Privacy Policy

This Privacy Policy describes how CannaBooks Pro LLC (“Company,” “we,” “us,” or “our”) collects, uses, stores, shares, and protects your personal information when you use the CannaBooks Pro platform (“the Service”). By using the Service, you consent to the practices described in this Privacy Policy.

1. Information We Collect

1.1 Information You Provide

• Account Information: Full name, email address, and password when you register
• Organization Data: Business name, EIN, cannabis license number(s), state of operation, and business type
• Financial Data: Chart of accounts, journal entries, expenses, invoices, bills, payroll data, bank transactions, inventory records, budgets, and other financial information you input
• Compliance Data: 280E classifications, METRC integration data, state compliance configurations, and tax filings
• Documents: Receipts, invoices, and other files you upload for OCR processing
• Communications: Messages sent through the AI bookkeeper assistant, support requests, and feedback

1.2 Information Collected Automatically

• Device & Browser Data: IP address, browser type and version, operating system, device type, and screen resolution
• Usage Data: Pages visited, features used, actions performed, timestamps, and session duration
• Security Data: Login timestamps, IP addresses, user-agent strings, failed authentication attempts, and two-factor authentication events (collected for audit and security purposes)
• UTM & Referral Data: Campaign attribution parameters (utm_source, utm_medium, utm_campaign) stored in your browser session to measure advertising effectiveness

1.3 Information from Third Parties

• Plaid: Bank account names, balances, and transaction history when you connect bank feeds
• METRC: Inventory, transfer, and compliance data when you enable state tracking integration

2. How We Use Your Information

We use your information for the following purposes:

• Provide the Service: Process your financial data, generate reports, perform calculations, and deliver the features you use
• Account Management: Authenticate your identity, manage your subscription, and process payments
• AI Features: Power the AI bookkeeper assistant, expense classification, anomaly detection, and forecasting tools
• Security & Fraud Prevention: Detect unauthorized access, monitor for suspicious activity, enforce rate limits, and maintain audit logs
• Communications: Send transactional emails (welcome, billing, password reset, compliance reminders, member invitations) and respond to support requests
• Service Improvement: Analyze aggregated, anonymized usage patterns to improve features, performance, and user experience
• Legal Compliance: Comply with applicable laws, regulations, legal processes, or government requests

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

3. Legal Bases for Processing (GDPR)

If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data under the following legal bases:

• Contract Performance: Processing necessary to provide the Service you subscribed to
• Legitimate Interests: Security monitoring, fraud prevention, service improvement, and analytics
• Legal Obligation: Compliance with applicable laws and regulations
• Consent: Where you have explicitly opted in (e.g., marketing communications)

4. Data Sharing & Disclosure

We may share your information only in the following circumstances:

4.1 Service Providers

We share data with trusted third-party providers who process it on our behalf under strict contractual obligations:

• Plaid — Bank account connection and transaction retrieval
• Amazon Web Services (AWS) — Cloud infrastructure, data storage, and hosting
• Anthropic — AI-powered features (data sent for processing is not retained by Anthropic for training purposes)

4.2 Legal Requirements

We may disclose your information if required to do so by law, regulation, legal process, or governmental request, including but not limited to subpoenas, court orders, or regulatory inquiries.

4.3 Business Transfers

If the Company is involved in a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email or prominent notice on the Service before your information becomes subject to a different privacy policy.

4.4 With Your Consent

We may share information with third parties when you explicitly authorize us to do so (e.g., sharing reports with your CPA through the client portal).

4.5 Aggregated & Anonymized Data

We may share aggregated, de-identified data that cannot reasonably be used to identify you or your business. This includes industry benchmarking data and anonymized usage statistics.

