Privacy Policy
1. Information We Collect
We collect information that you and your organization's administrator provide when using our platform. Culextion does not offer public signups; all accounts are provisioned by an authorized administrator within your organization.
Account Information
- Name, email address, and user role (as entered by your administrator)
- Authentication credentials (passwords are hashed and never stored in plaintext)
- Multi-factor authentication (TOTP) enrollment status, if enabled
Business Data
When you use Culextion, you and your team enter business operations data, including but not limited to:
- Inventory records, production logs, and batch tracking data
- Sales records and distribution information
- Compliance records (cannabis regulatory data, GMP quality records)
- Electronic signatures tied to compliance workflows
- Task assignments, notes, and internal communications within the platform
Automatically Collected Information
- Audit logs: The platform automatically records user actions (logins, data changes, approvals, electronic signatures) to maintain a tamper-evident audit trail required by regulatory frameworks
- Usage data: Basic session information such as login timestamps, browser type, and IP address for security monitoring
- Local storage data: The application stores operational state in your browser's local storage to enable offline functionality and performance
Information We Do Not Collect
- We do not collect payment or credit card information (billing is handled externally)
- We do not use third-party analytics or advertising trackers
- We do not use cookies beyond essential session management
- We do not collect data from individuals who are not provisioned users of the platform
2. How We Use Information
We use the information we collect for the following purposes:
- Provide and operate the service: To deliver the ERP platform functionality you and your organization rely on, including inventory management, compliance tracking, production records, and reporting
- Maintain security: To authenticate users, enforce role-based access controls, detect unauthorized access attempts, and maintain audit trails
- Regulatory compliance support: To generate records, reports, and audit trails that assist your organization in meeting cannabis regulatory requirements (Illinois IDFPR/METRC) or FDA/GMP requirements (21 CFR Part 111/117)
- Improve the service: To identify and fix bugs, improve performance, and develop new features
- Communicate with you: To respond to support requests, notify you of important changes to the service, and provide system notifications
We do not use your data to build user profiles, serve advertisements, or train machine learning models.
3. Data Storage and Security
We take the security of your data seriously. Here is how we protect it:
Infrastructure
- Database hosting: Your data is stored in PostgreSQL databases managed by Supabase, hosted on Amazon Web Services (AWS) infrastructure located in the United States
- Application hosting: The web application is served via Vercel, a US-based hosting platform with a global edge network
Encryption
- In transit: All data transmitted between your browser and our servers is encrypted using TLS (Transport Layer Security)
- At rest: Database storage is encrypted with AES-256
Access Controls
- Row-Level Security (RLS): Database-level tenant isolation ensures that each organization can only access its own data
- Role-Based Access Control (RBAC): Users are assigned access levels (e.g., Admin, Full Access, Read Only) that restrict what data and actions are available to them
- Multi-Factor Authentication (MFA): Optional TOTP-based MFA is available for additional account security
- Immutable audit logs: All significant user actions are logged in append-only audit trails that cannot be modified or deleted by any user, including administrators
Security Practices
- Subresource Integrity (SRI) on external scripts
- HTTP Strict Transport Security (HSTS) headers
- Input validation and XSS protections
- Account lockout mechanisms after repeated failed login attempts
4. Data Sharing
We do not sell, rent, or trade your data to any third party.
We may share data only in the following limited circumstances:
- Infrastructure providers: Supabase (database hosting) and Vercel (application hosting) process your data as necessary to provide their services. These providers are contractually bound to protect your data and use it only for the purpose of delivering their services
- Law enforcement: We may disclose data if required to do so by a valid legal process, such as a subpoena, court order, or government investigation. We will notify you of such requests to the extent permitted by law
- Regulatory bodies: Where cannabis regulatory authorities (e.g., Illinois Department of Financial and Professional Regulation, METRC) or food safety regulators (e.g., FDA) require access under applicable law, we may be required to provide access to certain compliance records
- With your consent: We may share data if you explicitly direct us to do so (for example, when you export data and share it with a third party)
5. Data Retention
We retain your data for as long as your organization's account is active and as needed to provide the service.
After account termination, we retain data for the minimum period required by applicable regulations:
- Cannabis compliance records (Culextion IL): Retained for a minimum of 5 years, as required by Illinois cannabis regulations
- GMP/FDA records (Culextion GMP): Retained for a minimum of 6 years, consistent with 21 CFR Part 111 record-keeping requirements
- Audit logs: Retained for the same period as the associated compliance records
After the applicable retention period has elapsed, data will be permanently deleted upon the client's request. If no deletion request is made, we will securely delete the data within a reasonable timeframe after the retention period expires.
6. Your Rights
You have the following rights regarding your data:
- Access: You may request a copy of the personal and business data we hold about you or your organization
- Export: You can export your data at any time using the in-app export functionality. You may also request a full data export by contacting us
- Correction: You may request correction of any inaccurate personal information we hold about you
- Deletion: You may request deletion of your data, subject to any applicable regulatory retention requirements described above
- Portability: Upon request, we will provide your data in a standard, machine-readable format
To exercise any of these rights, contact us at daniel@culextion.com. We will respond to requests within 30 days.
7. Children's Privacy
Culextion is a business-to-business platform designed for use by organizations in regulated industries. The service is not directed at individuals under the age of 13, and we do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected such information, we will promptly delete it.
8. Illinois-Specific Disclosures
Culextion is operated from Illinois and serves organizations operating under Illinois law. The following disclosures apply to Illinois residents:
- Personal Information Protection Act (PIPA): We comply with the Illinois Personal Information Protection Act (815 ILCS 530). We implement and maintain reasonable security measures to protect personal information from unauthorized access, use, modification, or disclosure
- Breach notification: In the event of a data breach involving personal information of Illinois residents, we will provide notice within 60 days of discovering the breach, consistent with Illinois law. Notification will be sent to affected individuals and, where required, to the Illinois Attorney General
- Biometric data: Culextion does not collect biometric information (fingerprints, facial geometry, voiceprints, etc.) and is not subject to the Illinois Biometric Information Privacy Act (BIPA)
9. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Notify active users via email or an in-app notification
- Provide at least 30 days' notice before material changes take effect
Your continued use of the platform after changes take effect constitutes acceptance of the updated policy.
10. Contact Information
If you have any questions, concerns, or requests related to this Privacy Policy or your data, please contact us:
- Email: daniel@culextion.com
- Website: culextion.com