Privacy Policy

Last updated: February 23, 2026 (Round 8 Hardening)  |  Effective: February 23, 2026

1. Introduction and Scope

Country Road Drone Services, LLC ("Company," "we," "us," or "our") operates the DroneCommand agricultural spray operations management platform, available at dronecommand.online and related subdomains (the "Service"). This Privacy Policy explains how we collect, use, store, share, and protect personal information and other data in connection with the Service.

This Privacy Policy applies to:

• Account holders and account administrators ("Customers") who register for DroneCommand;
• Authorized users (pilots, managers, accountants, and other staff) who access the Service under a Customer's account;
• Individuals whose information is entered into the Service by a Customer (such as employees, contractors, and landowners);
• Visitors to our marketing website at countryroaddroneservices.com and dronecommand.online.

By using the Service, you consent to the practices described in this Privacy Policy. If you do not agree, please do not use the Service.

This Privacy Policy does not cover the practices of third-party services linked to or integrated with the Service, including Stripe, DriftWatch, Iowa BeeCheck, or weather data providers. Their respective privacy policies govern data they collect.

2. Information We Collect

We collect information in the following categories:

2.1 Account and Identity Information

• Full name and professional title;
• Business name, legal entity type, and business address;
• Email address (primary contact and login);
• Phone number;
• Account password (stored as a one-way cryptographic hash — we cannot recover your password);
• User role and permission level within your organization;
• Date account was created and last accessed.

2.2 Billing and Payment Information

• Subscription plan, billing cycle, and subscription status;
• Billing name and billing address (required for tax calculation);
• Stripe customer ID (a reference identifier linking your account to your Stripe payment profile);
• Transaction history: dates, amounts, plan, and payment status (success or failure);
• Invoice records.

We never collect, store, see, or process your full credit card numbers, card security codes (CVV/CVC), bank account numbers, or routing numbers. All payment method data is collected directly by and stored exclusively with Stripe, Inc. We receive only tokenized references and transaction confirmation data from Stripe.

2.3 Operational and Agricultural Data

The core data you create and manage through the Service includes:

• Spray operation records: Date, time, field location, product(s) applied, application rates, tank mixes, carrier volume, application method, weather conditions at time of spray, pilot name, drone identifier, and all other fields included in a spray record;
• Field and property records: Farm names, field names, landowner names and contact information, GPS coordinates, field boundary polygons, acreage calculations;
• Customer and landowner records: Names, addresses, phone numbers, email addresses, and notes;
• Chemical and product inventory: Product names, EPA registration numbers, application rates, inventory levels, lot numbers, and usage records;
• Job records: Job creation dates, dispatch information, assigned pilots, completion status, notes, and invoicing status;
• Invoice and financial records: Invoice amounts, job costs, payment status, and billing correspondence.

2.4 Usage and Technical Data

When you use the Service, we automatically collect:

• IP address and approximate geographic location (derived from IP);
• Browser type, version, and language;
• Operating system and device type;
• Pages and features accessed, time spent, and clickstream data;
• Session start and end times;
• Error logs, performance metrics, and diagnostic data;
• Referral source (how you arrived at the site).

This data is used to maintain, improve, and troubleshoot the Service and to detect security threats. We do not use it to build advertising profiles or sell it to advertisers.

2.4a Prohibited Data Categories

DroneCommand is not designed or authorized to store the following categories of sensitive personal data. Customers are prohibited from entering these data types into any field of the Service (see also Terms of Service Section 23.6):

• Protected health information (PHI) as defined by HIPAA — including medical diagnoses, treatment information, medication records, or any individually identifiable health information;
• Social Security numbers or other government-issued identification numbers (other than professional license numbers required for regulatory compliance);
• Payment account numbers (bank accounts, full credit card numbers) — Stripe handles payment data separately;
• Biometric identifiers.

We are not a HIPAA Business Associate and have not executed any Business Associate Agreement. If you enter prohibited data types into the Service, you do so in violation of our Terms and bear sole responsibility for any resulting privacy law violations.

2.5 Communications

When you contact us for support or other purposes, we collect: the content of your message or inquiry; email correspondence; and any attachments or screenshots you provide. We retain these records to resolve issues and improve our support.

2.6 Marketing Website

On our public marketing website (countryroaddroneservices.com, dronecommand.online), we may collect your name and email address if you submit a contact form or request a demo. We use this information to respond to your inquiry and, with your consent, send product updates. You may opt out of marketing emails at any time.

3. Geospatial and Agricultural Data — Special Considerations

DroneCommand handles GPS coordinates, field boundary data, and other geospatial information that is sensitive for agricultural businesses. We treat this data with particular care:

3.1 Field and Location Data

GPS coordinates and field boundary data you enter represents the locations of fields you operate or service. This data is: stored in our secure multi-tenant database; accessible only to Authorized Users within your account (subject to your role-based access controls); not shared with other DroneCommand customers, competitors, or third parties except as required by law or as described in Section 7; not used by us to analyze agricultural markets, track commodity trends, or for any purpose other than providing the Service to you.

