FLOWHUB ECOMMERCE PLATFORM PRIVACY STATEMENT
Effective Date: December 18, 2024
Flowhub Holdings, Inc. (“Flowhub”, “we”, or “our”) provides an ecommerce platform (the “Platform”) that empowers its enterprise dispensary customers to build online storefronts, manage inventory, and process pickup orders.
The Platform is presented by Flowhub on behalf of the dispensary (“Client”). This Platform Privacy Statement (“Privacy Statement”) explains how we collect, use, disclose, and otherwise process personal information on behalf of Client through the Platform. Client owns and controls all of the personal information collected and processed on the Platform. Any questions about or requests related to personal information collected and processed on the Platform should be directed to Client. This Privacy Statement does not apply to any other websites or other online services offered by Client that do not link to this Privacy Statement nor does this Privacy Statement apply to any websites or online services offered by Flowhub.
Personal Information We Collect
Personal information collected via the Platform. We collect personal information about Client’s end customers. The personal information we collect about end customers includes:
- Personal information provided by end customers to create an account or purchase items as a guest. This may include first and last name, date of birth, phone number, state of residency, medical cannabis card status, government-issued identification card information, medical card information, physician details (where required by applicable state law), email address, password, and marketing preferences.
- Transactional information, such as information relating to or needed to process end customers’ pickup orders through the Platform, including products purchased, purchase date, payment method, address, order numbers, and transaction history.
- Payment information, such as payment method and ACH payment details. Any ACH payment details you use to make a purchase via the Platform are collected and processed directly by our payment processors, such as Greenbax. Greenbax may use end customers’ payment details in accordance with its privacy policy, available here.
- Communications information, such as information provided in connection with questions, feedback or other interactions with us through the Platform.
- Personal information about end customers’ use of the Platform. This may include information about end customers’ use of the Platform, including computer or mobile device operating system type and version number, manufacturer and model, device identifier, browser type, screen resolution, IP address, general location information such as city, state or geographic area; and information about end customers’ use of and actions on the Platform, such as pages you viewed, how much time was spent on a page, navigation paths between pages, information about activity on a page, access times, and length of access. This information is collected using cookies and similar technologies.
How We Use Personal Information
We use the personal information we collect at the instruction of Client and in accordance with our agreement with Client, to provide the Platform, and for related internal purposes, such as:
- To maintain the Platform;
- To provide information about the Platform, such as important updates or changes to the Platform;
- To measure performance of and improve the Platform and develop new products and services;
- To create anonymous, aggregated, or deidentified data that Flowhub may then use for marketing purposes and to analyze patterns to enhance Flowhub’s products and services and develop new ones; and
- To respond to inquiries, complaints, and requests for Client support.
We may also use personal information as we believe necessary or appropriate to (a) comply with applicable law; (b) enforce the terms and conditions that govern the Platform; (c) protect our rights, privacy, safety, or property and/or that of you or others; and (d) protect, investigate, and deter against fraudulent, harmful, unauthorized, unethical, or illegal activity.
How We Share Personal Information
We share the personal information we collect:
- With Client;
- With such third parties as Client may direct; and
- With third-party service providers that help us manage and improve the Platform.
We may also share personal information with government, law enforcement officials or private parties as required by law, when we believe such disclosure is necessary or appropriate to (a) comply with applicable law; (b) enforce the terms and conditions that govern the Platform; (c) protect our rights, privacy, safety, or property, and/or that of you or others; and (d) protect, investigate and deter against fraudulent, harmful, unauthorized, unethical, or illegal activity.
We may sell, transfer, or otherwise share some or all of Flowhub’s business or assets, including personal information that we process as part of the Platform, in connection with a business transaction (or potential business transaction) such as a merger, consolidation, acquisition, reorganization, or sale of assets or in the event of bankruptcy.
Age Limitations
The Platform is not intended for use by anyone under 18 years of age. If a parent or guardian becomes aware that his or her child has provided us with personal information without their consent, he or she should contact Client.
Security
Flowhub uses commercially reasonable physical, electronic, and procedural safeguards designed to safeguard the security of personal information. Flowhub cannot, however, guarantee that any safeguards or security measures will be sufficient to prevent an information security issue.
