Privacy Policy

Canary LP | A Division of GrowDirect | Last Updated: February 16, 2026

1. Introduction & Scope

This Privacy Policy describes how GrowDirect and its Canary LP division (collectively, "GrowDirect," "we," "us," or "our") collects, uses, discloses, and protects information when you:

• Visit our website or use our online services
• Use the Canary LP fraud detection platform or related services
• Communicate with us via email, phone, or other channels
• Interact with us at conferences, events, or through other business relationships

Applicability: This Privacy Policy applies to personal information collected by GrowDirect. It does NOT apply to:

• Information collected by third parties (even if linked from our website)
• Employment-related information about GrowDirect employees, contractors, or applicants
• Business contact information used solely for business-to-business communications

2. Information We Collect

2.1 Information You Provide Directly

Category	Examples
Account Information	Name, email address, phone number, business name, job title, billing address, payment information
Transaction Data	Purchase history, payment details, merchant transaction data (when using Canary services)
Communications	Messages, emails, support tickets, feedback, survey responses, conference interactions
Business Information	Company details, industry type, business size, use case information, integration preferences

2.2 Information Collected Automatically

When you use our website or services, we automatically collect certain technical information:

• Device Information: IP address, browser type, operating system, device identifiers
• Usage Data: Pages visited, links clicked, time spent on pages, referring/exit pages
• Cookies & Similar Technologies: See Section 5 below for details
• API & Integration Data: API calls, authentication tokens, integration logs, error messages

2.3 Information from Third Parties

We may receive information from third-party sources, including:

• Square Inc.: Merchant transaction data, payment details, merchant account information (when you connect your Square account to Canary services)
• Data Enrichment Services: Business information, industry classifications, publicly available data
• Analytics Providers: Aggregated usage statistics, demographic information

3. Healthcare Data & HIPAA Compliance

Business Associate Relationship

When Canary LP processes PHI on behalf of a pharmacy or healthcare provider (a "Covered Entity"), we act as a Business Associate under HIPAA. In such cases:

• We execute a Business Associate Agreement (BAA) with the Covered Entity
• We implement appropriate administrative, physical, and technical safeguards to protect PHI
• We use and disclose PHI only as permitted by the BAA and HIPAA regulations
• We report security incidents and breaches in accordance with HIPAA requirements

PHI We May Process

When providing services to pharmacies, Canary LP may process limited PHI, including:

• Patient identifiers (hashed or pseudonymized when possible)
• Prescription information (medication names, NDC codes, prescriber information)
• Transaction details (payment method, copay amounts, dates of service)
• Fraud detection indicators (refill patterns, prescriber anomalies, payment switching)

De-Identification & Anonymization

Wherever possible, Canary LP uses de-identified or anonymized data that does not constitute PHI under HIPAA. We employ:

• Hashing: One-way cryptographic hashing of patient identifiers
• Aggregation: Statistical aggregation across multiple patients to prevent re-identification
• Data Minimization: Limiting PHI collection to only what is necessary for fraud detection

Your HIPAA Rights

If you are a patient of a pharmacy using Canary services, you have rights under HIPAA, including:

• Access: Right to access PHI maintained by your pharmacy
• Amendment: Right to request amendments to inaccurate PHI
• Accounting: Right to an accounting of certain PHI disclosures
• Restriction Requests: Right to request restrictions on PHI uses and disclosures

To exercise these rights, please contact your pharmacy directly. Canary LP cannot respond to individual patient requests for PHI access or amendment.

4. How We Use Your Information

We use the information we collect for the following purposes:

Purpose	Description
Service Delivery	Provide, operate, and maintain the Canary fraud detection platform; process transactions; detect and prevent fraudulent activity
Account Management	Create and manage user accounts; authenticate users; provide customer support; communicate about your account
Service Improvement	Analyze usage patterns; develop new features; improve fraud detection algorithms; conduct research and development
Security	Protect against security threats; detect and prevent fraud, abuse, or illegal activity; enforce our Terms of Use
Legal Compliance	Comply with applicable laws, regulations, and legal processes; respond to law enforcement requests; protect our rights and property
Marketing	Send promotional emails and newsletters (with your consent); conduct market research; personalize your experience

Legal Bases for Processing (GDPR/International Users)

For users in the European Economic Area (EEA), United Kingdom, or other jurisdictions with data protection regulations, we process personal data based on:

• Contractual Necessity: Processing is necessary to perform our contract with you
• Legitimate Interests: Processing is necessary for our legitimate business interests (fraud prevention, service improvement, security)
• Legal Obligation: Processing is required to comply with applicable law
• Consent: You have provided explicit consent (e.g., for marketing communications)

5. Cookies & Similar Technologies

We use cookies, web beacons, and similar tracking technologies to enhance your experience and collect usage information.

