Rad Dad Labs LLC — Privacy Policy
Version: 1.1 (merged pre-lawyer draft)
Effective Date: [TO BE INSERTED ON EXECUTION]
Last Updated: [TO BE INSERTED ON EXECUTION]
This Privacy Policy describes how Rad Dad Labs LLC ("Rad Dad Labs," "we," "us," or "our") handles personal information in connection with the Rad Dad Labs hosted service available at raddadlabs.com (the "Service"). The legacy host labs.raddadlabs.com now redirects to raddadlabs.com.
The Service is a business-to-business product. Our customers are legal entities — brands, retailers, and distributors operating in regulated retail categories. The individuals whose information we process are the people who administer those entities' accounts, plus end users who follow a barcode-keyed link to view a Certificate of Analysis or recall notice.
This Policy is written to satisfy, by default, every U.S. state comprehensive consumer privacy law in effect as of the Effective Date, including the laws of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia. Washington's My Health My Data Act is addressed in Section 11.
In this Policy, "personal information" and "personal data" carry the meanings given in applicable U.S. state privacy laws.
1. Scope
This Policy applies to information collected through:
- raddadlabs.com (the marketing site and the barcode-keyed COA pages at raddadlabs.com/c/{barcode})
- labs.raddadlabs.com (legacy COA host; now redirects to raddadlabs.com)
- The Brand portal, the Retailer Shopify application, and the Distributor portal
- Marketing emails and transactional emails we send
This Policy does not apply to:
- Third-party websites linked from the Service, including the websites of brands whose COAs are hosted off-platform
- The Stripe-hosted checkout flow, which is governed by Stripe's privacy policy in addition to ours
- Any retailer's storefront, which is governed by the retailer's own privacy policy
This Policy applies to website visitors, business contacts, prospects, and personnel of customers acting in their business capacity. It does not govern a customer's relationship with its own end consumers. Each customer is solely responsible for its own consumer privacy obligations. See Section 6.
2. Information We Collect
2.1 Account Information
When a customer registers, we collect:
- Legal entity name and any DBA
- Audience role (Brand, Retailer, Distributor)
- Administrator name, email address, and telephone number
- State of formation and EIN (last four digits stored visibly in the application UI; full EIN stored in restricted-access internal KYC storage)
- State hemp or cannabinoid license or permit number
- Business address and business telephone number
2.2 Verification Information (Tier 2 / pre-conversion)
Before activation of a paid tier, we collect:
- Uploaded copy of the customer's state hemp or cannabinoid license, ATC retail or wholesaler permit, LDH processor permit, or equivalent
- FinCEN BOI report acknowledgment (we do not collect the BOI report itself)
- W-9 only where Rad Dad Labs may issue a Form 1099 to the customer in the future
2.3 Payment Metadata
We do not store payment card numbers, expiration dates, or card verification values. Stripe processes and stores payment instrument data under Stripe's own controls. We retain:
- Stripe customer ID and Stripe subscription ID
- Last four digits of the payment method and card brand (returned to us by Stripe for display purposes)
- Billing address
- Invoice and receipt history
- Dispute, refund, and chargeback metadata returned by Stripe
2.4 Product, Barcode, and Permit Data
- For Brand customers: registered GS1 or equivalent barcodes; batch identifiers; pointers to COA PDFs (URL or uploaded file); recall flag status; product descriptive metadata as submitted
- For Retailer customers: Shopify store domain; the product variants whose barcodes match a registered Brand registration; the value written to the rdlabs.coa_url metafield
- For Distributor customers: the retailer entities the distributor serves; uploaded permit documents and permit metadata (agency, permit number, expiration date, holder); permit status alerts
2.5 Access Logs
We log access to the COA router endpoint and to administrative portals. Logs include:
- Barcode requested
- Timestamp
- Truncated source IP address (last octet zeroed)
- User agent string
- HTTP response code
- Dashboard actions taken and API calls
We retain access logs for seven (7) years as a regulatory audit record. See Section 7.
2.6 Communications and Marketing
Email and form submissions you send to us, support tickets, sales conversations, survey responses, and marketing contact details.
2.7 Website Visitor Data
IP address, browser type, referrer, pages viewed, and information collected through cookies and similar technologies. See Section 2.8.
2.8 Cookies and Similar Technologies
We use a small number of strictly necessary cookies for authentication and session management. The marketing site may also use cookies for aggregate site analytics. We do not use cookies for cross-site advertising, behavioral profiling, or sale of personal information.
Where required by law, we present a banner allowing you to manage non-essential cookies. We honor "Global Privacy Control" signals as an opt-out of any sale or sharing.
2.9 Information We Do Not Collect
- COA contents. We host COA PDFs at the brand's election and we serve a redirect URL. We do not parse, index, or read the contents of any COA.
- Sensitive personal information as defined under California, Connecticut, Colorado, or other state law (race, religion, biometric data, precise geolocation beyond IP-level, contents of communications, genetic data, etc.).
