Privacy Policy
Last updated: 23 April 2026
1. Who we are
CannaBuy (Pty) Ltd (“CannaBuy”, “we”, “us”) provides cannabis club management software including point-of-sale, inventory tracking, compliance reporting, and member management services. We are the responsible party (as defined in POPIA) for personal information processed through our platform.
Information Officer: hello@cannabuy.co.za
Registered address: South Africa
2. Information we collect
2.1 Account information
When you register, we collect your name, email address, password (hashed), and club details (club name, province, VAT number).
2.2 Member data (processed on your behalf)
When you use CannaBuy to manage your cannabis club, we process data on your behalf as an operator. This includes:
- Member names, contact details, and membership tier
- FICA documents (ID copies, proof of address) uploaded for verification
- SA ID numbers (encrypted at rest using AES-256-GCM)
- Transaction history and purchase records
- Gram usage and DAA compliance data
For this data, you are the responsible party and we act as your operator under POPIA.
2.3 Usage data
We automatically collect device information, browser type, IP address, pages visited, and interaction data to improve our service.
2.4 Cookies
We use essential cookies for authentication and session management. Non-essential cookies (analytics) require your consent via our cookie banner. You can change your preferences at any time.
3. How we use your information
We process personal information for the following purposes:
- Providing and maintaining the CannaBuy platform
- Processing transactions and managing club operations
- Generating compliance reports (DAA, VAT, FICA)
- Communicating with you about your account and service updates
- Improving our platform through aggregated usage analytics
- Complying with legal obligations under South African law
4. Legal basis for processing
We process personal information based on:
- Contract: Processing necessary to provide the CannaBuy service you subscribed to
- Legal obligation: Compliance with FICA, DAA, VAT, and SARS reporting requirements
- Legitimate interest: Platform improvement, security, and fraud prevention
- Consent: Non-essential cookies and marketing communications
5. How we protect your information
- All data is encrypted in transit (TLS 1.3) and at rest
- SA ID numbers are encrypted with AES-256-GCM before storage
- Row-level security (RLS) isolates club data between tenants
- Role-based access controls limit staff access to authorised functions
- Automated daily backups with 30-day retention
- Regular security audits and dependency updates
6. Who we share data with
We do not sell personal information. We share data only with:
- Supabase: Cloud database and authentication provider (data stored in EU/South Africa)
- Vercel: Application hosting and deployment
- Payment processors: To process subscription payments (when enabled)
- Legal authorities: When required by law, court order, or regulatory obligation
All third-party processors are bound by data processing agreements.
7. Data retention
- Active accounts: Data retained for the duration of your subscription
- Closed accounts: Anonymised after 30 days; financial records retained for 5 years as required by SARS
- FICA documents: Retained for 5 years as required by FICA compliance
- Backups: Automatically pruned after 30 days
8. Your rights under POPIA
Under the Protection of Personal Information Act, you have the right to:
- Access: Request a copy of your personal information
- Correction: Request correction of inaccurate information
- Deletion: Request deletion of your personal information (subject to legal retention requirements)
- Objection: Object to processing based on legitimate interest
- Withdraw consent: Withdraw consent for non-essential processing at any time
- Complain: Lodge a complaint with the Information Regulator (inforeg@justice.gov.za)
To exercise these rights, contact our Information Officer at hello@cannabuy.co.za. We will respond within 30 days.
9. International data transfers
Your data may be processed by our service providers outside South Africa. We ensure adequate protection through contractual safeguards and only use providers that meet internationally recognised security standards.
10. Children’s privacy
CannaBuy is not intended for use by persons under 18 years of age. Cannabis clubs must verify member age as part of their FICA obligations.
11. Changes to this policy
We may update this policy from time to time. Material changes will be communicated via email or in-app notification at least 30 days before they take effect.
12. Contact us
For privacy-related enquiries:
- Email: hello@cannabuy.co.za
- Information Officer: hello@cannabuy.co.za
- Information Regulator: inforeg@justice.gov.za | +27 (0)12 406 4818