B’leaf Wellness Centre Privacy Policy

 

Effective Date: 15 April 2026

B’leaf Wellness Centre (“B’leaf,” “we,” “us,” or “our”) values your privacy.  This Privacy Policy explains how we collect, use, and share information when you visit bleafma.com (the “Site”), contact us, or engage with our services.  It also describes your choices and rights under applicable laws, including California, Connecticut, and European Union privacy regulations.  If you do not agree with this Policy, please do not use the Site.

1. Information We Collect

1.1 Information You Provide

We collect personal information that you choose to provide, including:

  • Contact details: When you complete the “Send Us A Message” form, you provide your name, email address, subject and message.  We use this information to respond to your inquiries and provide customer service.

  • Age‑verification response: We display an age‑verification screen and may record whether you affirm that you are 21 years of age or older.  Our services are intended only for adults who are legally permitted to purchase cannabis products; we do not knowingly collect personal information from children under 13.

  • Order or account information (if offered in the future): Should we allow online ordering or account creation, we will collect information necessary to process orders, such as billing/shipping addresses, government‑issued identification where required by law, and payment details.

We ask that you do not provide sensitive personal information (e.g., health data, financial account numbers, or information about your race/ethnicity, religious beliefs, sexual orientation, or precise location) through our Site.  If you submit such information, you consent to our use and handling of it consistent with this Policy.

1.2 Information We Automatically Collect

When you visit the Site, we and our service providers may automatically collect information about your device and usage:

  • Technical data: IP address, device identifiers, browser type, operating system, referral URLs and system configuration.  Under Google’s Analytics terms, websites must disclose that Google may receive a visitor’s URL and IP address and may set cookies or device identifiers to process that data .

  • Usage information: Pages you view, links you click, time spent on the Site, and the date and time of your visit.  We use this data to administer the Site, analyze performance, and improve content.

  • Cookies and similar technologies: Our Site uses cookies, pixels and local‑storage objects.  Cookies may be necessary for functionality (e.g., remembering your age‑verification response) and are also used by analytics and advertising services.  See Section 5 (Cookies & Tracking Technologies) for details.

1.3 Information from Other Sources

If you interact with us on social media (e.g., Instagram or Facebook), we may receive your public profile information.  We may also receive customer lists from our in‑store point‑of‑sale system or marketing partners when permitted by law.  Should we upload hashed contact information to platforms such as Google for advertising (Customer Match), we will do so in compliance with Google’s policies requiring us to disclose that we share customer data with third parties to perform services and to obtain consent where required .

2. How We Use Information

We use the information we collect to:

  1. Provide services and respond to inquiries. We process your submissions, maintain your preferences, deliver our products and services, and communicate with you.

  2. Age verification and legal compliance. We restrict access to individuals 21 years or older and comply with applicable cannabis and data‑privacy laws.

  3. Improve and personalize our Site. We analyze usage data to understand how visitors interact with our content and to develop new features.

  4. Marketing and advertising. We may use your information to send promotional communications about B’leaf products (where lawful) and to tailor advertisements through remarketing or similar audiences.  When using your data segments in Google Ads, Google requires us to include a description of how we use your data to advertise online and to notify you that third‑party vendors (including Google) show our ads across the Internet, use cookies or device identifiers to serve ads based on past visits, and to provide opt‑out instructions .

  5. Security and fraud prevention. We use data to detect and prevent unauthorized access or other illegal activities.

  6. Legal obligations. We may process information to comply with regulations (e.g., age‑restricted product laws, consumer‑privacy laws), respond to lawful requests, and protect our rights.

We do not sell your personal information, and we do not use it for automated decision‑making that produces legal or similarly significant effects without human involvement.

3. Information Sharing

We share personal information only as described below:

  • Service providers: We use vendors to host our website, manage email communications, provide analytics (e.g., Google Analytics) and advertising services, process payments, and manage marketing.  These providers only receive the information needed to perform services on our behalf and are contractually obligated to protect it.

  • Third‑party advertising partners: When we use remarketing or Customer Match, we may share hashed contact information with Google and other advertising platforms to show you relevant ads.  Google’s Customer Match policy requires that our privacy policy disclose such sharing and that we obtain consent when required .  We also acknowledge that third‑party vendors (including Google) use cookies/device identifiers to serve ads based on past visits .

  • Analytics providers: We use Google Analytics to analyze usage.  Google requires us to disclose our use of Analytics and how it collects and processes data .  For more information on how Google uses data when you visit sites using its services, please see How Google uses information from sites or apps that use our servicesAttachment.png.

