Privacy & Data Policy

Myco Ops, Inc. operates a multi-tenant cloud platform for commercial mushroom cultivation management. With respect to the data we handle, we act in two distinct capacities:

• Data Controller — for account and contact information collected during registration and platform use.
• Data Processor — for Customer Data submitted by customers in the course of using the Service.

Privacy inquiries: support@getmycoops.com

EU Representative: [To be appointed]

Data Protection Officer: support@getmycoops.com

2.1 Account and Registration Data

When you register or manage your account, we collect:

• Full name, email address, phone number, and job title
• Organization name, address, and billing information
• Account credentials (passwords are salted and hashed; we never store plaintext passwords)
• Communication and notification preferences

2.2 Operational and Customer Data

The core function of the platform involves storing your cultivation records:

• Cultivation records: species, strain, substrate composition, inoculation dates, environmental conditions, and harvest data
• Environmental sensor readings and monitoring logs
• Yield data, contamination events, and quality grades
• Cost inputs, inventory records, and supplier data
• Workflow metadata: stage transitions, timestamps, operator IDs, and QR/barcode scans

2.3 Usage and Technical Data

We collect the following technical data automatically:

• Device information (browser type, operating system, device identifiers)
• Log data: IP addresses, timestamps, pages accessed, and API call records
• Performance and error data for platform reliability monitoring
• Cookies and session tracking identifiers (see Section 10)

2.4 Third-Party Integration Data

If you connect third-party services (such as QuickBooks, Shopify, or WooCommerce), we receive data from those services as necessary to provide the integration. The scope of data received is determined by the permissions you grant within each third-party platform.

We use collected data for the following purposes:

• Service delivery — Providing, operating, and maintaining all platform features and functionality.
• Analytics and reporting — Generating dashboards, KPIs, and reports within your account.
• Platform improvement — Refining algorithms, developing new features, and optimizing recommendations using anonymized patterns.
• Communications — Sending transactional messages (account, billing, security) and optional communications described in Section 9 of the Terms of Service.
• Security — Detecting threats, monitoring for unauthorized access, and protecting platform integrity.
• Legal compliance — Meeting our obligations under applicable law and responding to lawful requests.

4.1 What We Aggregate

We derive anonymized, aggregated datasets from Customer Data across our customer base. Examples include:

• Yield averages by mushroom species, region, and season
• Substrate effectiveness benchmarks
• Environmental condition correlations
• Cost efficiency metrics and industry trends
• Contamination rate patterns by substrate and technique

4.2 Anonymization Process

Before any Aggregated Data is used or shared externally, we apply:

• Removal or cryptographic hashing of all direct identifiers
• Suppression or generalization of indirect identifiers
• k-anonymity (k≥5) and l-diversity protections
• Differential privacy techniques where appropriate
• A Data Protection Impact Assessment (DPIA) prior to each new aggregated data sharing category
• Independent re-identification risk testing

4.3 Recipients of Aggregated Data

Anonymized, aggregated datasets may be licensed to third parties including substrate and equipment suppliers, research institutions, agricultural technology companies, financial analysts, and government agencies. All recipients are contractually prohibited from attempting to re-identify individuals or organizations from the data.

4.4 What We Never Share

• We never sell identifiable Customer Data to any third party
• We never share raw, un-anonymized data with third parties
• We never share data for advertising or individual profiling purposes
• We never permit third parties to combine our data with other sources to re-identify customers

4.5 Opt-Out

You may opt out of third-party Aggregated Data licensing by toggling "Data Sharing" to Off in your account dashboard, or by emailing support@getmycoops.com. Opt-out takes effect within 30 days and does not affect your access to or pricing for the Service. Data already incorporated into anonymized, aggregated datasets prior to the opt-out effective date cannot be recalled.

Beyond the Aggregated Data licensing described in Section 4, we share data only in the following circumstances:

• Service providers — We engage third-party vendors (such as AWS, Stripe, and email delivery providers) who process data on our behalf under contractual data processing obligations. See Section 13 for the sub-processor list.
• Third-party integrations — When you connect external services, data flows to those services as required to deliver the integration. You control which integrations are active.
• Legal requirements — We may disclose data if required by law, regulation, court order, or to protect the rights, property, or safety of the Company or its users.
• Business transfers — In the event of a merger, acquisition, or sale of substantially all assets, Customer Data may be transferred to the successor entity. Affected customers will receive advance notice.

6.1 Primary Location

The Service is hosted in AWS infrastructure located in the United States (us-east-1 region). By using the Service, you acknowledge that your data will be processed in the United States.

6.2 EEA, UK, and Switzerland Transfers

For transfers of personal data from the EEA, United Kingdom, or Switzerland, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission, and the UK International Data Transfer Addendum (IDTA) where applicable.

