LEAFWELL PRIVACY NOTICE
Last Updated: 13 March, 2023
Welcome! We are Leafwell, a company dedicated to unlocking the therapeutic potential of cannabis through increasing access, research and education. This Privacy Notice explains how Leafwell, Inc. (“Leafwell”, “Company”, “we”, “us” or “our”) collects, uses, discloses, and otherwise processes personal information (as defined below) in connection with our websites (the “Sites”), including www.leafwell.com, www.medicalcard.io, and other websites we own and operate that link to this Privacy Notice, and the related content, platform, services, products, and other functionality offered on or through our services (collectively, the “Services”). It does not address our privacy practices relating to Leafwell employees and other personnel.
Leafwell is the controller of the personal information we hold about you in connection with your use of the Services. This means that we determine and are responsible for how your personal information is used.
In certain instances, we have contractually agreed to act as a “Business Associate” and only process such information on behalf of and under the instruction of the respective Facility or agency, who is the “Covered Entity”. This Privacy Notice does not apply to such processing, and we recommend you contact the Covered Entity with any questions regarding the processing of your protected health information.
WHAT IS PERSONAL INFORMATION?
When we use the term “personal information” in this Privacy Notice, we mean any data or information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular natural person or any other data or information that constitutes “personal data”, “personal information,” or “personally identifiable information.”
OUR COLLECTION AND USE OF PERSONAL INFORMATION
We collect personal information in a variety of ways. For example, you may provide us your personal information when you place an order, register for an account, make an online purchase, contact us or send us messages, subscribe to our mailing lists, newsletters or other forms of marketing communications, submit a job application, or use some other feature of our Service.
We may link or combine your activities and information collected from you on our websites and mobile apps with information we receive from third parties, as well as information we collect automatically through tracking technologies (defined below). This allows us to provide you with a personalized experience regardless of how you interact with us.
Personal Information Collected from You
We may collect the following categories personal information submitted to us by individuals through the Services:
- Contact Information, including first and last name, business email address, business postal address, employer, job title, your area of responsibility, company name, date of birth, gender, phone number, your country or region and communication preferences. We use this information to fulfill your request or transaction, to communicate with you directly, and to send you marketing communications in accordance with your preferences.
- Account Information, including first and last name, company name, employer, job title, business email address, user ID and password, profile information, affiliations, account balances, payment and purchase history information, and any other information you provide to us. We use this information to administer your account, provide you with the relevant service and information, communicate with you regarding your account and your use of the Service, and for customer support purposes. Please note we utilize a third-party provider to process payments on our behalf and do not accept payment directly through our Services.
- Product Information and Purchase Information, including your order history and billing and shipping address(es).
- Demographic Information, including your age and gender.
- Health Information, such as your medical claims, history, and l diagnosis or condition information, including Medicare claims you may share with us via Medicare’s Blue Button.
- Medical Cannabis Identification Card Information, including your full name, medical cannabis state identification number, physician name, and expiration date.
- Inquiry and Communications Information, including information provided in custom messages sent through the forms, in chat messages, to one of our email addresses, or via phone. This also includes contact information provided on our Services. We use this information to investigate and respond to your inquiries, and to communicate with you, to enhance the services we offer to our users and to manage and grow our organization.
- Newsletter and Marketing Emails, including email address and applicable interests and communication preferences. We use this information to manage our communications with you and send you information about products and services we think may be of interest to you. If you wish to stop receiving email messages from us, simply click the “unsubscribe link” provided at the bottom of the email communication. Note that you cannot unsubscribe from certain services-related email communications (e.g., account verification, confirmations of transactions, technical or legal notices).
- Study and Survey Information. If you fill out any forms or participate in Leafwell studies or surveys, we may collect your contact information (such as your name, email, and phone number, postal code), your Demographic Information, your Health Information, and any other information requested on the form, at sign up, or during the study.
- Feedback Information. We may also collect feedback and ratings you provide relating to our services or products. We use this information to communicate with you, to conduct market research, inform our marketing and advertising activities and improve and grow our business.
- Business Representative Contact Information. If you are a business representative, we collect your information in connection with the performance of the agreement or potential agreement with us. This information may include your first name, last name, company contact information (e.g. email, phone, address), job title, and any other information related to the performance of the agreement with us.
- Partner Program Information, including the information collected when you apply to be part of our General, Affiliate, or Research Partner Programs such as full name, email address, phone number, state of residence, company information, and feedback information.
- Employment Application Information, including your full name, contact and demographic information, educational and work history, resume, employment interests, information obtained during interviews and any other information you choose to provide, if you apply for employment.
