Privacy Policy
Effective April 6, 2026
CannaComply ("we", "us", "our") provides a cannabis compliance management platform to Canadian cultivators and processors licensed under the Cannabis Act (S.C. 2018, c. 16) and Cannabis Regulations (SOR/2018-144). This Privacy Policy explains how we collect, use, and protect personal information. It is governed by the Personal Information Protection and Electronic Documents Act (PIPEDA).
1. Information we collect
- Account information: name, email, password (stored as a one-way bcrypt hash)
- Facility information: business name, Health Canada licence number, licence type, address
- Operational data you input: plants, batches, rooms, SOPs, equipment, inspection records, documents you upload
- Technical information: IP address, browser type, access timestamps (audit logs)
- Payment information: processed by Stripe; we never see or store full payment card details
2. How we use your information
- Authenticate your account and provide the platform
- Maintain audit logs required by Cannabis Regulations
- Generate compliance reports for your facility
- Process subscription payments via Stripe
- Enable optional AI document scanning via Anthropic (Claude API)
- Send service-related notifications (security alerts, deadline reminders)
3. Sharing
We do not sell personal information. We share information only with:
- Stripe (payment processing) — stripe.com/privacy
- Anthropic (AI document scanning, only when you upload a document) — anthropic.com/legal/privacy
- Hosting providers (Render, Cloudflare) under standard data processing terms
- Legal authorities when required by Canadian law
4. Where data is stored
Customer data is stored on servers operated by Render (Oregon, USA) with PostgreSQL managed by Render. Static frontend assets are served from Cloudflare's global edge network. All data transmission is encrypted in transit using HTTPS/TLS. By using the Service, you consent to your data being processed and stored in the United States, subject to the protections of this Privacy Policy.
5. Retention
Account data is retained while your account is active. Compliance records are retained for at least seven (7) years after the date of the record, consistent with Cannabis Regulations recordkeeping requirements. You may request deletion of your account at any time; we will delete personal information except where retention is required by law.
6. Your rights under PIPEDA
You have the right to:
- Access the personal information we hold about you
- Request correction of inaccurate information
- Withdraw consent (which may end your access to the Service)
- File a complaint with the Office of the Privacy Commissioner of Canada
7. Security
We use industry-standard security practices: bcrypt password hashing, JWT-signed session tokens, role-based access control, encryption in transit, and per-tenant data isolation. No system is perfectly secure; if we become aware of a breach affecting your data, we will notify you promptly and in accordance with PIPEDA's breach notification requirements.
8. Cookies
We use a single session cookie to keep you signed in. We do not use third-party tracking cookies or advertising trackers.
9. Children
Our Service is intended for licensed adult professionals operating under federal cannabis licences. We do not knowingly collect information from anyone under 19.
10. Changes
We may update this policy. Material changes will be communicated by email or in-app notification at least 30 days before they take effect.
11. Contact
Privacy questions, access requests, or complaints: privacy@cannacomply.ca