Native Roots Cannabis Co Privacy Policy

YOUR PRIVACY AND TRUST ARE IMPORTANT TO US.

Your privacy and trust are important to us. This Privacy Policy (“Privacy Policy”) explains how NR Parentco, LLC (“Native Roots”), including its affiliates and its subsidiaries (collectively “Company” or “we” or “us”) collects, handles, stores and protects Personal Data, as defined by the Colorado Privacy Act of 2021 (“CPA”), about you when you use our website located at www.nativerootscannabis.com (the “Website”), and services accessed through our Website. It also provides information about your rights and how you can contact us if you have questions about how we handle your information.

A. Applicability

This Privacy Policy applies to:

  • The information we collect or that you provide when you access the Website;

  • Our practices for collecting, using, maintaining, protecting, and disclosing that information.

This Privacy Policy DOES NOT apply to information that:

  • We collect offline or through any other Company services; or

  • You provide to or is collected by any third party, whether you access any third-party app or website via the Website. Those websites and apps may have their own privacy policies, which we encourage you to read before providing information on or through them.

Please read this Privacy Policy carefully to understand our policies and practices regarding your information and how we will treat it. If you do not agree with our policies and practices, do not use the Website or any services provided through the Website. This Privacy Policy may change from time to time; we will provide notice of such changes by changing the “Last Updated” date.

B. Age and Residency Restrictions

The Website is offered and available to anyone of legal age to purchase our products or services. Please do not use this Website if you are not at least 21 years of age. We do not knowingly collect Personal Data from anyone who does not meet our age requirements. If we learn we have collected or received Personal Data from an individual who does not meet our minimum age requirements, we will delete that information.

C. Personal Data We Collect and How We Collect It

We collect information in several ways. The type of information we collect depends on how you are interacting with us and which of the Website services you are using.

We collect Personal Data when you provide it directly to us. For example:

  • When you sign up for our newsletter, sign up for text updates, or ask us a question on our Website form, we may ask for contact information including, for example, your name, email address, or phone number (“Contact Data”);

  • From time to time, we may ask for your Personal Data in connection with sweepstakes, contests, or other promotions we or our partners sponsor (“Contest Data”);

  • We collect information when you make a purchase, online or in-person (“Purchase Data”);

  • We collect Personal Data when you report a problem with our services or Website. If you contact us, we may keep a record of that correspondence (“Help Data”);

  • If you fill out a Weed Diary, we will collect data about your preferences, experiences, mental state, and purchases, as you choose to provide them, which could include both personal data and sensitive data such as health data, all as defined by the CPA. You do not have to provide sensitive data in the Weed Diary (“Diary Data”).

  • If you fill out a survey that we request for research purposes, we may store your responses (“Survey Data”).

We also collect information automatically when you visit our Website:

  • Through our server logs and other technologies that collect system/device and usage information, including without limitation IP address, browser type, device type, time spent on pages, and similar information (“Site Data”); and

  • We may place cookies, web beacons, or other trackers on your browser; see Cookies and Other Technology below for more information.

We may also in rare cases collect information about you from third parties to verify your name and email address for marketing purposes.

D. Our Purpose in Collecting Personal Data

We use your Personal Data for our legitimate interests, including to provide and improve our services, administer our relationship with you and our business, for marketing, and to exercise our rights and responsibilities by law. In general, we also use the information we collect to (i) fulfill any other purpose for which you provide it; (ii) give you notices about your account including expiration and renewal notices; and (iii) carry out our obligations and enforce our rights arising from any contracts entered into between you and us.

More specifically:

  • We use Contact Data and Help Data to send you email marketing, text update, and to respond to your queries on our Website, as applicable. We share this Personal Data with hosting, CRM, email marketing, and SMS service providers.

  • We use Contest Data to administer our sweepstakes and other promotions. We may also share Contest Data with our CRM, partners, or joint venturers if they are involved in those promotions, or with event promoters and administrators depending on the event.

  • When you make a purchase from the Website, we provide the Purchase Data to third-party payment and logistics service providers to enable the transaction and deliveries to take place. We share Purchase Data with our third party CRM service provider. We do not receive, store, or maintain your financial information.