3.2 Spray Records as Regulatory Records

Spray application records created in DroneCommand may constitute legally required regulatory records under Iowa Administrative Code Chapter 45.26 and equivalent statutes. You acknowledge that: you are solely responsible for the completeness, accuracy, and regulatory adequacy of records created in the Service; we do not verify or certify the compliance of records; we retain Regulatory Records for the minimum period required by applicable law (currently three years under Iowa IAC 45.26) for internal compliance purposes only, not as a service to you; and after account deletion, you will not have access to retained regulatory records — export your records before canceling.

3.3 DriftWatch and Apiary Data

When you use the DriftWatch or Iowa BeeCheck integrations, we query those services with your field location data to retrieve nearby sensitive crop and apiary registrations. We do not store the query results long-term beyond what is needed to display them to you in real time. We do not share your field coordinates with DriftWatch beyond what is necessary to perform the lookup.

3.5 DriftWatch Display Is Not a Safe-to-Spray Determination

IMPORTANT — DRIFTWATCH AND IOWA BEECHECK DISPLAY: When DroneCommand displays DriftWatch or Iowa BeeCheck results — including any indication such as "no sensitive crops found," "no registered apiaries nearby," or any visual map overlay — this display is provided for informational purposes only. It does NOT constitute a determination, recommendation, certification, or indication that it is safe, legal, or advisable to spray in that location. Specifically, such a display does NOT mean:

• That all sensitive crops, organic operations, or apiaries within the affected area are registered with FieldWatch or Iowa BeeCheck — registration is voluntary and many operations are not registered;
• That drift will not affect unregistered neighboring crops, apiaries, or natural areas;
• That you have satisfied your notification, consultation, or buffer zone obligations under applicable law;
• That the data displayed is current, accurate, or complete;
• That spraying is appropriate given current wind, temperature, or other environmental conditions.

You remain solely responsible for independently verifying conditions, providing required notifications to neighbors, complying with all setback and buffer zone requirements, and making all spray/no-spray decisions based on actual field conditions and your own professional judgment.

3.4 Agronomic Data Confidentiality

We recognize that crop types, field layouts, customer lists, and spray records may represent competitively sensitive business information. We do not use your operational data for any commercial purpose other than providing the Service. We do not sell, license, or share your operational data for market research, agronomic analytics, or any other commercial purpose.

4. Employee and Personnel Data

When you enter data about your employees, pilots, contractors, or other staff into DroneCommand (including names, contact information, time records, payroll data, hours worked, and certifications), the following applies:

4.1 You Are the Data Controller

With respect to personal data of your employees and contractors entered into the Service, you (the Customer) are the data controller under applicable privacy law, and we act as a data processor on your behalf. This means: you determine the purpose and scope of processing employee data; you are responsible for ensuring that processing is lawful (e.g., that you have a valid legal basis); you are responsible for providing required privacy notices to your employees about data processing through DroneCommand; and you are responsible for responding to employee rights requests relating to their personal data.

4.2 Our Role as Data Processor

We process employee personal data solely to provide the features of the Service (time tracking, payroll reporting, job dispatch, pilot assignment, etc.) as directed by you. We do not use employee personal data for any other purpose. We do not share employee personal data with third parties except as described in Section 7 and Section 8.

4.3 Your Obligations

You represent and warrant that you have obtained all legally required consents, provided all required notices, and have a lawful basis to process the personal data of your employees and contractors that you enter into the Service. You agree to indemnify us from any claims arising from your failure to comply with applicable employment or privacy law with respect to employee data processing.

4.4 Third-Party Data Subjects — Landowners, Farmers, and Customer Contacts

When you enter personal information about individuals who are not DroneCommand customers — including landowners whose fields you spray, farmers who hire your services, and other third-party contacts — into the Service, we process that information solely on your behalf as a data processor. You are the data controller for that information.

If one of those individuals contacts us seeking access to, correction of, or deletion of personal information you have entered about them into your DroneCommand account, we will:

• Forward their request to you promptly, as you are the data controller with decision-making authority over that data;
• Cooperate with your instructions regarding the request, subject to our legal obligations;
• Not unilaterally delete data from your account in response to a third-party request without your authorization, unless required to do so by a court order or applicable law — because that data may include regulatory records we are not authorized to destroy;
• Direct the individual to you as the appropriate party to respond to their privacy rights request.

