Privacy Policy
1- Intent
Grasscity is a subsidiary of High Tide Inc.
Protecting the privacy and confidentiality of personal information is an important aspect of how High Tide Inc. and its subsidiaries (collectively, the “Company”, “we”) conduct business. Collecting, using, storing, and disclosing personal information appropriately, responsibly, ethically, and in accordance with applicable laws and regulations, is a core value of the Company.
This Privacy Policy explains how the Company collects, uses, stores and protects, and discloses personal information, and applies to all personal information we collect.
By accessing our websites and services, you are consenting to the terms of this Privacy Policy and to our collection, use and disclosure of your personal information as set out in this Privacy Policy. If you do not consent and agree to the terms of this Privacy Policy, you must immediately cease using our websites and services. You may withdraw your consent at any time.
We reserve the right to amend or update this Privacy Policy from time to time, without notice to you. However, if we make material changes to this Privacy Policy, we will try to notify you, provided we have your contact information. Your continued use of Company websites or Company stores indicates your agreement to the terms of the Privacy Policy, as amended from time to time.
Any questions or concerns regarding this Privacy Policy can be addressed to our appointed Privacy Officer at [email protected].
2. Definitions
“Personal information” or “personal data” means information about an identifiable individual or group of individuals including, without limitation: name, date of birth, address, income, e-mail address, Social Insurance Number, gender, evaluation, credit records, and the results of criminal background checks. Personal information does not include anonymized or aggregated data that cannot be used to identify a specific person.
“Consent” includes (i) express consent communicated orally or in writing; (ii) implied consent where consent may reasonably be inferred from the action (or inaction) of the individual.
3. Collection of Personal Information
This Privacy Policy applies to all personal information we collect in the course of conducting our business.
Personal information is collected through a variety of interactions, including but not limited to:
- When you access our websites. For example, our age-gated websites require you to disclose your date of birth and location. Our websites may automatically collect information such as your IP address, page requests, browser type, operating system, time and date of access, referral sites, and browsing actions, including through depositing “cookies” on your device. This automatically collected information does not include personally identifiable information (e.g., name, address, phone number, email), but is used for statistical and analytical purposes only.
- When you transact with us to obtain products or services. For example, we may require your billing and shipping addresses, email addresses, and/or telephone number when you place an order or sign up for services through our websites. We also maintain information related to purchases including items purchased, time and date of purchase, and preferred delivery methods.
- When you engage with us through oral, written or electronic communications. For example, in some of our email messages, you may find a “click-through URL” linked to content on our sites. We track the click-through data to help us determine interest in particular topics and to measure the effectiveness of our customer communications. If you prefer not to be tracked in this way, you should not click on such links.
- When you interact with our website chat function. Any communication through our private chat function will be recorded in full and stored in accordance with this Privacy Policy.
- When you apply for employment with the Company.
- When you access our physical business premises. For example, our retail stores, warehouses, and offices are equipped with closed circuit camera systems for security purposes and to comply with regulatory requirements.
We may also collect or receive personal information from service providers and other third parties we work with, or from public sources.
4. Use of Personal Information
We collect and use personal information solely for the purposes of conducting our business and improving our market knowledge to better serve our customers.
Personal Information we collect is only to be used for the following purposes:
- Conducting our business in Canada, the United States of America (“USA”), and Europe, including improving our business operations and service offerings;
- Fulfilling transactions between you and the Company;
- Marketing, including the sending of email marketing materials (from which you may choose to “opt-out” at any time), and for targeted advertising hosted on third party websites;
- Complying with legal and regulatory requirements, including responding to regulatory investigations and legal subpoenas;
- To prevent fraud, misuse, and other criminal activities (for example, where necessary to investigate payment fraud or violations of our Terms of Service);
- Human resources purposes, including maintaining employment files, administering benefits, and processing payroll; and
- Contacting employees or their emergency contacts.
If additional purposes are identified, we will seek your consent of to use your personal information for those additional purposes.
