Privacy Policy
Revision Version: 1.0
Last Updated: 01-17-2025
Important Notice: This Privacy Policy reflects our dedication to safeguarding your privacy and outlines our practices for collecting, using, protecting, and handling your personal and medical information in compliance with applicable laws and regulations, including the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). We encourage you to read this document carefully to understand your rights and choices regarding your information and how we operate to protect your privacy.
1. Introduction
Welcome to SYNAP, LLC. We are committed to protecting your personal information and your right to privacy. This comprehensive privacy policy explains in detail how we handle your data, your rights, and our obligations as a data controller and processor. For questions or concerns, please contact us at support@synap.cloud.
1.1 Scope and Application
This policy applies to all services provided through:
2. Information Collection and Processing
2.1 Types of Information Collected
Personal Information:
- Email address
- First and last name
- Date of birth (DOB)
- Phone number
- Patient ID
- Membership details (e.g., plan type)
- Store information (for registered store clients: store name, representative, location)
- Recommendation provider details
- Medical recommendation documents and images
- Recommendation expiration dates
- Pass creation data for Samsung Wallet / Apple Wallet (where applicable)
- QR code information for Medi Pass and other ID passes
Technical Information:
- IP addresses
- Browser and device information
- Cookie data
- Usage statistics
- Authentication tokens (including JSON Web Tokens, a.k.a. JWTs)
- Allowed file types for uploads: png, jpg, jpeg, gif, txt
- System and server logs (Flask logs, IP addresses, user agent details)
2.2 Processing Activities and Legal Basis
| Processing Activity | Legal Basis | Retention Period |
| --- | --- | --- |
| User Registration | Contractual Necessity | Duration of account + 1 year |
| Medical Recommendation Processing | Explicit Consent | Duration of validity + 2 years |
| Communication | Legitimate Interest | 2 years from last interaction |
| Security Logging (e.g., IP logs) | Legal Obligation | 3 years |
| JWT/Session Data | Contractual Necessity | Expires after 1 hour (JWT), plus session lifetime of 1 hour |
| Upload Counts | Legitimate Interest | Stored until no longer needed for analytics |
| Edit History | Legitimate Interest | Indefinite or until no longer required |
3. International Data Transfers
3.1 Data Storage Locations
We utilize Google Cloud Platform services for data storage and processing. Your information may be processed and stored in various locations globally, including:
- United States (Primary)
- European Union
- Asia Pacific Region
Additionally, user-generated files and images may be stored in Google Drive when you authorize our application to link with your Google account. We adhere to Google's security and compliance standards for such integrations.
3.2 Transfer Safeguards
We implement the following safeguards for international data transfers:
- Standard Contractual Clauses (SCCs)
- Data Processing Agreements (DPAs)
- Privacy Shield certification (where applicable)
- End-to-end encryption for data in transit
- Regular audits of data protection measures
4. Third-Party Service Providers
4.1 Core Service Providers
| Provider | Service | Data Accessed | Security Measures |
| --- | --- | --- | --- |
| Google Cloud Platform | Infrastructure & Authentication | User data, Documents | ISO 27001, SOC 2/3 |
| SendGrid | Email Communication | Email, Name | GDPR, CCPA Compliant |
| Google Vision API | Document Processing | Document Images | Encrypted Processing |
| Google Drive | User File Storage (Optional) | Images, PDFs, documents | Encrypted at rest and in transit |
| Redis | Session & Token Management | Session data, Blacklisted tokens | In-memory storage, SOC 2 Type II environment |
4.2 Service Provider Compliance
- All providers maintain SOC 2 Type II certification (or equivalent)
- Regular security assessments and audits
- Contractual data protection obligations
- Data processing agreements in place
5. Data Security Measures
5.1 Technical Security Measures
- Encryption:
  - AES-256 encryption for data at rest
  - TLS 1.3 for data in transit
  - Encrypted backup storage
  - Encryption of QR codes, .pkpass files (Apple Wallet), and .wpk files (Samsung Wallet)
- Access Controls:
  - Multi-factor authentication (MFA)
  - Role-based access control (RBAC)
  - Least privilege principle
- Network Security:
  - Web application firewall (WAF)
  - DDoS protection
  - Regular penetration testing
- HTTP Security Headers:
  - Strict-Transport-Security (HSTS)
  - Content-Security-Policy (CSP)
  - X-Content-Type-Options, X-Frame-Options, etc.
