1. Introduction

This Data Protection and Privacy Policy sets out how OpenTrace, through its Ask ADZA platform, collects, processes, stores, protects, and governs data. It reflects our commitment to handling data responsibly, transparently, and in full compliance with applicable legal and regulatory frameworks. OpenTrace operates across multiple jurisdictions and aligns its practices with the General Data Protection Regulation (GDPR), as well as relevant national and regional data protection laws, including those applicable across African countries where the platform is used. Beyond compliance, this policy reflects a broader institutional position: that data should be handled with integrity, restraint, and accountability, particularly in contexts where trust in data systems is critical. This policy applies to all users of the Ask ADZA platform, all data processed within the system, and all personnel and partners who interact with that data.

2. Definitions

For the purposes of this policy, personal data refers to any information relating to an identified or identifiable individual. Processing refers to any operation performed on data, including collection, storage, organization, analysis, or deletion. A data subject is the individual to whom personal data relates. OpenTrace acts as a data controller where it determines the purpose and means of processing data, and as a data processor where it processes data on behalf of partners under formal agreements. Additional terms such as pseudonymization and anonymization are used in accordance with standard regulatory definitions, referring respectively to methods of reducing identifiability and fully removing identifying characteristics from data.

3. Scope of Application

This policy applies to all aspects of the Ask ADZA platform and OpenTrace’s data operations. It covers all users who access or interact with the platform, all datasets that are ingested into or processed within the system, and all employees, contractors, and partners who are granted access to data. The policy applies across all jurisdictions in which OpenTrace operates. It covers both personal data, which is collected in limited and controlled circumstances, and non-personal data, which constitutes the primary focus of the platform.

4. Legal Basis for Processing

OpenTrace processes data on clearly defined legal grounds. In most cases, processing is based on legitimate interest, particularly where it is necessary to operate, maintain, and improve the Ask ADZA platform. These interests are carefully balanced against the rights and freedoms of users. Processing may also be carried out where it is necessary for the performance of a contract, such as when providing access to the platform or fulfilling obligations to institutional partners. In certain cases, processing is required to comply with legal or regulatory obligations. Where appropriate, OpenTrace relies on user consent, particularly in relation to account creation or optional data inputs. Users retain the right to withdraw consent at any time, and such withdrawal will not affect the lawfulness of processing carried out prior to withdrawal.

5. Categories of Data Processed

OpenTrace intentionally limits the scope of personal data it collects. Where personal data is processed, it typically includes basic information such as a user’s name, email address, organizational affiliation, and login credentials. The platform is not designed to process sensitive personal data, and such data is neither requested nor intentionally collected. In addition to personal data, OpenTrace processes technical and usage data to support system functionality and security. This includes information such as IP addresses, device and browser metadata, system logs, and user interaction patterns within the platform. The core of Ask ADZA’s operations, however, relies on non-personal data. This includes agricultural datasets, climate indicators, market data, and socio-economic information. These datasets are sourced from public institutions, research organizations, and formal partnerships, and are processed in structured and controlled ways. In some cases, OpenTrace generates derived or reconstructed datasets. These may include harmonized datasets, interpolated values, or modeled indicators. Such data is clearly documented, traceable to its sources, and distinguished from original datasets to ensure transparency and analytical integrity.

6. Data Protection by Design and by Default

OpenTrace embeds data protection principles directly into the design and operation of the Ask ADZA platform. This means that privacy and security considerations are not added retrospectively but are integrated from the outset. The system is designed to minimize the collection and exposure of personal data. Data pipelines are structured and controlled, ensuring that only validated and necessary data is processed. Default system settings are configured to limit data collection and restrict access, ensuring that only authorized users can interact with sensitive components of the system. This approach ensures that data protection is maintained consistently, regardless of how the platform evolves.

7. Data Collection and Ingestion Controls

All data entering the Ask ADZA system is subject to strict controls. Data sources are verified before ingestion, and datasets undergo validation processes to ensure accuracy, consistency, and relevance. Each dataset is structured according to defined schemas and is accompanied by metadata that captures its origin, transformation history, and intended use. OpenTrace does not rely on uncontrolled or unverified data collection methods. In particular, the platform does not scrape data from the internet or rely on opaque third-party data sources. This is a deliberate design choice aimed at maintaining trust and ensuring that all outputs are grounded in reliable data. Data lineage is a core feature of the system. Every dataset can be traced from its source through each stage of processing, enabling full transparency and auditability.