Your Choices Regarding Your Personal Information
Client is the data controller/data owner of end users’ personal information processed through the Platform. As the data controller/data owner, Client is responsible for receiving and responding to end users’ and others’ requests to exercise any rights afforded to them under applicable data protection law. Flowhub will assist its customers in responding to such requests as set forth in our agreement with Client.
Data Retention
Flowhub may retain personal information for as long as necessary to (a) provide the Platform; (b) comply with legal obligations; (c) resolve disputes; and (d) as otherwise detailed in the terms of our agreement with Client.
Third Party Products and Services
The Platform may integrate with or enable access to third party tools. End users that register, install, or access any third-party tools may be required to accept privacy notices provided by those third parties. Please review those notices carefully, as Flowhub does not control and cannot be responsible for these providers’ privacy or information security practices.
Changes to this Privacy Statement
Flowhub reserves the right to modify this Privacy Statement at any time. The Platform, laws, regulations, and industry standards as well as our business operations may evolve which may make changes to this Privacy Statement appropriate. Flowhub will post the changes to this page. Flowhub encourages you to review the Privacy Statement to stay informed. Continued use of the Platform following the effective date of any changes to this Privacy Statement indicates your agreement to such changes.
Contact Us
If you have any questions about this Privacy Statement, you can contact us at privacy@flowhub.com.
FLOWHUB ECOMMERCE PLATFORM
DATA PROCESSING ADDENDUM
This Data Processing Addendum (“DPA”) supplements the Agreement and is entered into as of the Addendum Effective Date by Flowhub Holdings, Inc. with its principal place of business at 1630 Welton St #905, Denver, CO, 80202 (“Vendor”), and the enterprise customer identified in the Agreement (“Client”).
This DPA, including its appendices, supplements and forms part of the Agreement.
Definitions
For purposes of this DPA, the terms below have the meanings set forth below. Capitalized terms that are used but not defined in this DPA have the meanings given in the Agreement.
- Addendum Effective Date means the effective date of the Agreement.
- Agreement means the contract entered into by and between the parties.
- Applicable Data Protection Laws means U.S. state data protection laws applicable to the confidentiality, privacy and/or security of Personal Information or processing thereof under the Agreement, including, without limitation, the CCPA.
- CCPA means the California Consumer Privacy Act of 2018 and any regulations promulgated thereunder, in each case, as amended from time to time.
- Information Security Incident means a breach of Vendor’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information in Vendor’s possession, custody or control.
- Personal Information means any information that Client provides to Vendor for the provision of the Services that constitutes “personal information”, “personally identifiable information”, “personal data” or similar information governed by the CCPA or other Applicable Data Protection Laws.
- Services means those services and activities to be supplied to or carried out by or on behalf of Vendor for Client pursuant to the Agreement.
- Subprocessors means third parties engaged by Vendor who are authorized under this DPA to process Personal Information in relation to the Services.
Duration and Scope of DPA
- This DPA will, notwithstanding the expiration of the Agreement, remain in effect until, and automatically expire upon, Vendor’s deletion of all Personal Information.
- Appendix 1 (California Annex) to this DPA applies to Personal Information or the processing thereof subject to the CCPA.
Personal Information Processing
- Vendor will process Personal Information only in compliance with Applicable Data Protection Laws and only as necessary to perform its obligations and exercise its rights under the Agreement.
- Notwithstanding the foregoing, Client grants Vendor the right to create and/or derive from Personal Information deidentified, anonymized and/or aggregated data (“Anonymized Data”) that does not identify Client or any individuals and, both during and after the term of the Agreement, to use, publicize, or share with third parties such Anonymized Data to improve Vendor’s products and services, including for training purposes, and for its other legitimate business purposes. Anonymized Data shall be considered Vendor’s data.
Security
- Vendor Security Measures. Vendor will implement and maintain commercially reasonable technical and organizational measures designed to protect Personal Information against Information Security Incidents. Such security measures shall comply with Applicable Data Protection Laws.
- Information Security Incidents. If Vendor becomes aware of an Information Security Incident, Vendor will (a) notify Client of the Information Security Incident without undue delay after becoming aware of the Information Security Incident and (b) take reasonable steps to identify the cause of such Information Security Incident, minimize harm and prevent a recurrence. Notifications made pursuant to this Section 4.2 will describe, to the extent possible, details of the Information Security Incident, including steps taken to mitigate the potential risks and steps Vendor recommends Client take to address the Information Security Incident.
