Privacy Policy

This Privacy Policy (Policy) describes how Cannazoom LLC (Cannazoom, we, us, or our) collects, uses, discloses, retains, and safeguards information about you when you access or use the Cannazoom website, mobile applications, marketplace, member portals, APIs, communications, and related services (collectively, the Platform). Because Cannazoom facilitates cannabis transactions in a highly regulated industry under the oversight of the Arizona Department of Health Services (AZDHS), we collect and retain certain sensitive information that is legally required to verify identity, enforce statutory purchase limits, prevent diversion, support recalls, and comply with the Arizona Smart and Safe Act (A.R.S. Title 36, Ch. 28.2), the Arizona Medical Marijuana Act (A.R.S. Title 36, Ch. 28.1), and A.A.C. Title 9, Chapters 17 and 18.

Identity and verification data: legal name, date of birth, government-issued ID image (driver license, state ID, passport, tribal ID), ID number, ID expiration, address printed on ID, AMMA registry identification card image and number, designated-caregiver documentation, selfie image, liveness video frames, biometric face-template hash (used solely to confirm the selfie matches the ID), and the identity-verification vendor match score and decision.

Contact and delivery data: email address, phone number, residential and delivery addresses, delivery instructions, geolocation captured at the point of order or delivery, signature capture, and a delivery-confirmation photograph or hash.

Transaction data: order history, products purchased (strain, form, weight, potency, batch ID), quantity, unit price, taxes (state, local, marijuana excise under A.R.S. Title 42, Ch. 5, Art. 12), fees, tips, delivery records, tokenized payment-method information (we do not store full primary account numbers — those are tokenized by our PCI-DSS-compliant processor), refunds, credits, and rewards-point activity.

Account and profile data: hashed credentials, multi-factor authentication settings, profile preferences, marketing-consent state, support correspondence, in-app messages, and survey responses.

Affiliate data: referral codes, click and conversion telemetry, payout records, tax-reporting information (W-9/W-8BEN), and banking details for ACH.

Brand/vendor data: business name, AZDHS license numbers, license expiration, principal contacts, banking and payout details, product catalogs, certificates of analysis (COAs), and recall communications.

Technical and device data: IP address, device identifiers, browser type and version, operating system, language, time zone, referrer URL, cookies, pixel tags, app event logs, crash reports, and analytics events.

Inferences: product preferences, fraud risk scores, eligibility status, and purchase-limit position derived from the foregoing.

Sensitive cannabis-purchase data: Information about cannabis purchases, AMMA status, and biometric identifiers is treated as sensitive personal information. We apply heightened administrative, technical, and physical safeguards and restrict internal access on a strict need-to-know basis.

• Directly from you when you register, verify identity, place an order, contact support, or submit reviews;
• From our identity-verification, age-verification, and AMMA-validation vendors;
• From payment processors and tokenization providers;
• From Retail Partners and seed-to-sale systems (e.g., METRC) regarding fulfillment, recalls, and purchase-limit position;
• From delivery agents (geolocation, photo, signature, ID re-scan);
• From device sensors and analytics SDKs;
• From affiliates and referrers who direct you to the Platform; and
• From public, governmental, and AZDHS records where lawful.

• Verify your age, identity, and eligibility to purchase cannabis under Arizona law;
• Validate AMMA registry identification cards for medical purchases;
• Process and coordinate orders, deliveries, returns, and recalls with Retail Partners;
• Enforce daily, transaction-level, and 14-day rolling purchase and possession limits required by A.R.S. §§ 36-2806.01 and 36-2852;
• Calculate, collect, and remit applicable taxes (transaction privilege, marijuana excise, and local taxes);
• Perform AZDHS-mandated recordkeeping, reporting, and audit responses;
• Detect, investigate, and prevent fraud, diversion, straw purchasing, account takeover, payment abuse, and chargeback abuse;
• Provide customer support and respond to inquiries, complaints, and adverse-event reports;
• Send transactional, compliance, safety, and (with consent) marketing communications;
• Operate the affiliate program and manage brand and vendor relationships, including issuing tax forms;
• Improve, secure, debug, and personalize the Platform and develop new features; and
• Comply with subpoenas, court orders, lawful regulatory requests, and applicable law.

