SanoPrime

SanoPrime Privacy Policy

Effective Date: July 1, 2026 · Last updated: June 20, 2026

This Privacy Policy explains how SanoPrime Inc. ("SanoPrime," "we," "us") — a Delaware corporation, with its registered office at 1207 Delaware Ave, Suite 3200, Wilmington, DE 19806 — collects, uses, shares, and protects information when you use app.sanoprime.com, sanoprime.com, and our services (the "Platform").


Plain-Language Summary


1. The HIPAA Boundary, in Plain Terms

Two kinds of information exist on SanoPrime:

Clinical records (PHI). What happens in your visits — notes, certifications, clinical messages, transcripts — is created by your Provider and stored in a HIPAA-regulated clinical record system we operate for your Provider's practice as its business associate. Your rights in those records come from HIPAA and are described in your Provider's Notice of Privacy Practices, which is a separate clinical document. To get copies, use our Records Request Policy.

Marketplace data. Your account profile, bookings, payments to SanoPrime, Plus membership and visit history, messages to support, and how you use the site. This Privacy Policy governs that data.

Because you use a medical cannabis marketplace, even your marketplace data can reveal something about your health. We treat it with the care described in Section 7 (Consumer Health Data) no matter which state you live in.

2. Information We Collect

You give us: name, email, date of birth, mailing address and state, account credentials, Caregiver designations, booking selections, information you enter for Form Assist (used only to prepare your forms), payment information for purchases from SanoPrime (processed by our payment processor — we do not store full card numbers), your mobile number if you opt in to texts (with the date and time of your opt-in and the consent text you agreed to), and messages you send us.

Created when you use the Platform: booking and order history; Refund Guarantee status events; if you enroll in SanoPrime Plus and present your scan code at a dispensary — your visit records (store, time, discount applied) and the transaction total captured at validation, sent to us from the dispensary's scan; device and log data (IP address, browser type, pages viewed, timestamps); and cookie data described in our Cookie & Tracking Policy. We do not receive an itemized list of what you bought at a dispensary.

From others: payment confirmation results from processors, validation-scan records from participating dispensaries as described above, and delivery results from our email and text providers. We do not buy data about you from data brokers.

3. How We Use Information

We use marketplace data to: operate the Platform (accounts, bookings, scheduling, Caregiver permissions); sell and deliver Platform-Direct Form Assist; run SanoPrime Plus — confirming membership at validation scans, recording your visits and transaction totals, and showing your history in your account; administer the Refund Guarantee (including verifying Provider-issued refunds through payment records); provide support; send transactional messages (confirmations, reminders, receipts, security alerts); send marketing email only with an unsubscribe link in every message, and marketing texts only with your separate consent; keep the Platform secure and prevent fraud and abuse; meet legal obligations; and improve the Platform using analytics configured as described in Section 8.

AI features on the Platform run on cloud infrastructure under a signed business associate agreement. Visit transcription happens only with your per-visit consent, and source audio is purged after processing.

4. How We Share Information — and How We Don't

We never sell your personal information. We never share it for cross-context behavioral (targeted) advertising. And specifically for texting: we never sell your mobile information, and we never share your mobile information or text-message opt-in data with third parties or affiliates for their marketing or promotional purposes.

Dispensaries. We share nothing with dispensaries except what you initiate: when you present your scan code, the dispensary receives a yes-or-no confirmation of your account and active Plus status so it can apply its own discount. The dispensary never receives your clinical records, your certification status, your contact details through the scan, or your history at other stores. (The scan also never verifies your state medical marijuana certification or card — that check is the dispensary's own legal duty, handled directly between you and the dispensary.)

We share marketplace data only with:

5. Your Privacy Rights

Wherever you live in the US, you can ask us to:

How deletion works. Request deletion in account settings or by emailing support@sanoprime.com. A 30-day grace period runs first — your account is deactivated, and you can restore it during those 30 days by signing back in or emailing us. When the grace period ends, deletion is permanent, and your marketplace data — including Plus visit and spending history — is removed on the schedule in Section 10. Clinical records are different: they are your Provider's legal medical records, and HIPAA and state retention laws require keeping them for set periods. Deleting your account never deletes those records, and you can still request copies through our Records Request Policy.

How to exercise rights: use your account settings or email privacy@sanoprime.com. We verify your identity before acting (and verify an authorized agent's authority, where your state allows agents). We respond within the time your state's law sets — generally 45 days, extendable once with notice. We never discriminate against you for exercising rights. If we deny a request, we explain why, and where your state provides an appeal process, we tell you how to appeal.

6. State-Specific Disclosures (California and Similar Laws)

For residents of California and states with comparable privacy laws: in the last 12 months we have collected the categories in Section 2 (identifiers; customer records; commercial information, including Plus visit records and transaction totals; internet activity; geolocation at the state/city level from IP; inferences limited to service operation), for the purposes in Section 3. We disclose them only to the recipients in Section 4 for business purposes. We do not sell personal information and do not share it for cross-context behavioral advertising, and we have not done so; we have no actual knowledge of selling or sharing the personal information of anyone under 16. We collect sensitive personal information (account credentials; health-related inferences inherent in using this Platform) and use it only to provide the services you request, for security, and as the law permits — not to infer characteristics for other purposes, so no "Limit the Use of My Sensitive Personal Information" choice is required. Retention periods by category appear in Section 10 and our Data Retention & Deletion Schedule. California's "Shine the Light" law: we do not disclose personal information to third parties for their direct marketing.

7. Consumer Health Data

Some states — including Washington, Nevada, and Connecticut — give special protection to "consumer health data," which includes information revealing health conditions or treatment-seeking, such as use of a medical cannabis marketplace and your dispensary visit records. For everyone, regardless of state, we apply these protections to that data:

8. Cookies and Analytics

We use first-party essential cookies (sign-in, security, session integrity) and privacy-tuned analytics with IP anonymization to understand aggregate usage. No advertising pixels or trackers run on authenticated pages or any health-related pages, and we use no third-party advertising cookies anywhere on the Platform. Details, lifespans, and your controls — including the Global Privacy Control signal, which we honor — are in our Cookie & Tracking Policy. Declining analytics never affects your services.

9. Security

We protect your information with encryption in transit and at rest, role-based access controls, comprehensive access logging in the clinical record system, enforced two-factor authentication for Provider accounts, and monitoring. No system is perfectly secure; if a breach affects you, we will notify you as our Security Incident & Breach Notification Policy and the law require.

10. Retention

We keep marketplace data only as long as needed for the purposes in this policy, then delete or de-identify it on the timelines in our Data Retention & Deletion Schedule — for example, your profile and Plus history are deleted within 90 days after your 30-day deletion grace period ends, financial records are kept 7 years as the law expects, and clinical records follow medical-record retention law.

11. Children

The Platform is for adults 18 and older. A person under 18 receives services only through an adult Caregiver's account under our Minor Patients & Caregiver Policy. We do not knowingly collect personal information directly from children under 13; if you believe a child has provided us information, contact privacy@sanoprime.com and we will delete it.

12. Changes to This Policy

When we make material changes, we will email your account address and post the updated policy with a new effective date at least 30 days before it takes effect. Where a change requires new consent under your state's law, we will ask for it.

13. Contact Us

Privacy requests: privacy@sanoprime.com Security reports: security@sanoprime.com (report a vulnerability or security concern) Mail: SanoPrime Inc., Privacy, 1207 Delaware Ave, Suite 3200, Wilmington, DE 19806 (on file with the Delaware Secretary of State)


SanoPrime Privacy Policy — effective July 1, 2026.