Privacy Policy
Last Updated: January 14, 2026
Dose'D LLC ("DOSE'D," "we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and website (collectively, the "Service"). This policy applies to all users, including consumers and business/vendor accounts.
Table of Contents
- Part I: Information We Collect
- Part II: How We Use Your Information
- Part III: How We Share Your Information
- Part IV: Third-Party Services
- Part V: Data Security
- Part VI: Data Retention
- Part VII: Your Privacy Rights
- Part VIII: Children's Privacy / Age Restrictions
- Part IX: International Users
- Part X: Changes to This Policy
- Part XI: Contact Us
Part I: Information We Collect
1. Information You Provide Directly
1.1 Account Registration
When you create an account, we collect:
- Email address — For account authentication, communications, and password recovery
- Password — Securely hashed and stored; we never store plain-text passwords
- Date of birth — To verify you are 21 years of age or older (required)
- Username — Your public display name on the platform
- Profile photo (optional) — If you choose to upload one
1.2 Profile Information
You may optionally provide:
- Bio/description
- Location (city/state, not precise GPS)
- Experience level with hemp products
- Product preferences and interests
1.3 User-Generated Content
Content you create on the platform:
- Product reviews and ratings
- Check-ins at locations or with products
- Comments on reviews or articles
- Photos you upload
- Lists and collections you create
1.4 Order and Transaction Information
When you submit an order request:
- Shipping address — Full address for order fulfillment
- Phone number — For delivery notifications
- Order details — Products selected, quantities, special instructions
Note: DOSE'D does not process payments directly. All payments are handled by Stripe. We do not store your full credit card numbers.
1.5 Communications
- Messages you send to vendors through our in-app messaging system
- Customer support inquiries and correspondence
- Feedback and survey responses
1.6 Business Account Information
For vendor/business accounts, we additionally collect:
- Business name and DBA (if applicable)
- Business address
- Business phone number
- Business type and license information
- Tax identification information (for payment processing via Stripe Connect)
- Bank account information (processed and stored by Stripe, not DOSE'D)
- Product catalog information
- Business representative contact information
2. Information Collected Automatically
2.1 Device and Technical Information
- Device type — iPhone, Android device model
- Operating system — iOS version, Android version
- App version — Which version of DOSE'D you're using
- Unique device identifiers — For authentication and fraud prevention
- IP address — For security, fraud prevention, and general location
2.2 Usage Information
- Features and screens accessed
- Search queries
- Products viewed
- Time spent on the app
- Interaction patterns (taps, scrolls, navigation)
- Crash reports and error logs
2.3 Location Information
We collect general location based on IP address (city/region level). We do NOT collect precise GPS location unless you explicitly enable location services for specific features, in which case:
- You can disable location services at any time through your device settings
- Location is used only to show nearby vendors or enable location-based features
- We do not track your location when the app is not in use
3. Information from Third Parties
3.1 Social Sign-In
If you register or log in using Google or Apple:
- We receive your name and email address from these providers
- We do not receive or store your social media passwords
- We do not post to your social media accounts
3.2 Vendors/Business Partners
We may receive information from vendors regarding:
- Order fulfillment status
- Shipping tracking information
- Delivery confirmation
3.3 Payment Processor (Stripe)
Stripe may provide us with:
- Transaction status (success/failure)
- Partial payment method information (last 4 digits, card brand)
- Chargeback or dispute notifications
Part II: How We Use Your Information
4. Purposes of Data Processing
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Provide the Service — Account creation, authentication, core features | Account info, device info, usage data | Contract performance |
| Age Verification — Verify users are 21+ | Date of birth | Legal obligation, Legitimate interest |
| Order Fulfillment — Connect consumers with vendors, facilitate orders | Shipping address, phone, order details | Contract performance |
| Display User Content — Show reviews, check-ins, profiles | User content, profile info | Contract performance, Consent |
| Communications — Send notifications, updates, support responses | Email, push token, account info | Contract performance, Consent |
| Improve the Service — Analytics, feature development, bug fixes | Usage data, crash reports, feedback | Legitimate interest |
| Security & Fraud Prevention — Detect abuse, protect users | Device info, IP address, usage patterns | Legitimate interest, Legal obligation |
| Legal Compliance — Respond to legal requests, maintain records | Various, as required | Legal obligation |
| Marketing — Promotional emails, new features (with consent) | Email, preferences | Consent |
| Vendor Services — Process commissions, provide analytics | Business account info, transaction data | Contract performance |
5. Automated Decision-Making
We may use automated systems for:
- Age verification — Automatic rejection if date of birth indicates under 21
- Content moderation — Automated flagging of potentially inappropriate content (human review follows)
- Fraud detection — Automated flagging of suspicious activity
These automated decisions may be reviewed by humans upon request. If you believe an automated decision was made in error, contact us at support@dose-d.com.