Personal Information Automatically Collected
As is true of many digital properties, we and our third-party partners may automatically collect certain information from or in connection with your device when visiting or interacting with our Services, such as the list below and in the sub-sections here:
- Log Data, including internet protocol (IP) address, operating system, device type and version, browser type and version, browser id, the URL entered and the referring page/campaign, date/time of visit, other user agent string data, the time spent on our Services, and any errors that may occur during the visit to our Services). Log data may overlap with the other categories of data below.
- Analytics data, Including the electronic path you take to our services, through our services and when exiting our services, UTM source, as well as your usage and activity on our services, such as the time zone, activity information (first and last active date and time), usage history (flows created, campaigns scheduled, emails opened, total log-ins) as well as the pages, links, objects, products and benefits you view, click or otherwise interact with. We may also analyze the interaction between you and your customer using our Services.
- Location data (such as coarse geographic location we or our third-party providers may collect, such as via permissions within app operating system or browser functionality).
We and our third-party providers may use (i) cookies or small data files that are stored on an individual’s computer and (ii) other, related technologies, such as web beacons, pixels, embedded scripts, location-identifying technologies and logging technologies (collectively, “cookies”) to automatically collect this personal information. We may also use this information to distinguish you from other users of our Services. This helps us monitor and analyze how you use and interact with our Services. It also helps us and our partners to determine products and services that may be of interest to you. For more information about these practices and your choices regarding cookies, please see our Cookie Notice.
Personal Information from Third Parties
We also obtain personal information from third parties; which we often combine with personal information we collect either automatically or directly from an individual.
We may receive the same categories of personal information as described above from the following third parties:
- Leafwell Entities: We may receive personal information from other companies and brands owned or controlled by Leafwell, and other companies owned by or under common ownership as Leafwell. We use this information for our business purposes.
- Other Users or Individuals who Interact with our Services: We may receive your information from other users or other individuals who interact with our Services. For example, if you engage in one of our communications hosted on third-party platforms, we will be able to see any public communications made within that platform. We use this information to operate, maintain, and provide to you the features and functionality of the Service, as well as to communicate directly with you.
- Social Media: When an individual interacts with our Services through various social media networks, such as when someone “Likes” us on Facebook or follows us or shares our content on Google, Facebook, Twitter, or other social networks, we may receive some information about individuals that they permit the social network to share with third parties. The data we receive is dependent upon an individual’s privacy settings with the social network, and may include your profile information, profile picture, gender, username, user ID associated with your social media account, age range, language, country, and any other information you permit the social network to share with third parties. Individuals should always review and, if necessary, adjust their privacy settings on third-party websites and social media networks and services before sharing information and/or linking or connecting them to other services. We use this information to operate, maintain, and provide to you the features and functionality of the Service, as well as to communicate directly with you, such as to send you email messages about products and services that may be of interest to you.
- Service Providers: Our service providers that perform services solely on our behalf, such as marketing providers and payment processors, collect personal information and often share some or all of this information with us. The information may include contact information, demographic information, payment information, information about your communications and related activities, and information about your orders. We may use this information to administer and facilitate our services, your orders, and our marketing activities.
- Business Partners: We may receive your information from our business partners, such as companies that offer their products and/or services on our Services. We may use this information to administer and facilitate our services, your orders, and our marketing activities.
- Other Sources: We may also collect Personal Information about individuals that we do not otherwise have from, for example, publicly available sources, third-party data providers, brand partnerships, or through transactions such as mergers and acquisitions. We use this information to operate, maintain, and provide to you the features and functionality of the Service, as well as to communicate directly with you, such as to send you email messages about products and services that may be of interest to you.
Through the provision of our Services, we may also process deidentified information that cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer or household.
Additional Uses of Personal Information
We may use personal information we collect to:
- Fulfill or meet the reason the information was provided, such as to fulfill our contractual obligations, to deliver the Services you have requested and to process transactions, including providing you with a white paper you have requested or an online product demonstration;
- Manage our organization and its day-to-day operations;
- Verify your identity and entitlement to products or Services, when you contact us or access our Services;
- Communicate with individuals, including via email, text message, social media and/or telephone calls;
- For marketing and advertising purposes, including to market to you or offer you through email, direct mail, phone or text message information and updates on products or services we think that you may be interested in (where applicable, we may send you marketing messages if you have given us your consent to do so or where we have relied on the soft opt-in rule);
- Administer, improve and personalize our Services, including by recognizing an individual and remembering their information when they return to our Services;
- Process payment for our Services;
- Facilitate customer benefits and services, including customer support;
- Identify and analyze how individuals use our Services;
- Conduct research and analytics on our customer and user base and our Services;
- Improve and customize our Services to address the needs and interests of our user base and other individuals we interact with;
- Test, enhance, update and monitor the Services, or diagnose or fix technology problems;
- Help maintain the safety, security and integrity of our property and Services, technology assets and business;
- Prevent, investigate or provide notice of fraud or unlawful or criminal activity;
- Comply with contractual and legal obligations and requirements;
- To fulfill any other purpose for which you provide personal information; and
- For any other lawful purpose, or other purpose that you consent to.
