Privacy Policy - Retail Software Interface

Effective Date: February 26, 2026

1. Information and Scope

This Privacy Policy applies to the PowerLeaf Retail Software Interface (“Retail Interface”), which is a software layer integrated within or alongside participating licensed cannabis retailers’ online menu environments.

PowerLeaf, Inc. (“PowerLeaf,” “Company,” “we,” “us,” or “our”) provides software tools that reorganize, structure, and present publicly available laboratory ingredient data and retailer-supplied product information based on user-selected contextual preferences.

PowerLeaf does NOT:

Cultivate, manufacture, distribute, label, or sell cannabis products
Process payments for cannabis purchases
Conduct age verification
Control retail inventory, pricing, or fulfillment
Provide medical or legal advice

All purchases occur directly between the user and the licensed retailer and are governed by the retailer’s own policies.

This Privacy Policy governs data processed by PowerLeaf within the Retail Interface only.

2. Definitions

“Personal Information” means information that identifies, relates to, describes, or could reasonably be linked to a particular individual, as defined under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

“De-Identified Data”means information that cannot reasonably identify or be linked to an individual and is subject to safeguards preventing re-identification.

“Aggregated Data”means compiled data derived from multiple users that does not identify any specific individual.

3. Categories of Personal Information Collected

During the preceding twelve (12) months, PowerLeaf may have collected:

Identifiers

IP address
Online identifiers
Device identifiers

Internet / NetworkActivity Information

Session interaction data
Filtering selections
Product categorization interactions
Clickstream activity within the Retail Interface
Referring URLs

Preference Information

Voluntarily selected contextual preferences
Mood or activity filter selections
Interface customization selections

PowerLeaf does NOT collect:

Payment card information
Government-issued identification
Age verification documentation
Medical records
Biometric data

Such information is collected, if at all, solely by the licensed retailer.

4. Source of Information

Information is collected:

Directly from user interaction within the Retail Interface
Automatically through session technologies and analytics tools
From participating retailer systems solely to facilitate display of inventory data (no payment data is accessed)

5. Purposes for Processing

PowerLeaf processes Personal Information to:

Operate and maintain the Retail Interface
Improve algorithmic organization of retail menus
Enhance user experience and interface functionality
Conduct internal analytics and performance monitoring
Maintain platform security
Comply with legal obligations

6. Data Minimization

PowerLeaf collects only data reasonably necessary to operate and improve the Retail Interface.

Where practicable, we:

Limit retention of identifiable information
Utilize pseudonymization techniques
Separate identifiable data from analytics datasets

7. De-Identified & Aggregated Data Commercialization

PowerLeaf may generate De-Identified Data and Aggregated Data derived from Retail Interface interactions.

Such datasets:

Do not identify individual consumers
Cannot reasonably be re-identified
Do not contain direct identifiers
Are subject to technical and organizational safeguards

PowerLeaf may use, license, disclose, or commercialize De-Identified Data and Aggregated Data for:

Industry analytics
Retail trend reporting
Software development and refinement
Research initiatives
Participation in data marketplaces
Strategic partnerships

This activity does NOT constitute the sale of Personal Information under CPRA.

8. Sale or Sharing of Personal Information

PowerLeaf does not sell Personal Information.

PowerLeaf does not share Personal Information for cross-context behavioral advertising.

9. Disclosure to Service Providers

PowerLeaf may disclose Personal Information to service providers supporting:

Cloud hosting
Analytics
Security monitoring
Infrastructure management

All service providers are contractually obligated to:

Process data solely for specified purposes
Maintain confidentiality
Implement reasonable security safeguards
Comply with applicable privacy laws

10. Subprocessors

PowerLeaf maintains internal records of subprocessors engaged to support Retail Interface operations.

Subprocessors are subject to written agreements requiring:

Confidentiality obligations
Data protection safeguards
Processing limitations
Compliance with applicable laws

11. Information Security Governance

PowerLeaf maintains an internal information security governance framework designed to protect the confidentiality, integrity, and availability of information processed within the Retail Interface.

Safeguards include:

Administrative controls
Technical safeguards
Physical safeguards
Periodic risk assessments
Role-based access controls
Vendor security reviews
Logging and monitoring systems

PowerLeaf’s practices are designed to align with generally accepted industry standards for cloud-based SaaS platforms.

12. Security of Information

We implement commercially reasonable safeguards including:

Encryption of data in transit
Role-based access controls
Least-privilege permissions
Secure infrastructure environments
Monitoring for anomalous behavior

However, no digital system is completely secure. While we use industry best practices, we cannot guarantee absolute security.

13. Security Incident Response

PowerLeaf maintains documented internal procedures to detect, investigate, contain, and remediate potential security incidents.

In the event of a suspected or confirmed incident, we will:

Investigate and assess impact
Implement containment measures
Engage appropriate technical experts
Coordinate with participating retailers when appropriate
Implement corrective safeguards

14. Data Breach Notification

If Personal Information processed by PowerLeaf is subject to a security breach as defined under applicable law, PowerLeaf will provide notification to affected individuals and regulatory authorities as required by law.

Retailers remain responsible for breach notification relating to information they independently collect or control.

Nothing here in constitutes an admission of liability.

15. California Privacy Rights

California residents may have rights to:

Know what Personal Information is collected
Access specific pieces of Personal Information
Request deletion
Request correction

Requests may be submitted to privacy@powerleaf.com.

We will verify identity prior to fulfilling requests.

16. Automated Processing Disclosure

The Retail Interface utilizes automated systems and algorithmic categorization models to organize product information based on laboratory data and user-selected context inputs.

Such processing:

Does not produce legal effects
Does not determine eligibility for purchase
Does not constitute medical advice

17. International Users

The Retail Interface is operated in the United States. If accessed from outside the U.S., information may be transferred to and processed in the United States.

18. Data Retention

Personal Information is retained only as long as reasonably necessary to fulfill business purposes or comply with legal obligations.

De-Identified and Aggregated Data may be retained indefinitely.

19. Children's Privacy

The Retail Interface is intended for individuals 21 years of age or older.

PowerLeaf does not knowingly collect Personal Information from individuals under 21.

20. Privacy by Design

PowerLeaf incorporates privacy considerations into system design and development processes, including:

Data minimization
Segregation of identifiable data
De-identification techniques
Periodic privacy risk evaluations

21. Changes to This Policy

PowerLeaf may update this Privacy Policy periodically. Continued use constitutes acceptance.

22. Contact

PowerLeaf, Inc.
privacy@powerleaf.com