  • Legal compliance and protection: We may disclose information if required by law, court order or governmental request, or to enforce our agreements, protect our rights or the rights of others, and investigate fraud or security issues.

  • Business transfers: If B’leaf participates in a merger, acquisition or sale of assets, your information may be transferred.  We will notify you and obtain consent where required.

We do not knowingly share data regarding individuals under the age of 21 or children under 13.

4. Cookies & Tracking Technologies

4.1 First‑Party Cookies

We use cookies to remember your age‑verification status, store your preferences (e.g., cookie consent choices) and improve user experience.

4.2 Google Analytics

Google Analytics sets cookies to measure visits and behaviour.  Google’s terms require us to have and abide by a privacy policy that discloses the use of cookies or device identifiers, explains how Google Analytics collects and processes data, and explains how users can opt out .  You can control cookies by adjusting your browser settings or by installing Google’s opt‑out browser add‑onAttachment.png.  For GA4, we have enabled IP‑anonymization to reduce personal data collection.

4.3 Advertising Cookies & Remarketing

Our Site may use Google Ads remarketing and audience segments to show ads to people who previously visited our Site.  When using these features, Google requires us to tell you that:

  • We use your data to advertise online.

  • Third‑party vendors, including Google, show our ads on sites across the Internet.

  • Third‑party vendors, including Google, use cookies or device identifiers to serve ads based on someone’s past visits to our Site .

  • You can opt out of Google’s use of cookies/device identifiers for personalised advertising by visiting Google Ads SettingsAttachment.png or, alternatively, by visiting the Network Advertising Initiative opt‑out pageAttachment.png or changing your device settings .

4.4 Customer Match and Enhanced Conversions

We may upload hashed first‑party customer data (e.g., email addresses) to Google to create Customer Match lists or enable enhanced conversions.  Google’s Customer Match policy states that we must disclose in our privacy policy that customer data may be shared with third parties to perform services and obtain consent where required .  We only upload data collected directly from our customers, and we prohibit using this data to target minors under 13 

4.5 EU User Consent & Consent Mode

For visitors from the European Economic Area (EEA), the United Kingdom and Switzerland, we adhere to Google’s EU User Consent Policy.  We obtain your consent before storing or accessing cookies or other information on your device and before collecting personal data for personalised ads.  We also identify all parties (including Google) that may receive end‑user data and provide a way to revoke consent .  We implement Google Consent Mode v2 using a certified Consent Management Platform, which allows us to respect your preferences while maintaining measurement accuracy.

5. Your Rights & Choices

5.1 General Rights (GDPR and Similar Laws)

If you are located in the European Union, United Kingdom or a jurisdiction with comparable data‑protection laws, you have the right to:

  • Be informed about our data‑processing activities.

  • Access the personal data we hold about you.

  • Rectify inaccurate or incomplete data.

  • Erase personal data (“right to be forgotten”).

  • Restrict or object to our processing of your data.

  • Data portability – receive your personal data in a structured, commonly used format.

  • Not be subject to automated decision‑making producing legal or similarly significant effects .

To exercise these rights, please contact us using the information in Section 10.  We will respond within one month or as required by law and may request verification of your identity.

5.2 California Privacy Rights (CCPA/CPRA)

If you reside in California, you have rights under the California Consumer Privacy Act and its amendments:

  • Right to know/access: You may request to know the categories of personal information we have collected, the categories of sources, the business or commercial purposes for collection, the categories of third parties to whom we disclose information, and the specific pieces of personal information we have collected.

  • Right to delete: You may request that we delete personal information we have collected from you.

  • Right to correct: You may request correction of inaccurate personal information.

  • Right to opt out of selling or sharing: We do not sell personal information for monetary consideration.  If we engage in cross‑context behavioural advertising, you may opt out via our cookie banner or by sending us a request.  Our Site honours browser‑based Global Privacy Control (GPC) signals as requests to opt out of selling or sharing personal information.

  • Right to limit use/disclosure of sensitive personal information: We do not use sensitive personal information for purposes beyond those permitted by law.

  • Non‑discrimination: We will not discriminate against you for exercising your rights.

Our privacy policy must include a comprehensive description of our information practices, including categories of personal information collected, sources, purposes, third parties, and consumer rights .  We update this policy annually and provide notice of any material changes.  For California residents, we also describe how the Site responds to Do Not Track signals; we honour browser‑based Global Privacy Control signals but otherwise do not change our practices when receiving a standard “Do Not Track” header.

