Privacy Policy

CannaBaseAI (“we”, “us”, “the Service”) lets adults of legal age in jurisdictions where cannabis is legal scan product labels, log their experiences, and share reviews with the community. This policy explains what data we collect, how we use it, who we share it with, and the choices you have.

• Account information. Email address, username, password (hashed by our auth provider), avatar, and optional state of residence and sex. We rely on a 21+ self-attestation age gate at first launch and do not collect date of birth from new users.
• Scans and reviews. Photos you upload of cannabis product labels, the AI-extracted fields (brand, strain, THC/CBD, etc.), optional dispensary names, optional “nug shot” photos, ratings, written notes, and selected effect/flavor tags.
• Community activity. Comments you post, helpful votes you give and receive, the users you follow, and notifications generated from those actions.
• Device + diagnostic data. Standard request metadata such as IP address, browser/app user agent, and timestamps; we do not track your location beyond city-level inference from your IP.

We do not collect health records, medical conditions, prescription information, biometric identifiers, or precise GPS location.

• To provide and improve the core scan-and-log functionality.
• To run AI inference on the photos you submit (see “Third-party services” below) and return enriched product data.
• To power the community feed, follow graph, comments, and notifications.
• To send you transactional emails about activity on your account.
• To detect and prevent abuse, spam, or violations of our Terms.

We do not sell your data. We do not use your data to serve third-party advertising. We do not share your reviews or scans with insurers, employers, or law enforcement except where required by valid legal process.

We process your data through the following providers, each acting as a sub-processor under contract:

• Supabase — authentication, database, and storage for your scans, reviews, and uploaded photos.
• OpenAI — vision model used to read product labels in the photos you submit. Photos and extracted text are sent to OpenAI’s API; per their data policy, API content is not used to train their models.
• Anthropic (Claude) — used as a fallback to enrich strain metadata when public sources don’t cover the strain.
• Leafly — public strain database we read from to populate type, terpene, and effect information.
• Resend — sends transactional notification emails.
• Vercel — hosts the web application and edge network.

Reviews you publish to the community feed (rating, notes, effects, flavors, optional “nug shot”, dispensary name) are visible to other signed-in users. Your scan history, wishlist, and stats remain private to you and are only used in aggregate, anonymized form for the “all users” toggle on the Stats page.

• Edit or delete a review. Use the History or Community tabs to change or remove anything you’ve published.
• Hide your profile. Toggle “Hide from directory” in account settings to remove yourself from public user listings.
• Delete your account. Tap Settings → Danger zone → Delete account. Account deletion permanently removes your scans, reviews, comments, votes, and follow graph; some anonymized aggregate data may persist where required for fraud prevention or compliance.
• Email opt-out. Each notification type has its own email toggle in account settings.

Account and content data are retained while your account is active. When you delete your account, your data is removed within 30 days except where we are legally required to retain it (e.g., transaction records or fraud-prevention logs) for up to one year.

All traffic between your device and our servers is encrypted with TLS. Passwords are stored as one-way hashes by our auth provider. Photos and metadata are stored in access-controlled cloud storage. No system is perfectly secure; if we become aware of a breach affecting your account we will notify you in line with applicable law.

CannaBaseAI is restricted to users who are at least 21 years old (or the local minimum age for cannabis use, where higher) and who reside in a jurisdiction where cannabis is legal for them. We do not knowingly collect data from anyone under 21. If you believe a minor has created an account, contact us and we will delete it.

The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If we learn that we have collected such information, we will delete it.

We operate from the United States. If you use the Service from outside the U.S., your information will be transferred to and processed in the U.S., which may have different data protection laws than your country of residence.

We may update this policy from time to time. Material changes will be highlighted at the top of this page and, where appropriate, announced via in-app notification. The “Last updated” date above reflects the current version.

Questions, requests, or complaints: email paul@paulorized.com.