You are responsible for: notifying landowners and third-party contacts that their information is stored in a cloud-based platform as part of your normal service disclosures; having a lawful basis for that processing; responding to privacy rights requests from those individuals; and ensuring your use of the Service to process third-party personal data complies with all applicable privacy laws (Iowa ICDPA, CCPA if applicable, and any other applicable law). See also Terms of Service Section 52.

5. How We Use Your Information

We use information collected through the Service for the following purposes:

5.1 Providing and Operating the Service

• Creating and maintaining your account;
• Processing subscription payments and managing billing;
• Storing, displaying, and enabling management of your spray records, field data, inventory, and other operational data;
• Generating reports, invoices, PDFs, and compliance documents;
• Enabling role-based access control for your team;
• Processing DriftWatch and Iowa BeeCheck lookups;
• Providing data export functionality.

5.2 Communications

• Sending transaction confirmations, invoices, and payment receipts;
• Sending payment failure notices, renewal reminders, and billing notifications;
• Sending account security alerts (e.g., password resets, unusual login activity);
• Responding to support requests;
• Sending product updates, feature announcements, and service notifications (opt-out available for non-essential communications).

5.3 Improving the Service

• Analyzing usage patterns (in aggregate and anonymized form) to understand how the Service is used and to identify opportunities for improvement;
• Debugging errors and resolving technical issues;
• Conducting internal research and development.

5.4 Security and Fraud Prevention

• Detecting and preventing unauthorized access, fraud, and abuse;
• Monitoring for suspicious activity and security threats;
• Enforcing our Terms of Service and Acceptable Use Policy.

5.5 Legal Compliance

• Retaining records as required by applicable law, including Regulatory Records under Iowa IAC 45.26;
• Retaining transaction records for tax and accounting purposes;
• Responding to valid legal process (subpoenas, court orders, regulatory requests);
• Asserting or defending legal claims.

5.5a Operational Data Limitations — Insurance, Labor, and Legal Proceedings

Your operational data stored in DroneCommand — including spray records, time records, acreage calculations, and financial records — may be relevant in third-party proceedings including insurance claims, wage disputes, regulatory audits, and civil litigation. We want to be clear about our role:

• Insurance claims: We do not certify spray records for crop insurance purposes. Records are only as accurate as what you entered. Discrepancies between DroneCommand records and other evidence are your concern, not ours;
• Labor/wage disputes: Time records in DroneCommand are only as accurate as what you or your staff entered. We are not responsible for compensation decisions made based on that data;
• Legal proceedings: We may be required to produce your records in response to valid legal process. We are not your advocate in any proceeding and will comply with legal process directed at us.

5.6 What We Do Not Do

We do not: sell your personal information to third parties; use your data for advertising or ad targeting; share your operational data (spray records, field locations, customer lists) with third parties for commercial purposes; use your data to train artificial intelligence or machine learning models without your express opt-in consent; or use your data to build products or services that compete with your business.

Operational Emails Not Used for Marketing: Email addresses stored in your operational records — including email addresses you enter for your customers, landowners, pilots, or employees — are used solely for the purpose of delivering the features of the Service (e.g., sending invoices or notifications to your customers on your behalf, or delivering job-related communications to your pilots, if such features are enabled). These email addresses are never used by us to send marketing communications, product promotions, or solicitations from us to your contacts. We recognize that your customer list is proprietary business information.

5.7 We Do Not Certify, Validate, or Approve Records

Processing, storing, and displaying your spray records and other operational data through DroneCommand does NOT constitute certification, validation, verification, or approval of those records for any regulatory, legal, insurance, or other purpose. We do not review your records for accuracy or completeness. We do not represent to any third party — including IDALS, EPA, FAA, insurers, or courts — that your records are accurate, complete, or compliant. The act of entering data into DroneCommand does not make that data more or less reliable than data maintained in any other format. You are solely responsible for the accuracy and completeness of data you enter.

6. Legal Basis for Processing

Where applicable law (such as the GDPR) requires us to identify a legal basis for processing personal data, we rely on the following:

Processing Activity	Legal Basis
Creating and maintaining your account	Performance of contract (providing the Service you subscribed to)
Processing payment and billing	Performance of contract; legal obligation (tax records)
Storing and processing operational data (spray records, field data)	Performance of contract
Sending transactional emails (receipts, alerts, notifications)	Performance of contract; legitimate interests
Sending marketing/product update emails	Consent (you may opt out at any time)
Fraud detection and security monitoring	Legitimate interests (protecting our platform and users)
Improving the Service (aggregate analytics)	Legitimate interests (improving our product)
Retaining Regulatory Records (spray records)	Legal obligation (Iowa IAC 45.26 and equivalent state laws)
Retaining transaction records	Legal obligation (U.S. tax and accounting law)
Responding to legal process	Legal obligation; legitimate interests (asserting/defending legal claims)

7. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information. We may share your information only in the following circumstances:

7.1 Service Providers (Subprocessors)

We share information with third-party service providers who assist us in operating the Service. These providers are contractually bound to use your data only as directed by us, to maintain appropriate security measures, and not to use it for their own commercial purposes. See Section 8 for our current subprocessor list.