8. Data Processing and AI Governance

Data within Ask ADZA is processed within a controlled analytical environment. Outputs are generated exclusively from structured and validated datasets, and the system does not produce responses based on unverified or speculative information. The platform does not engage in automated decision-making that has legal or similarly significant effects on individuals. It does not profile users or make decisions that impact individuals without human oversight. All analytical models used within the system are subject to rigorous validation processes. This includes testing for overfitting and underfitting, applying cross-validation techniques, and conducting regular reviews to ensure accuracy and reliability.

9. Data Storage and Security

OpenTrace stores data within secure cloud environments that meet high standards of security and reliability. Data is encrypted both at rest and in transit, ensuring that it is protected against unauthorized access. Access to data is strictly controlled through role-based access mechanisms. Only authorized personnel are granted access to specific datasets, and all access is logged and monitored. Additional security measures, such as multi-factor authentication, are implemented to further protect the system. OpenTrace aligns its practices with recognized industry standards and continuously monitors its systems for vulnerabilities or potential risks.

10. Data Retention

Data is retained only for as long as it is necessary to fulfill its intended purpose. Retention periods are determined based on operational needs, legal obligations, and contractual requirements. When data is no longer required, it is either securely deleted or anonymized. OpenTrace also maintains structured archiving processes to ensure that retained data remains compliant and accessible only where appropriate.

11. Data Subject Rights

OpenTrace respects the rights of individuals in relation to their personal data. Where applicable, users have the right to access their data, request corrections to inaccurate information, request deletion of their data, and restrict or object to processing. Users may also request a copy of their data in a portable format. All such requests are handled within established timelines, typically within 30 days, and in accordance with applicable legal requirements.

12. Data Sharing and Transfers

OpenTrace does not sell or trade personal data. Data may be shared with third parties only where it is necessary to provide the platform, comply with legal obligations, or fulfill contractual agreements. Where third-party service providers are engaged, they are required to adhere to strict data protection standards and are bound by formal agreements.

In cases where data is transferred across borders, OpenTrace ensures that appropriate safeguards are in place. This includes the use of standard contractual clauses and other mechanisms to ensure that data protection standards remain consistent regardless of location.

13. Data Breach Management

OpenTrace maintains a structured approach to managing data breaches. In the event of a breach, immediate steps are taken to contain the incident and assess its impact. Where required, relevant supervisory authorities are notified within the legally mandated timeframe, and affected individuals are informed where there is a significant risk to their rights and freedoms. Remedial actions are implemented to prevent recurrence.

14. Third-Party Processors

All third-party processors engaged by OpenTrace are subject to due diligence and must meet defined data protection standards. Formal Data Processing Agreements are established to ensure compliance with applicable laws and to clearly define responsibilities.

15. Cross-Border and African Data Governance

OpenTrace operates with a strong awareness of data sovereignty considerations, particularly within African contexts. The organization is committed to ensuring that data originating from African countries is handled in ways that respect local regulations and support local value creation. This includes aligning with regional frameworks, supporting institutional capacity, and avoiding extractive data practices.

16. Ethical Data Use

OpenTrace’s approach to data is grounded in ethical principles. The organization does not engage in exploitative data practices and does not treat data as a commodity to be traded. Instead, data is used to support decision-making, strengthen systems, and create long-term value for the ecosystems in which OpenTrace operates.

17. Governance and Accountability

OpenTrace maintains internal governance structures to oversee data protection and compliance. This includes designated responsibilities for monitoring compliance, conducting audits, and ensuring that policies are implemented effectively. All personnel are trained on data protection principles and are expected to adhere to internal protocols.

18. Policy Updates

This policy is reviewed periodically to ensure that it remains aligned with evolving legal requirements and system developments. Updates are communicated as appropriate.

19. Contact

For any questions, concerns, or requests related to data protection, users and partners may contact OpenTrace directly through designated communication channels.