Data Subject Rights
- Client’s Responsibility for Requests. If Vendor receives any request from an individual in relation to the individual’s Personal Information, Vendor will notify Client in writing of such requests promptly and in no event later than five (5) days of Vendor’s receipt thereof, and Vendor shall not take any action in response to such request except in accordance with Client’s written instructions.
- Vendor’s Data Subject Request Assistance. Vendor will (taking into account the nature of the processing of Personal Information) provide Client with commercially reasonable assistance as necessary for Client to perform its obligation under Applicable Data Protection Laws to fulfill requests by individuals to exercise their rights under Applicable Data Protection Laws within any deadlines imposed thereunder.
Audits
- Client may audit Vendor’s compliance with its obligations under this DPA up to once per year and on such other occasions as may be required by Applicable Data Protection Laws.
- If the controls or measures to be assessed in the requested audit are addressed in an SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third party auditor within twelve (12) months of Client’s audit request and Vendor has certified in writing that there are no known material changes in the controls audited, Client agrees to accept such report in lieu of requesting an audit of such controls or measures.
- The audit must be conducted during regular business hours and may not unreasonably interfere with Vendor’s business activities.
- Any audits are at Client’s expense unless the audit identifies noncompliance with this DPA in any material respect, in which case Vendor will reimburse Client for all of its out of pocket costs and expenses associated with the audit.
Subprocessors
- Consent to Subprocessor Engagement. Subject to this DPA, Client generally authorizes the engagement of the following Subprocessors: third party technology software providers and cloud storage providers engaged by Vendor to support its performance of the Services.
- Subprocessors protections. When engaging any Subprocessor, Vendor will enter into a written contract with such Subprocessors containing data protection obligations not less protective than those in this DPA with respect to Personal Information. Vendor shall be liable for all obligations subcontracted to, and all acts and omissions of, the Subprocessor.
- Opportunity to Object to Subprocessor Changes. When Vendor engages any new Subprocessor during the term of the Agreement, Vendor will notify Client of the engagement at least 30 days prior to such engagement. If Client objects to such engagement in a written notice to Vendor within 30 days of being informed thereof on reasonable grounds relating to the protection of Personal Information, Client and Vendor will work together in good faith to find a mutually acceptable resolution to address such objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, Client may, as its sole and exclusive remedy, terminate the Agreement and cancel the Services by providing written notice to Vendor and receive a refund of any prepaid fees under the Agreement.
Termination
Upon termination of Client’s access to the Services, Vendor shall delete or cause the deletion of all Personal Information in the care, custody or control of Vendor and any Subprocessor as soon as reasonably practicable, except to the extent retention thereof is required by law.
Miscellaneous
Except as expressly modified by the DPA, the terms of the Agreement remain in full force and effect. The requirements of this DPA are in addition to and not in lieu of the requirements of the Agreement. To the extent of any conflict or inconsistency between this DPA and the other terms of the Agreement, this DPA will govern.
Legal Effect
This DPA shall take effect and become legally binding on the parties on the Addendum Effective Date.
Appendix 1
California Annex
- Vendor shall not retain, use, or disclose any Personal Information that constitutes “personal information” under the CCPA (“CA Personal Information”) for any purpose other than for the specific purpose of providing the Services, or as otherwise permitted by CCPA, including retaining, using, or disclosing the CA Personal Information for a commercial purpose (as defined in CCPA) other than providing the Services.
- Vendor shall not (a) sell any CA Personal Information; (b) retain, use or disclose any CA Personal Information for any purpose other than for the specific purpose of providing the Services, including retaining, using, or disclosing the CA Personal Information for a commercial purpose (as defined in the CCPA) other than provision of the Services; or (c) retain, use or disclose the CA Personal Information outside of the direct business relationship between Vendor and Client. Vendor hereby certifies that it understands its obligations under this Section 2 and will comply with them.
- Provision of the Services encompasses the processing authorized in Section 3 of the DPA.
- Notwithstanding anything in the Agreement, the parties acknowledge and agree that Vendor’s access to CA Personal Information is not part of the consideration exchanged by the parties in respect of the Agreement.