- Reverse Proxy & HTTPS Enforcement:
  - All traffic is served via HTTPS, forcing secure connections (TLS/SSL) at the server level.
  - Requests pass through an Nginx reverse proxy, which adds security headers and logs all requests.
  - Automatic redirects from HTTP to HTTPS to ensure encrypted communication.
- API Rate Limiting:
  - Default limits of 300 requests per day and 100 requests per hour per IP address.
  - Certain endpoints have additional per-minute restrictions (e.g., 3 to 5 requests per minute) to further mitigate brute-force attempts, DDoS attacks, and other malicious activities.
  - Configurations are reviewed periodically to balance performance and security.
5.2 Organizational Security Measures
- Employee Training:
  - Annual security awareness training
  - HIPAA compliance training
  - Data protection best practices
- Security Policies:
  - Incident response procedures
  - Change management policies
  - Access review processes
6. Medical Information Handling
6.1 HIPAA Compliance
We are not a HIPAA-covered entity because we do not meet the definition of:
- A healthcare provider transmitting health information electronically
- A health plan
- A healthcare clearinghouse
Nevertheless, we strive to implement HIPAA-grade security measures to protect sensitive information and maintain the trust of our clients and users. Our safeguards include:
- Encryption of All Medical Data: Ensuring that all medical information is encrypted both in transit and at rest using industry-standard encryption protocols.
- Secure Access Controls: Employing multi-factor authentication, role-based access permissions, and other secure access controls to restrict unauthorized access to sensitive data.
- Comprehensive Audit Logging: Maintaining detailed audit logs for all access and modifications to medical and administrative data to enable accountability and transparency.
- Regular Security Assessments: Conducting routine security risk assessments and implementing necessary updates to address potential vulnerabilities and ensure compliance with applicable data protection standards.
6.2 Special Category Data Protection
- Separate encryption keys for medical data
- Restricted access to authorized personnel only
- Additional authentication for medical data access
- Automated data purging based on retention policies
6.3 State Medical Marijuana Program Compliance
We recognize and respect that different states in the United States have specific laws and regulations governing the possession, distribution, and use of medical marijuana. In order to remain compliant with these state programs, we:
- Verify the authenticity of medical marijuana recommendations based on each state's regulatory framework.
- Maintain updated knowledge of state-specific rules regarding the collection, handling, and storage of medical marijuana information.
- Prohibit unauthorized access to or disclosure of patient data that is collected in connection with these programs.
- Implement policies and procedures to address state inspection requests, audits, and compliance reviews.
6.4 Additional Details About Recommendation Processing and Storage
Our platform facilitates the submission and processing of medical marijuana recommendations from authorized healthcare providers. Here is how we manage these recommendations:
- Document Verification: Recommendations are checked for legitimacy and validity based on the information provided by the issuing provider and applicable state regulations.
- Secure Storage: Valid recommendations are encrypted and stored in secure, access-controlled databases to ensure confidentiality and compliance with relevant regulations.
- Expiration Tracking: Recommendation records include expiry dates, after which we notify users (where legally allowed) or remove expired data from active use to maintain compliance with retention rules.
- Restricted Access: Only authorized users (e.g., the patient, legitimate store or service providers, and designated staff) may view recommendation details, in accordance with applicable state privacy laws.
6.5 Scope of Medical Data
While we handle medical marijuana recommendations, we do not store or transmit detailed medical conditions or diagnoses. The information we process is limited to data necessary for verifying the validity of the recommendation itself (e.g., issuing provider details, expiration date, and patient ID). By design, we do not collect or maintain comprehensive patient health records or diagnostic information.
7. Cookie Policy and Tracking Technologies
7.1 Types of Cookies Used
| Cookie Name | Type | Purpose | Duration | Necessary? |
| --- | --- | --- | --- | --- |
| medi_plus_access_token | Session Cookie | User authentication token (Medi+) | 1 hour (or session) | Yes |
| medi_plus_refresh_token | Session Cookie | Token refresh authentication (Medi+) | 1 hour (renewable) | Yes |
| medi_plus_session | Session Cookie | Session state management (Medi+) | 1 hour (or session) | Yes |
| medi_pass_access_token | Session Cookie | User authentication token (Medi Pass) | 1 hour (or session) | Yes |
| medi_pass_session | Session Cookie | Session state management (Medi Pass) | 1 hour (or session) | Yes |
| admin_access_token | Session Cookie | Admin authentication token (single authorization) | 1 hour (or session) | Yes |
| register_access_token | Session Cookie | Registration authentication token (single authorization) | 1 hour (or session) | Yes |
| Security Cookies | Security | CSRF protection, JWT cookie checks | Session | Yes |
| Preference Cookies | Preference | User settings | 1 year | No |
| Analytics Cookies | Analytics | Usage statistics | 2 years | No |
7.2 Cookie Control
We use cookies that are essential to the security and functionality of our services, including user authentication and session management. These cookies are strictly necessary, and the service cannot function without them.