To perform identity verification we may collect a selfie image, a liveness video, and a derived biometric face-template hash. The biometric template is used solely to confirm that the person presenting the ID is the lawful holder of the account, to deter impersonation and synthetic-identity fraud, and to satisfy AZDHS-style verification expectations. Biometric data is transmitted in encrypted form, processed by a contracted identity-verification vendor under written confidentiality and security obligations, and retained no longer than required for verification, fraud, dispute, regulatory, or audit purposes. We do not sell or rent biometric data, and we do not use it for advertising or profiling unrelated to verification and fraud prevention.

• Retail Partners that fulfill your order, who are the seller of record and the responsible AZDHS licensee;
• Delivery operators and drivers, who receive the information necessary to complete delivery and re-verify ID at the door;
• Payment processors, tokenization, fraud-scoring, and chargeback-management vendors;
• Identity-verification, age-verification, AMMA-validation, biometric, and KYC vendors;
• Compliance and seed-to-sale tracking software vendors (including METRC) as required by AZDHS;
• Cloud hosting, error-monitoring, analytics, and infrastructure providers;
• SMS, email, push-notification, and customer-support providers;
• Tax authorities and accounting and audit professionals;
• Legal, regulatory, and law-enforcement authorities, including AZDHS, the Arizona Attorney General, the Arizona Department of Revenue, and local law enforcement, when required by law, subpoena, court order, search warrant, regulatory inspection, or to protect rights, property, public safety, or the integrity of the Platform;
• Successors in a merger, acquisition, financing, reorganization, bankruptcy, or asset sale, subject to commercially reasonable confidentiality protections; and
• Other parties to whom you direct us to share information, or with your consent.

AZDHS requires marijuana establishments and dual-license marijuana establishments to retain identity, transaction, purchase-limit, recall, and audit records for prescribed periods (generally five (5) years under A.A.C. R9-18, and similar periods under R9-17 for medical). We and our Retail Partners maintain such records consistent with Arizona law and the laws of any future operating state. AZDHS inspectors and other authorized regulators may access records pursuant to law, and we will cooperate with lawful requests.

We retain personal information for as long as your account is active, as needed to provide the Platform, and as required to satisfy legal, regulatory, tax, accounting, audit, anti-fraud, public-health, and recordkeeping obligations. Retention periods for AMMA, adult-use, identity, and purchase-limit records are dictated by Arizona law and may exceed five (5) years. When a retention obligation expires and there is no legitimate business need, we delete, de-identify, or aggregate the data.

We implement administrative, technical, and physical safeguards designed to protect personal information, including but not limited to: role-based access controls, principle of least privilege, single sign-on with multi-factor authentication for staff, encryption in transit (TLS 1.2+) and at rest, payment tokenization through PCI-DSS-compliant processors, secret rotation, application-layer rate limiting, database row-level security (RLS) on all sensitive tables, audit logging, security event monitoring, vendor risk assessment, written incident-response procedures, periodic penetration testing, and employee training. No system can be guaranteed 100% secure, and we cannot and do not warrant absolute security; you provide information at your own risk.

We do not sell sensitive personal information, biometric information, or cannabis-purchase information for monetary consideration. We share personal information with service providers and Retail Partners as described above to operate the Platform and comply with law. Where applicable state laws define sale or share to include certain analytics or cross-context behavioral advertising activities, we honor opt-out rights described below, and we configure those vendors to act as service providers / processors to the maximum extent feasible.

We use cookies, local storage, pixels, SDKs, and similar technologies to authenticate users, remember preferences, measure engagement, enforce age-gating across sessions, prevent fraud, and improve the Platform. Categories include strictly necessary, functional, analytics, and (where you consent) marketing. You can control cookies through your browser settings; disabling strictly necessary cookies may break age-gating and verification and prevent access.

