Record of Processing Activities (RoPA)
1. Purpose of This Document
This document serves as the Record of Processing Activities (RoPA) for Innovation Harvesters Inc. (d/b/a Homegrown) (“Company”). It documents how the Company collects, uses, stores, and processes personal data in compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR).
This RoPA is intended to ensure transparency, accountability, and lawful processing by identifying:
• The purposes of processing
• Categories of personal data and data subjects
• Legal bases for processing
• Service providers involved in processing
• Data retention practices
• Security and safeguarding measures
2. Data Controller Information
Data Controller:
Innovation Harvesters Inc. (d/b/a Homegrown)
Nature of Business:
Community-based eCommerce platform connecting local vendors and shoppers.
3. Categories of Data Subjects
• Registered Users (Vendors and Shoppers)
• Prospective Users
• Website Visitors
• Customers communicating with support
4. Categories of Personal Data Processed (High-Level)
• Contact information (name, email address)
• Account and profile data
• Order and transaction metadata
• Support communications
• Technical and usage data (IP address, device type, browser information)
5. Legal Bases for Processing (GDPR Art. 6)
Depending on the context, processing is based on one or more of the following:
• Performance of a contract (Art. 6(1)(b))
• Legitimate interests in operating, securing, and improving the platform (Art. 6(1)(f))
• Consent, where required for marketing or optional communications (Art. 6(1)(a))
• Legal obligations, where applicable (Art. 6(1)(c))
6. Data Retention (Global Statement)
Personal data is retained only for as long as necessary to fulfill the purposes for which it was collected, to comply with legal and regulatory obligations, or to maintain appropriate business records. Data is deleted or anonymized in accordance with the Company’s internal data retention policies.
7. International Data Transfers (Global Statement)
Some service providers may process personal data outside the European Economic Area (EEA), including in the United States. Where applicable, such transfers are safeguarded using appropriate mechanisms, including Standard Contractual Clauses (SCCs) or equivalent protections.
8. Security Measures (Global Statement)
The Company and its service providers implement appropriate technical and organizational safeguards, including encryption in transit and at rest, access controls, and monitoring, to protect personal data against unauthorized access, disclosure, or loss.
9. Service Providers and Processing Activities
Each service provider below acts as a data processor, unless otherwise stated.
Technical Service Providers
Google Cloud Platform
Purpose of Processing
Mapping and geolocation functionality.
How We Use the Service Provider
APIs are used to generate static and dynamic maps, which may involve processing location-based data.
Categories of Personal Data
Approximate location data derived from IP address or user-provided location.
Legal Basis
Legitimate interests (Art. 6(1)(f)).
Data Sharing
The Company does not share identifiable personal data directly with Google.
Microsoft Azure
Purpose of Processing
Hosting, storage, and infrastructure for the Website and Services.
How We Use the Service Provider
Azure is used to securely store and process application data, including databases, blob storage, and related services.
Categories of Personal Data
All platform data, including user account, order, and transactional information.
Legal Basis
Performance of a contract (Art. 6(1)(b)) and legitimate interests (Art. 6(1)(f)).
Security Measures
Data is encrypted in transit and at rest.
Sanity
Purpose of Processing
Content management.
How We Use the Service Provider
Sanity is used as a headless CMS for managing Website and Services content.
Categories of Personal Data
None directly.
Legal Basis
Legitimate interests (Art. 6(1)(f)).
Data Sharing
No user personal data is intentionally shared with Sanity.
Vercel
Purpose of Processing
Website hosting and deployment.
How We Use the Service Provider
Vercel hosts the public Website.
Categories of Personal Data
Incidental technical data (e.g., IP address in server logs).
Legal Basis
Legitimate interests (Art. 6(1)(f)).
OpenAI
Purpose of Processing
Content generation and analysis.
How We Use the Service Provider
Used internally for content generation and analysis workflows.
Categories of Personal Data
None intentionally shared.
Legal Basis
Legitimate interests (Art. 6(1)(f)).
SendGrid
Purpose of Processing
Transactional email delivery.
How We Use the Service Provider
Used to send order confirmations, account notifications, and service-related emails.
Categories of Personal Data
Email address, name, order details.
Legal Basis
Performance of a contract (Art. 6(1)(b)).
PayTheory
Purpose of Processing
Payment processing.
How We Use the Service Provider
PayTheory processes credit card transactions on behalf of the Company.
Categories of Personal Data
Payment method token, card type, last four digits, expiration date.
Legal Basis
Performance of a contract (Art. 6(1)(b)).
Note
The Company does not store full credit card numbers.
Google Analytics
Purpose of Processing
Website and platform analytics.
How We Use the Service Provider
Used to understand aggregate usage patterns and improve the Website.
Categories of Personal Data
Anonymized usage data, including IP address.
Legal Basis
Legitimate interests (Art. 6(1)(f)).
Marketing Service Providers
Mailchimp
Purpose of Processing
User surveys and feedback collection.
How We Use the Service Provider
Used to send surveys to users and collect responses.
Categories of Personal Data
Email address, survey responses.
Legal Basis
Consent (Art. 6(1)(a)).
Zoho (Email Marketing)
Purpose of Processing
Email newsletters.
How We Use the Service Provider
Used to send newsletters to users who have subscribed.
Categories of Personal Data
Email address.
Legal Basis
Consent (Art. 6(1)(a)).
Hotjar
Purpose of Processing
Website usage analytics and optimization.
How We Use the Service Provider
Used to analyze user interactions and identify usability issues.
Categories of Personal Data
Device type, operating system, browser, screen size, IP address.
Legal Basis
Legitimate interests (Art. 6(1)(f)).
Internal Tools
Microsoft Office
Purpose of Processing
Internal communications and documentation.
How We Use the Service Provider
Used for email, documents, spreadsheets, and internal collaboration.
Categories of Personal Data
Contact information and incidental personal data.
Legal Basis
Legitimate interests (Art. 6(1)(f)).
Jira
Purpose of Processing
Task and issue tracking.
How We Use the Service Provider
Used to manage internal work and track technical issues.
Categories of Personal Data
Incidental personal data related to debugging or support requests.
Legal Basis
Legitimate interests (Art. 6(1)(f)).
Slack
Purpose of Processing
Internal team communication.
How We Use the Service Provider
Used for internal messaging and collaboration.
Categories of Personal Data
Incidental personal data shared during internal discussions.
Legal Basis
Legitimate interests (Art. 6(1)(f)).
Intercom
Purpose of Processing
Customer support and incident management.
How We Use the Service Provider
Intercom is used to manage support communications, respond to inquiries, and resolve issues reported by users.
Categories of Personal Data
Email address, name (if provided), message content, attachments, technical metadata (IP address, device, browser).
Legal Basis
Performance of a contract (Art. 6(1)(b)) and legitimate interests (Art. 6(1)(f)).
10. Review and Updates
This RoPA is reviewed periodically and updated as necessary to reflect changes in processing activities, service providers, or applicable laws.