Privacy Policy

1. Who we are

Cowchow is operated by Cowchow Labs Ltd. ("Cowchow", "we", "us"), a company registered in Ireland.

• Registered address: Ballycleary, Kilmore, Wexford, Y35 XW50, Ireland
• Company registration number (CRO): 810807
• Contact for privacy matters: hello@cowchow.io

We are the data controller for the personal data described in this policy.

2. Who this policy covers

• Farm owners — people who create a Cowchow account, manage their farm, and (optionally) pay for a subscription.
• Operators — people invited by a farm owner to log feedings via the mobile app, authenticated by a join code.
• Visitors — anyone browsing our website at cowchow.io.

3. What we collect and why

We only collect what we need to run the service. We do not sell your data, run advertising, or use third-party tracking.

3.1 Account information (farm owners)

When you sign up, we collect:

• Email address
• First and last name
• A password (stored only as a salted hash, never in plain text)
• A subscription status (free or paid) once you start a paid plan

Why: to identify you, secure your account, send you operational emails (account confirmation, password resets, billing receipts), and apply the correct plan limits.

Legal basis (GDPR): performance of a contract (Article 6(1)(b)).

3.2 Farm data you create

Inside the app, you create content: cow groups, ingredients, diets, feeding logs, and similar records. This data is yours; we store it on your behalf.

Why: to provide the service.

Legal basis: performance of a contract.

3.3 Operator authentication data

When a farm owner invites an operator, the operator scans a QR code or enters a 6-digit code to authenticate. The mobile app then stores a long-lived device token in the operating system's secure preferences area on the operator's phone.

We store, on our servers, the token's identifier (not the secret itself), the linked farm, and the date of last use.

Why: so operators don't have to re-authenticate every session.

Legal basis: performance of a contract (authentication); legitimate interest (maintaining persistent sessions for usability and security).

3.4 Payment information

Subscription payments are processed by Stripe Payments Europe, Ltd. (Dublin, Ireland). Stripe collects and stores card numbers, billing addresses, and payment metadata directly. We never see or store your full card details.

We do store a Stripe customer ID and subscription status returned to us by Stripe, so we know which plan you're on.

Why: to bill you correctly and provide the right level of service.

Legal basis: performance of a contract; compliance with legal obligations (tax, accounting).

3.5 Camera permission (mobile app)

The mobile app requests camera access to scan QR codes during operator onboarding. The camera image is decoded on the device and never leaves the device — we receive only the decoded text (the join code itself).

You can deny camera permission and enter the code manually instead.

Legal basis: consent (you grant the OS permission); performance of a contract once you use it.

3.6 Technical and log data

When you or your operators use the service, our servers automatically record:

• IP address
• Browser type and version (or app version, on mobile)
• Pages or screens accessed
• Timestamps and request paths
• Errors and exceptions encountered

We use this data to keep the service secure, debug problems, and understand how features are used.

Why: security, fraud prevention, debugging, service improvement.

Legal basis: legitimate interest (Article 6(1)(f)). You have the right to object to this processing at any time — see Section 7.

3.7 Cookies

We use a small number of strictly necessary cookies on our own domains:

• A session cookie that keeps you logged in
• A CSRF token cookie that protects form submissions

When you subscribe, we redirect you to Stripe's hosted checkout and customer portal pages. Stripe sets its own cookies on its own domains during that flow — those are governed by Stripe's Privacy Policy, not this one.

We do not use analytics cookies, advertising cookies, or third-party trackers. There is no cookie banner because no consent-required cookies are set on our pages.

4. Who we share data with

We use a small number of trusted service providers ("sub-processors") to operate the service. They process data on our behalf, under contract, and only for the purposes we instruct.

We have a Data Processing Agreement (DPA) in place with every sub-processor, as required by Article 28 of the GDPR. Each agreement requires the processor to act only on our documented instructions, keep personal data confidential, implement appropriate technical and organisational security measures, assist us with data subject requests and breach notifications, restrict their own use of further sub-processors, and return or delete personal data when our contract with them ends.

We do not share your personal data with any other third parties unless we are legally required to (e.g. by court order, subpoena, or to comply with tax law).

5. International transfers

Most of your data stays in the EU. Where a sub-processor is based outside the EU (Google, Apple), we rely on the European Commission's Standard Contractual Clauses (SCCs) as the legal basis for the transfer.

In addition to the SCCs, we apply supplementary safeguards: encryption in transit (HTTPS/TLS) and at rest, minimising the personal data shared with non-EU sub-processors to what is strictly necessary for their function, and periodic transfer impact assessments to identify and mitigate risks specific to the destination country. Where we identify a material risk we cannot mitigate, we seek an EU alternative.

You can request copies of the SCCs by emailing hello@cowchow.io.

6. How long we keep your data

When you delete your account, we permanently remove your personal data from our active systems within 30 days. Backups are deleted on the rolling cycle above. Some records (invoices, tax data) we are legally required to retain for longer; these are kept securely and not used for any other purpose.

7. Your rights

Under the GDPR, you have the right to:

• Access the personal data we hold about you
• Rectify inaccurate or incomplete data
• Erase your data ("right to be forgotten"), subject to legal retention obligations
• Restrict how we process your data
• Object to processing based on legitimate interest
• Portability — receive your data in a machine-readable format and transfer it elsewhere
• Withdraw consent at any time (for processing based on consent)
• Lodge a complaint with the Irish supervisory authority, the Data Protection Commission (www.dataprotection.ie)

To exercise any of these rights, email hello@cowchow.io. We'll respond within 30 days.

Account deletion

How to remove your Cowchow data depends on which type of user you are.

If you are a farm owner, you can delete your farm and all associated data — cow groups, ingredients, diets, feeding logs, and operator memberships — directly from the dashboard at dashboard.cowchow.io. Deletion is immediate and irreversible. Subscription cancellation is handled in the same place.

To also remove your user account itself (your login, email, and name) after deleting the farm, email hello@cowchow.io from your registered email address with the subject line "Delete my account".

If you are an operator (you joined a farm using a 6-digit code), your personal data on our servers is limited to your name, email, and the device authentication tokens that keep you signed in. You have two ways to remove it:

1. Ask the farm owner to revoke your membership from the dashboard.
2. Email hello@cowchow.io directly.

Feeding logs you've created belong to the farm, not to you personally; they remain part of the farm's records unless the farm owner deletes the farm itself.

In all cases, removal from our active systems is immediate when self-served from the dashboard, and within 30 days when handled via email. Backups follow the rolling cycle in section 6. Records we are legally required to retain (e.g. invoices for tax purposes) are kept securely under the retention rules in section 6 and not used for any other purpose.

8. Security

We protect your data with industry-standard measures:

• All traffic uses HTTPS with modern TLS
• Passwords are stored as salted hashes (PBKDF2)
• Database backups are encrypted at rest
• Access to production systems is restricted to authorised personnel using two-factor authentication
• Application errors are monitored, with notice procedures in place for security incidents

If a breach occurs that is likely to result in a risk to your rights, we will notify the Data Protection Commission within 72 hours and, where required, notify you directly without undue delay.

9. Children

Cowchow is a tool for farm businesses. It is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has provided us with data, contact us and we will delete it.

10. Changes to this policy

We may update this policy from time to time. When we make material changes, we will:

• Post the updated policy on this page with a new "Last updated" date
• Notify active account holders by email at least 14 days before the changes take effect

Your continued use of Cowchow after the effective date constitutes acceptance of the updated policy.

11. Contact

For any privacy-related question, request, or complaint:

If you are not satisfied with our response, you can lodge a complaint with the Data Protection Commission at www.dataprotection.ie.