Privacy Policy

BudStacks is a B2B Software-as-a-Service platform operated by Budstacks Lda ("BudStacks", "we", "us"). This policy explains how we handle personal data in two distinct capacities:

• As controller — for personal data relating to website visitors, prospective customers, billing contacts, and operator administrators (e.g. people who interact with budstack.to, sign up, contact us, or sign in to manage a tenant).
• As processor — for personal data that licensed operators ("operators", "tenants") store on the platform about their own end-customers and patients. The operator is the controller of that data; BudStacks processes it only on the operator's documented instructions, in accordance with the Data Processing Agreement (DPA).

BudStacks is not a healthcare provider, pharmacy, or dispensary. We do not sell, advertise, dispense, or recommend cannabis or cannabis products to consumers.

When you interact with BudStacks directly, we collect:

• Account data: name, email, organisation, role, password credentials handled by our authentication provider (Clerk).
• Billing data: billing contact, VAT/tax number, payment method tokens (handled by our payment processor; we do not store full card numbers).
• Communications: emails, support tickets, contact form submissions.
• Technical data: IP address, browser, device, pages visited, timestamps. Collected via essential cookies for security and via analytics cookies only with your consent.

When operators use BudStacks to run their storefronts, we process the data they upload or that flows through the platform, which may include:

• End-customer / patient identifiers, contact details, addresses
• Special category data (GDPR Article 9): health-related data such as prescriptions, condition references, KYC verifications
• Order, payment, and shipment metadata
• Authentication and audit data

The operator is the controller. BudStacks processes this data strictly as instructed by the operator under the DPA, including the Article 28(3) obligations: confidentiality, security, sub-processor controls, breach notification, audit cooperation, and deletion / return of data on termination.

Patients and end-customers seeking to exercise their rights should contact the operator directly (the operator is their controller). BudStacks will assist the operator in responding.

We process your personal data for the following purposes and lawful bases:

• Provide and operate the service — performance of contract (GDPR Article 6(1)(b))
• Respond to enquiries and support requests — performance of contract / legitimate interests (Article 6(1)(b)/(f))
• Send service and security notifications — performance of contract / legal obligation (Article 6(1)(b)/(c))
• Send marketing emails — consent (Article 6(1)(a)); opt-out in every message
• Analytics on website usage — consent (Article 6(1)(a)) via cookie banner
• Comply with legal, tax, accounting and regulatory obligations — legal obligation (Article 6(1)(c))
• Defend legal claims and protect platform integrity — legitimate interests (Article 6(1)(f))

We use vetted sub-processors to deliver the service. The current list, including each vendor's purpose, region, and transfer mechanism, is published at /legal/subprocessors. Operators are notified of material additions or changes at least 30 days before they take effect, and may object as set out in the DPA.

We do not sell personal data. We share data only with sub-processors, with public authorities where required by law, or with your explicit instruction.

Personal data may be transferred outside the EEA / UK to sub-processors in the United States and other jurisdictions. Where transfers occur, we rely on appropriate safeguards: EU Standard Contractual Clauses (and the UK addendum), adequacy decisions where applicable, and additional technical and organisational measures. Specific transfer mechanisms are listed alongside each sub-processor.

We retain personal data only for as long as necessary for the purposes above:

• Active account data — duration of the contract
• Billing and tax records — 10 years (legal obligation)
• Support tickets — 3 years
• Audit logs — 12 months unless a longer period is required by law or contract
• Marketing data — until you opt out or 24 months of inactivity
• Operator-controlled data — per the operator's instructions and DPA

We implement appropriate technical and organisational measures including: encryption in transit (TLS 1.2+) and at rest, scoped IAM access, audit logging, isolated tenant data partitions, regular dependency scanning, principle of least privilege, and incident response procedures. We notify operators of personal data breaches affecting their data within 72 hours of discovery.

Under the GDPR / UK GDPR you have the right to:

• Access the personal data we hold about you
• Rectify inaccurate or incomplete data
• Erase data where applicable ("right to be forgotten")
• Restrict or object to processing
• Data portability
• Withdraw consent at any time, where processing is based on consent
• Lodge a complaint with a supervisory authority (e.g. CNPD in Portugal, ICO in the UK)

To exercise these rights, email privacy@budstacks.io. If your data is held by an operator (you are their patient or customer), please contact the operator first; we will assist them in responding.

We use essential cookies to make the site work, and request your explicit consent for analytics and preference cookies. See our Cookie Policy for the full list and to manage your choices.

Material changes are recorded in the legal changelog and operators are notified by email at least 30 days before they take effect.

Privacy enquiries: privacy@budstacks.io
Data Protection Officer: dpo@budstacks.io
Postal: Budstacks Lda, Lisbon, Portugal