This Privacy Policy applies to all personal data processed by BX Technologies Limited in connection with its agricultural intelligence platform, website, and AI services (including SAM AI). It is written to the highest applicable standard across all markets in which BX operates and should be read alongside the applicable Data Processing Addendum where BX acts as a data processor.
BX Technologies Limited (“BX”, “we”, “our”, “us”) is a company incorporated in England and Wales (Company Number 12545451) whose registered office is at 128 City Road, London, EC1V 2NX, United Kingdom. We develop and operate an AI-powered agricultural intelligence platform used by farming businesses in the United States, New Zealand, Peru, Chile, and the European Union. In respect of the personal data described in this Policy, BX is the data controller — meaning we determine the purposes and means of processing. Where BX processes personal data on behalf of a customer (for example, data belonging to a farm operator’s employees), BX acts as a data processor and the customer is the controller. That relationship is governed by a separate Data Processing Addendum.
Data Controller Details
Company: BX Technologies Limited
Address: 128 City Road, London, EC1V 2NX, United Kingdom
Email: [email protected]
Website: bx.tech
For EU/UK data subjects, our lead supervisory authority is the UK Information Commissioner’s Office (ICO). Spanish data subjects may also contact the Agencia Española de Protección de Datos (AEPD).
We collect information you provide when you create an account, subscribe to our platform, use SAM AI, contact us, or fill in any form, including:
Account information: full name, email address, telephone number, job title, organisation name, billing address, and country.
Farm and agronomic data: farm names, field names, coordinates, crop types, hectarage, agronomic records, and soil or weather observations you input into the platform.
Payment information: processed via our payment provider — BX does not store card numbers or bank account details.
Communications: messages, support queries, and feedback you send us, including via SAM AI.
Onboarding information: responses you give during platform onboarding and configuration.
When you visit our website or use the BX platform, we automatically collect:
Usage data: pages visited, features used, buttons clicked, session duration, and navigation paths.
Device and technical data: IP address, browser type and version, operating system, device identifiers, screen resolution, and referring URLs.
Log data: server access logs, error logs, and API request logs, including timestamps.
Geolocation data: general location derived from IP address (not precise GPS location, unless you grant permission for map features).
Analytics data: website and platform usage metrics (Google Analytics 4), session recordings and heatmaps where you have consented (Hotjar / Contentsquare), product analytics (Mixpanel, Contentsquare/Heap), and event routing via our customer data platform (Segment).
We may receive information about you from:
Your employer or the organisation that holds your BX account, when they add you as a named user.
Public agricultural and weather data sources integrated into the platform, including weather data provided by Visual Crossing (visualcrossing.com).
Payment and identity verification providers.
The table below sets out each purpose for which we process personal data, together with the legal basis under each applicable framework.
| Purpose | Data Categories | Legal Basis (GDPR) | Legal Basis (CCPA) | Retention |
|---|---|---|---|---|
| Providing the BX platform and account management | Account info, farm data | Performance of contract (Art 6(1)(b)) | Business purpose (service delivery) | 3 years after account closure + vault period |
| Processing payments and issuing invoices | Billing and payment info | Performance of contract (Art 6(1)(b)); Legal obligation (Art 6(1)(c)) | Business purpose | 7 years (accounting/tax legal obligation) |
| Operating SAM AI chatbot | Queries, farm context, account info | Performance of contract (Art 6(1)(b)) | Business purpose | Lifetime of subscription. Contact [email protected] for data management requests — see Section 5 |
| Platform analytics and product improvement (Google Analytics 4, Hotjar, Mixpanel, Segment, Contentsquare, Heap) | Usage, device, session recording | Consent (Art 6(1)(a)) | Consent (opt-in) | 14 months rolling (GA4); 13 months rolling (Hotjar / Contentsquare); 12 months (Mixpanel); varies by tool |
| Marketing and promotional communications | Name, email, preferences | Consent (Art 6(1)(a)) or Legitimate interests (Art 6(1)(f)) for existing customers | Opt-in consent (CPRA) | Until unsubscribed + 1 year |
| Security, fraud prevention, and abuse monitoring | IP, device, log data | Legitimate interests (Art 6(1)(f)) — protecting users and platform integrity | Business purpose (security) | 12 months log retention |
| Legal compliance and regulatory obligations | Any data required by law | Legal obligation (Art 6(1)(c)) | Legal obligation | Duration required by applicable law |
| Customer support and dispute resolution | Communications, account info | Performance of contract (Art 6(1)(b)); Legitimate interests (Art 6(1)(f)) | Business purpose | 3 years after ticket closure |
| Onboarding and account configuration | Account info, farm setup data | Performance of contract (Art 6(1)(b)) | Business purpose | Duration of account |
| LEGITIMATE INTERESTS BALANCING TEST |
|---|
| Where we rely on legitimate interests, we have conducted a balancing test and determined that our interests are not overridden by your rights. You may object to processing on legitimate interests grounds at any time — see Section 9. |
EU AI ACT TRANSPARENCY NOTICE (Article 50, Regulation (EU) 2024/1689)
SAM AI is an AI system deployed by BX Technologies Limited. You have the right to know when you are interacting with an AI system. SAM AI is not a human. Interactions with SAM AI may be used to provide you with agricultural advice, analyse farm data, and surface insights. BX is an AI Deployer under the EU AI Act.
