SanoPrime Privacy Policy
Effective Date: July 1, 2026 · Last updated: June 20, 2026
This Privacy Policy explains how SanoPrime Inc. ("SanoPrime," "we," "us") — a Delaware corporation, with its registered office at 1207 Delaware Ave, Suite 3200, Wilmington, DE 19806 — collects, uses, shares, and protects information when you use app.sanoprime.com, sanoprime.com, and our services (the "Platform").
Plain-Language Summary
- Your medical records are not covered by this policy — they have stronger protection. Visit notes, certifications, and other clinical records belong to your Provider's practice and are protected health information (PHI) under HIPAA. Your Provider's Notice of Privacy Practices covers them. This policy covers your marketplace account data.
- We never sell your personal information, and we never share it for targeted advertising.
- We never sell your mobile information, and we never share your mobile information or text-message opt-in data with third parties or affiliates for their marketing or promotional purposes.
- Dispensaries see almost nothing. When you choose to present your scan code, a dispensary sees only a yes-or-no confirmation of your account and Plus status — never your clinical information, certification status, or history at other stores.
- We use first-party essential cookies and privacy-tuned analytics only. No ad pixels run on logged-in or health-related pages.
- You can access, correct, delete, and export your information. Account deletion has a 30-day grace period, then it is permanent, with limits the law sets for medical records.
- Questions or requests: privacy@sanoprime.com.
1. The HIPAA Boundary, in Plain Terms
Two kinds of information exist on SanoPrime:
Clinical records (PHI). What happens in your visits — notes, certifications, clinical messages, transcripts — is created by your Provider and stored in a HIPAA-regulated clinical record system we operate for your Provider's practice as its business associate. Your rights in those records come from HIPAA and are described in your Provider's Notice of Privacy Practices, which is a separate clinical document. To get copies, use our Records Request Policy.
Marketplace data. Your account profile, bookings, payments to SanoPrime, Plus membership and visit history, messages to support, and how you use the site. This Privacy Policy governs that data.
Because you use a medical cannabis marketplace, even your marketplace data can reveal something about your health. We treat it with the care described in Section 7 (Consumer Health Data) no matter which state you live in.
2. Information We Collect
You give us: name, email, date of birth, mailing address and state, account credentials, Caregiver designations, booking selections, information you enter for Form Assist (used only to prepare your forms), payment information for purchases from SanoPrime (processed by our payment processor — we do not store full card numbers), your mobile number if you opt in to texts (with the date and time of your opt-in and the consent text you agreed to), and messages you send us.
Created when you use the Platform: booking and order history; Refund Guarantee status events; if you enroll in SanoPrime Plus and present your scan code at a dispensary — your visit records (store, time, discount applied) and the transaction total captured at validation, sent to us from the dispensary's scan; device and log data (IP address, browser type, pages viewed, timestamps); and cookie data described in our Cookie & Tracking Policy. We do not receive an itemized list of what you bought at a dispensary.
From others: payment confirmation results from processors, validation-scan records from participating dispensaries as described above, and delivery results from our email and text providers. We do not buy data about you from data brokers.
3. How We Use Information
We use marketplace data to: operate the Platform (accounts, bookings, scheduling, Caregiver permissions); sell and deliver Platform-Direct Form Assist; run SanoPrime Plus — confirming membership at validation scans, recording your visits and transaction totals, and showing your history in your account; administer the Refund Guarantee (including verifying Provider-issued refunds through payment records); provide support; send transactional messages (confirmations, reminders, receipts, security alerts); send marketing email only with an unsubscribe link in every message, and marketing texts only with your separate consent; keep the Platform secure and prevent fraud and abuse; meet legal obligations; and improve the Platform using analytics configured as described in Section 8.
AI features on the Platform run on cloud infrastructure under a signed business associate agreement. Visit transcription happens only with your per-visit consent, and source audio is purged after processing.
4. How We Share Information — and How We Don't
We never sell your personal information. We never share it for cross-context behavioral (targeted) advertising. And specifically for texting: we never sell your mobile information, and we never share your mobile information or text-message opt-in data with third parties or affiliates for their marketing or promotional purposes.
Dispensaries. We share nothing with dispensaries except what you initiate: when you present your scan code, the dispensary receives a yes-or-no confirmation of your account and active Plus status so it can apply its own discount. The dispensary never receives your clinical records, your certification status, your contact details through the scan, or your history at other stores. (The scan also never verifies your state medical marijuana certification or card — that check is the dispensary's own legal duty, handled directly between you and the dispensary.)
We share marketplace data only with:
- Your Provider, when you book — the information needed to schedule and conduct your visit. Clinical information then lives in the HIPAA-regulated record system described in Section 1.
- Service providers working for us under contracts limiting their use of your data: cloud infrastructure hosting (US data centers), payment processing, email delivery, text-message delivery, and analytics. They may use your data only to provide their service to us, never for their own marketing.
- Authorities or parties when the law requires it — for example, a valid subpoena, court order, or legal hold — or when necessary to protect someone's safety or the Platform's security. Where the law allows, we tell you before disclosing.
