Privacy Policy

Last updated: 16 February 2026
Effective for: PRISM (the "App")
Operated by: Soterra Labs Limited ("we," "us," or "our"), Company No. 16618829
Contact: hello@soterralabs.co.uk

1. Purpose of This Policy

This Privacy Policy explains how Soterra Labs collects, uses, and protects personal information when you use PRISM, our horticultural productivity app.

We are committed to safeguarding your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

By using PRISM, you agree to the terms of this Privacy Policy.

2. Who We Are

Soterra Labs Limited is an official Lancaster University spin-out company based in the United Kingdom, focused on developing digital tools that enhance productivity by revolutionising Maximum Pesticide Residue Level (MRL) Risk Management in global horticulture.

We act as the Data Controller for the personal data we collect through PRISM.

3. Information We Collect

We collect limited information to ensure the proper functioning of PRISM. We do not collect sensitive personal data (e.g., health, genetic, or biometric data) or any unnecessary personal identifiers. The specific categories of data we handle are described below.

3.1 Account & Authentication Data

When you register or sign in to PRISM, we collect:

  • Email address — used as your account identifier
  • Password — used for email/password sign-in
  • Auto-generated user ID — a unique identifier assigned to your account
  • Session tokens — stored in encrypted local storage (MMKV) on your device to keep you signed in

3.2 Location Data

  • GPS coordinates — collected on demand only when you choose to set a location for a crop. Location is accessed in the foreground only while the App is open.
  • We do not perform any background location tracking.

3.3 Crop & Agricultural Data

All crop data is entered by you and may include:

  • Crop name and type
  • Planting and harvest dates
  • Cover type
  • Crop location
  • Retailer
  • Custom MRL overrides
  • Notes

3.4 Product Application & Treatment Data

All treatment data is entered by you and may include:

  • Product applied
  • Application date
  • Pest or disease treated

3.5 Risk Assessment Data

PRISM computes risk assessments (risk levels, compliance status, and interval adherence) from the crop, product, and treatment data you enter. This derived data is not separately collected — it is calculated from your existing inputs.

3.6 Device Information (Local Only)

The following is stored locally on your device only and is not transmitted to our servers:

  • App version and build number
  • Colour scheme preference

3.7 What We Don't Collect

PRISM does not access or collect any of the following:

  • Camera, photos, or media files
  • Contacts or calendar data
  • Push notification tokens (PRISM does not send push notifications)
  • Analytics or behavioural tracking data
  • Advertising identifiers or SDKs
  • Background location data
  • Microphone or audio data
  • Health or biometric data

4. How We Use Your Information

We use collected data for the following purposes:

  • To operate and maintain PRISM, including account authentication and data synchronisation.
  • To compute risk assessments, compliance checks, and harvest interval calculations based on your crop and treatment data.
  • To provide crop and product reference data within the App.
  • To provide customer support and respond to enquiries.
  • To perform anonymised trend analysis to improve the App.

We do not use your data for marketing without your explicit consent.

5. Lawful Basis for Processing

We rely on the following lawful bases under UK GDPR:

  • Performance of a contract: to provide and maintain access to PRISM.
  • Legitimate interests: to improve the App, monitor performance, and ensure reliability.
  • Consent: when you voluntarily provide information or opt into specific features.

You may withdraw consent at any time by contacting us at hello@soterralabs.co.uk.

6. Third-Party Services

PRISM uses the following third-party services to operate:

6.1 Supabase

We use Supabase as our backend infrastructure provider. Supabase handles:

  • Database storage — all user-created data (crops, treatments, risk assessments) is stored in a Supabase-hosted PostgreSQL database.
  • Authentication — account creation, sign-in, and session management.
  • Edge Functions — server-side processing for certain App features.

Supabase's privacy policy is available at supabase.com/privacy.