SAM AI is BX’s in-platform AI chatbot. It allows users to interact with their farm data using natural language, ask agronomic questions, and receive AI-generated insights. SAM AI is built on the open-source Flowise framework, self-hosted by BX on BX’s own cloud infrastructure in the United States, and uses large language model (LLM) APIs to generate responses.
When you use SAM AI, your query and relevant farm context data are processed by the following sub-processors. All SAM AI inference is routed via OpenRouter (our LLM routing layer) which provides account-wide Zero Data Retention (ZDR) endpoint controls. Data Processing Agreements and ZDR confirmations are in place or being finalised with each provider listed below:
Anthropic (Claude models) — BX holds a Claude Team subscription for internal use; customer data may be processed indirectly. DPA accepted via Claude.ai team admin settings (25 Feb 2026).
OpenAI (GPT models) — SAM AI inference and Data Pipeline, via OpenRouter BYOK (Azure-routed). ZDR confirmed via OpenRouter; DPA accepted (25 Feb 2026).
Google (Gemini models) — Vertex AI inference via OpenRouter BYOK; ZDR confirmed for Vertex AI.
Note: Import Agent and SAM AI context store currently use Google AI Studio (direct API; covered by Google API Terms with embedded SCCs as an interim measure — migration to Vertex AI within 30 days). See sub-processor table below.
Data passed to LLM providers may include your query text and agronomic context derived from your farm data. Full names, contact details, and payment information are not passed to LLM providers. LLM observability (full traces) is captured by LangSmith; automated browser sessions used for farm data import are handled by Browserbase. See the full Sub-Processor List here for details.
None of your data is used to train the underlying AI models operated by Anthropic, OpenAI, Google, or any other AI service provider used by BX. All SAM AI inference is routed via OpenRouter with account-wide Zero Data Retention (ZDR) controls enabled, and all AI provider training/logging toggles are disabled. Your farm data and personal data are not used by BX to train any proprietary AI models.
SAM AI’s inference engine is hosted in the United States. When EU/UK data subjects use SAM AI, their data is transferred to the US for processing. This transfer is conducted under EU Standard Contractual Clauses (Module 2: Controller to Processor), supported by a Transfer Impact Assessment (TIA) completed in February 2026. A copy of applicable SCCs is available on request from [email protected].
This section is linked from the SAM AI chat interface and provides a plain-language summary of how your data is handled when you use SAM AI. For full technical and legal detail, see Section 4 above.