You may opt out of marketing emails by clicking the unsubscribe link in any marketing email or by adjusting account preferences. You may opt out of SMS marketing by replying STOP to any marketing text message; reply HELP for help. Message and data rates may apply. Frequency varies. You will continue to receive transactional, compliance, safety, recall, delivery, fraud, and account communications after opting out of marketing, because such communications are required to operate the Platform lawfully.

Depending on your state of residence, you may have rights to (a) confirm whether we process your personal information; (b) access a copy of your personal information; (c) correct inaccuracies; (d) request deletion; (e) request portability; (f) opt out of sale or share or targeted advertising as those terms are defined by state law; and (g) limit the use of certain sensitive personal information. To exercise these rights, contact us at privacy@mycannazon.com. We will verify your request using reasonable means (which may include matching identity to existing records) and respond within the time required by applicable law (generally 45 days). You may designate an authorized agent to act on your behalf with appropriate proof.

Important — AZDHS records exception: We may be unable to delete or modify information required to be retained under AZDHS rules, AMMA, the Smart and Safe Arizona Act, tax law, or anti-fraud law, including identity-verification records and transaction records. We will inform you when this exception applies. We do not discriminate against users who exercise privacy rights.

If you reside in or transact in Arizona, your personal information is handled in a manner consistent with the Arizona Smart and Safe Act (A.R.S. §§ 36-2850 et seq.), the Arizona Medical Marijuana Act (A.R.S. §§ 36-2801 et seq.), and the rules of AZDHS at A.A.C. Title 9, Chapters 17 and 18. Identity, transaction, recall, and purchase-limit records may be inspected, copied, or transmitted to AZDHS and other authorized regulators pursuant to law. AMMA registry identification information is handled in accordance with the confidentiality protections of A.R.S. § 36-2810 to the extent applicable.

The Platform is intended exclusively for adults and is not directed to children. We do not knowingly collect personal information from anyone under eighteen (18), in compliance with the Children Online Privacy Protection Act, 15 U.S.C. § 6501 et seq. We do not permit adult-use cannabis purchases by anyone under twenty-one (21) or medical purchases by anyone under eighteen (18) without a qualifying AMMA card and lawful caregiver designation. If we learn that we have collected personal information from a person under eighteen (18) in violation of this Policy, we will delete it promptly and terminate the account.

In the event of a confirmed personal-data breach, we will notify affected users and applicable regulators in accordance with A.R.S. § 18-552 (Arizona breach-notification statute) and any other applicable federal or state breach-notification laws. Notice will describe the nature of the breach, the categories of information involved, and the steps you may take to protect yourself.

We may disclose personal information when we believe in good faith that disclosure is necessary or appropriate to: (a) comply with applicable law, lawful subpoena, court order, search warrant, or AZDHS or other regulatory inspection or directive; (b) protect the rights, property, or safety of Cannazoom, our users, Retail Partners, drivers, or the public; (c) detect, prevent, or address fraud, diversion, or security issues; or (d) enforce these terms. We may not be permitted to notify you of certain requests where prohibited by law.

The Platform may include links to third-party websites, apps, and services that we do not control. We are not responsible for the privacy practices or content of such third parties. We encourage you to review their privacy policies before providing personal information.

The Platform is intended for use by residents of the United States in jurisdictions where Cannazoom operates. It is not intended for users located outside the United States, and we make no representation that the Platform is appropriate or lawful in any other jurisdiction. If you access the Platform from outside the United States, you do so at your own risk and are solely responsible for compliance with local law, and you consent to the transfer of your information to, and processing in, the United States.

Some browsers transmit Do Not Track signals. Because there is no industry consensus on how to interpret these signals, the Platform does not currently respond to them. We honor opt-outs through the channels described above.

We may update this Policy from time to time. Material changes will be communicated through the Platform or by email, and the Last updated date will be revised. Material changes to sensitive-data handling, biometric processing, or sharing practices may require renewed consent or affirmative acknowledgment.

For privacy questions or rights requests, contact:

Cannazoom LLC — Privacy Team
Email: privacy@mycannazon.com
Address: [Insert Registered Business Address], Arizona