Legal
Privacy Policy
Last updated
Summary
Maize Drones operates the website at maizedrones.com. This page explains what information we collect, why, where it is stored, who else processes it on our behalf, how long we keep it, and how you can ask us to access, correct, or delete it.
In plain English: we collect the email you give us to send Field Notes, the application details you submit if you apply to the members program, and the minimum we need to keep the site secure and operational. Our infrastructure runs on Cloudflare and our emails are sent through Resend. We do not run third-party advertising or tracking, our visitor analytics are cookieless and never store your raw IP address, and we do not sell, rent, trade, or share your personal information.
This policy applies to the website only. It does not cover future Maize Drones hardware, mobile or desktop applications, or business relationships governed by a separate written agreement; those will have their own published privacy statements when they exist.
Who we are
Maize Drones is an agricultural-technology company based in British Columbia, Canada, building autonomous crop-monitoring drones. For the information collected through this website, Maize Drones is the organization that decides why and how your personal information is handled, and is accountable for it.
We have designated a Privacy Officer who is accountable for our compliance with this policy and with applicable privacy law. You can reach our Privacy Officer at hello@maizedrones.com for any privacy question, request, or complaint.
What information we collect
We collect only what we need to run the site and the services it offers. We do not ask for your age, date of birth, or any special-category information, and we do not buy personal information about you from data brokers. Specifically:
- Email address — when you subscribe to Field Notes, apply to the members program, or sign in as a member or administrator. Stored in our Cloudflare D1 database; required to deliver the service you signed up for.
- Name and (optional) organisation, role, and message — only when you submit a members-program application. The free-text message field is limited to a short note and is used to evaluate your application and respond to you.
- IP address and browser User-Agent — handled carefully and for security only. For visitor analytics, your IP is never stored; it is combined with the day, your User-Agent, and a rotating server-side salt into a one-way SHA-256 hash that cannot be reversed back to you and does not persist across salt rotations. Your raw IP address is stored only in a security audit log of administrator actions and sign-in requests, and is briefly used as a short-lived rate-limiting key to block abuse. When we verify a Cloudflare Turnstile challenge, your IP is sent to Cloudflare as part of that check. User-Agent strings in the audit log are stored only as a salted hash.
- Coarse country — when an administrator shares a members-only post with you through an expiring link, we record the two-letter country your request comes from (for example, “CA” or “US”) to understand how those links are used. We do not store your full IP address for this purpose.
- Page-view counts — aggregated, cookieless, bucketed by the hour, and de-duplicated using the same one-way hash described above. No individual viewer is identifiable from these counts.
- Authentication and security tokens — magic-link sign-in tokens, newsletter confirmation tokens, share-link tokens, and Turnstile tokens are stored only as SHA-256 hashes; the raw tokens live briefly in transit (in the email or key-value store) and are single-use. Passwords, where used, are stored as scrypt hashes with a server-side pepper — never in plain text.
- Email delivery records — when we send you a transactional or newsletter email, we keep a delivery log containing the recipient address and delivery status so we can debug failures and avoid sending duplicates.
We do not use third-party advertising trackers, do not embed cross-site analytics, and do not load any code from Google Analytics, Meta Pixel, or similar platforms. Video embeds use YouTube’s privacy-enhanced mode, which defers cookies until you actively play a video.
At a glance: what we collect, why, and for how long
The table below summarises each category of personal information we handle, the reason we handle it, the legal basis, how long we keep it, and who processes it on our behalf.
| Information | Purpose | Legal basis | Retention | Who processes it |
|---|---|---|---|---|
| Subscriber email, status & preferences | Deliver Field Notes; manage your opt-in | Consent | Until you unsubscribe | Cloudflare, Resend |
| Applicant name, email, organisation & message | Evaluate and respond to your application | Consent; legitimate operation | While active; deleted on request | Cloudflare, Resend |
| Member / administrator account email | Authenticate you to the members area | Consent; legitimate operation | While your account is active | Cloudflare |
| Magic-link & session records | Sign you in and keep you signed in | Strictly necessary; security | Sign-in links 15 minutes; invites 7 days; sessions 7 days | Cloudflare |
| Raw IP & hashed User-Agent (security audit log) | Security forensics for admin and sign-in actions | Legitimate security interest | 12 months | Cloudflare |
| IP / email as a rate-limiting key | Block automated abuse of public forms | Legitimate security interest | Up to one hour (the limiting window) | Cloudflare |
| Cookieless visitor hash (page-view counts) | Aggregate page-view counts and de-duplicate them | Legitimate operation; non-identifying | Indefinitely, as anonymous aggregates | Cloudflare |
| Coarse country (share-link opens) | Understand how shared member posts are accessed | Legitimate operation | With the share-link analytics | Cloudflare |
| Recipient email & delivery status (email log) | Confirm delivery and prevent duplicate sends | Legitimate operation | 12 months, then deleted | Cloudflare, Resend |
| Beta-tester form responses | Collect farmer beta-program interest | Consent | Per Tally and our form settings | Tally |
How we use your information
- Sending the Field Notes newsletter you subscribed to, and the double-opt-in confirmation email that precedes it.
