Privacy Policy

1- Purpose

Canna Cabana is a subsidiary of High Tide Inc.

Protecting privacy and the confidentiality of personal data is a key aspect of the business operations of High Tide Inc. and its subsidiaries (collectively referred to as "the Company" or "we"). The appropriate, responsible, ethical, and lawful collection, use, storage, and disclosure of personal data is a core value of the Company.

This privacy policy explains how the company collects, uses, stores, protects and discloses personal data and applies to all personal data we collect.

By accessing our websites and services, you agree to the terms of this Privacy Policy and to the collection, use, and disclosure of your personal data in accordance with this Privacy Policy. If you do not agree to the terms of this Privacy Policy, you must immediately cease using our websites and services. You may withdraw your consent at any time.

We reserve the right to amend or update this Privacy Policy from time to time without prior notice. However, should significant changes be made to this Privacy Policy, we will endeavor to notify you, provided we have your contact information. Continued use of the company's websites or businesses constitutes acceptance of the current terms and conditions.

Questions or concerns regarding this privacy policy can be directed to our data protection officer at privacy@hightideinc.com.

2. Definitions

"Personal information" or "personal data" is information relating to an identifiable individual or group of individuals, including but not limited to: name, date of birth, address, income, email address, social security number, gender, rating, credit data, and results of criminal record checks. Anonymized or aggregated data that cannot be used to identify an individual is not considered personal data.

The term "consent" includes (i) express consent, whether given orally or in writing; (ii) implied consent, if it can reasonably be inferred from actions (or omissions).

3. Collection of personal data

This privacy policy applies to all personal data that we collect in the course of our business activities.

Personal data is collected in various ways, including:

  • When accessing our websites, you may be asked to provide information such as your date of birth and location for age-restricted content. Our websites may automatically collect information such as IP address, page requests, browser type, operating system, date and time of access, referring websites, and browsing behavior through cookies. This automatically collected information does not contain any directly identifiable information (e.g., name, address, telephone number, email address) and is used solely for statistical and analytical purposes.
  • When you purchase products or services , for example, when you place an order through our websites or register for services, we require your billing and shipping address, your email address, and/or your telephone number. We also maintain information about purchases, including the items purchased, the time and date of purchase, and your preferred delivery method.
  • When you communicate with us verbally, in writing, or electronically, some of our emails, for example, contain a "click-through URL" that links to content on our website. We track this click-through data to determine interest in specific topics and to measure the effectiveness of our customer communications. If you do not want this data to be collected and tracked, you should not click on these links.
  • When using our chat function on the website, all communication via our private chat function is fully recorded and stored in accordance with this privacy policy.
  • If you are applying for a position at the company.
  • When you enter our physical business premises, for example, our retail stores, warehouses and offices are monitored by cameras for security reasons and to comply with legal regulations.

In addition, we may obtain personal data from third-party providers, service providers, or public sources.

4. Use of personal data

The collection of personal data is solely for the purpose of conducting our business activities and improving our customer service.

The personal data we collect may only be used for the following purposes:

  • Business operations in Canada, the United States of America ("USA") and Europe, including improvements to our business processes and service offerings;
  • Handling of transactions between you and the company;
  • Marketing purposes including email marketing (with opt-out option) and targeted advertising on third-party websites;
  • Compliance with legal requirements, including those relating to response to investigations and subpoenas;
  • For the prevention of fraud, abuse and other criminal activities (e.g., when necessary to investigate payment fraud or violations of our terms of service);
  • For the purpose of personnel administration, including the maintenance of personnel files, the administration of social benefits and the processing of payroll, as well as
  • to contact employees or their emergency contacts.

If additional purposes are identified, your consent for the use of your personal data will be obtained separately.

5. Storage and Protection

We take all reasonable measures to protect personal data through appropriate physical and electronic security measures. The personal data we collect is stored in both paper and electronic form. Where required by law or by disaster recovery or business continuity policies, older records may be stored in a secure, off-site location.