If you do not wish to accept essential cookies, you will not be able to use our services. By continuing to use our platform, you acknowledge the use of these strictly necessary cookies. For other optional cookies (e.g., analytics or preferences), you may manage your browser settings or use our consent tool to opt out if desired.
7.3 Additional Cookie Clarifications
- JWT Cookies (Medi+, Medi Pass, Admin, Register): We use JSON Web Tokens (JWTs) stored in session cookies for each application segment. These cookies validate user identity and session status.
  - Medi+ and Medi Pass: Ensure that patients and store clients access their respective dashboards securely.
  - Admin and Register: Single authorization only (no refresh tokens), locked to a single authorized Google account for enhanced security and to prevent unauthorized access.
- CSRF Cookies: For certain requests (e.g., form submissions or data changes), CSRF tokens are set and validated to mitigate cross-site request forgery. These tokens are stored in separate security cookies and must match the tokens in request headers for the request to succeed.
- Single Google Account Restriction (Admin/Register): For enhanced security, only one preauthorized Google account is allowed to authenticate in the Admin and Register portals. This ensures that unauthorized individuals cannot manage user registrations or access administrative tools.
8. Data Protection Rights
8.1 Your Rights
- Right to Access:
  - Request copies of your personal data
  - Verification required within 30 days
- Right to Rectification:
  - Correct inaccurate information
  - Complete incomplete information
- Right to Erasure:
  - Request data deletion
  - Subject to legal retention requirements
  - Processed within 30 days
- Right to Restrict Processing:
  - Limit how we use your data
  - Maintain but not process data
  - Temporary or permanent restrictions
- Right to Data Portability:
  - Receive data in structured format
  - Transfer data to another provider
  - Direct transfer where technically feasible
- Right to Object:
  - Object to processing for specific purposes
  - Object to direct marketing
  - Object to automated decision-making
8.2 Exercise Your Rights
- How to Submit a Request: Submit your request via email to support@synap.cloud.
- Provide Verification Information: To protect your data and comply with legal requirements, we will need to verify your identity. You may be asked to provide information such as:
  - Your full name
  - Email address associated with your account
  - Additional verification details (e.g., proof of authorization if acting as an authorized agent)
- Specify the Right Being Exercised: Clearly indicate the specific right(s) from subsection 8.1 you wish to exercise.
- Processing Time: We will respond to verifiable requests within 30 days of receipt. If additional time is required, we will notify you of the extension and explain the delay.
- Authorized Agents: If you are submitting a request on behalf of another person, please provide proof of authorization, such as a signed permission letter or valid power of attorney.
- Limitations: Certain rights may be subject to limitations or exemptions as allowed by law. We may retain data to comply with legal obligations, resolve disputes, or enforce agreements.
- Additional Assistance: If you have questions about your rights or need assistance, please contact us at support@synap.cloud.
8.3 Data Deletion Requests from Patients
- Requesting Deletion of Medical Data: Patients may request the complete or partial deletion of their medical recommendation information by contacting us at support@synap.cloud and providing the necessary identifying details.
- Verification and Authorization: We will verify that the request comes from the patient (or an authorized agent). If additional documents or proof of identity are required, we will contact you for further information.
- Retention Exceptions: While we strive to honor all patient requests, certain data may be retained if required by state or federal law, regulatory obligations, or for legal compliance (e.g., audit logs).
- Removal from Active Systems: Upon verified requests, we will securely remove the patient's recommendation data from active systems and update backups as per our data retention policies.
- Confirmation: Patients will receive a confirmation once their data has been deleted or anonymized, along with any relevant explanation of partial deletions that are legally mandated to be retained.
9. Data Breach Notification
9.1 Notification Timeline
In the event of a data breach that compromises the security of personal or sensitive information, we are committed to taking swift and transparent action in compliance with applicable laws, including the California Consumer Privacy Act (CCPA) and California Civil Code Section 1798.82.