5. Cannabis-Specific Data Protections

We recognize the uniquely sensitive nature of cannabis business data given the federal regulatory landscape. We commit to the following:

• Your financial records, 280E classifications, cultivation batch data, METRC records, and compliance information are treated as strictly confidential
• We will not voluntarily share your data with law enforcement agencies without a valid, enforceable legal order (e.g., court order, warrant, or subpoena)
• We will not sell or share your cannabis-specific data with regulators, competitors, or any third party except as described in Section 4
• If we receive a legal demand for your data, we will attempt to notify you before disclosure unless legally prohibited from doing so
• Employee access to customer data is limited to authorized personnel on a need-to-know basis and is subject to audit logging

6. Data Security

We implement industry-standard technical and organizational measures to protect your data, including:

• TLS/SSL encryption for all data in transit
• AES-256 encryption for data at rest
• Secure AWS infrastructure with VPC isolation
• Role-based access controls with hierarchical permissions (viewer, bookkeeper, accountant, admin, owner)
• HMAC-SHA256 hashing for sensitive tokens (invitations, API keys)
• Bcrypt password hashing with salt
• Two-factor authentication (TOTP) support
• SOC 2-aligned audit trail with hash chain integrity verification
• Automated account lockout after repeated failed login attempts
• Security event logging with IP address and user-agent tracking

Despite these measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security and are not liable for breaches resulting from circumstances beyond our reasonable control, including sophisticated cyberattacks, zero-day vulnerabilities, or third-party service compromises.

7. Data Retention

We retain your information according to the following schedule:

• Active Accounts: Data is retained for the duration of your account and subscription
• After Account Deletion: Personal data is deleted within 30 days of account closure. Financial data and documents are deleted within 30 days unless you request an export
• Audit Logs: Security and audit logs are retained for 7 years as required for SOC 2 compliance and regulatory purposes
• Backup Copies: Data in backups is overwritten on a rolling 90-day cycle
• Legal Holds: Data subject to pending litigation or regulatory inquiry may be retained beyond the standard schedule as required by law

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you
• Correction: Request correction of inaccurate or incomplete data
• Deletion: Request deletion of your personal data (“right to be forgotten”)
• Data Portability: Request an export of your data in a machine-readable format (CSV, JSON)
• Restriction: Request that we limit how we process your data
• Objection: Object to processing based on legitimate interests
• Withdraw Consent: Where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, contact us at privacy@cannabookspro.com. We will respond within 30 days (or 45 days for complex requests, with notice). We may require identity verification before processing your request.

9. California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

• Right to Know: You may request details about the categories and specific pieces of personal information we have collected, the sources of collection, the business purposes, and the categories of third parties with whom we share it
• Right to Delete: You may request deletion of your personal information, subject to certain legal exceptions
• Right to Opt-Out of Sale: We do not sell your personal information. If this changes, we will provide a “Do Not Sell My Personal Information” link
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights
• Right to Correct: You may request correction of inaccurate personal information

To submit a CCPA request, email privacy@cannabookspro.com with the subject line “CCPA Request.”

10. International Data Transfers

The Service is hosted in the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction.

By using the Service, you consent to the transfer of your information to the United States. Where required by applicable law (e.g., GDPR), we rely on Standard Contractual Clauses or other approved transfer mechanisms to ensure adequate protection of your data.

11. Cookies & Local Storage

We use the following browser storage mechanisms:

• localStorage: Authentication tokens (JWT) to maintain your session, theme preferences, and sidebar state. These are essential for the Service to function
• sessionStorage: UTM campaign parameters for attribution tracking (cleared when you close the tab)

We do not use third-party tracking cookies, advertising pixels, or cross-site tracking technologies. We do not participate in ad networks or behavioral advertising.

12. Children’s Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 18, we will promptly delete it. If you believe a child has provided us with personal information, contact us at privacy@cannabookspro.com.

13. Third-Party Links

The Service may contain links to third-party websites or services that are not operated by us. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services. We encourage you to review the privacy policy of every site you visit.

14. Data Breach Notification

In the event of a data breach that compromises your personal information, we will:

• Notify affected users via email within 72 hours of discovering the breach
• Notify applicable regulatory authorities as required by law
• Provide a description of the breach, the data affected, and the steps we are taking to address it
• Offer guidance on steps you can take to protect yourself

15. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or prominent in-app notification at least 30 days before they take effect. The “Last updated” date at the top of this page reflects the most recent revision.

Your continued use of the Service after the effective date of a revised Privacy Policy constitutes your acceptance of the changes. If you do not agree with the revised policy, you must stop using the Service and close your account.

16. Contact Us

For privacy-related questions, data requests, or concerns, contact us at:

CannaBooks Pro LLC
Email: privacy@cannabookspro.com

If you are not satisfied with our response, you may have the right to lodge a complaint with your local data protection authority.