Privacy Policy

Privacy Policy for Wholesale THCA Buyers

How we collect, use, secure, and retain buyer data and COAs across our wholesale THCA operations. This policy prioritizes B2B privacy, compliance, and security-by-design.

Last updated: September 16, 2025 · Reviewed by: Compliance Team

Scope & Who This Applies To

This Privacy Policy applies to business buyers, distributors, dispensaries, processors, and brokers engaging with our wholesale THCA products and services (collectively “Buyers”). It covers all websites, forms, order portals, email intake, COA submissions, support chats, and offline onboarding documents we control.

Data We Collect

  • Business identity: legal entity name, DBA, tax ID, reseller/handler licenses, contact names/roles, location, and age-gating confirmations.
  • Order & operations: RFQs, MOQs, shipping addresses, delivery windows, intake QC evidence (photos/weights), and dispute/claims records.
  • Compliance documents: batch-matched COAs, chain-of-custody forms, and lab details (including accreditation numbers when provided).
  • Payments: invoices, ACH/wire remittance confirmations, and reconciliation metadata (we do not store full bank credentials).
  • Site telemetry: device/IP, pages visited, timestamps, cookie IDs; see our Cookie Policy.

How We Use Your Data

  • To evaluate and fulfill wholesale orders: verify buyer eligibility, confirm destination-state compliance, coordinate logistics, and provide after-sale support.
  • To meet legal & quality requirements: archive batch-matched COAs, document safety panels, and maintain audit trails aligned with recognized standards (e.g., COAs issued by laboratories accredited to ISO/IEC 17025, plus industry best practices).
  • To improve security & performance: detect fraud, prevent abuse, and enhance service reliability following frameworks such as NIST CSF.
  • To communicate: send quotes, contracts, compliance updates, and product notices. Buyers can opt out of non-essential marketing.

Lawful Bases & Regional Rights

Where applicable, we process data under legitimate interest (B2B operations and fraud prevention), contract necessity (order fulfillment), and compliance obligations. If you are in the EEA/UK, your rights under the GDPR apply (access, rectification, erasure, restriction, portability, objection). See the GDPR text for details.

For California residents, CCPA/CPRA rights may apply (know, delete, correct, opt-out of “sale/share,” limit use of sensitive personal information). Enforcement is led by the California Privacy Protection Agency and the Attorney General.

Security & Access Controls

We apply layered controls, including role-based access, least-privilege administration, encryption in transit, and vendor due diligence. Our security program aligns to recognized frameworks (e.g., NIST CSF 2.0) and industry standards for information security management (e.g., ISO/IEC 27001). These frameworks provide guidance for managing cyber risk and improving controls; they are referenced here for transparency, and alignment means we use them as the reference for how our controls are designed and reviewed, not that we claim a certification or third-party audit against them.

  • Access & authentication: unique accounts, MFA for admins, and periodic entitlement reviews.
  • Data segregation: production vs. test environments; limited use of live data in testing.
  • Vendor oversight: security questionnaires, DPAs where required, and incident notification SLAs.
  • Incident response: we follow an investigate–contain–notify playbook consistent with published guidance (e.g., the FTC's overview of how the NIST Cybersecurity Framework maps to its data-security expectations).

Retention & Deletion

We retain B2B account and transaction records for as long as needed to manage orders, comply with tax and regulatory obligations, and support reasonable legal/audit inquiries. COAs and shipment documentation may be retained for extended periods to support product safety, recalls, or regulatory inquiries. Upon request and subject to exemptions, we will delete or de-identify personal data.

Sharing & Processors

We share data with service providers under written agreements (hosting, logistics, payment reconciliation, email, analytics). We restrict processing to documented purposes and require appropriate safeguards.

We may disclose data to authorities or third parties when required by law, to protect our rights, investigate fraud, or in connection with a merger or acquisition.

International Transfers

If data is transferred internationally, we use appropriate mechanisms (e.g., SCCs/IDTA or other recognized safeguards) and implement supplemental measures where necessary under GDPR.

Your Rights & Requests

Depending on your location, you may have rights to access, correct, delete, or port your data, object to or restrict processing, and opt out of sale/share (as defined by local law). To exercise these rights, contact us via the details below. We will verify your identity and respond within the applicable statutory timelines: generally one month under GDPR (extendable by up to two further months for complex requests) and 45 days under CCPA/CPRA (extendable once by 45 days), in each case with notice to you if an extension is needed.

Policy Changes

We may update this policy to reflect operational, legal, or regulatory changes (e.g., updates to NIST CSF or privacy regulations). Material changes will be announced on this page with a new “Last updated” date.

Change Log

  • 2025-09-16: Initial wholesale-first policy published.

Contact & Compliance

Privacy & Compliance Team
Email: compliance@yourdomain.com
Response time: Typically 5–10 business days (faster for verified buyer accounts).

For legal questions about shipping compliance, see: Shipping & Packaging and Is THCA Legal in the USA?

FAQs

Do you sell or share buyer lists?

No. We do not sell buyer lists. We use processors to operate our services under contract.

Can I request deletion of my account?

Yes—subject to legal/audit retention requirements. We will de-identify where full deletion is not possible.

Where are COAs stored?

COAs are stored in secure systems with restricted access to authorized personnel only. Retention aligns with quality and compliance obligations.

How do you handle incidents?

We investigate, contain, and notify as required by law and contracts. Our program aligns with modern frameworks (e.g., NIST CSF 2.0).

What privacy laws do you reference?

We reference GDPR (EEA/UK) and CCPA/CPRA (California) among other regional laws and guidance.