Types of Cookies We Use

Cookie Type	Purpose	Opt-Out
Essential Cookies	Required for website functionality; authentication; session management	Cannot be disabled
Performance Cookies	Collect anonymous usage statistics; identify errors; improve website performance	Browser settings
Functional Cookies	Remember your preferences; personalize your experience; save your settings	Browser settings
Analytics Cookies	Analyze how visitors use our website; generate reports on website activity	Browser settings or opt-out links
Marketing Cookies	Track visitors across websites; deliver targeted advertising; measure ad effectiveness	Browser settings or opt-out links

Managing Cookies

You can control cookies through your browser settings. Most browsers allow you to:

• View what cookies are stored and delete them individually
• Block all cookies from all websites
• Block cookies from specific websites
• Receive a notification before a cookie is stored

Note: Disabling certain cookies may affect website functionality.

6. How We Share Your Information

We do NOT sell your personal information. We may share your information with the following third parties:

Service Providers

We share information with third-party service providers who perform services on our behalf:

• Cloud Hosting: AWS, Google Cloud (infrastructure and data storage)
• Payment Processing: Stripe, Square (payment processing and fraud detection)
• Analytics: Google Analytics, Mixpanel (website analytics and usage tracking)
• Customer Support: Zendesk, Intercom (customer support and helpdesk)
• Email Services: SendGrid, Mailchimp (transactional and marketing emails)

These service providers are contractually obligated to protect your information and use it only for the purposes for which it was disclosed.

Business Transfers

If GrowDirect is involved in a merger, acquisition, sale of assets, or bankruptcy, your information may be transferred as part of that transaction. We will notify you via email and/or prominent notice on our website before your information is transferred and becomes subject to a different privacy policy.

Legal Requirements

We may disclose your information if required to do so by law or in response to:

• Valid legal process (subpoena, court order, search warrant)
• Government or law enforcement requests
• Requests to protect the safety, rights, or property of GrowDirect or others
• Regulatory inquiries (DEA, FDA, state pharmacy boards, etc.)

With Your Consent

We may share your information with other third parties when you explicitly consent to such sharing.

7. Data Security

We implement industry-standard security measures to protect your information, including:

• Encryption: TLS/SSL encryption for data in transit; AES-256 encryption for data at rest
• Access Controls: Role-based access controls; multi-factor authentication; principle of least privilege
• Security Monitoring: Intrusion detection systems; automated threat monitoring; regular security audits
• Secure Development: Security code reviews; penetration testing; vulnerability scanning
• Employee Training: Regular security and privacy training for all employees
• Incident Response: Written incident response plan; breach notification procedures

Important: While we use commercially reasonable security measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security of your information.

8. Data Retention

We retain your information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

Retention Periods

• Account Data: Retained for the duration of your account plus 7 years after account closure (for legal and audit purposes)
• Transaction Data: Retained for 7 years in compliance with financial recordkeeping requirements
• PHI (if applicable): Retained in accordance with HIPAA requirements (minimum 6 years from creation or last use)
• Marketing Data: Retained until you opt out or withdraw consent
• Analytics Data: Aggregated analytics data may be retained indefinitely

After the retention period expires, we securely delete or anonymize your information.

9. Your Privacy Rights

General Rights

Subject to applicable law, you may have the following rights regarding your personal information:

• Access: Request a copy of the personal information we hold about you
• Correction: Request correction of inaccurate or incomplete information
• Deletion: Request deletion of your personal information (subject to legal retention requirements)
• Portability: Request a machine-readable copy of your information
• Objection: Object to certain processing activities (such as direct marketing)
• Restriction: Request restriction of processing under certain circumstances

California Privacy Rights (CCPA/CPRA)

California residents have additional rights under the California Consumer Privacy Act (CCPA), including:

• Right to know what personal information is collected, used, and shared
• Right to delete personal information
• Right to opt-out of the sale of personal information (we do not sell personal information)
• Right to non-discrimination for exercising privacy rights

European Privacy Rights (GDPR)

If you are in the EEA or UK, you have rights under the General Data Protection Regulation (GDPR), including:

• Right to withdraw consent at any time
• Right to lodge a complaint with a supervisory authority
• Right to data portability
• Right to object to automated decision-making

Exercising Your Rights

To exercise any of these rights, please contact us at privacy@growdirect.com. We will respond to your request within the timeframe required by applicable law (typically 30-45 days).

10. International Data Transfers

GrowDirect is based in the United States. If you access our services from outside the United States, your information may be transferred to, stored in, and processed in the United States and other countries where we or our service providers operate.

Data Protection Frameworks: We comply with applicable cross-border transfer mechanisms, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• UK International Data Transfer Agreement (IDTA) / Addendum
• Appropriate safeguards as required by GDPR Article 46

11. Children's Privacy

Our services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18.

If we become aware that we have collected personal information from a child under 18 without parental consent, we will take steps to delete that information as soon as possible. If you believe we have inadvertently collected information from a child, please contact us at privacy@growdirect.com.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes, we will:

• Update the "Last Updated" date at the top of this page
• Notify you via email if the changes are material (if you have provided an email address)
• Post a prominent notice on our website for 30 days after the change

Your continued use of our services after changes are posted constitutes your acceptance of the updated Privacy Policy.

13. Contact Us