- Affected Users: We will notify affected individuals as soon as reasonably possible, but no later than 72 hours after discovering the breach, unless otherwise required or delayed by law enforcement requests.
- Authorities: Where applicable, we will notify relevant authorities, such as the California Attorney General, within the required timeframe if the breach affects more than 500 California residents.
- Regular Updates: Ongoing updates will be provided to affected users during the investigation process to ensure transparency and keep them informed of any significant developments.
9.2 Notification Content
In the event of a data breach, affected individuals will be notified promptly with a clear and comprehensive explanation of the following:
- Nature of the Breach: A concise description of what happened, including the type of incident (e.g., unauthorized access, ransomware attack, or data leak) and when it was discovered.
- Categories of Data Affected: Specific details about the types of personal or sensitive data exposed (e.g., names, email addresses, medical records, or financial information).
- Approximate Number of Individuals Affected: An estimate of the number of people impacted by the breach to help contextualize the scope of the incident.
- Likely Consequences: An outline of the potential risks or impacts on individuals, such as identity theft, fraud, or other adverse outcomes.
- Measures Taken or Proposed: Actions we have taken or plan to take to contain and address the breach, such as shutting down unauthorized access, enhancing security, or conducting audits.
- Contact Point for More Information: Details on how affected individuals can reach us for support. This point of contact can be found in Section 1 of this privacy policy.
- Recommendations for Affected Individuals: Practical steps for users to protect themselves, such as resetting passwords or placing fraud alerts on accounts.
By providing clear and actionable information, we aim to minimize potential harm and empower affected individuals to respond effectively to the breach.
10. Children's Privacy (COPPA Compliance)
10.1 Age Restrictions
Our services are designed for use by individuals who are at least 18 years old. We are committed to protecting the privacy of children in compliance with the Children's Online Privacy Protection Act (COPPA) and applicable laws. Specifically, we comply with the following guidelines:
- No Collection of Data from Minors: We do not knowingly collect, use, or disclose personal information from individuals under the age of 18. If we discover that a minor has provided us with personal information, we will take immediate steps to delete such data.
- No Targeted Content or Marketing: We do not target our services, content, or marketing efforts toward children under 18 years of age.
- Restricted Account Creation: Account registration and access to our services are strictly limited to users who confirm they are at least 18 years old during the signup process.
- Parental Guidance and Reporting: If you believe we have inadvertently collected information from a minor, please contact us immediately at support@synap.cloud so we can investigate and take appropriate action, including data deletion.
10.2 Verification and Deletion
If we discover that we have inadvertently collected information from a minor, we will take swift and decisive action to protect their privacy and ensure compliance with COPPA and other applicable laws:
- Immediate Data Deletion: All personal information collected from the minor will be securely deleted from our systems to prevent further use or disclosure.
- Parental Notification (When Possible): We will make reasonable efforts to notify the parent or legal guardian, informing them of the situation and the actions we have taken.
- Account Termination: If the minor has created an account, we will immediately deactivate and delete the account to ensure no further interactions occur.
- Prevention of Future Collection: We will review our systems, processes, and controls to prevent any future data collection from minors, including updates to verification methods and safeguards.
11. Rate Limiting
We enforce rate limits for API requests, currently set to 300 requests per day and 100 requests per hour per IP address. Additionally, certain endpoints may enforce stricter limits (e.g., 35 requests per minute) to protect sensitive actions such as logins or administrative tasks.
These rate limits help ensure overall service stability and protect against malicious activities, including brute-force attempts and denial-of-service attacks. Limits may be updated periodically based on performance requirements and evolving security needs.
12. Regulatory Compliance
12.1 CalOPPA Compliance
In accordance with the California Online Privacy Protection Act (CalOPPA), we are committed to maintaining transparency and user rights. To ensure compliance, we:
- Allow Anonymous Website Visits: Users can access certain areas of our website without being required to create an account or provide personal information, supporting privacy-conscious browsing.
- Provide Conspicuous Privacy Policy Access: Our Privacy Policy is prominently displayed and accessible from our website's homepage or any relevant page, ensuring users can easily review our data practices.
- Notify Users of Privacy Policy Changes: We provide timely updates to users whenever there are significant changes to our Privacy Policy, ensuring transparency about how personal information is collected, used, and shared.
