Privacy Policy
Last updated: July 16, 2026
1. About this policy and who we are
This Privacy Policy explains how personal data is processed in connection with the Shamba platform, our website, our mobile applications, and related services (together, the "Services"). It is a transparency notice provided under the General Data Protection Regulation (GDPR). It is not a contract, and it does not by itself set the legal basis for the processing carried out on behalf of the organizations that use Shamba.
Shamba is currently operated by Axiom Analytics ("Shamba", "we", "us", or "our"). Axiom Analytics is registered with the Netherlands Chamber of Commerce (KvK) under number 72367334 and has its business address at Lijndenstraat 26D, 1018 NV Amsterdam, the Netherlands. If the business is later transferred to a private limited company (B.V.), we will update this policy and, where required, notify affected organizations.
2. Our two roles: controller and processor
Shamba processes personal data in two distinct roles, and the role determines who is responsible and how you exercise your rights.
- As a processor. When an organization (for example a cooperative, producer group, NGO, company, or government programme, the "Customer") uses Shamba to record and manage information about its members, farmers, plots, and programmes, that Customer is the controller. It decides why and how the data is processed. We process that data (the "Customer Data") on the Customer's documented instructions under the Data Processing Terms in Annex 1 to our Terms of Service. We do not decide the purposes of that processing.
- As a controller. For a limited set of data we decide ourselves, we are the controller. This includes account and login information for the people who use the platform, website visitor data, support communications, security and audit logs, billing information, and our own marketing contacts.
Where we act as a processor, this policy describes our practices for transparency, but the responsible Customer's own privacy notice governs the processing. Sections that concern individual rights explain which party to contact.
3. Whose data this policy covers
- Authorized users of the platform, such as coordinators, field agents, and administrators invited by a Customer.
- Website visitors and people who contact us or request a demo.
- Farmers, members, and other participants whose information a Customer records in Shamba. These individuals usually do not have a Shamba account and often do not interact with us directly. Their information is generally provided to us by the Customer rather than collected from them by us (see Section 6).
4. Personal data we process
The categories below describe the data that may be processed through the Services. Not all of it applies to every person, and much of it is Customer Data that we process only as a processor.
- Account and identity data: name, email address and/or phone number (used to send one-time login codes), organization, role, and language preference.
- Farmer and participant data (Customer Data): names and contact details, household or membership details, identifiers assigned by the Customer, and, where the Customer records them, references to identity documents.
- Geospatial and farm data (Customer Data): plot boundaries and coordinates, farm attributes, crops, and related agricultural records.
- Field-collected data (Customer Data): survey responses, training records, input distributions, purchases, photos, and notes captured by field teams, including offline.
- Communications: messages, feedback, and support requests you send to us.
- Device and technical data: IP address, browser and operating system, device identifiers, and app version.
- Usage and log data: actions taken in the Services, timestamps, and security and audit logs.
- Location data: device location when a user actively uses location features such as mapping a plot.
- Cookies and similar identifiers: see Section 14.
A Customer may choose to record data that qualifies as a special category of personal data. Where it does, the Customer is responsible for identifying the appropriate legal basis and any additional conditions for that processing.
5. Purposes and legal bases
Where we act as a controller, we rely on the legal bases set out below. Where we act as a processor, the Customer determines the purpose and legal basis, and we process on its instructions.
| Purpose | Data | Legal basis | Our role |
|---|---|---|---|
| Hosting and managing farmer, plot, and programme records for a Customer | Customer Data | The Customer's own basis; we process on its instructions under the Data Processing Terms (Annex 1 to our Terms) | Processor |
| Creating accounts and authenticating users (one-time login codes) | Account and identity data | Performance of a contract and our legitimate interest in secure access | Controller |
| Securing the Services, preventing abuse, keeping audit logs | Device, usage, and log data | Legitimate interests (security) and legal obligation | Controller |
| Providing support and responding to requests | Contact and communications | Performance of a contract and legitimate interests | Controller |
| Operating and improving the Services using aggregated statistics and service telemetry | Aggregated and non-identifying technical data | Legitimate interests; identifiable Customer Data is not used for this without instruction | Controller / Processor |
| Website analytics and non-essential cookies, where used | Device, usage, and cookie data | Consent | Controller |
| Responding to demo requests and sending related communications | Contact data | Steps at your request and legitimate interests; consent for marketing where required | Controller |
| Meeting legal, tax, and accounting obligations | As required | Legal obligation | Controller |
6. Farmer and participant data
Most information about farmers and other participants is provided to us by a Customer, or collected by the Customer's field teams, rather than collected by us directly. For this data the Customer is the controller and decides the legal basis. That basis is often the performance of a contract or programme, the Customer's legitimate interests, or a legal obligation, and it is not necessarily consent. We do not assume that farmer data is collected on the basis of consent.
Because this data is generally not collected from the individual directly, the transparency obligations under Article 14 GDPR apply to the Customer as controller. The Customer is responsible for informing the individuals concerned, for example through a participant privacy notice, and for having a valid basis to record and share the data. Shamba supports the Customer in meeting these obligations but does not provide notices to participants on its own behalf.
