What we collect
Three categories of data:
- Inquiry-form submissions. When you submit the contact form on the homepage, we receive your company name, your name, your email, the volume bracket you indicated, and the free-text message. Cloudflare also adds your country (from IP geolocation, country-level only) and the IP address itself for rate-limiting and spam-defence purposes.
- Anonymised analytics (Google Analytics 4). Page views, referrer, session metadata, country at country-level. We have configured GA4 to anonymise IP addresses, disable Google Signals (no cross-device user tracking), and disable ad personalisation signals.
- Admin authentication data (admin-only). If you sign in to the CMS at /admin/login, we store your email, the hashed magic-link token (15-minute TTL, single-use), the hashed session ID, your TOTP secret (if enrolled), and an activity log (sign-in events with IP, country, city, region, user-agent).
What we don’t collect
- No third-party advertising cookies, ad-network pixels, or remarketing tags.
- No tracking of individual users across sessions or devices.
- No sale, rental, or sharing of personal data with third parties.
- No collection of children’s data — the site is B2B and not directed at users under 18.
- No payment information is stored on this site (we do not process payments).
Where data goes
Inquiry-form submissions are emailed to export@cannabless.org via Resend (transactional email service, US-hosted, EU/US adequate-protection compliant) and additionally posted to our internal Google Chat space via webhook for real-time team-awareness.
Analytics is sent to Google (GA4 — Mountain View, US) per the privacy posture above. Admin sign-in activity is stored only in our Cloudflare D1 database (Cloudflare global edge).
Server access logs are handled by Cloudflare Workers in line with Cloudflare’s privacy policy.
How long we keep data
- Inquiry submissions: Indefinitely, in the inbox at export@cannabless.org, until you request deletion. Used for ongoing supply discussions.
- Analytics: 14 months, Google Analytics 4 default retention.
- Magic-link tokens: 15 minutes; single-use.
- Admin sessions: 8 hours from sign-in.
- Admin activity log: Indefinitely. Used for security review.
Cookies
We set the following cookies on this site:
- cb_admin — HttpOnly, Secure, SameSite=Lax. Only set when a user signs in to /admin. Holds the hashed admin session reference.
- _ga, _ga_* — Google Analytics 4 client ID and session tracking. First-party cookies, anonymised IP, no Google Signals.
Legal basis & applicable law
Our customer base is concentrated in regulated medical-cannabis import markets, so the regimes that drive most of our practical compliance work — and where we hold the highest bar for data-subject rights — are the European Union, the United Kingdom, California, and Australia. Thailand PDPA applies in addition, because CannaBless is a Thailand-registered entity.
- EU GDPR & UK GDPR — primary customer-facing regime. Apply when data subjects are physically in the EU/EEA or the UK. We process inquiry data on the legal basis of contract (Article 6(1)(b), responding to your inquiry) or legitimate interest (Article 6(1)(f), rate-limiting, spam-defence, B2B follow-up). No marketing-consent processing.
- California CCPA / CPRA — applies to California residents. We do not sell or share personal information for cross-context behavioural advertising. Deletion requests actioned via the contact below.
- Australia Privacy Act 1988 + Australian Privacy Principles — applies to data subjects in Australia. Our most active inquiry pipeline is with Australian licensed importers, so APP compliance is operationally central to how we handle the channel.
- Thailand PDPA (Personal Data Protection Act B.E. 2562) — corporate primary regime. CannaBless is the data controller; PDPA Section 19 disclosure: data is collected for the purposes stated above and used for no other purpose without further notice. We do not currently collect sensitive personal data of any category.
Cross-border data transfers
Some of the data we process leaves Thailand because the services we use (Resend for email, Google for analytics, Cloudflare for edge routing) are operated outside Thailand:
- Resend (US) — transactional email delivery. Operates under standard contractual clauses for international transfers.
- Google LLC (US) — GA4 analytics. Certified under the EU-US Data Privacy Framework, with standard contractual clauses for additional regimes.
- Cloudflare (global edge) — request routing, DDoS protection, geo-routing. Standard contractual clauses; regional data-localisation suites available where required.
Under Thailand PDPA Sections 28 & 29, cross-border transfer requires equivalent protection or other suitable measures. The standard contractual clauses with each of the processors above satisfy the “suitable measures” threshold.
Your rights
Whichever regime applies to you, you have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Request deletion (“right to be forgotten”)
- Request a copy of your data in portable form
- Object to processing for marketing or analytics
- Withdraw consent at any time (where consent is the basis relied on — withdrawal doesn’t affect processing already carried out lawfully)
- Lodge a complaint with the supervisory authority of your jurisdiction: the Personal Data Protection Committee of Thailand, your national EU/EEA data protection authority, the UK Information Commissioner’s Office, the California Attorney General, or the Office of the Australian Information Commissioner.
To exercise any of these rights, write to contact@cannabless.org. We respond within 30 days (PDPA, GDPR, CCPA all converge on this timeframe). There is no charge for routine requests.
Geographic restrictions
The site is geo-restricted from jurisdictions where regulated medical-cannabis supply isn’t legally established (see /unavailable). The geo-block is implemented at the Cloudflare edge using country-level IP geolocation; your IP itself is not stored beyond the standard Cloudflare access log.
Contact
Privacy questions, deletion requests, or any other data-protection matter: contact@cannabless.org.
Last reviewed . Material changes are reflected here as they happen.