Privacy Policy

Turff Analytics ("Turff", "we", "us", or "our") is an Ontario corporation headquartered in Toronto. We respect your privacy and are committed to handling personal information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation. This Privacy Policy explains what personal information we collect, how we use it, and the choices you have.

1. Scope

This policy applies to personal information we collect through our websites (including turff.ai), our cannabis analytics platform, and our sales and support interactions. It does not apply to third-party websites or services that we do not operate.

2. Information We Collect

We collect the following categories of personal information:

• Account and contact information — name, business email, job title, employer, telephone number, and other information you provide when creating an account, subscribing, or contacting us.
• Usage data — information about how you interact with the platform, including pages viewed, features used, timestamps, and device and browser metadata.
• Technical data — IP address, device identifiers, log data, and diagnostics collected automatically when you use the Services.
• Communications — records of correspondence with our sales and support teams.

We do not intentionally collect personal information about individual cannabis consumers. The market data processed through our platform is aggregated transactional and product data from retail and wholesale partners.

Sign-in and authentication providers

When you sign in to Turff using a third-party identity provider — currently Google (Google Workspace / Gmail) and Microsoft (Entra ID / Microsoft 365) — we receive a limited set of information from that provider to create and manage your Turff account. This information consists of:

• your full name as registered with the provider;
• your email address;
• a unique account identifier issued by the provider (used to match your sign-in to your Turff account);
• your profile picture, if one is available; and
• the domain of your organization (e.g., yourcompany.com), used to associate your account with your employer's Turff workspace.

We do not request, collect, or store your password. We do not access your Google or Microsoft mailbox, calendar, drive, contacts, or any other data held by those providers. We request only the minimum OAuth scopes required for authentication (openid, email, and profile for Google; openid, profile, email, and User.Read for Microsoft).

3. How We Use Personal Information

We use personal information to:

• provide, maintain, and improve the Services;
• authenticate users and secure accounts;
• process subscriptions and invoices;
• respond to inquiries and provide customer support;
• send transactional messages and, with your consent, marketing communications;
• analyze usage to improve product performance and develop new features; and
• comply with legal obligations and enforce our Terms of Service.

When you sign in using Google or Microsoft, we use the authentication information described above solely to verify your identity, create and maintain your user account, associate your account with the correct customer workspace, and communicate with you about your account, security, and the service. We do not use SSO information for advertising, profiling, or any purpose outside the provision of the Turff platform.

We do not transfer SSO information received from Google or Microsoft to any third party except as strictly required to operate the Turff service (specifically, to our hosting and error-monitoring sub-processors listed in Section 5). We do not sell, rent, or share SSO information for any other purpose, and we do not transfer it to data brokers, information resellers, or for advertising, retargeting, credit-worthiness, or lending decisions.

Compliance with Google API Services User Data Policy

Turff's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

4. Legal Basis and Consent

Under PIPEDA, we rely on your consent — express or implied depending on the sensitivity of the information and the context — to collect, use, and disclose your personal information. You may withdraw your consent at any time, subject to legal or contractual restrictions and reasonable notice. Withdrawing consent may limit our ability to provide the Services to you.

5. Sharing and Disclosure

We disclose personal information only in the following circumstances:

• Service providers — we use trusted third-party providers for hosting, analytics, customer support, email delivery, and payment processing. These providers are bound by contractual obligations to protect personal information and use it only for the purposes we specify. Current sub-processors include: Google Cloud Platform, Sentry, Mailgun, Tableau, Dagster, and dbt. Of these, only Google Cloud Platform (hosting) and Sentry (error monitoring) process SSO authentication data; Mailgun, Tableau, Dagster, and dbt do not.
• Corporate transactions — in connection with a merger, acquisition, financing, or sale of assets, subject to customary confidentiality protections.
• Legal requirements — where required by law, court order, or to protect the rights, property, or safety of Turff, our customers, or others.
• With your consent — for any other purpose disclosed to you at the time of collection or with your authorization.

We do not sell personal information.

6. Data Storage, Location, and International Transfers

Turff's production systems, including authentication data received from identity providers, are hosted on Google Cloud in North America (EST region).

Some service providers supporting Turff may process personal information outside of Canada, including in the United States. While in another jurisdiction, personal information may be subject to the laws of that jurisdiction, including lawful access requests by government authorities. We take contractual and technical measures — required of our service providers under PIPEDA — to ensure a comparable level of protection wherever your information is processed.

7. Data Retention

We retain personal information only as long as necessary to fulfill the purposes for which it was collected, to comply with legal, accounting, or reporting requirements, or to resolve disputes and enforce our agreements. Typical retention periods are as long as your account remains active, plus 12 months after closure. When information is no longer required, we securely delete or anonymize it.

Authentication information received from identity providers is retained for as long as your Turff account is active. If your account is deleted or deactivated, associated SSO identifiers and profile information are removed from our active systems immediately upon account deletion and purged from backups within 90 days, except where retention is required to comply with legal, tax, or audit obligations. To request deletion at any time, contact our Privacy Officer using the details in Section 13.

8. Security

We maintain administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. These include encryption in transit, access controls, logging, and regular security reviews. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

9. Your Rights

Subject to applicable law, you have the right to:

• request access to the personal information we hold about you;
• request correction of inaccurate or incomplete information;
• withdraw consent to our collection, use, or disclosure of your information;
• request deletion of your personal information, subject to legal and contractual limits; and
• make a complaint about our handling of your personal information.

You may also revoke Turff's access to your Google or Microsoft account at any time:

• Google: visit myaccount.google.com/permissions and remove Turff.
• Microsoft: visit myapps.microsoft.com — or your administrator's app consent page — and remove Turff.

Revoking access will prevent further sign-ins via that provider but will not delete your Turff account. To delete your account, contact our Privacy Officer using the details below.

To exercise these rights, contact us using the details below. You also have the right to file a complaint with the Office of the Privacy Commissioner of Canada at www.priv.gc.ca.

10. Cookies and Tracking

Our websites use cookies and similar technologies to keep you signed in, remember your preferences, measure usage, and improve the Services. You can control cookies through your browser settings. Disabling cookies may affect the functionality of the Services.

11. Children

The Services are intended for business users and are not directed to individuals under the age of majority in their jurisdiction. We do not knowingly collect personal information from minors. If you believe a minor has provided us with personal information, please contact us and we will take appropriate steps to delete it.

12. Changes to this Policy

We may update this Privacy Policy from time to time. When we make material changes, we will post the updated policy on our website and update the effective date above. Where required by law, we will seek your renewed consent.

13. Privacy Officer and How to Contact Us

Turff's designated Privacy Officer under PIPEDA is responsible for this Privacy Policy and for responding to inquiries, requests, and complaints about our handling of personal information. The Privacy Officer can be reached at: