What this means in practice
We collect what we need to run a social cannabis directory — your account, your reviews, basic device telemetry. We don't sell your personal information. We don't run third-party ad-tech. You can export, correct, or delete your data at any time from your account screen, or by emailing privacy@getblazed.ca.
The short version
A snapshot of every data flow on Blazed — for skimmers and for the auditors who skim before they audit.
| Category | Why we have it | How long |
|---|---|---|
| Account identity (email, username, password hash, age) | Authenticate you and prove you cleared age verification. | Until you close the account, plus 30 days. |
| Profile content (display name, bio, avatar, region) | Power the social parts of Blazed. | Until you remove it or close the account. |
| Reviews, ratings, lists, sparks, comments | The Service. This is the directory. | Until you delete the content or your account. |
| Device & request telemetry (IP, user-agent, referrer) | Security, abuse prevention, basic analytics. | 90 days for raw logs; aggregated metrics indefinitely. |
| Email engagement (open / click pixels) | Tell us if our transactional and digest emails are useful. | 12 months. |
| Producer / shop claim packets | Verify a business owns the listing they want to edit. | Three years from claim approval. |
Who & where this applies
This policy applies to personal information Blazed Cannabis Co. (the “Controller”) processes when you interact with getblazed.ca, our mobile apps, or our APIs — anywhere you are, in any country.
Several privacy regimes overlap here, and we honour whichever one gives you the stronger right:
- Canada (federal)
- Personal Information Protection and Electronic Documents Act (PIPEDA), 2000.
- Quebec
- Act respecting the protection of personal information in the private sector, as modernised by Law 25 (formerly Bill 64).
- British Columbia, Alberta
- Personal Information Protection Acts (PIPAs) where substantially similar to PIPEDA.
- United States
- California Consumer Privacy Act / Privacy Rights Act (CCPA/CPRA), and the comprehensive state laws now in force in Colorado, Connecticut, Virginia, Utah, Texas, Oregon, and others where applicable.
- EU / EEA / UK
- General Data Protection Regulation (GDPR) and UK GDPR where you access Blazed from those territories.
- Children
- U.S. Children's Online Privacy Protection Act (COPPA). See Section 13.
What we collect
We deliberately collect as little as we can while still running a real product.
You give it to us
- Account. Email address, password (stored as a salted bcrypt hash — never in plaintext), username, declared date of birth used for age verification, and your home region.
- Profile. Display name, bio, avatar image, cannabis preferences, follow graph.
- Content. Reviews, photos, ratings, sparks, lists, comments, and the metadata that ties them to a strain, product, producer, or shop.
- Communications. Anything you send to hello@getblazed.ca, legal@getblazed.ca, or another team address; support thread history.
- Business claims. For licensed producers and retailers — proof-of-licence documentation, contact details for the listed business representative.
We collect it as you use the Service
- Device & request data. IP address, browser and OS, referring URL, page paths, timestamps, error stack traces.
- Performance vitals. Anonymised page-load and interaction timings, used to keep the product fast.
- Email engagement. Whether you opened a Blazed email or clicked one of its links.
We never collect
- Precise geolocation. We use coarse region from IP only, and only for analytics and provincial age rules.
- Government identification numbers (SIN, SSN, driver's licence). Age verification is by declared date of birth plus account history; we don't need or want your ID.
- Payment card numbers. We don't take payment for use of the Service.
- Biometric data, health records, or content from microphones and cameras you didn't explicitly upload.
How we collect it
We use four collection channels and try not to invent a fifth:
- Direct input. Forms — sign-up, profile, review composer, claim flow, contact emails.
- Server logs. Every request to Blazed creates a structured log line on our servers (hosted by Vercel). We retain raw logs for 90 days, then drop them.
- First-party cookies & local storage. A session cookie to keep you signed in, an age-gate cookie to remember you cleared verification, and theme preference. See Section 8.
- First-party analytics pings. Aggregated, no cross-site identifiers. See Section 8.
Why we use it
We process personal information to:
- Run the Service — show you the right strain pages, save your lists, surface reviews from people you follow.
- Verify that every signed-in account belongs to an adult of legal cannabis age.
- Maintain integrity — fight spam, brigading, account theft, and review manipulation.
- Send transactional email (sign-in confirmations, password resets, claim approvals) and, only if you've opted in, community digests.
- Improve the product — figure out which articles get read, which onboarding flows leak, which strain searches fail.
- Meet legal obligations under the Cannabis Act and the privacy laws listed in Section 2.
We do not sell your personal information. We do not “share” it for cross-context behavioural advertising — language that has a specific meaning under CCPA and which we have no need to trigger.
Legal basis & consent
For users in Canada, our processing rests on the PIPEDA grounds of consent (explicit at sign-up, ongoing through your continued use) and the legitimate-purpose carve-outs for fraud detection and security incident response.
For users in the EU/UK, the lawful bases are:
- Contract
- Account creation, authentication, content hosting, support — we cannot deliver the Service without processing this data.
- Legitimate interests
- Security telemetry, anti-abuse, basic analytics, balanced against your reasonable expectations.
- Consent
- Marketing email, optional analytics where local law requires opt-in. You can withdraw consent at any time without losing access to the Service's core functions.
