Privacy
Policy.

1. Introduction

GOTTA ("Company," "we," "us," or "our") is committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you visit our website, interact with our services, or engage in business transactions with us.

As a licensed cannabis brand in Massachusetts and New Jersey, we are subject to enhanced data handling and recordkeeping obligations under 935 CMR 500 (Massachusetts Cannabis Control Commission regulations), N.J.A.C. 17:30 (New Jersey Cannabis Regulatory Commission regulations), Massachusetts General Laws Chapter 93H (data privacy), 201 CMR 17.00 (Standards for the Protection of Personal Information), and applicable New Jersey data protection laws.

By using our website or engaging with our services, you consent to the data practices described in this Privacy Policy.

2. Information We Collect

2.1 Information You Provide Directly

• Contact information (name, email address, phone number, business address)
• Business credentials (state cannabis license number, license type, license status) for wholesale, licensing, and trade applicants
• Age verification information (date of birth or age confirmation)
• Employment and agent registration information for employees and contractors
• Transaction and order information for B2B wholesale purchases
• Communications you send to us (emails, inquiries, feedback)
• Any other information you voluntarily provide through forms or correspondence

2.2 Information Collected Automatically

• IP address and approximate geographic location
• Browser type, version, and operating system
• Device identifiers and characteristics
• Pages visited, time spent on pages, and navigation paths
• Referring URLs and search terms used to find our website
• Cookies, web beacons, and similar tracking technologies (see Section 7)

2.3 Information from Third Parties

• State regulatory databases (license verification)
• METRC seed-to-sale tracking system data as required by state regulators
• Background check information for employees (CORI in Massachusetts)
• Business verification services

3. How We Use Your Information

We use collected information for the following purposes:

• Verifying that users are 21 years of age or older as required by law
• Verifying the licensing status of B2B customers and business partners
• Processing wholesale orders and managing business relationships
• Complying with state regulatory requirements, including recordkeeping obligations under 935 CMR 500.105(11) and N.J.A.C. 17:30-9.11
• Maintaining records in the METRC track-and-trace system as required by state law
• Responding to your inquiries and providing customer support
• Improving our website, products, and services
• Sending business communications related to orders, products, and regulatory updates
• Detecting, preventing, and addressing fraud, security issues, and technical problems
• Complying with legal obligations and responding to lawful requests from government authorities

4. Disclosure of Your Information

We may share your information in the following circumstances:

4.1 Regulatory Authorities

IMPORTANT: As a licensed cannabis brand, we are required by law to maintain certain records and make them available to state regulatory authorities upon request. This includes:

• The Massachusetts Cannabis Control Commission (CCC) pursuant to 935 CMR 500.105(11)
• The New Jersey Cannabis Regulatory Commission (CRC) pursuant to N.J.A.C. 17:30-9.11
• Local licensing authorities in jurisdictions where we operate

We are required to maintain records for a minimum of two (2) years and produce them upon regulatory demand.

4.2 Law Enforcement

We may disclose your information to law enforcement agencies when required by law, subpoena, court order, or other legal process. We will endeavor to provide you with notice of such disclosure unless prohibited by law.

Note Regarding Federal Law Enforcement: Because cannabis remains illegal under federal law, there exists a possibility that records maintained by cannabis businesses could be subject to federal subpoena or investigation. We will exercise all legally available protections to safeguard your information, but we cannot guarantee immunity from federal legal processes.

4.3 Service Providers

We may share information with trusted third-party service providers who assist us in operating our website, conducting our business, or providing services to you, including:

• Website hosting and IT infrastructure providers
• Payment processing services
• Email and SMS marketing providers (Klaviyo, Attentive/Postscript)
• Analytics services
• Legal, accounting, and compliance advisors

All service providers are contractually obligated to protect your information and use it only for the purposes for which it was disclosed.

4.4 Business Transfers

In the event of a merger, acquisition, reorganization, dissolution, or similar corporate transaction, your information may be transferred as part of that transaction, subject to applicable regulatory approvals required for cannabis license transfers.

5. Data Security

We implement administrative, technical, and physical safeguards to protect your personal information in compliance with Massachusetts 201 CMR 17.00 and applicable New Jersey data protection standards. These measures include:

• Encryption of personal information in transit and at rest
• Access controls limiting data access to authorized personnel only
• Regular security assessments and monitoring
• Secure storage of physical records in locked, access-controlled areas
• Employee training on data privacy and security procedures
• Maintenance of a Written Information Security Program (WISP) as required by M.G.L. c. 93H

While we strive to protect your personal information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

6. Data Retention

We retain personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy or as required by law. Specific retention periods include:

• Regulatory records: Minimum two (2) years as required by 935 CMR 500.105(11) and N.J.A.C. 17:30-9.11, or longer if required by subsequent regulatory guidance
• METRC track-and-trace data: Retained in accordance with state regulatory requirements
• Employee records: Retained for the duration of employment and for a minimum of three (3) years following separation
• Transaction records: Retained for a minimum of seven (7) years for tax and compliance purposes
• Website analytics data: Retained for up to twenty-four (24) months

7. Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies to enhance your browsing experience and analyze website usage. Types of cookies we use include:

• Essential cookies: Required for website functionality, including age verification
• Analytics cookies: Help us understand how visitors interact with our website
• Preference cookies: Remember your settings (state of residence, age verification)

You can control cookie preferences through your browser settings. Disabling certain cookies may limit website functionality, including the age verification gate required by law.

8. Your Rights and Choices

Depending on your jurisdiction, you may have certain rights regarding your personal information:

• Right to access: Request a copy of the personal information we hold about you
• Right to correction: Request correction of inaccurate or incomplete personal information
• Right to deletion: Request deletion of your personal information, subject to legal retention requirements
• Right to opt-out: Opt out of marketing communications at any time
• Right to data portability: Request your data in a portable format where technically feasible

To exercise any of these rights, please contact us at info@florentlabs.com. We will respond to your request within thirty (30) days. Please note that certain data cannot be deleted due to regulatory recordkeeping requirements.

9. Do Not Track Signals

Our website does not currently respond to "Do Not Track" (DNT) signals from web browsers. We will update this policy if we adopt a DNT standard in the future.

10. Children’s Privacy

Our website and services are not intended for individuals under the age of 21. We do not knowingly collect personal information from anyone under 21 years of age. If we learn that we have collected personal information from a person under 21, we will promptly delete that information.

11. Data Breach Notification

In the event of a data breach involving your personal information, we will notify you in accordance with:

• Massachusetts General Laws Chapter 93H, Section 3 (notification to affected residents and the Attorney General)
• New Jersey Security Breach Notification Act (N.J.S.A. 56:8-163)
• Any additional notification requirements under applicable cannabis regulations

12. Third-Party Links

Our website may contain links to third-party websites (dispensary locators, social media platforms, lab partners). We are not responsible for the privacy practices or content of those websites. We encourage you to read the privacy policies of any third-party websites you visit.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will post the updated policy on our website with a revised "Last Updated" date. We encourage you to review this Privacy Policy periodically. Your continued use of our website after any changes constitutes acceptance of the updated policy.

14. Contact Information

If you have questions about this Privacy Policy or wish to exercise your data privacy rights, please contact us at:

GOTTA · Attn: Privacy Officer
115 East 11th Avenue, Roselle, NJ 07203
Email: info@florentlabs.com