5. Storage and Protection
We take every reasonable precaution to protect personal information through appropriate physical and electronic security measures. We maintain personal information that we collect through a combination of paper and electronic files. Where required by law, disaster recovery or business continuity policies, older records may be stored off-site, in a secure location.
We retain personal information for specific durations based on the type of information and the purpose of its collection:
- Transaction data is retained for a minimum of seven (7) years following the date of the transaction, for tax and audit purposes.
- Marketing data is retained until you withdraw your consent or opt-out.
- Account-related data is retained for two (2) years following account inactivity, unless otherwise required by law.
- Security footage is retained for a minimum of sixty days, or longer as required by local regulations.
We may use third-party service providers to store and process personal information on our behalf. Any of the Company, our service providers, and/or either’s agents may use servers or other facilities located outside of the jurisdiction in which you provide your personal information, including but not limited to the USA. The government, courts, law enforcement, security, or regulatory agencies of the USA or other foreign jurisdictions may be able to obtain access to or disclosure of personal information as permitted by local laws. We take reasonable steps to ensure that your personal information receives an adequate level of protection in the jurisdictions in which it is processed, including through appropriate written data processing terms and/or data transfer agreements with our service providers.
6. Disclosure of Personal Information
Subject to section 8 below, under no circumstances will we sell, distribute, or otherwise disclose your personal information, without your prior consent.
We may sell, distribute or otherwise disclose personal information that has been suitably anonymized or pseudonymized. For example, we may sell, distribute, or disclose information regarding your use of Company websites and your purchases, but only after having separated such information from any personal information that could be used to identify you.
7. Access to Personal Information by the individual
You have the right to access, update, review and correct personal information in our custody and control.
Your right to access, update, and correct your personal information is limited in some circumstances. Access may be denied if, for example:
- The personal information includes personal information of a third party;
- The personal information is subject to solicitor-client privilege, litigation privilege, or other privileges recognized by law;
- Access to the personal information would reveal sensitive commercial information; or,
- The information was generated in the course of a formal dispute resolution process.
Requests for access to personal information can be made to the Company’s Privacy Officer by email at [email protected]. The Company will respond within a reasonable time frame and will provide either the requested information or an explanation for why the information must be withheld.
If you are dissatisfied with a response from the Company’s Privacy Officer, you should contact your local privacy authority.
8. Collection, Use and Disclosure without Consent
We may collect, use, and/or disclose your personal information without your consent under specific circumstances according to law.
The Company may collect your personal information without your knowledge or consent in circumstances where, for example:
- Collection of the personal information is clearly in your interests and consent cannot be obtained in a timely manner;
- The personal information is provided to the Company by in the course of your employment, business or profession, and the collection is consistent with the purposes for which the information was provided;
- The personal information is collected for the purpose of making a disclosure required by law; or
- The personal Information is publicly available and specified by applicable regulations.
The Company may use your personal information without your knowledge or consent in circumstances where, for example:
- In the course of its activities, we becomes aware of information that we have reasonable grounds to believe could be useful in the investigation of a contravention of the laws of Canada, a province or a foreign jurisdiction that has been, is being or is about to be committed, and the information is used for the purpose of investigating that contravention;
- The use is for the purpose of acting in respect of an emergency that threatens the life, health or security of an individual;
- The information is contained in a witness statement and the use is necessary to assess, process or settle an insurance claim;
- The information was provided to the Company in the course of your employment, business or profession and the use is consistent with the purposes for which the information was provided;
- The personal information was collected for the purpose of making a disclosure required by law; or
- The personal information is publicly available and specified by applicable regulations.
The Company may disclose your personal information without your knowledge or consent in circumstances including, for example:
- Where the information is disclosed to a barrister or solicitor representing the Company;
- For the purpose of collecting a debt owed by you to the Company;
- To comply with a subpoena or a warrant issued or order made by a court, person or body with jurisdiction to compel the disclosure, or to comply with rules of court relating to the production of records;
- Where the personal information is disclosed to a government institution that has made a request for the information
- Where the personal information is disclosed to another organization for purposes of investigating a breach of an agreement or contravention of the laws of Canada or another province, and it is reasonable to expect that disclosure with your knowledge or consent of the individual will compromise such investigation;
- Disclosure is required by law; or
- The personal information is publicly available and specified by the applicable regulations.