5.3 Connecticut Residents (CTDPA)

If you reside in Connecticut, you have rights under the Connecticut Data Privacy Act:

  • Right to access your personal information.

  • Right to correct inaccuracies.

  • Right to delete personal information.

  • Right to opt out of the sale of personal data or targeted advertising.  We do not sell personal data, but if we use targeted advertising, you may opt out by using our cookie preferences or sending a request.

  • Universal Opt‑Out (Global Privacy Control). Starting 1 January 2025, Connecticut law requires companies to respect universal opt‑out signals.  If your browser or extension broadcasts a Global Privacy Control signal, our Site will treat it as a request to opt out of data sales.

5.4 Children’s Privacy (COPPA)

Our Site is not directed to children under 13.  We do not knowingly collect personal information from children.  If we discover that we have inadvertently collected a child’s personal information without parental consent, we will delete it promptly.  The Children’s Online Privacy Protection Act (COPPA) requires parental consent before collecting personal information from children under 13 .  Parents who believe their child has provided personal information may contact us to request deletion.

6. Data Security

We employ reasonable administrative, technical and physical safeguards to protect your information.  Measures include:

  • Encryption. We use TLS (Transport Layer Security) to encrypt information transmitted between your browser and our Site.  Sensitive information (e.g., payment details) is stored securely with appropriate encryption.

  • Malware protection and access controls. We maintain anti‑malware software, restrict downloads of unauthorized software, and limit access to personal data to authorized personnel with a need to know .

  • Authentication and passwords. We enforce strong password policies and multi‑factor authentication where appropriate .

  • Regular security assessments. We review our systems, update software, and audit logs to detect vulnerabilities and unauthorized access.

Despite these measures, no method of transmission or storage is 100 % secure.  You are responsible for using secure passwords and protecting your devices.

7. Data Retention

We retain personal information as long as necessary to fulfill the purposes described in this Policy, comply with legal obligations, resolve disputes, and enforce agreements.  The retention period depends on the type of data:

  • Contact form submissions: typically retained for up to 2 years after our last communication unless a longer period is required for legal compliance.

  • Marketing lists: retained until you unsubscribe or request deletion.

  • Age‑verification logs: retained as required by cannabis regulations.

  • Analytics data: retained for the period configured in Google Analytics (currently 14 months) or as required for security and auditing.

We periodically review our retention practices and securely dispose of data no longer needed.

8. International Transfers

We are located in the United States.  By using the Site, you understand that your information may be transferred to and processed in the United States and other countries.  We rely on standard contractual clauses or other approved transfer mechanisms for cross‑border transfers where required by law.

9. Do Not Track & Global Privacy Control

Some browsers include a Do Not Track (DNT) signal.  Because there is no common industry standard for interpreting DNT signals, our Site does not respond to them.  However, we do recognize Global Privacy Control signals from your browser or extension as a request to opt out of the sale or sharing of personal information.

10. How to Exercise Your Rights or Contact Us

To exercise any privacy right described above (access, correction, deletion, opt out) or to ask questions about this Policy, please contact us:

  • Email: contact@bleafma.comAttachment.png

  • Phone: (413) 277‑0599

  • Mail: B’leaf Wellness Centre, 24 W Main St, Ware, MA 01082

When submitting a request, please provide sufficient information that allows us to verify your identity (e.g., your name, the email used to contact us, and the nature of your request).  We will respond within the time frames required by applicable law.  Agents submitting requests on behalf of another individual must provide proof of authorization.

11. Updates to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices, technologies, legal requirements or for other reasons.  When we make material changes, we will post the updated policy on this page and update the “Effective Date” at the top.  Your continued use of the Site after changes are posted constitutes your acceptance of the updated policy.

Summary of Key Google Requirements Included in This Policy

  • We disclose our use of Google Analytics and how it collects and processes data.

  • We describe how we use audience data (remarketing) and that third‑party vendors, including Google, show ads across the Internet and use cookies/device identifiers.

  • We provide instructions on how users can opt out of Google’s use of cookies or device identifiers via Ads Settings or the Network Advertising Initiative opt‑out page.

  • We disclose sharing customer data with third parties for services and obtain consent where required.

  • We obtain consent and follow the EU User Consent Policy for cookies and personalized ads.

By visiting bleafma.com, you acknowledge that you have read and understood this Privacy Policy.