Version 2.0 - Updated 2026-05-30
Account Information: When you create an account, we collect your email address and any profile information you provide through our authentication provider (Clerk). We also store your account tier role (consumer or business) and, for business-tier accounts, your marketing consent timestamp and the policy version you consented to at sign-up.
Device & Browser Data: We automatically collect device type (mobile, tablet, desktop), operating system, browser type, and screen resolution to optimize your experience.
Usage Data: We collect anonymized usage data including pages visited, products and dispensaries viewed, click interactions, search queries performed on our platform, and the page from which you arrived (referrer). IP addresses are hashed using SHA-256 with a salt and are never stored in raw form.
Approximate Location: We derive your approximate city and region from your IP address (not precise GPS coordinates) to show relevant dispensary results. This information is stored only in aggregate with anonymized analytics data.
Precise Location (opt-in only): If you use the "Near Me" feature, your browser will prompt you for GPS access. This location data is used only in your browser to calculate distances to dispensaries. We do not store your precise GPS coordinates on our servers.
Preferences: We store your favorites, follows, and other preferences to personalize your experience.
Consent Records: We log your consent choices (acceptance or declination of analytics tracking, business-tier marketing consent, and the policy version in effect at consent time) for compliance and audit purposes.
We use your information to: provide and improve the Service; personalize your browsing experience; maintain your favorites and follows; sort dispensaries by proximity when you opt in; communicate service updates; analyze aggregate usage patterns (device types, popular products, geographic distribution of users) to improve the platform; detect and prevent abuse; and, for business-tier accounts only, send marketing communications under the terms described in Section 5. We do not sell your personal information to third parties.
THC Minnesota offers two free account tiers:
You can change your tier at any time through your account settings. Switching from business to consumer revokes your marketing consent prospectively (we stop sending marketing communications going forward) but does not retroactively delete records of communications already sent.
When you first visit THCMinnesota.com, we present a consent banner. You may accept or decline analytics tracking. Declining analytics does not affect your ability to browse the site or use core features.
When you sign up for an account or change your tier to business, you are presented with a separate, explicit consent request for marketing communications under Section 5. Marketing consent is granular and revocable.
Precise geolocation ("Near Me") requires separate, explicit browser permission and can be revoked through your browser settings at any time.
You can change any consent preference at any time by:
This section applies only to business-tier accounts. Consumer-tier accounts do not receive marketing communications and may skip this section.
By selecting business-tier access, you consent to receive marketing communications from the named parties listed in Section 6. Marketing communications may include:
Marketing communications are sent by email to the address associated with your account. Frequency is intended to be no more than weekly per named party under normal operation.
Each marketing email includes an unsubscribe link that revokes your consent to receive further marketing communications from that named party. You may also revoke all marketing consent at once by switching your account tier from business to consumer in your account settings.
Revoking marketing consent does not affect your account's other privacy protections, your ability to use the Service, or the retention of data described in Section 9.
We record your consent decision with a timestamp and the version of this policy in effect at the time of consent. If we materially change Section 5 or Section 6 of this policy, we will treat your prior consent as expired and ask you to re-consent on your next login.
The following entities are authorized to send you marketing communications under your business-tier consent. No other party is authorized to receive your contact information for marketing purposes under this policy.
Both entities are under common ownership and operation. We will update this section if additional named parties are added in a future policy version; any addition will trigger a re-consent request as described in Section 5.
We do not share your contact information with any third party for marketing purposes outside the named parties listed in this section.
Your data is stored securely using industry-standard encryption via Supabase (hosted on AWS). Authentication is handled by Clerk, a SOC 2 Type II certified identity provider. Analytics data is stored separately from account data and cannot be linked to your identity. Marketing consent records are stored in a dedicated audit table separate from your account record. We implement reasonable security measures to protect your information, but no system is completely secure.
We understand the sensitivity of cannabis-related data. We do not track or store information about cannabis purchases. We do not share your browsing activity or favorites with dispensaries, law enforcement, or any third party. Your product browsing is anonymized; we cannot link click-tracking data back to your identity. We have no information about whether you purchase or consume cannabis products. Approximate location data derived from IP addresses is stored only alongside anonymized session fingerprints.
Business-tier marketing communications described in Section 5 are sent based on your account email and do not incorporate or reference your browsing activity, favorites, or product views. Marketing is generic-broadcast, not behavioral targeting.
We use the following third-party services: Clerk for authentication, Supabase for data storage, Railway for hosting, Resend for transactional and marketing email delivery, and ip-api.com for IP-based city/region geolocation (IP addresses are sent to this service server-side only; no user data beyond the IP is shared). Each service has its own privacy policy governing its handling of data. None of these services is authorized to send you marketing communications on its own behalf.
We use essential cookies for authentication and session management. We use browser sessionStorage to remember your analytics consent choice for the duration of your browsing session. We do not use advertising cookies, third-party tracking cookies, or persistent local storage for tracking purposes.
Account data is retained as long as your account is active. Anonymized analytics data (click events, page views) is retained for up to 24 months for aggregate trend analysis and is then deleted. Consent records are retained for 36 months for compliance purposes. Marketing consent records are retained for 36 months following revocation to demonstrate compliance with your consent and revocation timestamps.
You may request deletion of your account and all associated data at any time by contacting us. Deletion includes removal of your marketing consent record after the 36-month retention period in Section 11.
You may export your favorites, follows, and consent history.
You may decline or revoke consent for analytics tracking, business-tier marketing, or geolocation at any time.
Under Minnesota law, you have the right to know what personal information we collect and to request its deletion.
The Service is not intended for anyone under 21 years of age. We do not knowingly collect information from anyone under 21. If we learn that we have collected information from a person under 21, we will delete it promptly.
This policy is versioned. The current version is shown at the top of this page. We may update the policy at any time.
Non-material changes (typo corrections, clarifying language that does not affect your rights or our data handling) will be applied immediately and noted in a changelog without re-consent.
Material changes that affect any of the following will trigger a re-consent request on your next login:
We will notify registered users of material changes via email. Continued use of the Service after a material change without re-consenting may limit your account to consumer-tier access.
Privacy questions, consent inquiries, deletion requests, and unsubscribe issues that the in-email link cannot resolve may be directed to hello@thcminnesota.com.
For legal inquiries directed specifically to Hammer Forge Apps LLC or Uniflora Holistics LLC, use info@thcminnesota.com.