Where you choose to contact us, we may need additional information to fulfill the request or respond to inquiries. We may provide you with additional privacy-related information where the scope of the inquiry/request and/or personal information we require fall outside the scope of this Privacy Notice. In that case, the additional privacy notice will govern how we may process the information provided at that time.
OUR DISCLOSURE OF PERSONAL INFORMATION
We may also share, transmit, disclose, grant access to, make available, and provide personal information with and to third parties, as follows:
- Leafwell Entities: We may share personal information with other companies owned or controlled by Leafwell, and other companies owned by or under common ownership as Leafwell, which also includes our subsidiaries (i.e., any organization we own or control) or our ultimate holding company (i.e., any organization that owns or controls us) and any subsidiaries it owns, particularly when we collaborate in providing the Services.
- Marketing Providers: We coordinate and share personal information with our marketing providers in order to communicate with individuals about the Services we make available.
- Customer Service and Communication Providers: We share personal information with third parties who assist us in providing our customer services and facilitating our communications with individuals that submit inquiries.
- Other Service Providers: In addition to the third parties identified above, we engage other third-party service providers that perform business or operational services for us or on our behalf, such as website hosting, infrastructure provisioning, IT services, analytics services, employment application-related services, payment processing services, and administrative services.
- Ad Networks and Advertising Partners: We work with third-party ad networks and advertising partners to deliver advertising and personalized content on our Services, on other websites and services, and across other devices. These parties may collect information directly from a browser or device when an individual visits our Services through cookies or other data collection technologies. This information is used to provide and inform targeted advertising, as well as to provide advertising-related services such as reporting, attribution, analytics and market research. Please see our Cookie Notice for more information.
- Business Partners: From time to time, we may share personal data with our business partners or we may allow our business partners to collect your personal information. Our business partners will use your information for their own business and commercial purposes, including to send you any information about their products or services that we believe will be of interest to you.
- Business Transaction or Reorganization: We may take part in or be involved with a corporate business transaction, such as a merger, acquisition, joint venture, or financing or sale of company assets. We may disclose personal information to a third party during negotiation of, in connection with or as an asset in such a corporate business transaction. Personal information may also be disclosed in the event of insolvency, bankruptcy or receivership.
- Legal Obligations and Rights: We may disclose personal information to third parties, such as legal advisors and law enforcement:
- in connection with the establishment, exercise, or defense of legal claims;
- to comply with laws or to respond to lawful requests and legal process;
- to protect our rights and property and the rights and property of others, including to enforce our agreements and policies;
- to detect, suppress, or prevent fraud;
- to protect the health and safety of us and others; or
- as otherwise required by applicable law.
- With Your Consent: We may disclose personal information about an individual to certain other third parties or publicly with their consent or direction. For example, with an individual’s consent or direction we may post their testimonial on our Sites or service-related publications.
CONTROL OVER YOUR INFORMATION
You may control your information in the following ways:
- Email Communications Preferences. You can stop receiving promotional email communications from us by clicking on the “unsubscribe” link provided in such communications. You may not opt-out of service-related communications (e.g., account verification, transactional communications, changes/updates to features of the Services, technical and security notices).
- Modifying or Deleting Your Information. If you have any questions about reviewing, modifying, or deleting your information, you can contact us directly at email@example.com. We may not be able to modify or delete your information in all circumstances.
CHILDREN’S PERSONAL INFORMATION
Our Services are not directed to, and we do not intend to, or knowingly, collect or solicit personal information from children under the age of 16. If an individual is under the age of 16, they should not use our Services or otherwise provide us with any personal information either directly or by other means. If a child under the age of 16 has provided personal information to us, we encourage the child’s parent or guardian to contact us to request that we remove the personal information from our systems. If we learn that any personal information we collect has been provided by a child under the age of 16, you can contact us directly at firstname.lastname@example.org. and we will promptly delete that personal information.
