Privacy Policy
Last updated: April 25, 2026
This Privacy Policy describes how Oxbow Edge LLC (d/b/a "OpenCOA," "we," "us," or "our") collects, uses, and protects your information when you use our cannabis lab data platform (the "Service"). Oxbow Edge LLC is a New York limited liability company and the data controller for the Service.
OpenCOA operates exclusively within the United States. We do not knowingly collect data from individuals outside the US. Our services are governed by US federal law and New York State law, including the New York SHIELD Act. International data protection regulations such as GDPR do not apply to our services.
1. Information We Collect
1.1 Information You Provide
- Account Information: Email address and password when you register
- COA Uploads: Certificate of Analysis documents you upload to the platform
- Favorites: COAs you save to your personal collection
- Community Notes: Any notes or comments you submit on COA pages
1.2 Information Collected Automatically
- Usage Data: Pages visited, features used, and general interaction patterns
- Device Information: Browser type, operating system, and device identifiers
- Log Data: IP address, access times, and referring URLs
1.3 Cookies
We use only essential cookies required for the Service to function:
- Session Cookies: To maintain your login state and provide CSRF protection
- Preference Cookies: To remember your settings (e.g., theme preference)
We do not use advertising cookies, third-party tracking pixels, or analytics cookies that share data with external parties.
1.4 Analytics
We use Plausible Analytics, a privacy-focused, open-source analytics tool that we self-host on our own infrastructure. Plausible does not use cookies, does not collect personal information, and does not track you across websites.
- What it collects: Page URL, referral source, browser, operating system, device type, and country (derived from IP address, which is never stored)
- What it does NOT collect: Personal information, cookies, cross-site tracking data, or individual user profiles
All analytics data stays on our servers. No data is shared with third parties. For more information, see Plausible's Data Policy.
1.5 Payment Information
OpenCOA accepts two payment methods. We do not store full card numbers, CVVs, or bank credentials on our servers under either method.
- Bitcoin Lightning (lifetime membership): Payments are routed via the Lightning Network. No traditional card or bank credentials are collected. We store only a transaction ID, payment date, and the USD-equivalent value at the time of payment, used to reconcile your account. OpenCOA does not hold or transact in cryptocurrency.
- ACH / bank debit (recurring API Researcher tier): Processed by our ACH processor. Details in section 1.6.
1.6 Bank Account Information (ACH)
If you authorize an ACH debit, your routing and account numbers are entered on our authorization page and immediately forwarded to our ACH processor for tokenization. They are not stored on our servers or retained in application logs.
- What we retain: The last 4 digits of your account number (for your reference), a tokenized identifier returned by the processor, and the rendered text of the authorization you consented to. Records are retained for at least two (2) years per NACHA operating rules.
- What the processor retains: The full payment details necessary to process the transaction, governed by the processor's own privacy policy. The current ACH processor and a link to its privacy policy are available on request from privacy@opencoa.org.
- No third-party sharing beyond the payment processor. We do not sell or share bank information with marketers, data brokers, or affiliates.
2. How We Use Your Information
We use your information solely to:
- Provide and maintain the Service
- Manage your account and authenticate your access
- Process and display COA uploads after moderation
- Send essential service communications (password resets, security alerts)
- Detect and prevent abuse, fraud, or security incidents
- Comply with legal obligations
We do NOT:
- Sell your personal information to third parties
- Share your data with advertisers or marketing companies
- Use your data for profiling or automated decision-making
- Send unsolicited marketing communications
3. Information Sharing
We share your information only in the following limited circumstances:
- Service Providers: Hosting and infrastructure providers who process data on our behalf under strict confidentiality agreements
- Legal Requirements: When required by law, court order, or government request
- Safety: To protect the rights, safety, or property of OpenCOA or others
- Business Transfers: In connection with a merger or acquisition (with advance notice to you)
Public Information: COAs you upload, once verified, become publicly accessible. Community notes you submit are visible to other users. Your email address is never displayed publicly.
4. Data Security
We implement administrative, technical, and physical safeguards to protect your information, including:
- Encryption of data in transit (TLS/HTTPS) and at rest
- Secure password hashing (bcrypt)
- Regular security assessments and monitoring
- Access controls limiting employee access to personal data
- Secure cloud infrastructure with industry-standard protections
4.1 New York SHIELD Act Compliance
In compliance with the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act, we maintain a comprehensive data security program. In the event of a data breach affecting New York residents, we will:
- Notify affected individuals within 30 days of discovery
- Report to the New York Attorney General, Department of State, and State Police as required
- Provide information about the breach and steps you can take to protect yourself
5. Data Retention
- Account Data: Deleted when you delete your account
- COA Uploads: Verified COAs remain publicly available indefinitely as part of our public data mission
- Log Data: Retained for up to 12 months for security and troubleshooting
- Deleted Content: Removed from active systems immediately upon deletion, but may persist in encrypted backups for up to 90 days
6. Your Rights
You have the right to:
- Access: Request a copy of your personal data
- Correction: Update or correct inaccurate information
- Deletion: Request deletion of your account and personal data
- Export: Receive your data in a portable format
- Withdraw Consent: Where processing is based on consent, withdraw it at any time
To exercise these rights, contact us at privacy@opencoa.org or through your account settings.
7. Age Restriction
This Service is intended for adults 21 years of age or older. We do not knowingly collect personal information from anyone under 21. If you are under 21, do not use this Service or provide any information. If we learn we have collected information from someone under 21, we will delete it promptly.
8. Cannabis Industry Privacy Considerations
Additional privacy practices specific to cannabis-related data:
- Data Minimization: We collect only what is necessary to operate the Service.
- No Third-Party Sharing: We do not sell or share your data with cannabis industry marketing companies.
- Anonymous Browsing: You can browse public COAs without creating an account.
9. Third-Party Links
Our Service may contain links to external websites (e.g., research citations, lab websites). We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy with a new "Last updated" date
- Sending an email notification for significant changes
- Displaying a prominent notice on the Service
Your continued use of the Service after changes constitutes acceptance of the updated policy.
11. Contact Us
If you have questions about this Privacy Policy or wish to exercise your rights, contact Oxbow Edge LLC:
- Email: privacy@opencoa.org
- Mail: Oxbow Edge LLC, 418 Broadway, Ste N, Albany, NY 12207
- Web: https://opencoa.org/faq
OpenCOA operates in accordance with New York State cannabis regulations (9 NYCRR § 130) and verifies laboratory data against NYS Office of Cannabis Management (OCM) license records. This platform is informational only and does not facilitate sales or transactions.