- Health, medical, biometric, or genetic information from consumers.
- Information from children under 18 years of age. The Service is not directed to children and we do not knowingly collect their personal information. If we learn we have inadvertently collected such information, we will delete it.
- Consumer personal data transmitted by customers into the Service in violation of the Terms of Service. If a customer transmits consumer personal data in breach of the Terms, we treat that as a customer breach, not as a category we intentionally collect.
3. Sources of Information
We collect information directly from you when you sign up, complete onboarding, communicate with us, use the Service, or visit our website. We also receive limited information from sub-processors performing services on our behalf (for example, Stripe transmits billing metadata after a transaction).
4. How We Use Information
We use the information described in Section 2 to:
- Provide, operate, secure, maintain, and improve the Service
- Authenticate accounts and prevent fraud
- Process payments through Stripe and manage billing
- Onboard customers and conduct Know Your Customer (KYC) review
- Send transactional and account communications (account confirmations, permit expiration alerts, recall notifications, billing notices, security notices)
- Provide customer support
- Send marketing communications, where permitted, with the ability to opt out at any time
- Analyze usage to improve the Service
- Detect, investigate, and prevent fraud, abuse, and security incidents
- Comply with legal obligations and respond to lawful requests
- Defend and enforce our legal rights
- Maintain audit logs sufficient to support customer or regulator-initiated trace requests
We do not use the information to:
- Sell or rent personal information to third parties
- Share personal information for cross-context behavioral advertising as defined under California law and equivalent state laws
- Engage in targeted advertising
- Make decisions that produce legal or similarly significant effects about an individual through solely automated processing
- Train any general-purpose machine learning model on Customer Content
5. Lawful Bases (where required)
For customers and individuals to whom GDPR-style framing applies, we rely on the following bases:
- Contract: to provide the Service to the customer entity that has agreed to our Terms of Service
- Legitimate interests: to secure the Service, prevent fraud, and operate the audit log
- Legal obligation: to comply with tax, accounting, and regulatory obligations
- Consent: for any optional marketing communications
Customers may withdraw consent for optional communications at any time.
6. How We Share Information
We share information only as described below.
6.1 Sub-processors
We engage the following sub-processors as of the Effective Date of this Policy. The current list is maintained in the Rad Dad Labs Data Processing Addendum and may be published at raddadlabs.com/sub-processors.
| Sub-processor | Function | Region | Status |
|---|---|---|---|
| Vercel, Inc. | Hosting and edge delivery | United States | Active |
| Supabase, Inc. | Database, file storage, authentication | United States | Active |
| Stripe, Inc. | Payment processing | United States | Active |
| Resend, Inc. | Transactional and alert email delivery | United States | Active |
| Cloudflare, Inc. | Edge cache, DDoS protection, WAF | United States | Pending engagement |
We commit each sub-processor to confidentiality and data protection obligations no less protective than this Policy. See the DPA for the change-notice procedure and the customer objection process.
6.2 Customer-Directed Sharing
The Service, by design, exposes a barcode-to-COA-URL mapping to anyone who follows the redirect URL. That redirect is the product. Brand customers control the underlying COA URL and may change it at any time. Retailer customers control the rendering of the rdlabs.coa_url metafield on their storefront.
6.3 Recall Notifications
When a Brand customer flags a barcode for recall, we notify each connected Retailer and Distributor through the email address on file. Notification recipients can identify the Brand, the affected barcode, and the recall reason as supplied by the Brand.
6.4 Professional Advisors
We may share information with our professional advisors (legal, accounting, insurance, tax) under confidentiality obligations.
6.5 Legal and Safety
We may disclose information to comply with a subpoena, court order, or other lawful request; to enforce our Terms; to protect the rights, property, or safety of Rad Dad Labs, our customers, or others; or in connection with a merger, acquisition, financing, or sale of assets, subject to the recipient's commitment to honor this Policy. We evaluate every government or law-enforcement request and challenge those we believe to be overbroad. If a recipient in a corporate transaction has a privacy policy materially less protective than this Policy, we will notify customers and provide a meaningful choice consistent with applicable law.
6.6 No Sale or Targeted Advertising
We do not sell personal information, share personal information for cross-context behavioral advertising, or engage in targeted advertising as defined under any applicable state privacy law.
7. Customer Responsibility for Downstream Consumer Privacy
If a consumer follows a barcode-keyed URL, the consumer interacts with the Service for the duration of the redirect, then is delivered to the customer's COA hosting location. The customer (typically the Brand) is responsible for any disclosures, consents, or privacy obligations owed to the consumer at the destination. The Service does not present a privacy interaction to consumers and does not collect direct-to-consumer personal information beyond the access log described in Section 2.5.
Customers are responsible for ensuring that any direct-to-consumer use of the redirect link, recall notice page, or any rendering of the rdlabs.coa_url metafield on their storefront complies with the privacy laws applicable to their consumer relationships, including but not limited to the state laws enumerated in the introduction to this Policy.