| WHAT HAPPENS WHEN YOU SEND A MESSAGE TO SAM AI |
|---|
| Data Sent: Your query text and any relevant farm context (such as field names, crop types, or data you have entered in the platform) are sent to BX’s AI providers to generate a response. This processing is necessary to deliver the SAM AI service. |
| Providers & Transfers: Your data is processed by one or more of the following AI providers, each operating under Standard Contractual Clauses (SCCs) for EU/UK transfers: • Anthropic (Claude models) — zero data retention confirmed. • OpenAI (GPT models) — zero data retention confirmed. • Google (Gemini models) — zero data retention confirmed. SAM AI inference is processed in the United States. The applicable transfer safeguards are described in Section 4.3. |
| Retention & History: Your conversation history is stored on BX’s secure GCP infrastructure and is accessible to you within the platform, so you can review previous queries and responses. Conversations are retained for the lifetime of your subscription and may be reviewed by BX staff to improve the quality and accuracy of the SAM AI service. You can contact [email protected] at any time to request restriction of access to your conversation history or to submit a data management request. |
| WHAT BX DOES NOT DO WITH YOUR SAM AI DATA |
|---|
| ✗ Use your conversations to train the underlying AI models (Anthropic, OpenAI, or Google) — no model training use is permitted under our API agreements. |
| ✗ Share your conversations with AI providers beyond what is needed to generate a response. |
| ✗ Share your farm data with other BX customers or third parties for their own purposes. |
| ✗ Make solely automated decisions that have legal or similarly significant effects on you without human oversight. |
| ✗ Sell your personal data. |
SAM AI is a core feature of the BX Platform, delivered on the legal basis of performance of contract (GDPR Article 6(1)(b)). No in-product opt-out is available. Users who do not wish to use SAM AI should contact [email protected] to discuss their subscription. For your full data rights, see Section 9 of this Policy. To contact us about SAM AI data handling: [email protected].
We retain personal data only for as long as necessary for the purpose for which it was collected, or as required by law. Our retention periods are:
| Data Category | Retention Period | Legal Driver |
|---|---|---|
| Account and profile data | Duration of account + 3 years after closure | Contract; GDPR Art 5(1)(e) |
| Farm and agronomic data | Duration of account + 3 years after closure | Contract; EU Data Act portability window |
| Invoicing and payment records | 7 years from invoice date | UK Companies Act / HMRC; Spanish tax law |
| SAM AI conversation logs | Lifetime of subscription. Contact [email protected] for data management or access restriction requests | GDPR Art 5(1)(c) data minimisation |
| Support tickets and communications | 3 years from ticket closure | Legitimate interests (dispute resolution) |
| Marketing consent records | Duration of consent + 1 year (audit trail) | GDPR Art 7(1) |
| Website analytics (Google Analytics 4) | 14 months rolling | GA4 data retention settings; GDPR Art 5(1)(e) |
| Session recording / heatmaps (Hotjar / Contentsquare) | 13 months rolling | Hotjar/Contentsquare DPA |
| Product analytics (Mixpanel) | 12 months rolling | GDPR Art 5(1)(e) |
| Product analytics (Heap / Contentsquare) | 12 months rolling | GDPR Art 5(1)(e) |
| Event data (Segment) | 12 months rolling | Segment DPA; GDPR Art 5(1)(e) |
| Security and access logs | 12 months | GDPR Art 32; legitimate security interests |
Upon receiving a valid erasure request, BX follows a Secure Vaulting Process to comply simultaneously with GDPR Article 17 (right to erasure) and Spanish LOPDGDD Article 32 (bloqueo de datos):
Step 1 — Deactivation: the data is immediately removed from active production systems and made inaccessible to users.
Step 2 — Vaulting: the data is transferred to an isolated, encrypted secure vault. Access is restricted to authorised BX personnel and requires senior approval.
Step 3 — Bloqueo period: the vaulted data is held for 3 years in accordance with Spanish law. During this period the data is invisible to you and cannot be used for any business purpose.
Step 4 — Permanent deletion: after the bloqueo period, the data is irrecoverably deleted and a deletion certificate is issued.
This process applies to all EU data subjects. Non-EU data subjects receive direct deletion under the standard process (Steps 1 and 4 only).
We do not sell your personal data. We do not share your personal data with third parties for their own marketing purposes. We share your personal data only as described below.