6.2 Map Services

PRISM displays maps when you view or set a crop location:

  • Google Maps (Android) — used for map tile display on Android devices. Only standard map tile requests are made; no user data is shared with Google. Google's privacy policy: policies.google.com/privacy.
  • Apple Maps (iOS) — used for map tile display on iOS devices via Apple MapKit. Map tile requests are handled by Apple; no user data is shared. Apple's privacy policy: apple.com/privacy.

6.3 What We Don't Use

PRISM does not include any:

  • Analytics SDKs (e.g., Google Analytics, Mixpanel)
  • Advertising trackers or ad networks
  • Crash reporting services (e.g., Sentry, Crashlytics)

Data may also be accessed by authorised Soterra Labs personnel or contracted developers working under strict confidentiality agreements for maintenance or improvement purposes.

7. Data Storage and Security

We use appropriate technical and organisational measures to protect your data from unauthorised access, disclosure, alteration, or destruction. These include:

  • Encryption in transit — all communication between the App and our servers uses HTTPS.
  • Encryption at rest (local) — session tokens and local data are stored in encrypted MMKV storage on your device.
  • Row-Level Security — our Supabase database enforces Row-Level Security (RLS), ensuring that each user can only access their own data.
  • Restricted access — only authorised personnel can access backend systems.

Your data is stored on servers located within the United Kingdom or the European Economic Area (EEA), ensuring compliance with UK GDPR standards.

7.1 Data Breach Notification

In the event of a personal data breach that poses a high risk to your rights and freedoms, we will notify affected users without undue delay and no later than 72 hours after becoming aware of the breach, in accordance with UK GDPR Articles 33 and 34. Notification will be sent to the email address associated with your account, and will include the nature of the breach, the data affected, and the steps we are taking in response.

8. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes described in this policy or as required by law.

  • Active accounts: Your data is retained for the lifetime of your account to provide the App's services.
  • Account deletion: You can permanently delete your account and all associated data at any time from the Settings screen within the App. This triggers an immediate and permanent cascade deletion of all your data from our servers.
  • Sign-out: Signing out of the App clears your local session tokens from the device.
  • Backups: Server backups containing personal data are purged within 30 days of account deletion.

When data is no longer needed, it will be securely deleted or anonymised.

9. Your Data Protection Rights

Under the UK GDPR, you have the following rights:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate or incomplete data.
  • Erasure ("Right to be Forgotten"): Request deletion of your data. You can also delete your account directly from the Settings screen in the App, which will remove all of your data from our servers.
  • Restriction: Request limitation of data processing in certain circumstances.
  • Portability: Request transfer of your data to another service provider.
  • Objection: Object to certain types of processing (e.g., profiling).

To exercise any of these rights, visit our Account & Data Requests page or contact us at hello@soterralabs.co.uk. We will respond within one month as required by UK GDPR.

10. Children's Privacy

PRISM is intended for professional horticultural users and is not directed at individuals under 18.

We do not knowingly collect data from minors. If we discover that we have inadvertently collected such information, it will be deleted promptly.

PRISM may display or rely on information from third-party sources (e.g., pesticide manufacturers or regulatory bodies).

While we use reputable sources, we are not responsible for the privacy practices or content of those third parties.

Users should review the privacy policies of any external services they interact with.

12. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technologies, or legal obligations.

Any updates will be posted in the App and indicated by a new "Last updated" date. Continued use of PRISM after such changes constitutes acceptance of the revised Policy.

13. Contact Us

If you have questions about this Privacy Policy, your data, or wish to exercise your rights, please contact us:

Soterra Labs Limited (Company No. 16618829)
Email: hello@soterralabs.co.uk
Address: Research and Enterprise Services, Lancaster University, Bailrigg, Lancaster, United Kingdom, LA1 4YT

If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at www.ico.org.uk.

For our full Terms and Conditions, please visit our Terms and Conditions page.

To request account deletion or a copy of your data, visit our Account & Data Requests page.
