Privacy Policy

1. Introduction

This Privacy Policy explains how WeedBates / PatientEA ("we," "us," "our") collects, uses, and protects your personal information when you use WeedBates and PatientEA services (collectively, "Services").

Our Commitment: We are committed to protecting your privacy and handling your data with care, especially given the sensitive nature of cannabis-related services.

2. Information We Collect

2.1 Information You Provide

When you use our Services, you may provide:

• Account Information: Name, email address, phone number, date of birth
• Medical Information: Medical cannabis card details, state ID information (for identity verification)
• Payment Information: Payment card details (processed by Stripe), billing address
• Referral Information: Referral codes, referral links shared
• Communications: Messages, support requests, feedback

2.2 Information Collected Automatically

• Usage Data: Pages visited, features used, time spent on platform
• Device Information: IP address, browser type, operating system, device identifiers
• Location Data: With your consent, precise GPS location to show nearby stores and verify receipt proximity. Without consent, general location based on IP address only.
• Cookies & Tracking: Session cookies, analytics cookies, authentication tokens
• Receipt Data: Scanned receipt images, extracted product names, prices, and store information

2.3 Consent-Based Collection

During signup, we request consent for:

• Promotional Communications: SMS, email, and push notifications about offers and cashback (opt-in required)
• Location Tracking: GPS-based location for nearby deals, store alerts, and visit analytics (opt-in required)

You may withdraw consent at any time through your device settings or by contacting support.

2.3 Information from Third Parties

• Authentication Providers: Clerk (for user authentication and profile data)
• Payment Processors: Stripe (for payment verification and fraud prevention)
• Telehealth Providers: Licensed healthcare providers conducting medical evaluations

3. How We Use Your Information

We use your information to:

• Provide Services: Process DC card purchases, coordinate telehealth appointments, manage wallet credits
• Process Payments: Handle transactions, prevent fraud, issue refunds
• Manage Referrals: Track referral attributions, calculate and distribute referral bonuses
• Communicate with You: Send service updates, respond to inquiries, deliver notifications
• Improve Services: Analyze usage patterns, fix bugs, develop new features
• Ensure Security: Detect fraud, prevent abuse, enforce Terms of Service
• Comply with Laws: Meet legal obligations, respond to lawful requests

4. How We Share Your Information

4.1 Service Providers

We share information with trusted third-party service providers:

• Stripe: Payment processing (PCI-DSS compliant)
• Clerk: Authentication and user management
• ClickHouse: Analytics and event tracking (anonymized where possible)
• Licensed Telehealth Providers: Medical evaluations for cannabis cards
• Cloud Infrastructure: Vercel (hosting), Fly.io (API hosting), AWS S3 (file storage)

4.2 Legal Requirements

We may disclose information when required by law or to:

• Comply with subpoenas, court orders, or legal processes
• Enforce our Terms of Service
• Protect the rights, property, or safety of our company, users, or the public
• Respond to government requests (where legally obligated)

4.3 Business Transfers

If we are acquired, merge with another company, or undergo a business transition, your information may be transferred as part of that transaction.

4.4 Referral Program

When you refer a friend, we do not share the referee's personal information with you. You will only see anonymized referral statistics (e.g., "3 friends referred," "$3.00 earned").

4.5 We Do NOT Sell Your Data

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

5. Data Retention

We retain your information for as long as:

• Your account is active
• Needed to provide Services to you
• Required to comply with legal obligations (e.g., tax records, audit trails)
• Necessary to resolve disputes or enforce agreements

Medical Information: Medical cannabis card data is retained for the card's validity period plus 7 years (standard healthcare record retention).

Wallet Transactions: Financial transaction records are retained for 7 years per IRS and financial regulations.

6. Your Privacy Rights

6.1 General Rights

You have the right to:

• Access: Request a copy of your personal information
• Correction: Update or correct inaccurate information
• Deletion: Request deletion of your account and data (subject to legal retention requirements)
• Portability: Receive your data in a structured, machine-readable format
• Opt-Out: Unsubscribe from marketing emails (service emails may still be sent)

6.2 California Residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act:

• Right to know what personal information is collected, used, shared, or sold
• Right to delete personal information (subject to exceptions)
• Right to opt-out of sale of personal information (we do not sell data)
• Right to non-discrimination for exercising your privacy rights

To exercise these rights, contact us at support@patientea.com.

6.3 European Residents (GDPR)

While our services are primarily US-based, if you are in the European Economic Area (EEA), you may have additional rights under GDPR. We process data based on consent, contract performance, and legitimate interests.

7. Data Security

We implement industry-standard security measures to protect your information:

• Encryption: Data encrypted in transit (TLS/HTTPS) and at rest (AES-256)
• Access Controls: Role-based access, principle of least privilege
• Authentication: Secure authentication via Clerk with multi-factor authentication support
• Payment Security: PCI-DSS compliant payment processing via Stripe (we do not store full card numbers)
• Monitoring: Real-time security monitoring and incident response
• Audits: Regular security audits and penetration testing

However: No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

8. Cookies & Tracking Technologies

We use cookies and similar technologies for:

• Essential Cookies: Authentication, session management, security
• Analytics Cookies: Understanding usage patterns, improving user experience
• Referral Tracking: Attribution of referral links (query parameters like ?ref=CODE)

You can control cookies through your browser settings. Disabling certain cookies may limit functionality.

9. Third-Party Links

Our Services may contain links to third-party websites or services (e.g., telehealth provider portals). We are not responsible for the privacy practices of these third parties. Please review their privacy policies.

10. Children's Privacy

Our Services are not intended for individuals under 18 years old (or 21 in certain jurisdictions). We do not knowingly collect information from minors. If you believe we have collected data from a minor, contact us immediately at support@patientea.com.

11. Cannabis-Specific Privacy Considerations

Given the legal complexities of cannabis, we take additional precautions:

• No Federal Reporting: We do not voluntarily share cannabis-related data with federal authorities (though we comply with lawful requests)
• State Compliance: We follow state-specific privacy laws in jurisdictions where we operate
• Minimization: We collect only the minimum information necessary for medical card services
• Anonymization: Where possible, we anonymize analytics and referral data

12. Referral Program Privacy

Specific to our "Invite & Earn" referral program:

• Referral Codes: Your unique referral code is generated randomly and does not contain personal information
• Referee Privacy: We do not share the identity of people you refer with you (only anonymized counts)
• Attribution Tracking: We log referral links via query parameters (?ref=CODE) and cookies
• Earnings Visibility: You can see your total referral earnings but not individual referee purchases
• Anti-Fraud: We monitor referral patterns to detect abuse (e.g., self-referrals)

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date. Material changes will be communicated via email or in-app notification.

Your continued use of Services after changes indicates acceptance of the updated Privacy Policy.

14. Contact Us

For questions, concerns, or to exercise your privacy rights, contact us at:

• Email: support@patientea.com
• Name: Randall (Randy) Buchman, Founder & CEO
• Company: WeedBates / PatientEA

We will respond to privacy requests within 30 days (or as required by applicable law).