We engage carefully selected service providers who process personal data on our behalf under contractual data processing agreements. Our current sub-processors are:
| Provider | Service | Location | Safeguard |
|---|---|---|---|
| Google Cloud Platform (GCP) | Primary production hosting and database | europe-west1, Belgium (EU) | EU adequacy / DPA in place |
| Google Cloud Platform (GCP) | SAM AI orchestration (BX self-hosted Flowise) and Data Pipeline — stores persistent SAM AI conversation history, extracted customer document text, and LLM processing records; also hosts demo environment | us-west1 / us-west2, Oregon / LA (USA) | SCCs (Module 2) |
| Anthropic | Claude (Team subscription) — BX internal AI assistant; customer data may be processed indirectly | United States | SCCs (Module 2); DPA accepted (25 Feb 2026) |
| OpenAI | GPT LLM API — Data Pipeline enrichment and transformation, via OpenRouter BYOK (Azure-routed) | United States | SCCs (Module 2); ZDR confirmed via OpenRouter BYOK; DPA accepted (25 Feb 2026) |
| Google (Gemini) | Gemini API (Vertex AI) via OpenRouter BYOK; SAM AI inference and Data Pipeline. Note: Import Agent and context store use Google AI Studio (direct API; covered by Google API Terms with embedded SCCs as an interim measure — migration to Vertex AI within 30 days). | United States | SCCs (Module 2); ZDR confirmed via OpenRouter for Vertex AI. Google AI Studio (interim): Google API Terms with embedded SCCs — migration to Vertex AI within 30 days. |
| OpenRouter (OpenRouter Inc.) | LLM routing layer — routes all SAM AI and Data Pipeline inference via BYOK endpoints. Account-wide ZDR Endpoints Only enabled 25 Feb 2026; all training/logging toggles disabled. | USA (San Francisco) | SCCs (Module 2) + TIA; operational data protection controls active: account-wide ZDR Endpoints Only enabled (25 Feb 2026), all AI training and inference logging disabled. Formal Data Processing Agreement under review — BX is currently assessing contractual DPA options with OpenRouter. |
| Google (AI Studio) | Import Agent automation (Gemini CUA) and SAM AI context store (Filestore: customer documents, 48-hr expiry). Interim measure: Google API Terms apply with SCCs embedded for EU/UK data transfers. Migration to Vertex AI (GCP DPA coverage) committed within 30 days. | USA (Google LLC) | Google API Terms of Service with embedded SCCs (Module 2) for EU/UK transfers — assessed as a sufficient interim safeguard for the 30-day migration period. Full GCP DPA coverage will apply upon migration to Vertex AI. |
| LangSmith (LangChain Inc.) | LLM observability — captures full LLM traces including prompts, completions, and customer document content. DPA in progress; EU endpoint migration in progress. | USA (New York) | SCCs (Module 2) + TIA; DPA in progress; EU data residency option available |
| Browserbase (Browserbase Inc.) | Cloud browser for Import Agent — processes FMS login credentials, full FMS page content, and downloaded farm data files during automated import sessions. DPA to be obtained. | USA (San Francisco) | SCCs (Module 2) + TIA; DPA to be obtained |
| Unstract | ETL document extraction (backend) | United States | DPA at unstract.com/dpa |
| Cloudflare | CDN, DDoS, WAF — used indirectly via Elementor (Cloudflare is an Elementor sub-processor; covered by Elementor DPA) | USA / EU (global edge network) | Via Elementor DPA (Cloudflare is Elementor sub-processor) |
| Google Analytics 4 | Website and platform analytics | United States | SCCs; IP anonymisation enabled; consent-gated |
| Hotjar / Contentsquare | Session recording, heatmaps | EU (France) | DPA in place; consent-gated |
| Contentsquare / Heap | Product analytics and session data | EU (France) | DPA in place; consent-gated |
| Mixpanel | Product analytics | United States | SCCs; consent-gated |
| HubSpot | CRM and marketing automation | EU (Frankfurt, Germany — AWS) | EU-hosted; DPA in place |
| Meta (Facebook) | Advertising and remarketing (Facebook Pixel) | United States | SCCs; consent-gated |
| LinkedIn | Professional advertising (LinkedIn Insight Tag) | United States | SCCs; consent-gated |
| Google Ads (DoubleClick) | Advertising and remarketing | United States | SCCs; consent-gated |
| Usertiful | User onboarding and feature tooltips | EU | DPA in place |
| Xero | Invoicing and accounting | EU / UK data centres | DPA in place; EU-hosted option |
| Stripe | Payment processing | United States / EU | SCCs; PCI-DSS Level 1 certified |
A full and up-to-date Sub-processor List is published here. We will provide at least 30 days’ prior notice of material changes to our sub-processor list to EU/UK customers.