Part III: How We Share Your Information
6. Information Shared with Vendors
When you submit an order request to a vendor, we share only the minimum information necessary for order fulfillment:
- Your name (first and last)
- Your shipping address
- Your phone number (for delivery purposes only)
- Your order details (products, quantities, special instructions)
We do NOT share with vendors:
- Your email address — All communication goes through our in-app messaging
- Your payment information — Handled securely by Stripe
- Your browsing or purchase history
- Your account information or preferences
6.1 Vendor Data Use Restrictions
Our Terms of Service strictly prohibit vendors from misusing your data. Vendors may NOT:
- Add you to mailing lists or marketing databases
- Send you marketing materials, promotions, or solicitations
- Contact you for any purpose other than your specific order
- Share, sell, or transfer your information to anyone
- Build their own customer databases using your information
- Retain your data longer than needed for order fulfillment
Enforcement: Vendors who violate these restrictions face immediate account termination, forfeiture of payments, and potential legal action. If you believe a vendor has misused your data, please report it to support@dose-d.com immediately.
7. Publicly Visible Information
The following information may be visible to other users:
- Your username and profile photo
- Your bio (if provided)
- Reviews and ratings you post
- Check-ins (based on your privacy settings)
- Badges and achievements earned
- Lists you mark as public
You can control some of this visibility through your privacy settings in the app.
8. Service Providers
We share data with trusted service providers who help us operate the Service. These providers are contractually obligated to protect your data and use it only for the services they provide to us.
Part IV: Third-Party Services
9. Our Service Providers
9.1 Firebase (Google Cloud)
| Service | Purpose | Data Shared |
|---|---|---|
| Firebase Authentication | User login and account security | Email, password (hashed), auth tokens |
| Cloud Firestore | Database storage | All app data (encrypted at rest) |
| Cloud Storage | Image and file storage | Profile photos, product images |
| Cloud Functions | Backend processing | Transaction data, business logic |
| Firebase Analytics | Usage analytics | Anonymized usage data, device info |
Firebase Privacy Policy: https://firebase.google.com/support/privacy
9.2 Stripe
| Service | Purpose | Data Shared |
|---|---|---|
| Stripe Payments | Process payments from consumers | Payment card info, billing address, email |
| Stripe Connect | Vendor payouts and commissions | Business info, bank account, tax ID |
Important: Full payment card numbers are processed directly by Stripe and never touch our servers. We only receive partial card information (last 4 digits, brand).
Stripe Privacy Policy: https://stripe.com/privacy
9.3 Brevo (formerly Sendinblue)
| Service | Purpose | Data Shared |
|---|---|---|
| Transactional Email | Order confirmations, password resets, notifications | Email address, name, relevant transaction info |
| Marketing Email | Newsletters and promotions (with consent) | Email address, name, preferences |
Brevo Privacy Policy: https://www.brevo.com/legal/privacypolicy/
9.4 Sentry
| Service | Purpose | Data Shared |
|---|---|---|
| Error Tracking | Crash reporting, bug identification | Device info, app state, error details, user ID (hashed) |
Note: Sentry data is used solely for fixing bugs and improving app stability. Personal information in error reports is minimized.
Sentry Privacy Policy: https://sentry.io/privacy/
9.5 Google Places API
| Service | Purpose | Data Shared |
|---|---|---|
| Address Autocomplete | Help users enter addresses accurately | Partial address as you type |
Google Privacy Policy: https://policies.google.com/privacy
10. Legal Disclosure
We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., court order, subpoena). This includes:
- Compliance with legal obligations
- Protection of our rights, privacy, safety, or property
- Protection of users or the public from harm
- Prevention of illegal activities
- Enforcement of our Terms of Service
Where legally permitted, we will attempt to notify you before disclosing your information.
11. Business Transfers
If DOSE'D is involved in a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will provide notice before your information becomes subject to a different privacy policy.
Part V: Data Security
12. Security Measures
We implement appropriate technical and organizational measures to protect your data:
12.1 Technical Safeguards
- Encryption in transit — All data transmitted between your device and our servers uses TLS/HTTPS encryption
- Encryption at rest — Sensitive data stored in our databases is encrypted
- Password hashing — Passwords are hashed using industry-standard algorithms; we never store plain-text passwords
- Secure authentication — Firebase Authentication with support for multi-factor authentication
- Server-side validation — All sensitive operations are validated server-side
12.2 Organizational Safeguards
- Access controls — Employee access to user data is limited to those who need it
- Security monitoring — We monitor for suspicious activity and unauthorized access
- Incident response — We have procedures for responding to security incidents
- Vendor assessment — We assess the security practices of our service providers
13. Data Breach Notification
In the event of a data breach that affects your personal information, we will:
- Notify affected users within 72 hours of discovering the breach (or as required by law)
- Describe the nature of the breach and the types of data affected
- Explain the steps we are taking to address the breach
- Provide recommendations for protecting yourself
- Report to relevant authorities as required by law
Part VI: Data Retention
14. Retention Periods
| Data Type | Retention Period | Reason |
|---|---|---|
| Account information | Until account deletion + 30 days | Service provision, recovery period |
| User-generated content | Until deleted by user or account deletion | Service provision |
| Order/transaction records | 7 years after transaction | Legal and tax requirements |
| Communication logs | 2 years | Dispute resolution, compliance |
| Usage analytics | 26 months (anonymized) | Service improvement |
| Error logs | 90 days | Bug fixing, stability |
| Business account data | 7 years after account closure | Legal and tax requirements |
15. Account Deletion
When you request account deletion:
- 30-day grace period — You can cancel the deletion within 30 days
- Personal data deletion — After 30 days, your personal information is permanently deleted
- Content anonymization — Reviews may be anonymized (username removed) and retained for platform integrity
- Legal retention — Some data may be retained as required by law (e.g., transaction records)
- Backup systems — Data in backup systems may take up to 90 days to be fully purged
To delete your account, go to Settings > Data & Privacy > Delete Account.