  • We may internally use Site Data to improve the Website’s content and layout, to improve outreach, for our direct marketing, and to determine a general geographic and demographic profile of visitors to the Site. We also use Site Data for system administration, order verification, internal marketing, and system troubleshooting purposes. We share this Personal Data with our third party IT service providers to assist us in fulfilling this purpose.

  • We use Diary Data to improve our internal operations and to recommend other products we think you may like. We never sell your Diary Data to a third party; we store all Personal Data with a cloud service hosting provider, the only third party to process your Diary Data. We do not use Diary Data for targeted advertising, as defined by the CPA, but we do use Diary Data to improve our recommendations to you. If you submit a testimonial about one of our products, we will ask your permission before posting it publicly, pursuant to applicable law.

E. Cookies and Other Technologies

Cookies are small pieces of information that a website stores on your computer while you are viewing a website. We may use both session cookies (which expire once you close your web browser) and persistent cookies (most of which have an expiration date, based on the purpose of the cookie, at which point they self-delete) to provide you with a more personal and interactive experience on our Website. You may remove persistent cookies by following Internet browser help file directions. See below for your choices regarding these technologies. We generally use cookies and similar technologies as follows:

  • for “essential” or “functional” purposes, such as to enable various features of the Website like remembering passwords or staying logged in during your session;

  • for social media integration e.g., via third-party social media cookies, when you share information using a social media sharing button or “like” button on our Site, or when you engage with our content on or through a social networking website such as Facebook or Twitter;

  • for analytics purposes, consistent with our legitimate interests in how our Website is used or performs, how users engage with and navigate through the Website, what sites users visit before visiting our Website, how often they visit our Website, and other similar information;

  • subject to any consent required by law, for the purpose of displaying advertisements via retargeting to those users who have visited our Website, or for advertising to visitors to our Website; and

  • subject to any consent required by law, for the purpose of analyzing your feedback on our products on other platforms.

We do not perform targeted advertising, as defined by the CPA. While we may display advertisements to you on or off the Website, those advertisements are based on your interaction with the Website itself and not on your behavior across websites or applications.

F. Third-Party Information Collection

We share your information with third parties for the following purposes:

  • If you subscribe to text updates, we share your phone number with third parties to administer those updates; those third parties are under confidentiality agreements.

  • We may offer services in conjunction with a partner company. To provide co-branded services to you, we share your Personal Data with the applicable partner company to provide co-branded services. If data is being collected and/or maintained by any company other than us, you will be notified prior to the time of such data collection or transfer. If you do not want your data to be shared, you can choose not to allow the transfer by not using a particular service. Certain third parties may use automatic information collection technologies to collect information about you or your device.

  • We share your email address with third parties that help with our marketing efforts, such as email list administrators.

  • We share Personal Data and anonymized data with third party hosting and analytics companies to host the Website and services, and to improve our offerings.

  • We share your Personal Data with payment processors and third-party logistics providers for processing and shipping of your order from the Website.

  • Under confidentiality agreements, we may match user information with third party data.

  • Using your Personal Data, we may create and disclose anonymized user statistics (for example, 47% of our Website users are female) to describe our services to prospective partners, advertisers, or other third parties, and for other lawful purposes, so long as such anonymized data may not be re-identified or used to single out an individual.

  • We may share your information with third parties in special circumstances, such as when we believe in good faith that the law requires it, pursuant to a corporate transaction, or under circumstances described below.

  • We may disclose account information where we have reason to believe that disclosing this information is necessary to identify, contact or bring legal action against someone who may be violating our Terms and Conditions of Use or who may be causing injury or interference with (intentionally or unintentionally) our rights or property, those of other Website users, or anyone else that could be harmed by such activities.

  • We do not sell your Personal Data to third parties for consideration. We do not share your Personal Data for targeted advertising.

G. Disclosure of Aggregated Information

We may disclose aggregated information about our users and information that does not identify any individual without restriction in any way permitted by applicable law.

H. Your Choices About Collection, Use, and Disclosure of Your Information

We strive to provide you with choices regarding the Personal Data you provide to us. This section describes mechanisms we provide for you to control certain uses and disclosures of your information.

  1. Promotions by the Company. When you sign up for various services on our Website, you are agreeing to receive marketing and promotional materials from us. We may deliver marketing and communications to you across various platforms such as e-mail, text messaging, and direct mail. Where required by law, we will ask you to explicitly opt in to receive such marketing from us. If we send you marketing communications, it will include instructions on how to opt out of receiving those communications in the future. If you do not want us to use your telephone number or e-mail address to promote our own or third parties’ products or services, you can also opt-out by sending us an email at Legal@nativeroots.com.