7.2 Stripe (Payment Processing)

To process your subscription payment, we share your name, email address, and billing address with Stripe, Inc. Stripe independently collects your payment method details directly from you through their secure payment forms. Stripe's use of your data is governed by the Stripe Privacy Policy. We receive from Stripe: transaction confirmations, subscription status updates, your Stripe customer ID, and the last four digits and card type of your payment method (for display purposes only).

7.3 DriftWatch and Iowa BeeCheck

When you use the DriftWatch or Iowa BeeCheck integration, your field coordinates are transmitted to those services to retrieve nearby sensitive crop and apiary registrations. These queries are performed in real time; we do not permanently transmit your identity or full operational profile to these services. Their respective terms and privacy policies apply.

7.4 Legal Requirements and Government Process

We may disclose your information when required by law or legal process, including in response to:

• Valid subpoenas, court orders, search warrants, or other compulsory legal process;
• Requests from regulatory authorities (Iowa Department of Agriculture and Land Stewardship, EPA, FAA, or other government agencies) with lawful authority;
• Emergency situations involving an imminent threat to life or safety.

Notification: Where legally permitted, we will attempt to notify you before complying with such a request so you may seek a protective order or other relief. However, in some circumstances applicable law prohibits advance notification — for example, National Security Letters issued under 18 U.S.C. § 2709 include mandatory nondisclosure requirements. In those cases, we are legally prohibited from notifying you, and our failure to notify you does not constitute a violation of this Privacy Policy or these Terms.

Challenge: We will use commercially reasonable efforts to challenge requests that appear overbroad, improperly issued, or legally defective, to the extent we are permitted to do so under applicable law.

Compliance with valid legal process is not a breach of this Privacy Policy. We are not liable for disclosures made pursuant to valid legal process.

7.5 Protection of Rights

We may disclose information when we reasonably believe it is necessary to: investigate or prevent fraud, security threats, or violations of our Terms; protect the rights, property, or safety of Country Road Drone Services, LLC, our users, or the public; or enforce our Terms of Service.

7.6 Business Transfer

In the event of a merger, acquisition, sale of all or substantially all assets, corporate reorganization, or bankruptcy, your information may be transferred to the acquiring entity or successor. We will provide notice of any such transfer and, if applicable, inform you of any material changes to this Privacy Policy. If the acquiring entity intends to use your data in ways materially different from those described here, we will provide you with a choice before your data is subject to the different policies.

7.7 With Your Consent

We may share your information with third parties for purposes not described here if we have your explicit consent to do so.

8. Subprocessors

We use the following categories of third-party service providers (subprocessors) in connection with the Service:

Category	Purpose	Data Shared
Stripe, Inc.	Payment processing, subscription management, tax calculation	Name, email, billing address; payment method (stored only by Stripe)
Cloud Hosting Provider	Platform hosting, database storage, computing infrastructure	All User Data (encrypted at rest)
Email Service Provider	Delivery of transactional and notification emails	Name, email address, email content
FieldWatch / DriftWatch (Purdue University)	Sensitive crop and specialty crop registry lookup	Field coordinates (for lookup queries only)
Iowa BeeCheck (Iowa Honey Producers Association)	Beekeeper registry lookup	Field coordinates (for lookup queries only)
Weather Data Provider(s)	Weather data for operational planning	Field coordinates or zip codes (for weather queries)
Error Monitoring / Logging Service	Application error detection and debugging	Technical error data, anonymized usage context

We review our subprocessors to ensure they maintain appropriate data protection standards. We will update this list if we add material new subprocessors and will provide notice of significant changes to subprocessors that handle your personal data.

9. Multi-Tenant Data Isolation

DroneCommand is a multi-tenant platform. Each Customer organization operates in a logically isolated data environment ("tenant"). This means:

• Your organization's data — including spray records, field data, customer lists, and employee information — is logically separated from data belonging to other DroneCommand customers;
• Authorized Users within your account can only access data for which they have been granted permission by your account administrator, according to your configured role-based access controls;
• Our staff can access your data only where necessary to provide support, troubleshoot issues, or comply with legal obligations, and access is logged and controlled;
• No other Customer is authorized to access or view your data, and we maintain technical and access control mechanisms designed to enforce that separation.

While we implement robust technical controls to enforce tenant isolation, no software system is infallible. We do not represent that cross-tenant data access is technically impossible under all failure conditions — we represent that it is unauthorized and that we implement controls to prevent it. In the event of a data isolation failure that exposes your data to another tenant — whether caused by a software bug, configuration error, or any other cause — we will: (a) investigate and remediate upon discovery; (b) notify you in accordance with Section 20; and (c) take appropriate corrective action. Our liability for cross-tenant data exposure caused by a software defect in our platform is subject to the limitation of liability provisions in our Terms of Service, but we do not disclaim responsibility for isolation failures caused by our own software defects.