We retain personal data for a specific period of time, depending on the type of data and the purpose for which it was collected:

  • Transaction data will be retained for at least seven (7) years from the date of the transaction for tax and audit purposes.
  • Marketing data will be stored until you withdraw your consent or object to its use.
  • Account-related data will be retained for two (2) years after account inactivity, unless otherwise required by law.
  • Security records will be kept for at least sixty days, or longer if required by local regulations.

We may engage third-party service providers to store and process personal data on our behalf. Both the company and our service providers and/or their agents may use servers or other facilities located outside the jurisdiction in which you provide your personal data—including, but not limited to, the USA. Government agencies, courts, law enforcement, security, or regulatory authorities of the USA or other foreign jurisdictions may, in accordance with applicable local laws, obtain access to or require disclosure of personal data. We take reasonable steps to ensure that your personal data receives an adequate level of protection in the countries where it is processed, including through appropriate written data processing agreements and/or data transfer agreements with our service providers.

6. Disclosure of personal data

Subject to section 8 below, we will under no circumstances sell, share or otherwise disclose your personal data without your prior consent.

We may sell, share, or otherwise disclose personal data that has been appropriately anonymized or pseudonymized. For example, we may sell, share, or disclose information about your use of company websites and your purchases, but only after this information has been separated from any personal data that could be used to identify you.

7. Data subject's access to personal data

You have the right to access, update, review and correct the personal data that is in our possession and under our control.

Your right to access, update, and correct your personal data is limited under certain circumstances. Access may be denied, for example, if:

  • Personal data also includes personal data of third parties;
  • The personal information is subject to attorney-client privilege, confidentiality in legal proceedings, or other legally recognized privileges;
  • Access to personal data would reveal sensitive business information; or,
  • The information was compiled as part of a formal dispute resolution procedure.

Requests for access to personal data can be submitted via email to the company's Data Protection Officer at privacy@hightideinc.com. The company will respond within a reasonable timeframe and either provide the requested information or explain why the information must be withheld.

If you are dissatisfied with a response from the company's data protection officer, contact the relevant local data protection authority.

8. Collection, use and disclosure without consent

We may collect, use and/or disclose your personal data without your consent under certain legally regulated circumstances.

The company may collect your personal data without your knowledge or consent in cases where, for example:

  • The collection of personal data is clearly in your interest and consent cannot be obtained in time;
  • The personal data is provided to the company in the context of your employment, business activities or profession, and the collection is carried out in accordance with the purposes for which the data was provided;
  • The personal data were collected for the purpose of a legally required disclosure, or
  • The personal data is publicly accessible and has been determined by applicable regulations.

The company may use your personal data without your knowledge or consent in cases where, for example:

  • Information that comes to our attention in the course of our work and that we reasonably believe may be useful in investigating a violation of the laws of Canada, a province, or a foreign jurisdiction, whether already committed, in the process of being committed, or about to be committed, and that information is used for the purpose of investigating such violation;
  • The use serves the purpose of acting in an emergency that threatens the life, health or safety of a person;
  • The information contained in a witness statement and whose use is necessary for the assessment, processing or settlement of an insurance claim;
  • The information was provided to the company in the course of your employment, business transactions or profession, and its use is consistent with the purpose for which the information was provided;
  • The personal data were collected for the purpose of a legally required disclosure, or
  • The personal data is publicly accessible and defined in the applicable regulations.

The company may disclose your personal data without your knowledge or consent in cases where, for example:

  • If the information is passed on to a lawyer or solicitor representing the company;
  • For the purpose of collecting a claim you have against the company;
  • To comply with a summons, warrant, or order issued by a court, person, or authority with jurisdiction to disclose information, or to comply with court rules regarding the production of documents;
  • If the personal data is disclosed to a government agency that has requested this data;
  • If personal data is shared with another organization to investigate a breach or violation of the laws of Canada or any other province, and it is reasonably expected that disclosure with your knowledge or consent would jeopardize that investigation;
  • Disclosure is required by law; or
  • The personal data is publicly accessible and defined in the applicable regulations.

