Effective May 11, 2026
Privacy Policy
How CannAgent collects, uses, and protects data on behalf of the licensed cannabis retailers who run the platform.
Who we are
CannAgent is a product of Sureel Ventures LLC, a Washington limited liability company. When this policy says “we,” “our,” or “CannAgent,” that means Sureel Ventures LLC operating the CannAgent platform. Our parent-entity privacy policy for non-CannAgent business (consulting, marketing) lives at sureelai.com/privacy.
What this policy covers
CannAgent has two distinct sets of users:
- Licensed cannabis retailers (our customers) — the dispensary business that subscribes to CannAgent and runs the platform inside its store.
- End-customers of those dispensaries— adults who shop at the retailer’s store and whose loyalty / transaction / preference data is stored inside the retailer’s CannAgent tenant.
CannAgent acts as a data processorfor end-customer data on behalf of the dispensary, which is the data controller. End- customers whose data lives in a CannAgent tenant should refer to the dispensary’s own privacy policy for the controller-level practices.
What we collect
About retailer customers (the dispensary business)
- Business contact information (legal entity name, address, license number, owner’s email + phone)
- State cannabis license details for compliance reporting + Metrc integration
- Subscription billing data (paid via Stripe — see “Sub-processors” below)
- Platform usage analytics (login times, feature interactions — aggregate, no end-customer detail)
On behalf of retailers, about end-customers
- Identity verification artifacts as required by state cannabis law (typically date of birth, ID type, expiration — never the ID image itself unless required by state law)
- Purchase history (line items, prices, discounts, tax) — required for state cannabis recordkeeping
- Loyalty points and tier status
- Phone number and email (only when end-customer has explicitly opted in to receive SMS / email)
- Marketing-opt-in status and consent timestamps
CannAgent does NOT collect: end-customer payment card details (Stripe tokenization; we never see PAN/CVV), biometric data, Social Security numbers, or protected health information.
How we use it
- Operate the CannAgent platform on behalf of the retailer
- Process transactions, update inventory, calculate tax + excise, and submit state-track-and-trace records (Metrc and equivalents)
- Send transactional notifications (receipts, order-ready SMS, password resets) when the recipient has opted in
- Detect fraud and security incidents
- Improve the product through aggregate analytics
- Respond to lawful regulator requests (state cannabis enforcement, tax authorities, court orders)
We do not use end-customer data to train AI models. We do not sell end-customer data. We do notshare end-customer data across retailer tenants — every dispensary’s data is logically isolated.
Sub-processors
We rely on the following third-party service providers (“sub-processors”) to operate the platform:
| Sub-processor | Service | Location | Attestation |
|---|---|---|---|
| Vercel Inc. | Hosting + CDN | USA | SOC 2 Type II |
| Neon Inc. | Postgres database | USA | SOC 2 Type II |
| Clerk Inc. | Identity / auth | USA | SOC 2 Type II |
| Stripe Inc. | Payment processing | USA | PCI DSS Level 1 |
| Anthropic PBC | AI inference | USA | SOC 2 Type II |
| Resend Inc. | Transactional email | USA | SOC 2 Type II |
We notify customers 30 days in advance of adding any new sub-processor with access to customer or end-customer data.
How long we keep it
Retention varies by data type and applicable law:
- Transaction records — 7 years per state cannabis recordkeeping rules (WAC 314-55-083 for Washington customers; analogous rules in NJ, AZ, MI, CO)
- End-customer accounts — for the life of the retailer’s subscription, then archived per the retailer’s instructions
- Audit log — indefinite (regulatory + forensic value)
- Application + access logs — 30 days (Vercel platform), 7 days (Neon query log)
- Marketing-opt-in records — for the life of the opt-in, plus 3 years after opt-out (CAN-SPAM Act safe-harbor)
Your rights
Depending on where you live, you may have legal rights to access, correct, delete, or limit how your personal information is used. The biggest umbrellas:
- California (CCPA / CPRA) — right to know, right to delete, right to correct, right to opt out of “sale” or “sharing”
- European Union / UK (GDPR + UK GDPR) — Article 15 (access), Article 16 (rectification), Article 17 (erasure), Article 20 (data portability), Article 21 (object)
- Other US states — Virginia, Colorado, Connecticut, Utah, and other state laws extend similar rights
To exercise any of these rights, email doug@cannagent.ai with the subject line “Privacy Request” and describe what you want. We respond within 30 days (or 45 if the request is complex, with notice).
Do Not Sell or Share (CCPA)
CannAgent does not sell personal information for money. We do not “share” personal information for cross-context behavioral advertising as those terms are defined by CCPA / CPRA. We use only first-party analytics and never broker end-customer data to third parties.
California residents can confirm or request changes by emailing doug@cannagent.ai with subject line “Do Not Sell or Share — CCPA Request.”
Security
We follow industry-standard practices: encryption at rest (AES-256), encryption in transit (TLS 1.2+), multi-factor authentication on all administrative accounts, per-tenant data isolation, and continuous dependency vulnerability scanning. Full details are in our Information Security Policy, available on request.
If we discover a security incident affecting your data, we notify you within 72 hours of confirmation, consistent with CCPA / GDPR / applicable state-cannabis rules.
Children
Cannabis is restricted to adults 21 and over in every state where CannAgent operates. We do not knowingly collect data from anyone under 21. If you believe a minor’s data is in our system, email doug@cannagent.ai and we will delete it.
Changes
We may update this policy to reflect changes in our practices or applicable law. Material changes will be communicated via email to the retailer’s primary admin at least 30 days before they take effect. The “Effective” date at the top of this page reflects the most recent update.
Contact
Privacy questions, data-subject requests, and DPA / sub-processor inquiries: doug@cannagent.ai.
Sureel Ventures LLC — a Washington limited liability company. Terms of Use.