10. Data Security

We implement appropriate technical and organizational security measures designed to protect your data against unauthorized access, disclosure, alteration, and destruction.

10.1 Technical Measures

• Encryption in Transit: All data transmitted between your browser and our servers is protected with TLS 1.2 or higher (HTTPS). We do not permit unencrypted HTTP connections to the Service.
• Encryption at Rest: Sensitive data fields in our database are encrypted at rest using industry-standard encryption algorithms.
• Password Security: Passwords are stored using a one-way cryptographic hash with a unique salt. We cannot retrieve your plain-text password.
• Payment Data: Payment card data never passes through our servers. All payment information is handled directly by Stripe, a PCI DSS Level 1 Certified Service Provider.
• Multi-Tenant Isolation: Strict technical controls separate data between customer tenants (see Section 9).
• Access Controls: Role-based access controls limit employee and administrator access to User Data on a need-to-know basis. All staff access to customer data is logged.
• Infrastructure Security: Our hosting infrastructure is protected by firewalls, intrusion detection systems, and automated security monitoring.
• Backups: Regular automated database backups with geographic redundancy. Backup data is encrypted.

10.2 Organizational Measures

• Access to production systems is restricted to authorized personnel on a need-to-know basis;
• Employees and contractors who access Customer data are subject to confidentiality obligations;
• We conduct security reviews of our infrastructure and code as we deem appropriate given the size and nature of our operations;
• Access to Customer data by our staff is logged and subject to internal access controls.

10.3a Insider Threat Limitations

While we implement internal controls to prevent unauthorized access to Customer data by our own personnel, we cannot guarantee that all insider threats will be detected or prevented. In the event that an employee, contractor, or other person with authorized system access abuses that access to view, copy, exfiltrate, or misuse Customer data, we will: (a) investigate upon discovery; (b) take immediate remediation steps including revoking access; (c) notify affected Customers in accordance with Section 20; and (d) cooperate with law enforcement. However, our liability for insider data breaches is subject to the limitation of liability provisions in the Terms of Service. We are not liable for harm caused by a rogue employee's unauthorized conduct beyond what our reasonable organizational controls should have prevented — specifically, we are not liable for insider threats that: (i) circumvented reasonable access controls; (ii) involved unauthorized use of legitimately-granted access in ways we could not reasonably anticipate; or (iii) occurred despite reasonable monitoring and access restriction practices.

10.3 Limitations and No Warranty of Security

No security system is 100% impenetrable, and we do not warrant or guarantee the security of your data. While we implement security measures we consider reasonable and appropriate for our platform, we cannot and do not guarantee that: unauthorized parties will never gain access to your data; security measures will prevent all data breaches; our measures meet any specific security standard or certification level; or our infrastructure will be free from vulnerabilities. Risks include sophisticated cyberattacks, zero-day vulnerabilities, social engineering attacks, and other threats beyond our complete control. This Section 10 describes security measures we employ as of the date of this policy; it does not create any contractual commitment or warranty that these specific measures are in place at any given time. We update and change our security practices over time, and the specific measures described may change without updating this Policy.

You are responsible for: maintaining the security of your account credentials; using strong, unique passwords not used on other services; enabling any two-factor authentication features we may offer; logging out of your account on shared or public devices; not sharing your credentials with unauthorized persons; and promptly reporting suspected unauthorized access to [email protected].

10.4 Social Engineering and Support Impersonation

Social engineering attacks — in which an attacker impersonates a legitimate account holder to obtain account access through our support channels — are a known security risk. Our support procedures include identity verification steps designed to reduce this risk. However, no verification process is foolproof, and we are not liable for account access granted in good faith to a party who successfully impersonated you through our support channels using information they obtained independently.

To reduce this risk: (a) never share your account credentials with anyone, including people claiming to be our support staff — we will never ask for your password; (b) if you contact our support team, be prepared to verify your identity using account details that only you would know; (c) if you receive unsolicited contact from someone claiming to be our support staff and requesting access to your account, treat it as a potential phishing attempt and contact us directly at [email protected] to verify; and (d) if you believe your account was accessed through a social engineering attack, contact us immediately. We will investigate and take remediation steps. Our liability for account takeovers resulting from successful social engineering is subject to the limitation of liability provisions in our Terms of Service, including circumstances where such an attack circumvented our reasonable verification procedures.