Supplementary agreement to the EU and UK GDPR

This supplementary agreement to the privacy policy applies to website users residing in the United Kingdom ("UK") and the European Economic Area ("EEA") and is intended to meet the requirements of the General Data Protection Regulation ("GDPR") applicable in these countries.

The types of personal data we collect and process, the purposes for which we collect and process personal data, and the retention period for personal data are set out in this privacy policy.

We collect and process personal data on several legal bases, including:

  1. With your consent, which you can withdraw at any time (see below);
  2. To fulfill contracts with you (e.g., to process orders via our e-commerce platforms);
  3. To fulfill our legal and regulatory obligations;
  4. To protect the integrity of our company, including, if necessary, to establish, exercise, or defend legal claims; and
  5. To better serve your interests as a customer, including understanding your purchasing preferences and tailoring our offerings to your specific interests and goals.

Individuals in the EEA and the United Kingdom have certain rights regarding their personal data in addition to the rights mentioned in this privacy policy, including:

  1. Right to information: You have the right to request a copy of your personal data from us. We may charge a small fee for this service.
  2. The right to rectification: You have the right to request that we correct any personal data we hold about you that you believe is inaccurate. You also have the right to request that we complete any personal data about you that you believe is incomplete.
  3. The right to object to processing:

a. In general, you have the right to object to the processing of your personal data; however, this right is limited if we have compelling legitimate grounds for the processing which override your personal interests, or if we need your personal data for the establishment, exercise or defense of a legal claim.
b. Direct marketing: If your personal data is processed for direct marketing purposes, you have the right to object to the processing of your personal data for such purposes.

  1. Right to restriction of processing: You have the right, under certain conditions, to request the restriction of the processing of your personal data.
  2. The right to erasure: You have the right, under certain conditions, to request the erasure of your personal data that is in our possession and control. This right may apply, for example, in the following cases:

a. The personal data are no longer needed for the purposes for which they were collected, and you have withdrawn your consent;
b. You have objected to the processing of your personal data, and there are no overriding legitimate grounds for the processing;
c. The personal data were processed unlawfully, or
d. The personal data must be erased to comply with a legal obligation under the law of the European Union or the law of a Member State.

The right to data portability: You have the right, under certain conditions, to request that we transfer the personal data we have collected from you to you or to another organization.

  1. Right to withdraw consent: You have the right to withdraw your consent at any time, provided that we have relied on your consent for the processing of your personal data, under certain conditions.
  2. Right to lodge a complaint with a data protection authority: You have the right to lodge a complaint with a data protection authority regarding our collection, use, and processing of your personal data. For further information, please contact your local data protection authority in the EEA or UK, as applicable.

For further information or to submit a request, please contact our Data Protection Officer at privacy@hightideinc.com

Data transmissions

Your personal data may be stored on and transferred to computer servers located outside your place of residence, including outside the EEA or the UK, where data protection laws may differ from those in your jurisdiction. If you are located in the EEA or the UK and choose to provide us with your data, we may transfer and process that data in Canada, the United States, or other countries. Your acceptance of this Privacy Policy and Supplemental Agreement constitutes consent to such transfers.

We take all reasonable measures to ensure that your personal data is processed securely and in accordance with the GDPR data protection regulations. We will not transfer your personal data without appropriate safeguards (e.g., contractual agreements or necessary certifications) to protect your personal data.

We may revise this addendum from time to time, including when required by the GDPR. We will inform you of any material changes to this addendum (provided we have your contact details) and obtain your consent. If we have informed you of changes to this addendum (or the privacy policy) and you do not agree to these changes, you must immediately cease using and accessing our websites.