We may disclose your personal data to law enforcement authorities, courts, or regulatory bodies where we are legally required to do so, or where we believe disclosure is necessary to protect our legal rights or to prevent harm.
In the event of a merger, acquisition, or sale of all or a material part of our business, personal data held by BX may be transferred to the acquirer. We will notify affected data subjects in advance where required by law.
BX is a UK-incorporated company. Our core API and primary EU customer data are hosted in the EU (GCP europe-west1, Belgium). SAM AI conversation history and the Data Pipeline are processed in GCP us-west1 (Oregon, USA) — this is a deliberate architectural choice and we ensure appropriate GDPR transfer safeguards are in place for this processing. We also use additional service providers located in the United States and other countries. Where we transfer personal data outside the UK or European Economic Area (EEA), we ensure appropriate safeguards are in place as follows:
EU Standard Contractual Clauses (SCCs) — Module 2 (Controller to Processor): used for all transfers to US-based sub-processors including Anthropic, OpenAI, Google (Vertex AI/AI Studio/Analytics/Ads), OpenRouter, LangSmith, Browserbase, Mixpanel, Meta (Facebook Pixel), LinkedIn (Insight Tag), Google Ads, Cloudflare, Unstract, Sentry, Grafana Cloud, and Stripe.
UK International Data Transfer Agreements (IDTAs): used for transfers from the UK to countries without UK adequacy decisions, in addition to SCCs where applicable.
Transfer Impact Assessments (TIAs): conducted for all high-risk restricted transfers, including the BX self-hosted SAM AI/Flowise pipeline on GCP US. TIAs are reviewed annually.
Data localisation: BX’s core API and primary account data are stored in GCP europe-west1 (Belgium). SAM AI conversation history and Data Pipeline processing occur in GCP us-west1 (USA), covered by SCCs.
LLM inference data is processed via OpenRouter’s ZDR endpoints ensuring zero persistence at AI providers.
You may request a copy of the safeguards applicable to your data by emailing [email protected].
We use cookies and similar tracking technologies on our website and platform. A full Cookie Policy is published at bx.tech/cookies. The key categories are:
| Category | Examples | Purpose | Consent Required? |
|---|---|---|---|
| Strictly Necessary | Session cookies, CSRF tokens, auth cookies | Essential platform and security functionality | No — service cannot function without them |
| Functional | Language preferences, UI settings | Remember your preferences | No — but you may disable in browser settings |
| Analytics | Google Analytics, Hotjar, Mixpanel, Segment, Contentsquare | Understand how the platform is used and improve it | Yes — opt-in consent via banner |
| Advertising | Meta Pixel, LinkedIn, Google Ads, HubSpot | Measure marketing campaigns and enable remarketing | Yes — opt-in consent via banner |
You may withdraw or update your cookie consent at any time by using the cookie consent banner on our website or by adjusting your browser settings. Withdrawing consent does not affect the lawfulness of processing that occurred before withdrawal.
You have rights over your personal data. The rights available to you depend on the law applicable in your location. The table below summarises rights by jurisdiction.
| Right | GDPR (EU/UK) | CCPA/CPRA (California) | NZ Privacy Act | Chile/Peru |
|---|---|---|---|---|
| Access / Know | ✓ Art 15 | ✓ Right to Know | ✓ Principle 6 | ✓ |
| Rectification / Correction | ✓ Art 16 | ✓ CPRA | ✓ | ✓ |
| Erasure / Deletion | ✓ Art 17 | ✓ CCPA | Limited | Limited |
| Restriction of Processing | ✓ Art 18 | — | — | — |
| Data Portability | ✓ Art 20 | ✓ CPRA | — | — |
| Object to Processing | ✓ Art 21 | ✓ Opt-out of sale/sharing | — | — |
| Withdraw Consent | ✓ Art 7(3) | ✓ | ✓ | ✓ |
| Not Subject to Solely Automated Decisions | ✓ Art 22 | ✓ CPRA (profiling) | — | — |
| Opt Out of Sale of Personal Data | — | ✓ CCPA/CPRA | — | — |
| Opt Out of Targeted Advertising | — | ✓ CPRA | — | — |
| SAM AI — No In-Product Opt-Out (Core Platform Feature) | ✗ Not applicable — Art. 6(1)(b) contract performance | ✗ | ✗ | ✗ |
| Lodge a Complaint with Supervisory Authority | ✓ | ✓ (CPPA) | ✓ (OPC) | ✓ |
To exercise any right, please contact us using one of the following methods: Email: [email protected] — include “Data Rights Request” in the subject line
We will acknowledge your request within 72 hours and respond within 30 days (extendable by a further 60 days for complex requests, with notice). We will not charge a fee for reasonable requests. We may ask you to verify your identity before processing your request.