7. How data is shared
7.1 Within the Customer's workspace
Customer Data is visible to the authorized users of that Customer according to the access the Customer configures, and only within the projects and records those users are permitted to see. It is shared with another organization only where the Customer, as controller, has arranged that sharing.
7.2 Subprocessors and service providers
We use a limited number of service providers to run the Services. See Section 8.
7.3 Legal requirements
We may disclose data where we are legally required to do so, for example in response to a valid order from a competent authority. Where we act as a processor and the request concerns Customer Data, we will, unless legally prohibited, inform the Customer rather than respond on our own account.
7.4 Business transfer
If the business operating Shamba is transferred, including a transfer of the Axiom Analytics business to a newly formed company, data may transfer as part of that business. We will provide notice and ensure the receiving entity is bound by equivalent protections.
8. Subprocessors
We engage subprocessors to provide parts of the Services. They act on our instructions and are bound by data protection terms. The categories are:
- Cloud hosting and database infrastructure
- Object and file storage
- Email and messaging delivery, including one-time login codes
- Map, satellite, and geospatial data providers
- Error monitoring and, where used, product analytics
A current list of named subprocessors is available to Customers on request. We will give Customers advance notice of a new or replacement subprocessor so that they can object, as set out in the Data Processing Terms in Annex 1 to our Terms of Service.
9. International transfers
We host and process personal data primarily within the European Economic Area (EEA). Some subprocessors, or Customers using the Services from outside the EEA, may involve processing in other countries. Where personal data is transferred outside the EEA to a country without an adequacy decision, we rely on appropriate safeguards, in particular the European Commission's Standard Contractual Clauses together with any additional measures needed. Customers may request information about the safeguards that apply to a specific transfer.
10. Retention
Where we are a controller, we retain data as follows, unless a longer period is required by law:
- Account data: for the life of the account, then deleted or anonymized within 90 days of account closure.
- Support communications: up to 24 months after the request is resolved.
- Security and server logs: up to 12 months.
- Demo and marketing contacts: until you object or withdraw consent, and in any case reviewed at least every 24 months.
- Billing and tax records: for the statutory retention period, which in the Netherlands is generally 7 years.
- Backups: held on a rolling basis and overwritten within approximately 35 days.
Where we are a processor, we retain Customer Data for the duration of the Customer's use of the Services and, after the agreement ends, we return or delete it in line with the Data Processing Terms in Annex 1 to our Terms of Service, subject to a short period for backups to expire.
11. Security
We take appropriate technical and organizational measures to protect personal data, taking into account the state of the art, the costs of implementation, and the risks involved. These measures include encryption of data in transit and at rest, access controls and authentication, logging, regular review of our practices, and procedures for handling security incidents. No service can be guaranteed to be completely secure, and we cannot promise absolute security, but we work to reduce risk and to respond promptly if an incident occurs.
12. Your rights
Subject to conditions in applicable law, you have the right to access your personal data and to request its rectification or erasure, to restrict or object to processing, to data portability, and, where we rely on consent, to withdraw that consent at any time.
How to exercise these rights depends on our role:
- Data where we are the controller (for example your account or a demo request): contact us using the details in Section 17.
- Farmer or participant data recorded by a Customer (data where we are a processor): the Customer is the controller. Please contact that organization. If a request reaches us, we will forward it to the responsible Customer and assist them in responding.
13. Automated decision-making
We do not make decisions producing legal or similarly significant effects about individuals based solely on automated processing. The Services may present indicators, validations, or analytics, for example a mapping or land-related indicator, but these are decision-support tools. Any decision about a farmer or participant, such as eligibility, payment, or programme participation, is made by the responsible Customer, which is expected to apply human judgment.
14. Cookies and similar technologies
We distinguish between our website and the authenticated platform.
- The platform uses only what is strictly necessary to run the Services and keep you signed in, such as session tokens and local storage. It does not use these for advertising.
- The website uses strictly necessary cookies and may use limited analytics. Non-essential cookies are set only with your consent, which you can give or refuse and later change. You can also control cookies through your browser settings.
15. Children and age
Shamba is a tool for organizations and their staff. Accounts are intended for people aged 18 or over, and we do not knowingly create accounts for children. Records that a Customer keeps about participants may in some programmes relate to young people. Where that is the case, the Customer, as controller, is responsible for having a valid legal basis and for any additional protections that apply to minors under applicable law.
16. Changes to this policy
We may update this policy as our practices or legal obligations change. We will post the updated version here and change the "Last updated" date. For material changes we will provide additional notice where appropriate, for example by email or in the platform. Because this policy is a transparency notice rather than a contract, continued use of the Services is not treated as acceptance of changes.
17. Contact and supervisory authority
For questions about this policy or to exercise your rights in respect of data for which we are the controller, contact us:
Axiom Analytics
Lijndenstraat 26D
1018 NV Amsterdam, the Netherlands
Chamber of Commerce (KvK): 72367334
Email: privacy@shamba.com
If you are in the EEA and believe your concern has not been resolved, you have the right to lodge a complaint with a data protection supervisory authority. In the Netherlands this is the Autoriteit Persoonsgegevens. If we act as a processor, complaints about Customer Data should ordinarily be directed to the Customer that controls the data.