8. Retention
| Category | Retention period |
|---|---|
| Account information (Section 2.1) | Lifetime of the Account; up to 12 months after termination for accounting and dispute resolution |
| Verification information (Section 2.2) | Lifetime of the Account; 7 years after termination for the state license / permit copy, given regulatory inquiry windows |
| Payment metadata (Section 2.3) | 7 years (tax and accounting) |
| Product, barcode, and permit data (Section 2.4) | Lifetime of the Account; up to 12 months after termination |
| Access logs (Section 2.5) | 7 years as an audit record |
| Communications and support tickets | 3 years from last interaction |
| Marketing contact data | Until you unsubscribe or otherwise request deletion |
| Backups | Rolling backups overwrite according to backup retention windows; deletion in primary stores is followed by deletion in backups within those windows (target: 90 days) |
After the applicable retention period, we delete or de-identify the information. De-identified data may be retained indefinitely for service operation and benchmarking.
We may retain information longer where required by law, to enforce our agreements, to defend against claims, or to satisfy legitimate ongoing business needs.
9. Security
We use commercially reasonable administrative, technical, and physical safeguards to protect information, including encryption in transit (TLS), encryption at rest for sensitive fields, role-based access control, principle-of-least-privilege secrets management, audit logging, and security review of sub-processors. No system is perfectly secure. In the event of a security incident affecting personal information, we will notify affected customers consistent with the DPA and applicable law.
10. Your Rights
Subject to applicable law and verified identification, individuals may have the right to:
- Access the personal information we hold about them
- Correct inaccurate personal information
- Delete personal information, subject to legal retention obligations
- Portability — receive a copy in a structured, commonly used format
- Opt out of sale, sharing for cross-context behavioral advertising, targeted advertising, and certain profiling (we do not engage in any of these by default; the right is preserved in case our practices change)
- Limit the use of sensitive personal information under CCPA
- Appeal a denial of a request, where applicable state law provides for it
- Authorized agent submission under CCPA and other state laws that permit it
- Non-discrimination for exercising privacy rights
10.1 Note on B2B Context
Most state comprehensive privacy laws either exclude business-to-business contact data, exclude data processed in a commercial or employment context, or both. Where an exemption applies, the rights above may be limited. We will not refuse to consider a verifiable request solely because we believe an exemption applies; we will respond on the merits, to the extent applicable.
10.2 How to Submit a Request
Send a request to privacy@raddadlabs.com. Identify the entity or Account the request relates to and the right being exercised. We will respond within 45 days, with one 45-day extension when reasonably necessary, and will inform you of the extension within the initial period.
10.3 Verification
We may need to verify identity before fulfilling a request. For B2B customers, verification will typically be through the administrator email associated with the Account, or through other information we already hold about you.
10.4 Appeals
If we decline a request in whole or part, you may appeal by replying to our decision within 60 days. We will respond to appeals within 60 days.
10.5 State-Specific Notices
- California (CCPA / CPRA): California residents may make requests under the CCPA as described above. California's "Do Not Sell or Share My Personal Information" requirement does not apply because we do not sell or share personal information for cross-context behavioral advertising. We do not knowingly collect sensitive personal information; if we do, we use it only for purposes permitted without offering an opt-out (such as performing the service requested, security, and fraud detection).
- Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, Virginia: Residents may exercise rights as described above. Appeal rights, where provided by the applicable state law, are available by replying to the response email or writing to privacy@raddadlabs.com with "Appeal" in the subject line.
11. Washington My Health My Data Act and Equivalent Consumer Health Privacy Laws
The Service is not a health platform. We do not collect biometric, health, mental health, reproductive health, or precise geolocation data. We do not infer health status from any data we process. If a customer registers in Washington and Customer Content includes anything that could be characterized as consumer health data under the Washington My Health My Data Act or the Connecticut, Colorado, or Nevada equivalents, the customer is responsible for the corresponding consumer disclosures and consents.
If you believe Rad Dad Labs has collected such data from you, contact privacy@raddadlabs.com.
12. International Users
The Service is offered in the United States. We do not direct the Service to, or transfer personal data outside of, the United States as a matter of course. If you access the Service from outside the United States, your information will be processed in the United States, which may have different data protection rules than your country. If we begin to offer the Service internationally or use a sub-processor that processes data outside the United States, we will update this Policy and the DPA accordingly.
13. Changes to This Policy
We may update this Policy. The "Last Updated" date at the top reflects the most recent revision. Material changes will be communicated through the Service or by email to the Account administrator at least thirty (30) days before they take effect. Material changes affecting Customer Data covered by the DPA are also governed by the change notice procedures in the DPA.
14. Contact
Rad Dad Labs LLC
2280 Wisteria Street
Baton Rouge, LA 70806
privacy@raddadlabs.com