LINKS TO THIRD-PARTY WEBSITES OR SERVICES
Our Services may include links to third-party websites, plug-ins and applications. Except where we post, link to or expressly adopt or refer to this Privacy Notice, this Privacy Notice does not apply to, and we are not responsible for, any personal information practices of third-party websites and online services or the practices of other third parties. To learn about the personal information practices of third parties, please visit their respective privacy notices.
UPDATES TO THIS PRIVACY NOTICE
We may update this Privacy Notice from time to time. When we make changes to this Privacy Notice, we will change the date at the beginning of this Privacy Notice. If we make material changes to this Privacy Notice, we will notify individuals by email to their registered email address, by prominent posting on our Services, or through other appropriate communication channels. All changes shall be effective from the date of publication unless otherwise provided.
If you have any questions or requests in connection with this Privacy Notice or other privacy-related matters, please send an email to email@example.com.
If you are located in the European Economic Area, United Kingdom, and Switzerland, please contact us using the following information:
We may choose or be required by law to provide different or additional information relating to the processing of personal information (as defined below) about residents of certain countries, regions or states. Please refer below for additional information that may be applicable to you:
California: California consumer privacy laws may provide their residents with additional rights regarding our use of their personal information. To learn more about California residents’ privacy rights, visit CCPA and CPRA Privacy Notice for California Residents. The California “Shine the Light” law gives residents of California the right under certain circumstances to request information from us regarding the manner in which we share certain categories of personal information (as defined in the Shine the Light law) with third parties for their direct marketing purposes. To opt out of the sharing of your personal information with third parties for their own direct marketing purposes, please email us at firstname.lastname@example.org.
Nevada: If you are a resident of the State of Nevada, Chapter 603A of the Nevada Revised Statutes permits a Nevada resident to opt out of future sales of certain covered information that a website operator has collected or will collect about the resident. Although we do not currently sell covered information, please contact us at email@example.com with the subject line “Nevada Opt Out Request” to submit such a request.
EUROPEAN ECONOMIC AREA, UNITED KINGDOM OR SWITZERLAND
Controller: Leafwell, Inc, a company duly incorporated and organized under the laws of United States of America, having its registered address at 9100 South Dadeland Blvd, Suite 1701, Miami, FL 33156, is the “controller” responsible for the processing of personal data in connection with our Service. This means that we determine and are responsible for how your personal data is used.
Legal Basis for Processing
We only process and retain your personal information as permitted under applicable law. For example, we will only process your information where we have established a lawful basis to do, as follows:
- We have a legitimate interest which we believe outweighs your interests or fundamental rights and freedoms. This applies to the following processing activities:
- When we communicate: To respond to your inquiries and, on some occasions, keep records in case of complaints or legal claims.
- When you use our Services: When you access and use our Services, we process technical and analytics data to see if and how our Services can be improved, so that we can offer you a better user experiences in the future.
- Global Suppression List: Avoid contacting you again if you have withdrawn your consent to marketing-related activities.
- Marketing to existing customers (unless you have consented to such marketing): To find, customize and offer products and services we hope you find useful and relevant, i.e., provide you with excellent customer service.
- Sharing personal information with other parties: To run our business efficiently and securely.
- Your consent: Wherever you clearly consent to the processing, for example when you sign up for our newsletters, or submit an application for a medical cannabis card. Here, your consent is implied, meaning that you consent by submitting a particular form. We also rely on your consent for using cookies and other technologies on our website and here you explicitly agree to these. Note that your default setting depends on your location (country), as the rules for using such technologies vary across jurisdictions.
- We are subject to a legal obligation: For any processing where we need to comply with laws and regulations related to bookkeeping, accounting, taxation and employment, for example for keeping records.
We may collect, process, and disclose personal information about you as described in the Our Collection and Use of Personal Information and Our Disclosure of Personal Information sections of the Privacy Notice. The tables at Annex 1 and Annex 2 set out further detail about the categories of personal information we collect about you and how we use that information when you use the Service, as well as the legal basis which we rely on to process the personal information and how we disclose that personal information.
Marketing and Advertising
From time to time we may contact you with information about our services, including sending you marketing messages and asking for your feedback on our Services. Most marketing messages we send will be by email. For some marketing messages, we may use personal data we collect about you to help us determine the most relevant marketing information to share with you.
We may send you marketing messages if you have given us your consent to do so or where we have relied on the soft opt-in rule (where applicable). If you wish to unsubscribe from such communication, please see the details set out above under Control over Your Information of the Privacy Notice.