California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). BX does not sell personal data as defined by CCPA, nor do we share personal data for cross-context behavioural advertising. You have the right to opt out of any future sale or sharing and to non-discrimination for exercising your privacy rights. Submit California-specific requests to [email protected] with “CCPA Request” in the subject.
If you are dissatisfied with our response to a privacy concern, you have the right to lodge a complaint with your local data protection authority:
EU data subjects: the data protection authority in your EU member state (e.g., Agencia Española de Protección de Datos (AEPD) for Spain; www.aepd.es).
UK data subjects: Information Commissioner’s Office (ICO); www.ico.org.uk.
New Zealand data subjects: Office of the Privacy Commissioner; www.privacy.org.nz.
California residents: California Privacy Protection Agency (CPPA); www.cppa.ca.gov.
EU DATA ACT (Regulation (EU) 2023/2854) — IN FORCE SEPTEMBER 2025
The EU Data Act grants users the right to access and port machine-generated data produced through the use of IoT devices and connected services, including agricultural sensors and precision farming equipment. BX is committed to full compliance with these rights.
Where you use BX-connected field sensors, soil monitors, or other data-generating equipment:
You retain ownership of your raw farm data (sensor readings, field observations, GPS coordinates).
You have the right to receive a machine-readable export of your farm data at any time, free of charge, via your account settings or by requesting it from [email protected].
You may request that BX transfer your farm data directly to a third-party service provider you designate.
Derived AI insights, benchmarks, and anonymised aggregated outputs generated by BX from your data are BX intellectual property and are not subject to portability rights under the Data Act. These rights are available to all BX users, not only those in the EU.
BX takes the security of your personal data seriously. We implement appropriate technical and organisational measures to protect your data against unauthorised access, accidental loss, alteration, or disclosure. These measures include:
Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
Role-based access controls with audit logging for all access to personal data.
Access to customer data within internal operational tools (including project management, support ticketing, and consultancy planning tools) is restricted to authorised BX staff on a strict need-to-know basis. All such tools are covered by Data Processing Agreements. Where BX staff handle customer data in the course of consultancy or planning work, this is done under confidentiality obligations and in accordance with this Policy.
A bug bounty programme to identify and address security vulnerabilities.
Annual third-party penetration testing — planned as part of BX’s ongoing security programme.
Incident response procedures with defined escalation and notification timelines.
In the event of a personal data breach that poses a risk to your rights and freedoms, BX will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (where required by GDPR), and will notify affected data subjects without undue delay where the breach poses a high risk.
The BX platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact [email protected] and we will delete it promptly.
BX does not make solely automated decisions that produce legal or similarly significant effects about you as defined by GDPR Article 22. SAM AI generates advisory outputs to assist human decision-making by farm operators — all AI-generated outputs are recommendations only and are subject to human review and judgment. Where you opt in, BX may include your anonymised farm performance data in aggregated benchmarking analytics (e.g., yield comparisons against anonymised peer farms). This feature is opt-in only; benchmarks are derived exclusively from data contributed by farms that have explicitly consented to participate. Aggregated benchmarking analytics do not involve profiling of individual natural persons and no individual farm is identifiable in any benchmark output.
Our website and platform may contain links to third-party websites or integrations with third-party services. This Privacy Policy does not apply to those third parties. We encourage you to review the privacy policies of any third-party services you use.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes by:
Email notification to the account holder’s registered email address, at least 14 days before the change takes effect (for material changes affecting your rights).
In-platform notice on your next login.
Updating the “Effective Date” at the top of this Policy.
If you do not accept the revised Policy, you may close your account and request deletion of your data. Your continued use of the platform after the effective date constitutes acceptance of the revised Policy. Previous versions of this Policy are archived and available on request.