- A successor in a merger, acquisition, or asset sale, under this policy's protections, with notice to you.
5. Your Privacy Rights
Wherever you live in the US, you can ask us to:
- Access / know the personal information we hold about you;
- Correct inaccurate information;
- Delete your information (see how deletion works, below);
- Export your information in a portable format — our data-export tools support this; and
- Opt out of marketing email (one click in any message) and marketing texts (reply STOP). We do not sell personal information or use it for targeted advertising, so there is nothing to opt out of there — and we honor the Global Privacy Control signal as an opt-out where the law gives it that effect.
How deletion works. Request deletion in account settings or by emailing support@sanoprime.com. A 30-day grace period runs first — your account is deactivated, and you can restore it during those 30 days by signing back in or emailing us. When the grace period ends, deletion is permanent, and your marketplace data — including Plus visit and spending history — is removed on the schedule in Section 10. Clinical records are different: they are your Provider's legal medical records, and HIPAA and state retention laws require keeping them for set periods. Deleting your account never deletes those records, and you can still request copies through our Records Request Policy.
How to exercise rights: use your account settings or email privacy@sanoprime.com. We verify your identity before acting (and verify an authorized agent's authority, where your state allows agents). We respond within the time your state's law sets — generally 45 days, extendable once with notice. We never discriminate against you for exercising rights. If we deny a request, we explain why, and where your state provides an appeal process, we tell you how to appeal.
6. State-Specific Disclosures (California and Similar Laws)
For residents of California and states with comparable privacy laws: in the last 12 months we have collected the categories in Section 2 (identifiers; customer records; commercial information, including Plus visit records and transaction totals; internet activity; geolocation at the state/city level from IP; inferences limited to service operation), for the purposes in Section 3. We disclose them only to the recipients in Section 4 for business purposes. We do not sell personal information and do not share it for cross-context behavioral advertising, and we have not done so; we have no actual knowledge of selling or sharing the personal information of anyone under 16. We collect sensitive personal information (account credentials; health-related inferences inherent in using this Platform) and use it only to provide the services you request, for security, and as the law permits — not to infer characteristics for other purposes, so no "Limit the Use of My Sensitive Personal Information" choice is required. Retention periods by category appear in Section 10 and our Data Retention & Deletion Schedule. California's "Shine the Light" law: we do not disclose personal information to third parties for their direct marketing.
7. Consumer Health Data
Some states — including Washington, Nevada, and Connecticut — give special protection to "consumer health data," which includes information revealing health conditions or treatment-seeking, such as use of a medical cannabis marketplace and your dispensary visit records. For everyone, regardless of state, we apply these protections to that data:
- We collect and use it only to provide the services you request and as this policy describes, with your consent where the law requires consent (your Plus enrollment and your choice to present the scan code are that consent for visit records);
- We never sell consumer health data and never use it for targeted advertising;
- We restrict our service providers by contract;
- You may access it, withdraw consent (stop presenting the scan code, or cancel Plus, at any time), and have it deleted subject to the medical-record limits in Section 5, by emailing privacy@sanoprime.com; and
- We do not use geofencing around health facilities.
8. Cookies and Analytics
We use first-party essential cookies (sign-in, security, session integrity) and privacy-tuned analytics with IP anonymization to understand aggregate usage. No advertising pixels or trackers run on authenticated pages or any health-related pages, and we use no third-party advertising cookies anywhere on the Platform. Details, lifespans, and your controls — including the Global Privacy Control signal, which we honor — are in our Cookie & Tracking Policy. Declining analytics never affects your services.
9. Security
We protect your information with encryption in transit and at rest, role-based access controls, comprehensive access logging in the clinical record system, enforced two-factor authentication for Provider accounts, and monitoring. No system is perfectly secure; if a breach affects you, we will notify you as our Security Incident & Breach Notification Policy and the law require.
10. Retention
We keep marketplace data only as long as needed for the purposes in this policy, then delete or de-identify it on the timelines in our Data Retention & Deletion Schedule — for example, your profile and Plus history are deleted within 90 days after your 30-day deletion grace period ends, financial records are kept 7 years as the law expects, and clinical records follow medical-record retention law.
11. Children
The Platform is for adults 18 and older. A person under 18 receives services only through an adult Caregiver's account under our Minor Patients & Caregiver Policy. We do not knowingly collect personal information directly from children under 13; if you believe a child has provided us information, contact privacy@sanoprime.com and we will delete it.
12. Changes to This Policy
When we make material changes, we will email your account address and post the updated policy with a new effective date at least 30 days before it takes effect. Where a change requires new consent under your state's law, we will ask for it.
13. Contact Us
Privacy requests: privacy@sanoprime.com Security reports: security@sanoprime.com (report a vulnerability or security concern) Mail: SanoPrime Inc., Privacy, 1207 Delaware Ave, Suite 3200, Wilmington, DE 19806 (on file with the Delaware Secretary of State)
SanoPrime Privacy Policy — effective July 1, 2026.