- Allow Personal Information Updates: Users can review and update their personal information to ensure accuracy and relevance, fostering greater control over their data.
- Disclose Tracking Practices: We clearly outline our practices regarding cookies and other tracking technologies, including what is collected and how it is used, enabling users to make informed decisions about their data.
12.2 CCPA (CPRA) Compliance
In compliance with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), we ensure the following rights for California residents:
- Right to Delete Personal Information: You may request the deletion of your personal information, subject to certain exceptions (e.g., when data is necessary for legal or operational purposes).
- Right to Opt-Out of Information Sales: You can opt out of the sale or sharing of your personal information with third parties for business purposes, and we provide a "Do Not Sell or Share My Personal Information" link on our website to facilitate this.
- Right to Non-Discrimination for Exercising Rights: You will not be denied services, charged different prices, or subjected to discrimination for exercising your privacy rights under the CCPA/CPRA.
- Annual Disclosure of Data Sharing Practices: We provide an annual report summarizing our data collection, sharing, and processing practices to ensure transparency and compliance with California regulations.
- Right to Know What Personal Information is Collected: You have the right to request detailed information about the personal data we collect, use, disclose, and share, including the categories of information and specific data collected about you.
By upholding these rights, we empower California residents with greater control over their personal information while fostering trust and transparency in our services.
12.3 Additional Compliance Measures
To ensure robust adherence to privacy and data protection regulations, we implement the following measures:
- Regular Compliance Audits: We conduct routine internal and external audits to verify that our privacy practices meet or exceed regulatory requirements and industry standards.
- Staff Training on Privacy Regulations: All relevant employees receive comprehensive training on privacy laws and data protection practices, ensuring they understand their responsibilities and the importance of safeguarding user information.
- Documentation of Compliance Procedures: We maintain detailed records of our compliance policies, procedures, and actions to demonstrate adherence to applicable laws and to facilitate accountability.
- Updates for New Regulations: Our team actively monitors changes in privacy laws and regulations, ensuring our policies and practices are updated promptly to remain in full compliance.
These measures underscore our commitment to maintaining the highest standards of privacy and regulatory compliance across all aspects of our operations.
12.4 State-Specific Privacy Rights Regarding Medical Marijuana Information
In addition to federal and California-specific laws, we recognize that states may enact unique privacy protections for individuals who participate in medical marijuana programs. To address these requirements, we:
- Honor Program-Specific Requests: If your state's medical marijuana program grants you additional rights (e.g., extended record confidentiality or expedited data removal), you may contact us at support@synap.cloud to exercise those rights.
- Comply with Legal Obligations: In states with mandated reporting or data-handling obligations, we implement necessary procedures to remain compliant with local requirements.
- State Privacy Law Updates: We routinely monitor updates in state-level legislation that impact medical marijuana data handling and will modify our practices and this Privacy Policy to align with any new or revised requirements.
- Contact for More Information: If you have questions about how your state's laws protect your medical marijuana information, please reach out to us so we can clarify or direct you to the relevant statutes.
13. Changes to Privacy Policy
13.1 Update Process
To ensure our policies remain up-to-date and transparent, we adhere to the following update procedures:
- Regular Policy Reviews: We conduct periodic reviews of our Privacy Policy to ensure it reflects current practices, regulatory requirements, and technological advancements.
- User Notification of Material Changes: When significant updates are made, we inform users by clearly highlighting the changes within the Privacy Policy and on our website.
- 30-Day Notice for Significant Changes: For major updates that impact user rights or data handling practices, we provide at least 30 days' notice to allow users time to review and understand the changes.
- Email Notifications to Registered Users: Registered users will periodically receive email updates summarizing key changes to ensure they are informed even if they do not visit our website.
13.2 Version Control
We maintain thorough records of all Privacy Policy updates to ensure transparency and accountability.
- Specify Version Date Requested: To help us locate the correct document, users must specify the exact version date or time frame they are requesting.
- Archive Maintained for 5 Years: We securely store an archive of all Privacy Policy versions for a minimum of five years to ensure compliance with legal and regulatory requirements.
- Previous Versions Available Upon Request: Users can request access to earlier versions of our Privacy Policy to review changes and understand past practices.
- Email support@synap.cloud for Access: Requests for previous versions can be made by contacting our support team, ensuring a straightforward and reliable process.
These version control measures ensure transparency in our practices and allow users to access historical records as needed.
14. Contact Information