We will usually store the personal information we collect about you for no longer than necessary for the purposes set out in this Privacy Notice, and in accordance with our legitimate business interests and applicable law. For example, if your personal information is subject to the EU GDPR or UK GDPR, the criteria used to determine the period for which personal data about you will be retained varies depending on the legal basis under which we process the personal data:
- Contract. Where we are processing personal data is based on contract, we generally will retain your personal data for the duration of the contract plus some additional limited period of time that is necessary to comply with law or that represents the statute of limitations for legal claims that could arise from our contractual relationship.
- Legitimate Interests. Where we are processing personal data based on our legitimate interests, we generally will retain such information for a reasonable period of time based on the particular interest, taking into account your fundamental interests and your rights and freedoms.
- Consent. Where we are processing personal data based on your consent, we generally will retain your personal data until you withdraw your consent, or otherwise for the period of time necessary to fulfill the underlying agreement with you or provide you with the applicable service for which we process that personal data.
- Legal Obligation. Where we are processing personal data based on a legal obligation, we generally will retain your personal data for the period of time necessary to fulfill the legal obligation.
- Legal Claim. We may need to apply a “legal hold” that retains information beyond our typical retention period where we face threat of legal claim or intent to establish a claim. In that case, we will retain the information until the hold is removed, which typically means the claim or threat of claim has been resolved.
In all cases, in addition to the purposes and legal bases, we consider the amount, nature and sensitivity of the personal data, as well as the potential risk of harm from unauthorized use or disclosure of your personal data.
Storing and Transferring Your Personal Information
Security. We implement appropriate technical and organizational measures to protect your personal information against accidental or unlawful destruction, loss, change or damage. Leafwell protects your personal information, such as electronic medical records, on servers with strictly controlled and encrypted access. All personnel are highly trained prior to being granted access, and may only do so via our secure channels. We will never send you unsolicited emails or contact you by phone requesting your account ID, password, credit or debit card information or national identification numbers.
International Transfers of Your Personal Information. The personal information we collect may be transferred to and stored in countries outside of the jurisdiction you are in where we and our third-party service providers have operations, including in the United States. If you are accessing our Services from the EEA, UK or Switzerland, your personal information will be processed outside of the EEA, the UK and Switzerland.
In the event of such a transfer, we ensure that: (i) the personal information is transferred to countries recognised as offering an equivalent level of protection; or (ii) the transfer is made pursuant to appropriate safeguards, such as standard contractual clauses adopted by the European Commission. If you wish to enquire further about these safeguards used, please contact us using the details set out at the end of this Privacy Notice.
Your Rights in Respect of Your Personal Information
In accordance with applicable privacy law, you have the following rights in respect of your personal data that we hold:
- Right of access. You have the right to obtain:
- confirmation of whether, and where, we are processing your personal data;
- information about the categories of personal data we are processing, the purposes for which we process your personal data and information as to how we determine applicable retention periods;
- information about the categories of recipients with whom we may share your personal data; and
- a copy of the personal data we hold about you.
- Right of portability. You have the right, in certain circumstances, to receive a copy of the personal data you have provided to us in a structured, commonly used, machine-readable format that supports re-use, or to request the transfer of your personal data to another person.
- Right to rectification. You have the right to obtain rectification of any inaccurate or incomplete personal data we hold about you without undue delay.
- Right to erasure. You have the right, in some circumstances, to require us to erase your personal data without undue delay if the continued processing of that personal data is not justified.
- Right to restriction. You have the right, in some circumstances, to require us to limit the purposes for which we process your personal data if the continued processing of the personal data in this way is not justified, such as where the accuracy of the personal data is contested by you.
- Right to withdraw consent. There are certain circumstances where we require your consent to process your personal data. In these instances, and if you have provided consent, you have the right to withdraw your consent. If you withdraw your consent, this will not affect the lawfulness of our use of your personal data before your withdrawal.
You also have the right to object to any processing based on our legitimate interests where there are grounds relating to your particular situation. There may be compelling reasons for continuing to process your personal data, and we will assess and inform you if that is the case. You can object to marketing activities for any reason.
If you wish to exercise one of these rights, please contact us using the contact details in this Privacy Notice.
Due to the confidential nature of data processing we may ask you to confirm your identity when exercising the above rights.
You also have the right to lodge a complaint to your local data protection authority. If you are based in the European Union, information about how to contact your local data protection authority is available here. If you are based in the UK or Switzerland, your local data protection authorities are the UK Information Commissioner’s Office (https://ico.org.uk/global/contact-us) and the Swiss Federal Data Protection and Information Commissioner (https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/contact/address.html)