- Legal obligation
- Responding to a valid court order, regulator request, or statutory disclosure obligation.
Who else touches your data
We use a small set of vetted service providers to run the Service. Each has a written processing agreement that limits them to processing your information for Blazed's purposes.
| Provider | What they do | Where |
|---|---|---|
| Supabase | Primary database, authentication, object storage for uploaded photos. | Canada (ca-central-1) |
| Vercel | Application hosting, edge compute, request logs. | Global edge, primary region in North America |
| Vercel Analytics & Speed Insights | First-party performance and visit metrics; no cross-site identifiers. | Same as Vercel |
| Resend | Transactional email delivery (sign-in, password reset, claim flow). | United States |
| Sentry (when enabled) | Error monitoring for crashes; user IDs scrubbed before transmission. | United States / EU |
We will update this table when a subprocessor is added, removed, or relocated. Material changes go out by email to signed-in users at least 30 days in advance.
Where your data lives
The primary database and object store sit in Canada (Supabase ca-central-1). Application servers and edge cache run on Vercel with a North American primary region. Some subprocessors — notably the email and error-monitoring providers — process metadata in the United States.
When personal information leaves Canada we rely on the contractual protections required by PIPEDA, Quebec Law 25, and (for EU/UK personal data) the European Commission's Standard Contractual Clauses. We will provide the relevant transfer documents on request — email privacy@getblazed.ca.
Your rights
Depending on where you live, you have some combination of the rights below. We honour every applicable one without checking which province or state you're writing from.
- Access
- Ask us for a copy of the personal information we hold about you, and the categories we've shared with subprocessors.
- Correct
- Edit anything that's wrong. Most of this you can do yourself from your account screen.
- Delete
- Erase your account and the personal information tied to it. Aggregated, de-identified analytics may persist.
- Port
- Receive your data in a structured, machine-readable format — we deliver JSON.
- Object & restrict
- Object to processing based on legitimate interests; ask us to pause non-essential processing while a dispute is sorted out.
- Opt out (CCPA / CPRA)
- Opt out of sale or sharing of personal information. Already done by default — we don't engage in either — but the right remains explicit.
- Withdraw consent
- Pull back any consent you've given for optional processing (marketing email, analytics where consent-based).
- Automated decision-making
- Ask whether a decision affecting you was made by an automated system, request human review, and contest the outcome — this is a Law 25 right; we extend it to everyone.
- Complain to a regulator
- The Office of the Privacy Commissioner of Canada (priv.gc.ca), the Commission d'accès à l'information du Québec, the California Privacy Protection Agency, or your local DPA. We'd rather you tell us first so we can fix it.
To exercise any right, email privacy@getblazed.ca. We'll acknowledge within five business days and respond fully within 30 days. You can have an authorised agent submit on your behalf — we'll just ask for proof of authorisation.
Retention & deletion
We hold personal information only as long as we need it to run the Service or to meet a legal obligation. The default windows:
- Active accounts
- For as long as the account exists.
- Closed accounts
- Profile and public content are removed immediately. Backups roll off within 30 days.
- Server / request logs
- 90 days from creation.
- Email delivery logs
- 12 months from send.
- Producer / shop claims
- Three years from claim approval, for audit purposes.
- Support correspondence
- Two years from last reply.
When a retention window ends, the data is irreversibly deleted or fully anonymised (no key, no possibility of re-identification).
Security practices
Security isn't a checkbox; it's an ongoing engineering discipline. Today the controls in place include:
- TLS 1.2+ for every byte in transit. HSTS preloaded.
- Encrypted at rest in the database and object store. Passwords stored as bcrypt hashes with per-user salts.
- Row-level security policies on every Supabase table that holds user data — your data is reachable only by your session.
- Two-factor authentication on every administrative account with access to production data.
- Audit logs of administrative access, retained for six months.
- A coordinated disclosure programme — write to security@getblazed.ca if you find a vulnerability.
If we ever have a breach
We will notify affected users without unreasonable delay, and in any event within the windows required by Canadian (PIPEDA, Law 25), state, and EU/UK law. The notice will tell you what happened, what data was implicated, and what we're doing about it.
Children & under-age users
Blazed is for adults of legal cannabis age. We do not knowingly collect personal information from anyone under that age, and we do not knowingly collect personal information from any user under 13 in any jurisdiction (COPPA threshold).
If you believe a child has created an account or submitted information, please email privacy@getblazed.ca and we will remove the account and erase the associated data on confirmation.
Contact our privacy team
For privacy questions, rights requests, or correspondence with our Privacy Officer:
- privacy@getblazed.ca
- Privacy Officer, Blazed Cannabis Co.
c/o Legal, Toronto, Ontario, Canada
- EU Representative
- Available on request for users in the EU / EEA / UK.
We also operate a separate Cannabis Act compliance address for regulatory reports relating to listed producers and retailers.
Updates to this policy
When a change is material — new data category, new subprocessor, new lawful basis, or a change to your rights — we notify signed-in users in the product and by email at least 30 days before the update takes effect. Minor edits (typo fixes, clarifications that don't change a practice) ship with a bump to the “Last updated” date at the top of this page.
A live archive of previous versions is available on request from privacy@getblazed.ca.