11. Data Retention Schedule

We retain different categories of data for different periods, based on operational necessity and legal requirements:

Data Category	Retention Period	Reason
Account and user profile data	Duration of active account, then 60 days	Operational necessity; post-cancellation export window
Spray operation records (Regulatory Records)	Minimum 3 years from date of record	Iowa Administrative Code Chapter 45.26 and equivalent state laws; retained even after account deletion
All other operational data (field records, inventory, customer records, time records)	Duration of active account, then 60 days	Operational necessity
Payment transaction records and invoices	7 years from transaction date	U.S. federal and state tax and accounting requirements
Usage and technical logs	Up to 12 months	Security monitoring, debugging
Support communications	3 years from the date of creation of the support record (not from the date of the most recent interaction — the clock does not reset with each new contact on the same account)	Dispute resolution, service improvement. Each support interaction creates a record retained 3 years from that record's creation. Subsequent contacts on unrelated topics create new records with their own 3-year periods; they do not extend the retention period of earlier records.
Free trial account data (non-converted)	60 days after trial expiration	Post-trial export window; then permanently deleted
Marketing contact inquiries	Until opt-out plus 30 days	Marketing communications

Important: After the applicable retention period, data is permanently and irreversibly deleted from our production systems. We are not able to recover deleted data. Export your data before canceling your account.

Regarding Retained Regulatory Records: Spray application records retained after account deletion are maintained in an archived state solely for legal compliance purposes. They are not accessible to you after account deletion and cannot be used to restore your account or provide you with access to any data. If you need records for a regulatory audit, export them before canceling.

12. Cookies and Tracking Technologies

We use the following types of cookies and similar technologies in the Service:

Cookie Type	Purpose	Can You Disable?
Essential Session Cookies	Authentication and login state management. Required for the platform to function.	No — disabling will prevent login and use of the platform
CSRF Protection Tokens	Security tokens to prevent cross-site request forgery attacks. Required for security.	No — required for security
Preference Cookies	Remember user interface preferences (e.g., dismissed notifications, display settings).	Yes — clearing browser cookies removes these without affecting core functionality

What we do NOT use: We do not use third-party advertising cookies, cross-site tracking cookies, analytics cookies that report to third-party advertising networks, or any cookies for behavioral advertising or audience profiling within the application.

On our public marketing website, we may use basic analytics to understand page traffic (such as page view counts and referring sources). If we use such analytics, they will be privacy-respecting tools that do not build individual user profiles. We do not use Google Analytics or Meta Pixel on the DroneCommand application itself.

13. Your Privacy Rights — General

Regardless of your location, you have the following rights with respect to your personal data:

13.1 Right of Access

You may request a copy of the personal data we hold about you. Most of your operational data is directly accessible within the Service dashboard. For a comprehensive data export, use Settings → Export Data, or contact us.

13.2 Right to Correction

You may correct inaccurate or incomplete personal data at any time through your account settings or through the data entry tools within the Service. Note: we do not allow editing of spray records after they are finalized, as they are Regulatory Records subject to immutability requirements under Iowa IAC 45.26. For correction requests involving Regulatory Records, contact us at [email protected].

13.3 Right to Deletion

You may request deletion of your account and associated personal data. We will delete non-regulatory data upon receiving a valid deletion request. However, we cannot delete: Regulatory Records required to be retained by law; transaction records required for tax compliance; or data subject to a legal hold or litigation preservation obligation. To request deletion, contact [email protected].

13.4 Right to Export / Portability

You may export your data at any time through Settings → Export Data in PDF, CSV, and Excel formats. This includes spray records, field records, customer records, and inventory records.

13.5 Right to Opt Out of Marketing

You may opt out of non-essential marketing emails at any time by clicking the unsubscribe link in any email or by contacting us at [email protected]. You cannot opt out of essential transactional communications (payment receipts, payment failure notices, security alerts, account notifications) as these are necessary for the operation of your account.

13.6 How to Exercise Your Rights

To exercise any of your privacy rights, contact us at [email protected]. We will respond within thirty (30) days of receipt (or within the timeframe required by applicable law). We may need to verify your identity before processing certain requests. We will not discriminate against you for exercising your privacy rights.

14. California Residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with additional rights regarding your personal information.

14.1 Categories of Personal Information Collected

In the preceding 12 months, we have collected the following categories of personal information:

• Identifiers: Name, email address, IP address, account identifiers;
• Commercial Information: Subscription plan, purchase history, billing information;
• Professional / Employment Information: Business name, professional role, employee records entered by Customers;
• Internet or Other Electronic Network Activity: Usage logs, pages visited, features used, error logs;
• Geolocation Data: IP-derived approximate location; GPS field coordinates and field boundary data entered by Customers;
• Inferences: Account activity patterns used for security monitoring.

We do not collect: Social Security numbers; financial account numbers (processed by Stripe); precise real-time geolocation from mobile devices; biometric data; or data from minors under 16.