- Reviewing and responding to members-program applications.
- Authenticating members and administrators through magic-link sign-in.
- Preventing automated abuse (rate-limiting by IP and email, and Cloudflare Turnstile bot challenges on public forms).
- Keeping a security audit log of administrator actions and sign-in requests, with sensitive fields redacted server-side before any record is written.
- Producing aggregate, anonymous page-view counts for our own operational understanding.
We do not build advertising profiles, do not score your behaviour, and do not make automated decisions that produce legal or similarly significant effects about you.
Our basis for using your information
For most of what we do, our basis is your consent — given when you subscribe, apply, or sign in. The Field Notes newsletter uses express, double-opt-in consent: your subscription starts as “pending” and only becomes active after you click the confirmation link in the email we send you. For keeping the site secure and operational — authentication, abuse prevention, the security audit log, and delivery logging — our basis is our legitimate interest in running a safe, reliable service, balanced against your privacy.
You can withdraw your consent at any time. For the newsletter, use the one-click unsubscribe link in any Field Notes email. For other uses, email our Privacy Officer at hello@maizedrones.com. Withdrawing consent does not affect processing we already carried out, and some limited security records may be retained where the law allows us to keep them.
Cookies
We set only two cookies, both first-party and both strictly necessary to operate the site. We do not set any advertising, analytics, personalisation, or third-party cookies, so we do not show a cookie consent banner.
| Cookie | Purpose | Lifetime | Flags |
|---|---|---|---|
| session | Keeps you signed in after a magic-link sign-in (members and administrators only). | 7 days | HttpOnly; Secure; SameSite=Lax; Path=/ |
| csrf | Protects state-changing form submissions against cross-site request forgery using a double-submit token. | 24 hours | Secure; SameSite=Strict; Path=/; not HttpOnly (read by the page’s own script to complete the double-submit check) |
The csrf cookie is deliberately not HttpOnly because the page’s own JavaScript must read it to send a matching value back to us, which is how the double-submit protection works. It contains a random token only — no information about you.
Email and your choices
Our commercial emails — the Field Notes newsletter and related messages — are sent only to people who have opted in, and every one of them identifies us as the sender and includes a working way to unsubscribe. We honour every unsubscribe request immediately, and in any case well within the time limits set by Canada’s anti-spam law (CASL) and the United States CAN-SPAM Act.
The fastest way to stop receiving Field Notes is the one-click unsubscribe link at the bottom of any newsletter email; supporting email clients can also unsubscribe you with a single action using the standard list-unsubscribe header we include. You can also email our Privacy Officer at hello@maizedrones.com to be removed.
Who we share information with
We do not sell, rent, trade, or otherwise share your personal information for anyone else’s marketing. We share information only with the service providers below, who process it on our behalf under their published data-processing terms, and only as far as they need to in order to provide their service to us. We may also disclose information where we are legally required to do so.
| Service provider | What it processes | Where | Privacy terms |
|---|---|---|---|
| Cloudflare, Inc. | Hosting and all request traffic — edge compute (Workers), database (D1), key-value store (KV), object storage (R2), the Turnstile bot challenge, and the CDN this site runs on. | Global edge network | cloudflare.com/privacypolicy |
| Resend, Inc. | Sends our newsletter and transactional emails; receives the recipient address and the message body we render. | United States | resend.com/legal/privacy-policy |
| Tally | Hosts the farmer-beta-tester signup form linked from the “Follow the project” page; receives whatever you submit through that form. | On Tally’s infrastructure | tally.so/help/privacy-policy |
When a post contains a video, the embed is loaded from YouTube’s privacy-enhanced domain only if and when you play it; at that point YouTube (Google) may receive information as described in Google’s privacy policy. We will update this list before adding any new service provider that handles personal information.
