Privacy Policy — LeafPulse

    The short version: Your data is yours. We access your POS data read-only to power your analytics. We never sell your data, never share it with competitors, and never use it for advertising. When you leave, your data is deleted within 90 days.
  

🔒

Read-only access

We can see your POS data. We cannot touch it.

🚫

We don't sell data

Never have, never will. Full stop.

🏗️

Isolated per tenant

Your data is siloed. Other businesses can't see it.

🗑️

Deleted on exit

Cancel and your data is gone within 90 days.

1. What Data We Collect

POS and business data. To provide the Service, LeafPulse connects to your point-of-sale system and collects:

Transaction records (sales volume, product sold, price, timestamp)
Inventory records (SKUs, quantities, strain information, cost data)
Cash reconciliation data (register totals, variance records)
Location performance data for multi-location accounts

Account information. When you create a LeafPulse account, we collect:

Name, business name, email address, phone number
Billing information (processed by our payment provider — we do not store raw card data)
POS system type and API credentials (stored encrypted)

Usage analytics. We collect information about how you use the LeafPulse dashboard:

Pages and features accessed, session duration
Browser type, operating system, device type
IP address and general location (city/region level)

What we do NOT collect. LeafPulse does not collect or store your dispensary customers' personal information. We do not need it. Our analytics operate on transaction-level business data, not individual customer profiles.

2. How We Use Your Data

To provide the Service. The primary use of your data is to power the LeafPulse analytics platform — velocity tracking, margin analysis, trend detection, and all other features you've subscribed to.

To improve the product. We may use aggregated, de-identified data (e.g., industry-wide patterns across our user base) to improve our algorithms and add new features. This data cannot be traced back to your business.

To communicate with you. We use your email to send account-related communications: billing notifications, product updates, and critical service alerts.

We do NOT:

Sell your data to any third party
Share your business data with other LeafPulse customers
Use your data for advertising or behavioral targeting
Share your data with cannabis industry vendors, distributors, or competitors
Provide your data to regulators or law enforcement without a lawful order

3. Data Retention

While your account is active. We retain your POS data and account information for the duration of your subscription to provide continuous analytics and historical trend data.

After cancellation. If you cancel your subscription, your data is retained for 30 days in case you wish to reactivate. After 30 days, deletion begins automatically and is completed within 90 days of your account closure date.

Data export. Before cancelling, you may request an export of your data in a standard format (CSV). Contact privacy@leafpulse.io to initiate an export.

Billing records. We are required to retain basic billing records (invoice amounts, dates, account identifiers) for up to 7 years for legal and accounting compliance. These records contain no POS data.

4. POS Data Handling

Read-only connections. LeafPulse accesses your POS system using read-only API credentials or scheduled secure data exports. We have no ability to write data back to your POS or modify your records in any way.

Encrypted in transit and at rest. All data transferred between your POS system and LeafPulse is encrypted using TLS 1.2+. Data stored in our systems is encrypted at rest using AES-256.

Tenant isolation. Your data is stored in a dedicated, isolated data environment. No other LeafPulse customer can access your data. Isolation is enforced at the infrastructure level, not just the application level.

Credential storage. POS API credentials are stored encrypted using industry-standard key management. Credentials are never logged, never included in error reports, and never visible to LeafPulse employees in plain text.

Compliance separation. LeafPulse does not store, process, or interact with any data that falls under cannabis-specific regulatory reporting requirements (e.g., Metrc seed-to-sale tracking). We operate exclusively on business intelligence data.

5. Third-Party Services

LeafPulse uses a small number of trusted third-party services to operate:

Hosting infrastructure: Cloud hosting for our application servers and data storage. Hosted in the United States.
Payment processing: Stripe or equivalent PCI-compliant payment processor. We do not store raw payment card data.
Email delivery: Transactional email provider for account notifications.
Error monitoring: Application monitoring to detect and fix bugs. Error reports are scrubbed of sensitive business data before logging.

We do not use third-party advertising networks, behavioral tracking tools, or data brokers. We do not embed social media tracking pixels.

6. Cookies

LeafPulse uses a minimal number of cookies, strictly necessary to operate the Service:

Session cookies: Required to maintain your login state across pages. These expire when you close your browser or log out.
CSRF protection tokens: Required to protect forms from cross-site request forgery attacks.

We do not use advertising cookies, third-party tracking cookies, or persistent behavioral tracking of any kind.

The LeafPulse marketing landing page may use a minimal analytics cookie to count unique visitors. This data is aggregated and not linked to your account or personal identity.

7. Your Rights

You have the following rights with respect to your data:

Access: You can request a summary of the data LeafPulse holds about you at any time.
Export: You can request a machine-readable export of your business data in CSV format.
Correction: You can update your account information directly within the platform, or request correction of any inaccurate data.
Deletion: You can request deletion of your account and all associated data. Deletion is completed within 90 days of the request. Billing records required by law are retained per Section 3.
POS disconnection: You can revoke LeafPulse's access to your POS system at any time through your account settings. This will suspend the Service but does not automatically delete historical data.

To exercise any of these rights, contact us at privacy@leafpulse.io. We respond to all data requests within 10 business days.

8. Data Security

We take security seriously because your data is sensitive business intelligence:

All data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
POS credentials are stored using encrypted key management — not accessible in plain text by any employee
Access to production systems is restricted to essential personnel and requires multi-factor authentication
Security practices are reviewed and updated regularly

In the event of a data breach that affects your data, we will notify you within 72 hours of becoming aware of the breach.

9. Changes to This Policy

We may update this Privacy Policy as the Service evolves. We will notify you of material changes via email at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.

Contact — Privacy Questions

Questions, concerns, or data requests:

Email: privacy@leafpulse.io

We are real people. We respond to privacy inquiries personally, not with form letters. Expect a reply within 2 business days for general questions, and within 10 business days for formal data requests.

LeafPulse
Cannabis Analytics Platform
New Mexico, United States