14.2 Purposes of Collection

We collect personal information for the purposes described in Section 5 of this Privacy Policy.

14.3 Sharing / Disclosure of Personal Information

We disclose personal information to service providers (subprocessors) as described in Sections 7 and 8. We do not sell personal information within the meaning of the CCPA. We do not share personal information for cross-context behavioral advertising.

14.4 California-Specific Rights

• Right to Know: You have the right to know what personal information we collect, use, disclose, and sell about you;
• Right to Delete: You have the right to request deletion of personal information we collected from you, subject to certain exceptions (including retention required by law);
• Right to Correct: You have the right to request correction of inaccurate personal information;
• Right to Opt-Out of Sale or Sharing: We do not sell or share personal information for behavioral advertising. No opt-out is required, but you may submit a request to confirm;
• Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information (to the extent applicable under CPRA) beyond what is necessary to provide the Service;
• Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA/CPRA rights.

14.5 Submitting Requests

California residents may submit requests by contacting us at [email protected]. We will verify your identity and respond within 45 days (extendable by an additional 45 days with notice). You may designate an authorized agent to submit requests on your behalf.

15. EU and UK Residents (GDPR / UK GDPR)

DroneCommand is primarily designed for U.S.-based agricultural drone operators. We do not currently market to individuals in the European Economic Area (EEA) or United Kingdom (UK). However, to the extent any EEA or UK residents use the Service, the following applies:

15.1 Data Controller

Country Road Drone Services, LLC, 3308 330th St, Smithland, IA 51056, USA ([email protected]) acts as the data controller for personal data collected directly from users. For personal data entered by Customers on behalf of their employees, the Customer is the data controller and we act as data processor.

15.2 GDPR Rights

EEA and UK residents have the following rights under the GDPR / UK GDPR:

• Right of access (Art. 15 GDPR): Obtain a copy of your personal data;
• Right to rectification (Art. 16 GDPR): Correct inaccurate personal data;
• Right to erasure / "right to be forgotten" (Art. 17 GDPR): Request deletion, subject to legal retention obligations;
• Right to restriction of processing (Art. 18 GDPR): Request that we limit processing in certain circumstances;
• Right to data portability (Art. 20 GDPR): Receive your data in a structured, machine-readable format;
• Right to object (Art. 21 GDPR): Object to processing based on legitimate interests;
• Right not to be subject to automated decision-making (Art. 22 GDPR): See Section 19.

15.3 International Data Transfers

Your personal data is processed and stored in the United States. If you are located in the EEA or UK, your data will be transferred to and processed in the United States, which is not deemed to provide an equivalent level of data protection as the EEA or UK. We rely on Standard Contractual Clauses (SCCs) as the legal mechanism for international data transfers where required. Contact us for more information.

15.4 Supervisory Authority

EEA residents have the right to lodge a complaint with their national data protection supervisory authority. UK residents have the right to lodge a complaint with the Information Commissioner's Office (ICO).

16. Iowa and Other U.S. State Residents

Iowa enacted the Iowa Consumer Data Protection Act (ICDPA), which may provide Iowa residents with certain rights regarding personal data. As our business is based in Iowa and primarily serves Iowa-based businesses, we aim to comply with the ICDPA's requirements, including:

• Right to access personal data we process about you;
• Right to delete personal data provided by you (subject to retention exceptions);
• Right to portability: Obtain a copy of your personal data in a portable and readily usable format;
• Right to opt out of targeted advertising and sale of personal data: We do not engage in targeted advertising or sell personal data.

Iowa residents may submit rights requests to [email protected]. We will respond within 90 days as required by the ICDPA. If you are a resident of another U.S. state with a consumer data protection law (Virginia, Colorado, Connecticut, Texas, etc.), you may have similar rights; contact us for assistance.

17. Children's Privacy (COPPA)

The Service is not directed to children under 13 years of age, and we do not knowingly collect personal information from children under 13. Account holders must be at least 18 years of age. If you believe we have inadvertently collected personal information from a child under 13, please contact us at [email protected] immediately, and we will take steps to delete such information as required by the Children's Online Privacy Protection Act (COPPA).

Regarding Authorized Users: Customers are responsible for ensuring that individuals added to their accounts as Authorized Users are at least 18 years of age (or 16, the minimum working age for light agricultural work under federal law, if applicable to your operations). We do not verify the ages of individual Authorized Users; this responsibility rests with the Customer.

18. International Data Transfers

Country Road Drone Services, LLC is based in Iowa, USA, and our infrastructure is hosted in the United States. If you access the Service from outside the United States, be aware that your information will be transferred to and processed in the United States, which may have different data protection laws than your country of residence. By using the Service, you consent to this transfer.

We take steps to ensure that transfers comply with applicable law, including implementing Standard Contractual Clauses with applicable service providers where required. Contact us at [email protected] if you have questions about international data transfers.