Where your information is processed
Cloudflare operates a global network, so your request may be served from the data centre closest to you. Some of our service providers — including Resend, which sends our email, and Cloudflare’s Turnstile verification — process information in the United States. This means your personal information may be stored or processed outside your province or country, including in the United States, where it may be subject to the laws of those jurisdictions. We use reputable providers and rely on their published data-processing terms to keep your information protected wherever it is handled, and we remain accountable for it.
How long we keep your information
We keep personal information only as long as we need it for the purpose we collected it, or as long as the law requires:
- Subscribers — kept until you unsubscribe (every Field Notes email contains a one-click unsubscribe link), then marked unsubscribed and excluded from all future broadcasts.
- Members and applications — kept while your account is active. Application decisions are retained for our own records and can be deleted on request.
- Magic-link tokens — 15 minutes for sign-in and 7 days for invitations; deleted once used or expired.
- Sessions — 7 days, stored in Cloudflare KV; invalidated when you sign out.
- Unsubscribe tokens — up to 90 days, so the links in your emails keep working.
- Security audit log — 12 months, then deleted.
- Email delivery records — 12 months, then deleted.
- Page-view counts — retained indefinitely as anonymous, hour-bucketed aggregates that contain no personal information.
Your rights and how to exercise them
You have the right to ask us to:
- Access the personal information we hold about you;
- Correct information that is inaccurate or incomplete;
- Delete information we no longer need to keep; and
- Withdraw your consent to our use of your information.
To make any of these requests, email our Privacy Officer at hello@maizedrones.com from the email address you used with us, and tell us what you would like us to do. We may ask you for enough information to confirm your identity before we act, so that we do not disclose your information to anyone else. We will respond within 30 days; if we need more time, we will let you know. There is no charge to exercise these rights, and we will not treat you differently for doing so. For the newsletter, the quickest option remains the unsubscribe link in any Field Notes email.
California and other U.S. state residents
We do not sell or share your personal information, and we do not use it for cross-context behavioural advertising. Because we do not sell or share personal information, we do not provide a “Do Not Sell or Share My Personal Information” link — there is nothing to opt out of. As a matter of policy, we honour the same access, correction, and deletion requests described above for residents of California and other U.S. states, regardless of whether a particular state law currently applies to us. To make a request, email our Privacy Officer at hello@maizedrones.com.
Children
This website is intended for an adult, professional audience — farmers, agronomists, investors, and industry professionals — and is not directed to children. We do not ask for anyone’s age, and we do not knowingly collect personal information from children under the age of 13. If you believe a child under 13 has provided us with personal information, please contact our Privacy Officer and we will delete it promptly.
How we protect your information
We follow strong, industry-standard practices to protect your information, including: transport security everywhere (HTTPS with HSTS); session cookies that are HttpOnly, Secure, and cryptographically signed; magic-link and other tokens stored only as SHA-256 hashes; scrypt password hashing with a server-side pepper; rate-limiting on public endpoints; Cloudflare Turnstile bot challenges on submission forms; CSRF double-submit token validation with constant-time comparison; a strict Content Security Policy; and an append-only security audit log with sensitive fields redacted before any record is written. No system can be perfectly secure, but we work hard to keep yours safe. If you discover a vulnerability, please email hello@maizedrones.com with the subject line “Security disclosure” and we will respond within 5 business days.
If a data breach happens
If a breach of security safeguards involving your personal information creates a real risk of significant harm to you, we will notify you and report the breach to the relevant privacy regulator — the Office of the Privacy Commissioner of Canada, and, for Quebec residents, the Commission d’accès à l’information — as required by law, and we will keep records of breaches as the law requires.
Changes to this policy
We may update this policy from time to time. When we make material changes, we will update the “Last updated” date at the top of this page and, where appropriate, notify registered members and subscribers by email at least 14 days before the change takes effect.
Contact and complaints
For any privacy question, request, or complaint, email our Privacy Officer at hello@maizedrones.com. We will do our best to resolve your concern directly. If you are not satisfied with our response, you may also contact the Office of the Privacy Commissioner of Canada, the Office of the Information and Privacy Commissioner for British Columbia, or — for Quebec residents — the Commission d’accès à l’information du Québec.