  2. Colorado Privacy Act Rights. Under the CPA, Consumers (as defined in the CPA) have the following rights in their Personal Data:

    • If we ever sell Personal Data or processes Personal Data for targeted advertising, as defined by the CPA, you have the right to opt out of such sale or advertising.

    • To access, correct inaccuracies in, delete, confirm the processing of, or port in a commonly usable format, Personal Data that we collect and maintain about you. You also have the right to revoke your consent to processing of any sensitive Personal Data we may have about you by requesting deletion of your Diary Data.

  3. Exercising your Rights. To exercise your rights under the CPA, please email us at the address below or use this webform. We reserve the right to authenticate your request, retain certain Personal Data to verify your request was completed, or refuse or comply with your request in a modified way as permitted by the CPA. If we refuse or modify your request, we will tell you why and how you may appeal our decision.

I. Loyalty Club

If you participate in the Native Roots Loyalty Club, we will provide you with customized deals, discounts, and recommendations. The following additional provisions apply to our use of your Personal Data in our Loyalty Club.

  • We still collect Contact Data, Purchase Data, Site Data, in addition to other kinds of Personal Data depending on your activities on our Website or participation in Contests. We do not sell your Personal Data from the Loyalty Club, nor do we engage in targeted advertising as defined by the CPA.

  • We use your Purchase Data and Contact data obtained through the Loyalty Club to suggest products and deals you might like.

  • We share the same categories of Personal Data as disclosed in Sections D and F above. We do not provide Personal Data to Data Brokers.

  • We provide all Loyalty Club benefits, including points, wallet, and rewards.

  • If you ask for deletion of your Loyalty Club account, we will remove your Contact Data and prevent a Loyalty Club account from being created with that Personal Data again, subject to our requirements under the CPA and other applicable privacy laws such as HIPAA.

  • If you request deletion of your Loyalty Club account, you will lose all accrued but unused points, rewards, and your wallet. The value of your participation in the Loyalty Club to us is the data that your purchases provide us over time, for which we compensate you with custom deals, discounts, and recommendations; without that data, we are unable to provide you with Loyalty Club discounts, points, and rewards. You will still be able to take advantage of our general sales and deals, but without knowledge of your specific preferences through the Loyalty Club, we cannot customize offers to you.

J. Data Security and Retention

We take the security of your data seriously and we use appropriate technologies and procedures to protect it according to the risk level and the service provided. We have implemented measures designed to secure your Personal Data from accidental loss and from unauthorized access, use, alteration, and disclosure. Financial information will be encrypted using SSL technology.

The safety and security of your information also depends on you. Where we have given you (or where you have chosen) a password for access any part of the Website, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.

Unfortunately, the transmission of information via the internet and mobile platforms is not completely secure. Although we do our best to protect your Personal Data, we cannot guarantee the security of your Personal Data transmitted through our Website. Any transmission of Personal Data is at your own risk. We are not responsible for circumvention of any privacy settings or security measures we provide.

We retain your Personal Data for the period we reasonably believe necessary to fulfill the purpose for which you provided it, usually 4 years from your last interaction with us, whether making a purchase, opening an email, using your account, participating in contests, or similar actions. If you are a medical customer, we retain your Personal Data for at least 6 years from the date of your last interaction with us.

K. Your Rights

Outside of the CPA, when provided by applicable law, you may have rights to access your Personal Data and ask us to rectify, erase or restrict use of your Personal Data. You may also have rights to object to your Personal Data being used, to ask for the transfer of Personal Data you have made available to use, and to withdraw consent to use your Personal Data. We will honor your rights under applicable data protection laws. If you believe you have rights under applicable law that you would like to exercise, please contact us at the email address below.

L. Contact Information

If you have any questions, comments, complaints, or suggestions in relation to data protection of this Privacy Policy, or any other concerns about the way in which we process data about you, please contact us at:

NR Parentco, LLC

Attn: Legal Department 3150 S. Sheridan Blvd, Unit 1

Denver, CO 80227

Telephone: 970-830-4770

Email: Legal@nativerootsdispensary.com