PRIMARY PRIVACY CONTACT
BX Technologies Limited
Attn: Privacy Team
Email: [email protected]
Subject line: “Privacy Enquiry” or “Data Rights Request”
RESPONSE TIMES
Acknowledgement: within 72 hours
Full response: within 30 calendar days
Complex requests: up to 90 days (with notice)
This Policy is written to the Highest Common Denominator standard, meaning all rights and protections described above apply globally. The supplements below provide additional statutory notices required in specific jurisdictions.
The legal bases for processing are as set out in Section 3. Where we rely on legitimate interests, you may object at any time. You have the right to lodge a complaint with your national data protection authority. BX Technologies Limited is a UK-incorporated company that processes personal data of EU data subjects. BX is currently reviewing its obligations under Article 27 GDPR regarding the appointment of an EU representative and will update this Policy and publish representative contact details at bx.tech/privacy-policy once that review is complete.
This Policy also constitutes BX’s privacy notice under the UK GDPR and Data Protection Act 2018. The UK supervisory authority is the Information Commissioner’s Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. Reports to the ICO can be made online at ico.org.uk/make-a-complaint.
For California residents: BX does not sell or share personal information as defined by CCPA/CPRA. No financial incentives are offered in exchange for personal data. You have the right to non-discrimination for exercising CCPA rights. You may designate an authorised agent to make requests on your behalf. We do not knowingly sell or share personal information of California residents under 16 years of age.
BX holds personal information in accordance with the New Zealand Privacy Act 2020. You have the right to access and correct your personal information. Complaints may be made to the Office of the Privacy Commissioner (privacy.org.nz). BX complies with the Information Privacy Principles set out in the Privacy Act 2020.
BX processes personal data of Chilean residents in accordance with Ley 19.628 sobre Protección de la Vida Privada and, where applicable, Ley 21.719 (new data protection framework, enacted December 2023 with transitional provisions in force). You have rights of access, rectification, cancellation, and opposition (ARCO rights). Contact: [email protected].
BX processes personal data of Peruvian residents in accordance with Ley 29733 (Ley de Protección de Datos Personales) and its Reglamento (D.S. No. 003-2013-JUS). You have ARCO rights. Personal data databases involving Peruvian residents are operated under the principles of legality, consent, purpose, proportionality, and security. Contact: [email protected].
BX processes personal data of Spanish residents in accordance with the Ley Orgánica 3/2018 de Protección de Datos Personales y garantía de los derechos digitales (LOPDGDD). On receipt of a valid erasure request from a Spanish resident, BX applies the bloqueo de datos procedure described in Section 5.1. Complaints may be directed to the Agencia Española de Protección de Datos (AEPD) at www.aepd.es.
| Term | Definition |
|---|---|
| Controller | The entity that determines the purposes and means of processing personal data. |
| Data Subject | A natural person whose personal data is processed. |
| GDPR | General Data Protection Regulation (EU) 2016/679. |
| HCD | Highest Common Denominator — a compliance strategy applying the strictest applicable standard globally. |
| LLM | Large Language Model — the AI technology underlying SAM AI responses. |
| LOPDGDD | Ley Orgánica 3/2018 — Spanish data protection law implementing GDPR. |
| Personal Data | Any information relating to an identified or identifiable natural person. |
| Processor | An entity that processes personal data on behalf of the controller. |
| Pseudonymisation | Processing personal data so that it can no longer be attributed to a specific person without additional information held separately. |
| SAM AI | BX’s AI-powered agricultural assistant chatbot, built on the open-source Flowise framework and self-hosted by BX on BX’s own GCP infrastructure. |
| SCCs | Standard Contractual Clauses — EU Commission-approved clauses for international data transfers. |
| TIA | Transfer Impact Assessment — a mandatory risk assessment for restricted cross-border data transfers post-Schrems II. |
| UK GDPR | The UK's retained version of the GDPR, as amended by the Data Protection Act 2018. |
| Vaulting / Bloqueo | The Spanish-law process of isolating data subject to erasure for 3 years before permanent deletion. |
| Zero Data Retention (ZDR) | A vendor API setting ensuring no query data is stored or used for model training. |