19. Automated Decision-Making

We do not use automated decision-making processes (including profiling) that produce legal effects or similarly significant effects concerning individual users. Subscription billing is handled by Stripe using automated systems, but decisions about account access are ultimately governed by these Terms and confirmed payment status.

If we were to implement automated decision-making in the future that produces significant legal or similarly significant effects, we will update this Privacy Policy and provide required notices.

20. Data Breach Response

Despite our security measures, no system is 100% secure. In the event of a data breach that affects your personal data, we will:

20.1 Internal Response

• Immediately investigate the scope, cause, and impact of the breach;
• Take steps to contain the breach and prevent further unauthorized access;
• Preserve evidence for forensic analysis;
• Assess which data was accessed and which users are affected.

20.2 User Notification

• We will notify affected users without undue delay, and where required by applicable law — including within 72 hours for EEA/UK supervisory authority notification under GDPR Article 33, where technically and operationally feasible — or within the timeframe required by applicable U.S. state breach notification law (including Iowa Code § 715C);
• The 72-hour timeframe for GDPR supervisory authority notification is a legal requirement for notifying regulators, not a contractual commitment to notify individual users within 72 hours; individual user notification will occur as soon as reasonably practicable after we have sufficient information to provide a meaningful notification;
• Individual User Notification Commitment: Once we have confirmed: (a) that a reportable breach has occurred; (b) which specific accounts are affected; and (c) sufficient details to provide a meaningful notification — we commit to notifying affected individual users within thirty (30) calendar days of that confirmation, unless law enforcement specifically requests a delay to avoid compromising an active investigation. If law enforcement requests a delay, we will notify users as soon as law enforcement confirms it is permissible to do so. This 30-day commitment runs from the date we confirm the above three conditions, not from the date we first become aware of a potential security event. We may not be able to identify all affected users within 30 days of initial discovery if the breach investigation is complex; in that case we will provide a preliminary notification describing the known scope and update affected users as additional details are confirmed;
• Notification will include, to the extent then known: a description of the nature of the breach; categories and approximate number of records and individuals affected; the likely consequences; the measures we have taken or propose to take to address the breach; and contact information for further inquiries.

20.3 Regulatory Notification

Where required by applicable law, we will notify relevant data protection authorities (including Iowa Attorney General, if applicable, and relevant state attorneys general) within required timeframes.

20.4 Limitations

Our liability for data breaches is subject to the limitation of liability provisions in our Terms of Service. We are not liable for breaches caused by your failure to maintain account security, use of compromised devices, or sharing of credentials with unauthorized persons.

21. Do Not Track

Some browsers transmit a "Do Not Track" (DNT) signal to websites. We do not currently respond to DNT signals because there is no industry standard for how they should be honored for SaaS applications. Within the DroneCommand application, we do not use tracking cookies for advertising purposes, so DNT signals have no material effect on how we process your data within the platform.

22. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, applicable law, or the features of the Service. When we make material changes, we will provide notice using at least one of the following methods:

• Post the revised Privacy Policy on this page with an updated "Last updated" date;
• Send email notice to the email address associated with your account at least thirty (30) days before material changes take effect; and/or
• Display a prominent in-app notification within the Service when you log in, at least thirty (30) days before material changes take effect.

Where required by applicable law (such as GDPR or the Iowa ICDPA), we will obtain your consent before processing your data under materially different terms.

Your responsibility to stay informed: You are responsible for keeping your email address current and for monitoring for in-app notifications when you log in. If you did not receive email notice of a material change because: (a) the email was delivered to your spam folder; (b) you provided an outdated email address; or (c) you were not logging into the Service regularly, we are not liable for your lack of awareness of the change — provided we sent the notice to the email address on file and/or displayed in-app notice for at least thirty (30) days before the change took effect.

Your continued use of the Service after the effective date of a revised Privacy Policy constitutes your acceptance of the revised terms. If you do not agree, you must stop using the Service and cancel your subscription.

23. Contact Us

For questions, concerns, or requests relating to this Privacy Policy or our data practices, please contact us:

• Company: Country Road Drone Services, LLC
• Address: 3308 330th St, Smithland, IA 51056
• Email: [email protected]
• Phone: (712) 420-0871
• Business Hours: Monday–Friday, 8:00 AM – 5:00 PM Central Time

We will respond to privacy inquiries within thirty (30) days of receipt, or within the timeframe required by applicable law.

For billing and payment data questions, please also contact Stripe directly through the Stripe Customer Portal or at support.stripe.com.

---

This Privacy Policy was last updated on February 23, 2026 (Round 8 Hardening), and is effective as of that date. By using DroneCommand, you acknowledge that you have read and understood this Privacy Policy.

← Back to DroneCommand