Privacy Policy

Policy No: GLT-Privacy Policy

Overview

Greenlight Therapeutics is committed to protecting the privacy and confidentiality of all customer information collected in the course of dispensary operations, including information pertaining to adult-use customers and qualifying medical patients. This policy establishes the standards by which Greenlight Therapeutics collects, uses, stores, protects, and shares customer information in compliance with Maryland Cannabis Administration (MCA) regulations. Certain data collection is required by Maryland law and cannot be waived.

Information We Collect

Greenlight Therapeutics collects personal information necessary to operate as a licensed cannabis dispensary in compliance with COMAR 14.17. This includes:

Identity and Age Verification – Full legal name, date of birth, government-issued photo ID information, and MCA patient or caregiver registry number (qualifying patients and registered caregivers only).

Transaction Information – Where express customer consent has been obtained, we may collect purchase history, product preferences, transaction amounts, and payment method type. This information is collected only where the customer has affirmatively opted in.

Medical Information (Qualifying Patients and Registered Caregivers Only) – Medical cannabis certification status, registry identification number, and caregiver relationship documentation where applicable.

Security and Operational Information – Video surveillance footage collected throughout our facility in compliance with COMAR 14.17 security requirements, and entry and exit logs.

How We Use Customer Information

Customer information collected by Greenlight Therapeutics is used for the following purposes:

Age and identity verification – To verify customer identity and age prior to any cannabis transaction, as required by COMAR 14.17.

Transaction processing – To process and complete sales transactions. Collection of purchase history and product preferences beyond what is required for regulatory compliance is conducted only with express customer consent.

Regulatory compliance – To comply with mandatory state reporting requirements, including entry of transaction data into METRC as required by the MCA.

Record retention – To maintain required records in accordance with Maryland cannabis regulations.

Safety and security – To ensure the safety and security of customers, staff, and the facility.

Customer communications – To communicate with customers regarding orders, including preorders and curbside pickup.

Customer Consent and Opt-In Choices

Certain information collected by Greenlight Therapeutics, including purchase history and product preferences, is collected only with express customer consent. Customers may withdraw consent at any time by notifying a registered agent or contacting Greenlight Therapeutics at the address listed in this policy. Withdrawal of consent does not affect information already collected or information required to be retained under Maryland cannabis regulations.

Registered agents are responsible for ensuring that opt-in consent is obtained and documented prior to collecting any non-mandatory customer information.

How Customer Information is Shared

Greenlight Therapeutics does not sell, rent, or trade customer information. Customer information is shared only in the following limited circumstances:

Required by law – Greenlight Therapeutics is required by Maryland law to report certain transaction and inventory data to the Maryland Cannabis Administration through the METRC tracking system. This reporting is mandatory and cannot be opted out of.

Legal compliance and law enforcement – Information may be disclosed when required by a valid court order, subpoena, or other legal process, or when necessary to comply with applicable federal, state, or local law.

Service providers – Limited information may be shared with trusted third-party service providers, including the point-of-sale system provider. These providers are contractually required to protect customer information and may only use it to provide services to Greenlight Therapeutics.

With customer consent – Customer information is not shared for any other purpose without explicit customer consent.

Medical Patient Confidentiality

Greenlight Therapeutics treats all medical patient information with heightened confidentiality. Information related to a qualifying patient or registered caregiver status, medical cannabis certification, or registry identification is:

  • Collected only as required for compliance with MCA regulations
  • Stored securely and separately from general customer records where applicable
  • Never disclosed to unauthorized third parties
  • Protected in accordance with applicable Maryland privacy laws

Registered agents must not discuss, share, or reference any qualifying patient's medical status, registry number, or certification outside of what is required to complete a compliant transaction.

Data Retention

Customer records are retained for the minimum period required by Maryland cannabis regulations and applicable law. Transaction records, identity verification records, and METRC-reported data are retained in accordance with COMAR 14.17 record retention requirements. Video surveillance footage is retained for the period required by MCA security regulations. Records must not be destroyed prior to the expiration of the applicable retention period.

Data Security

Greenlight Therapeutics implements reasonable physical, electronic, and procedural safeguards to protect customer information from unauthorized access, use, or disclosure. Access to customer records is restricted to authorized registered agents and management personnel only. Any suspected breach of customer data must be reported immediately to the General Manager and Executive Management.

Video Surveillance

Greenlight Therapeutics utilizes video surveillance throughout its facility as required by COMAR 14.17 security regulations. Surveillance is conducted for the safety and security of customers, staff, and company assets. Footage is stored securely and accessed only by authorized personnel or as required by law. Unauthorized access to or tampering with surveillance systems is prohibited.

Policy Responsibility

Executive Management – Own this policy, approve all revisions, and ensure organizational compliance with applicable privacy requirements.

General Manager – Ensure all registered agents are trained on this policy and that customer information is handled in accordance with it during daily operations.

Registered Agent – Handle all customer information in accordance with this policy during transactions, intake, and any customer interaction.