1) via Supabase (Postgres + PostGIS + Auth + Storage). Computing and the website are hosted by Vercel. Data is encrypted at rest and in transit. Access inside the platform is governed by row-level security tied to your role and field assignments.
If you are located outside the EU, your data is transferred to the EU. We rely on the EU GDPR’s safeguards for inbound processing; for Malawi-based data subjects, this is a deliberate residency choice we make on behalf of the estate and is documented in the estate’s compliance file.
Who else processes it (sub-processors)
The following sub-processors operate on our behalf. We disclose their presence, not their credentials.
| Provider | Purpose | Region |
|---|---|---|
| Supabase | Database, Auth, Storage, Edge Functions — primary platform | Frankfurt, EU |
| Vercel | Web hosting, serverless functions, scheduled crons | EU region |
| KoboToolbox | Field-data capture (scouting, sprays, harvest forms) | Global / EU |
| IrriCheck | On-site weather station relay (Davis Vantage Pro2) | External |
| Open-Meteo / NASA POWER / Sentinel Hub | Weather forecast & remote-sensing feeds (no personal data exposed) | External (EU/US) |
| ImprovMX | Email forwarding for hello@vuna.dev | EU |
We update this list before adding any new sub-processor that would handle personal data. The in-app /admin/settings view shows the live integration status.
How long we keep it
We keep operational records for as long as the estate needs them for audit and yield analysis — typically multiple seasons. We keep the immutable audit log indefinitely (it is an append-only food-safety record). When an account is deleted, the staff member’s personal details are removed but the records they created remain with the “who” field cleared, so the audit trail is preserved without identifying the person.
Your rights
Under GDPR and Malawi’s Data Protection Act 2024 you can:
- Ask what personal data we hold about you.
- Ask us to correct anything that is wrong.
- Ask us to delete your account and personal data (your records stay but the attribution is cleared).
- Object to processing, or ask us to restrict it.
- Lodge a complaint with the data-protection authority where you live.
To exercise any of these rights, email hello@vuna.dev and your estate’s manager. We respond within 30 days.
Cookies and similar technology
Vuna uses strictly necessary cookies only — the Supabase session cookie that keeps you signed in. We do not use analytics cookies, marketing cookies, or third-party trackers, so we do not show a cookie consent banner. If we ever add analytics, we will update this notice and ask for your consent first.
Security
TLS in transit; encryption at rest; row-level security on every table; an append-only audit log; least-privilege roles. Secrets live only on the server. We do not store payment data.
Changes to this notice
If we change how we process personal data, we will update this page and the effective date at the top. Material changes will be flagged inside the app.
Contact
For privacy questions, write to hello@vuna.dev.
This notice is the public summary. The detailed compliance posture — sub-processor register, data inventory, role/RLS matrix, audit-log behaviour — is captured inside the app at /admin/settings for authorised users.