EU and UK GDPR Addendum
This Addendum to the Privacy Policy applies to website users resident in the United Kingdom (“UK”) and European Economic Area (“EEA”) and is intended to conform with the requirements of the General Data Protection Regulation (“GDPR”) effective in those jurisdictions.
The types of personal data we collect and process, the purposes for which we collect and process personal data, and the period of retention for personal data, are set out in the body of this Privacy Policy.
We collect and process personal data under several legal bases, including:
- With your consent, which you have the right to withdraw (see below);
- For the purposes of performing contracts with you (including, for example, processing orders through our e-commerce platforms);
- For the purposes of compliance with our legal and regulatory obligations;
- For the purposes of protecting the integrity of our business, including where required for the establishment, exercise, or defense of legal claims; and
- To better serve your interests as a customer, including to recognize your purchasing preferences and tailor our offerings to your specific interests and objectives.
Individuals in the EEA and UK have certain rights, in addition to those in the body of this Privacy Policy, regarding their personal information, including:
- The right of access: you have a right to request a copy of your personal data from us. We may charge a small fee for this service.
- The right of rectification: you have the right to request that we correct any of your personal data in our possession, and that you believe is inaccurate. You have a right also to request that we complete personal data about you that you believe is incomplete.
- The right to object to processing:
a. Generally: you have the right to object to the processing of your personal data; however, that right is limited where we have compelling legitimate grounds for the processing that override your individual interests, or where we require your personal data for the establishment, exercise, or defense of a legal claim or claims.
b. Direct Marketing: where your personal information is processed for direct marketing purposes, you have a right to object to the processing of your personal data for such purposes.
- The right to restrict processing: you have a right to request that we restrict the processing of your personal data, under certain conditions.
- The right of erasure: you have a right to have your personal data in our custody and control deleted, under certain conditions. For example, this right may apply where:
a. The personal data is no longer necessary for the purposes for which it was collected, and you have withdrawn your consent;
b. You have objected to the processing of the personal data, and there are no overriding legitimate grounds for the processing;
c. The personal data was unlawfully processed; or
d. The personal data must be erased for compliance with a legal obligation in accordance with European Union law or the laws of a member state.
The right of data portability: you have the right to request that we transfer the personal data of yours that we have collected, to you or to another organization, under certain conditions.
- The right to withdraw consent: you have the right to withdraw your consent at any time where we have relied on your consent to process your personal data, under certain conditions.
- The right to complain to privacy authorities: you have the right to complain to a Data Protection Authority about our collection, use, and processing of your personal data. For more information, please contact your local data protection authority in the EEA or UK, as applicable.
For more information, or to submit a request, please contact our Privacy Officer at [email protected]
Data Transfers
Your personal data may be transferred to, and stored on, computer servers located outside of your place of residence, including outside of the EEA or UK, where the data protection laws may differ from those of your jurisdiction. If you are in the EEA or UK and choose to provide your data to us, we may transfer that data to Canada, the United States, or other jurisdictions, and process that information in those locations. Your consent to this Privacy Policy and Addendum is consent to such transfers.
We take all reasonable steps necessary to ensure that your personal data is treated securely and to a degree consistent with data protection under the GDPR. We will not transfer your personal data without adequate controls in place (e.g., contractual stipulations or requiring certifications) to protect your personal data.
We may revise this Addendum from time to time, including as required by the GDPR. We will provide you with notice of any substantial changes hereto (provided we have your contact information in our possession) and will seek your consent to same. If we have informed you of changes to this Addendum (or the Privacy Policy), and you do not consent to such changes, you must immediately cease using or accessing our websites.