Part VII: Your Privacy Rights
16. Rights for All Users
Regardless of your location, you have the right to:
- Access — Request a copy of the personal information we hold about you
- Correction — Update or correct inaccurate information
- Deletion — Request deletion of your personal information
- Opt-out — Unsubscribe from marketing communications
17. California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know — Request what personal information we collect, use, disclose, and sell about you
- Right to Delete — Request deletion of your personal information (subject to legal exceptions)
- Right to Correct — Request correction of inaccurate personal information
- Right to Opt-Out of Sale — We do not sell your personal information
- Right to Opt-Out of Sharing — We do not share your information for cross-context behavioral advertising
- Right to Limit Use of Sensitive Information — We only use sensitive personal information for purposes permitted by law
- Right to Non-Discrimination — We will not discriminate against you for exercising your rights
Categories of Personal Information Collected
Per CCPA requirements, here are the categories of personal information we may collect:
- Identifiers — Name, email, username, IP address, device ID
- Personal information (Cal. Civ. Code 1798.80) — Name, address, phone number
- Commercial information — Transaction history, products viewed
- Internet/network activity — Browsing history, search queries, interactions
- Geolocation — General location from IP address
- Professional/employment info — Business account owner information
- Inferences — Preferences and characteristics derived from the above
18. European Users (GDPR)
If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR):
- Right of Access (Article 15) — Obtain confirmation and a copy of your data
- Right to Rectification (Article 16) — Correct inaccurate data
- Right to Erasure (Article 17) — "Right to be forgotten" in certain circumstances
- Right to Restriction (Article 18) — Restrict processing in certain circumstances
- Right to Data Portability (Article 20) — Receive your data in a machine-readable format
- Right to Object (Article 21) — Object to processing based on legitimate interests
- Right to Withdraw Consent — Withdraw consent at any time where processing is based on consent
Legal Bases for Processing: We process your data based on: contract performance (to provide the Service), consent (for marketing), legitimate interests (for security and improvement), and legal obligations (for compliance).
19. How to Exercise Your Rights
To exercise any of your privacy rights:
- In-App: Settings > Data & Privacy (for data export, deletion, and some preferences)
- Email: support@dose-d.com with the subject "Privacy Rights Request"
We will verify your identity before processing requests. We aim to respond within 30 days (or sooner if required by law).
Part VIII: Children's Privacy / Age Restrictions
20. Age Requirement
DOSE'D is intended exclusively for users who are 21 years of age or older.
We do not knowingly collect personal information from anyone under 21 years of age. If we learn that we have collected personal information from someone under 21, we will:
- Immediately delete the account and all associated data
- Notify the user (if possible) that their data has been deleted
If you believe we have collected information from someone under 21, please contact us immediately at support@dose-d.com.
Part IX: International Users
21. Data Transfers
DOSE'D is based in the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country.
By using the Service, you consent to the transfer of your information to the United States. We implement appropriate safeguards for international data transfers, including:
- Standard Contractual Clauses with service providers
- Privacy Shield certifications where applicable
- Appropriate technical and organizational measures
22. Country-Specific Provisions
If you are located in a country with specific data protection laws (such as GDPR for EU/EEA residents, LGPD for Brazilian residents, or POPIA for South African residents), the provisions in Section 18 apply to you, and we will comply with applicable local requirements.
Part X: Changes to This Policy
23. Policy Updates
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
How We Notify You
- Material changes: We will notify you via email and/or in-app notification before significant changes take effect
- Minor changes: We will update the "Last Updated" date at the top of this policy
We encourage you to review this Privacy Policy periodically. Continued use of the Service after changes constitutes acceptance of the updated policy.
Part XI: Contact Us
24. How to Reach Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Email: support@dose-d.com
Subject Line: Include "Privacy" or "Privacy Rights Request" for faster routing
Mailing Address:
Dose'D LLC
Attn: Privacy
Pennsylvania, United States
We aim to respond to all inquiries within 30 days.
25. Complaints
If you believe your privacy rights have been violated, you have the right to lodge a complaint with your local data protection authority:
- California residents: California Attorney General (oag.ca.gov)
- EU/EEA residents: Your local Data Protection Authority
We encourage you to contact us first so we can try to resolve your concerns directly.