6.3 Data Processing Agreement

A Data Processing Agreement (DPA) incorporating SCCs is available to customers upon request. Contact support@getmycoops.com.

6.4 Transfer Impact Assessments

Transfer impact assessments are conducted for cross-border data flows and are available to customers upon request.

7.1 Active Subscription

Customer Data is retained for the duration of the active subscription plus 30 days.

7.2 Post-Termination Deletion

After the 30-day export window following termination, Customer Data is deleted within 90 days from primary systems. Backup copies are purged within 12 months.

7.3 Aggregated Data

Anonymized, aggregated data is retained indefinitely as it does not contain identifiable information.

7.4 Account Data

Account-level records (billing history, legal notices) are retained for 6 years after account closure to meet financial and legal record-keeping obligations.

7.5 Usage Data

Usage logs containing identifiable information (such as IP addresses) are retained for 24 months.

If you are located in the EEA, UK, or Switzerland, you have the following rights with respect to your personal data:

• Access — Request a copy of the personal data we hold about you.
• Rectification — Request correction of inaccurate or incomplete personal data.
• Erasure — Request deletion of your personal data, subject to legal retention obligations.
• Restriction — Request that we limit processing of your data in certain circumstances.
• Portability — Receive your personal data in a structured, machine-readable format.
• Objection — Object to processing based on legitimate interests or for direct marketing.
• Automated Decision-Making — Not be subject to solely automated decisions that produce significant legal effects.

To exercise any of these rights, contact us at support@getmycoops.com or use the GDPR Rights Center within the platform. We respond within 30 days (extendable by 60 days for complex requests). We may require identity verification before processing certain requests. We do not charge a fee unless a request is manifestly unfounded or excessive.

We implement the following security controls to protect Customer Data:

• AES-256 encryption at rest for all stored data
• TLS 1.2 or higher for all data in transit
• Role-based access control (RBAC) with least-privilege enforcement
• Multi-factor authentication (MFA) for account access
• Strict tenant data isolation — no cross-tenant data access is possible
• Continuous monitoring and intrusion detection
• 72-hour security incident response procedures
• Third-party vendor security assessments
• Regular employee security training

No security system is absolutely impenetrable. In the event of a confirmed data breach, we will notify affected customers within 72 hours of becoming aware of the incident.

We use the following categories of cookies and tracking technologies:

• Strictly Necessary — Session management, authentication tokens, and security protections. These are required for the platform to function and cannot be disabled.
• Functional — User preferences and language settings to personalize your experience.
• Analytics — Internal feature usage tracking to understand how customers use the platform and improve the product. We do not use third-party analytics services for profiling.

We do not use advertising cookies or cross-site tracking technologies. A cookie preference banner is displayed on first visit. Rejecting optional analytics cookies does not affect any platform functionality.

The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that a minor has registered for an account, we will promptly delete the account and associated data. If you believe a minor has created an account, contact us at support@getmycoops.com.

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to Know — Request disclosure of the categories and specific pieces of personal information we have collected about you.
• Right to Delete — Request deletion of personal information we have collected, subject to exceptions.
• Right to Correct — Request correction of inaccurate personal information.
• Right to Opt-Out of Sale or Sharing — Our Aggregated Data licensing program may constitute a "sale" or "sharing" of personal information under California law. You may opt out as described in Section 4.5 or by using the "Do Not Sell or Share My Personal Information" link on our website.
• Right to Non-Discrimination — We will not discriminate against you for exercising any CCPA/CPRA rights.

To exercise California privacy rights, contact us at support@getmycoops.com.

We engage the following categories of sub-processors to operate the Service:

• AWS — Cloud hosting, storage, authentication, and email delivery infrastructure
• Stripe — Payment processing and subscription billing
• AWS SES — Transactional email delivery
• Support tooling — Customer support ticket management

Analytics processing is performed internally using our own systems. A current list of sub-processors is maintained at www.mycoops.io/sub-processors. We provide at least 30 days' notice before adding new sub-processors. Customers have a 15-day window to object to a new sub-processor, with the right to terminate if a reasonable objection cannot be resolved.

The Company conducts Data Protection Impact Assessments (DPIAs) in the following circumstances:

• Before introducing new categories of Aggregated Data sharing with third parties
• When making significant changes to existing processing activities
• Before adopting new high-risk technologies that process personal data

DPIAs are reviewed on an annual basis. Summaries of completed DPIAs are available to customers upon request by contacting support@getmycoops.com.

We may update this Privacy & Data Policy as our practices evolve. For material changes, we will provide at least 30 days' advance notice via email and in-app notification. The updated policy will be posted on this page with a revised "Last updated" date.

Continued use of the Service after the effective date of a revised policy constitutes your acceptance of the changes. If you disagree with the revised policy, you may terminate your subscription before the effective date.