Privacy Policy
Last updated: February 7, 2026
This Privacy Policy describes how OpenCOA ("we," "us," or "our") collects, uses, and protects your information when you use our cannabis lab data platform (the "Service"). We are committed to protecting your privacy, especially given the sensitive nature of cannabis-related data.
1. Information We Collect
1.1 Information You Provide
- Account Information: Email address and password when you register
- COA Uploads: Certificate of Analysis documents you upload to the platform
- Favorites: COAs you save to your personal collection
- Community Notes: Any notes or comments you submit on COA pages
1.2 Information Collected Automatically
- Usage Data: Pages visited, features used, and general interaction patterns
- Device Information: Browser type, operating system, and device identifiers
- Log Data: IP address, access times, and referring URLs
1.3 Cookies
We use only essential cookies required for the Service to function:
- Session Cookies: To maintain your login state and CSRF protection
- Preference Cookies: To remember your settings (e.g., theme preference)
We do not use advertising cookies, third-party tracking pixels, or analytics cookies that share data with external parties.
1.4 Payment Information
If you purchase a membership, payments are processed by Stripe, a third-party payment processor. We do not store your full credit card number, CVV, or billing details on our servers.
- What we store: Transaction ID, payment date, amount, and last 4 digits of your card (for your reference only)
- What Stripe stores: Full payment details necessary to process the transaction, governed by Stripe's Privacy Policy
2. How We Use Your Information
We use your information solely to:
- Provide and maintain the Service
- Manage your account and authenticate your access
- Process and display COA uploads after moderation
- Send essential service communications (password resets, security alerts)
- Detect and prevent abuse, fraud, or security incidents
- Comply with legal obligations
We do NOT:
- Sell your personal information to third parties
- Share your data with advertisers or marketing companies
- Use your data for profiling or automated decision-making
- Send unsolicited marketing communications
3. Information Sharing
We share your information only in the following limited circumstances:
- Service Providers: Hosting and infrastructure providers who process data on our behalf under strict confidentiality agreements
- Legal Requirements: When required by law, court order, or government request
- Safety: To protect the rights, safety, or property of OpenCOA or others
- Business Transfers: In connection with a merger or acquisition (with advance notice to you)
Public Information: COAs you upload, once verified, become publicly accessible. Community notes you submit are visible to other users. Your email address is never displayed publicly.
4. Data Security
We implement administrative, technical, and physical safeguards to protect your information, including:
- Encryption of data in transit (TLS/HTTPS) and at rest
- Secure password hashing (bcrypt)
- Regular security assessments and monitoring
- Access controls limiting employee access to personal data
- Secure cloud infrastructure with industry-standard protections
4.1 New York SHIELD Act Compliance
In compliance with the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act, we maintain a comprehensive data security program. In the event of a data breach affecting New York residents, we will:
- Notify affected individuals within 30 days of discovery
- Report to the New York Attorney General, Department of State, and State Police as required
- Provide information about the breach and steps you can take to protect yourself
5. Data Retention
- Account Data: Retained while your account is active, plus 24 months after deletion for legal compliance
- COA Uploads: Verified COAs remain publicly available indefinitely as part of our data archive mission
- Log Data: Retained for up to 12 months for security and troubleshooting
- Deleted Content: Removed from active systems within 30 days; may persist in encrypted backups for up to 90 days
6. Your Rights
You have the right to:
- Access: Request a copy of your personal data
- Correction: Update or correct inaccurate information
- Deletion: Request deletion of your account and personal data
- Export: Receive your data in a portable format
- Withdraw Consent: Where processing is based on consent, withdraw it at any time
To exercise these rights, contact us at privacy@opencoa.org or through your account settings.
7. Age Restriction
This Service is intended for adults 21 years of age or older. We do not knowingly collect personal information from anyone under 21. If you are under 21, do not use this Service or provide any information. If we learn we have collected information from someone under 21, we will delete it promptly.
8. Cannabis Industry Privacy Considerations
We recognize that cannabis consumers have heightened privacy concerns due to the evolving legal landscape. We are committed to:
- Data Minimization: Collecting only what is necessary to operate the Service
- No Third-Party Sharing: Never selling or sharing your data with cannabis industry marketing companies
- Anonymous Browsing: You can browse public COAs without creating an account
- Transparency: Being clear about what we collect and why
9. Third-Party Links
Our Service may contain links to external websites (e.g., research citations, lab websites). We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy with a new "Last updated" date
- Sending an email notification for significant changes
- Displaying a prominent notice on the Service
Your continued use of the Service after changes constitutes acceptance of the updated policy.
11. Contact Us
If you have questions about this Privacy Policy or wish to exercise your rights:
- Email: privacy@opencoa.org
- Web: https://opencoa.org/faq
OpenCOA operates in accordance with New York State cannabis regulations (9 NYCRR § 130) and verifies laboratory data against NYS Office of Cannabis Management (OCM) license records. This platform is informational only and does not facilitate sales or transactions.