Privacy Policy

1. Introduction

BakedBot AI LLC ("BakedBot," "we," "our," or "us") operates an agentic commerce platform for the cannabis industry, including the website bakedbot.ai, AI-powered business tools, and associated services (collectively, the "Platform").

This Privacy Policy explains how we collect, use, disclose, and protect personal information from:

• Business customers — cannabis brands, dispensary operators, and their staff who use our Platform.
• End customers — cannabis consumers who interact with brands and dispensaries powered by BakedBot.
• Business contacts — prospective dispensary and brand partners we identify for outreach.
• Visitors — anyone who accesses our public-facing website or marketing pages.

By using the Platform, you agree to the practices described in this Policy. If you do not agree, please discontinue use.

2. Information We Collect

2.1 Business Customer Accounts

When a brand or dispensary registers for the Platform, we collect:

• Name, email address, and phone number of account holders and staff
• Business name, license number, and business address
• Role and permissions within the organization
• Billing information (credit card data is tokenized; we do not store raw card numbers)
• Google account tokens (Calendar, Drive) when you authorize those integrations — stored with AES-256 encryption
• Content you create, upload, or generate on the Platform (brand guides, campaigns, blog posts, playbooks)

2.2 End Customer Data (Cannabis Consumers)

When consumers interact with brands or dispensaries powered by BakedBot, we may process:

• Name, email address, and phone number
• Date of birth (required for age verification — cannabis law mandates 21+)
• Delivery address and location data
• Order history and transaction records
• Payment method (processed and tokenized by our payment partners; see Section 4)
• Loyalty program activity and reward balances
• SMS opt-in consent and communication preferences
• Product preferences and browsing behavior on brand-powered pages

2.3 Business Contacts (B2B Outreach)

As part of our sales and partnership outreach — primarily in New York — we collect business contact information from publicly available sources, including:

• Business name, website, and state license data (NY Office of Cannabis Management public records)
• Professional email addresses and phone numbers obtained via third-party data providers (Apollo.io)
• Publicly posted business social profiles

This data is used solely to contact licensed cannabis operators about BakedBot services. We honor all opt-out requests immediately.

2.4 Automatically Collected Data

When you use the Platform, we automatically collect:

• IP address and approximate location (city/region)
• Browser type, operating system, and device identifiers
• Pages visited, features used, and time spent
• Session identifiers (stored in session cookies — see Section 8)
• Error logs and performance telemetry
• AI agent interaction logs (tool calls, response latency, estimated token usage)

3. How We Use Your Information

We use the information we collect to:

• Provide the Platform — operate AI agents, process campaigns, sync POS data, generate content, and deliver analytics.
• Process orders and payments — fulfill cannabis orders through licensed dispensary partners.
• Verify age and comply with cannabis law — confirm that end customers are 21 or older before facilitating any transaction.
• Send marketing communications — deliver SMS and email campaigns on behalf of brands and dispensaries, always with prior consent and in compliance with TCPA.
• Improve AI agents and platform features — analyze usage patterns, run evaluations, and improve recommendation quality.
• Operate loyalty programs — track points, tier advancement, and reward redemption.
• Ensure compliance — review campaign content for regulatory compliance (state advertising restrictions, medical claim prohibitions, age-gating requirements).
• Communicate with you — send account notifications, billing information, and support responses.
• Detect fraud and maintain security — monitor for unauthorized access and protect platform integrity.
• Meet legal obligations — respond to lawful requests from regulatory and law enforcement agencies.

4. How We Share Your Information

We do not sell your personal information. We share data only as described below:

Service Providers

• Payment processors — CannPay and Authorize.net process and tokenize payment card data. Raw card numbers never touch our servers.
• SMS provider — Blackleaf delivers text messages on behalf of dispensary customers. Message logs are retained per TCPA requirements.
• Email provider — Mailjet and SendGrid deliver email campaigns and transactional notifications.
• AI providers — Google (Gemini models) and Anthropic (Claude models) process conversation and content generation requests. We transmit the minimum data needed; see each provider's data processing terms.
• POS integration — Alleaves POS receives and sends order and inventory data for participating dispensaries.
• Loyalty platform — Alpine IQ processes loyalty program data for participating dispensaries.
• Analytics and error tracking — Firebase (Google) and Sentry receive usage telemetry and error logs.
• B2B data enrichment — Apollo.io provides professional contact data for licensed cannabis business outreach.

Dispensary Partners

When an end customer places an order or interacts with a dispensary through BakedBot, the relevant customer data (name, contact info, order details) is shared with that licensed dispensary for order fulfillment and compliance recordkeeping.

Legal and Regulatory

We may disclose information to law enforcement, regulators (including state cannabis control agencies), or other third parties when required by law, court order, or to protect the safety of our users or the public.

Business Transfers

If BakedBot AI LLC is acquired, merges, or transfers assets, personal information may be transferred as part of that transaction. We will notify affected users before any such transfer takes effect.

5. SMS and Text Communications (TCPA)

BakedBot powers SMS marketing campaigns for licensed cannabis brands and dispensaries. By providing your phone number and opting in, you consent to receive text messages, which may include:

• Promotional offers and product announcements
• Order confirmations and delivery updates
• Loyalty program notifications
• Win-back and re-engagement messages

Message frequency varies. Standard message and data rates may apply.

To opt out: Reply STOP to any message at any time. You will receive one confirmation message and no further texts. To re-subscribe, reply START.

For help: Reply HELP or contact us at privacy@bakedbot.ai.

We maintain TCPA-compliant opt-in records and honor opt-outs within the timeframes required by law.

6. AI Agents and Automated Processing

Our Platform uses AI agents (including Smokey, Craig, Deebo, Leo, Linus, and others) to assist business customers with tasks such as content creation, campaign review, compliance checking, and competitive intelligence. When you interact with these agents:

• Your conversation content and requests are processed by large language model providers (Google, Anthropic).
• Interaction logs are retained to improve agent quality and for troubleshooting.
• Compliance agents (Deebo) analyze campaign content against state regulations — this may involve reviewing business-created text and images.
• No automated agent decision carries irreversible consequences without human review. Agents surface recommendations; humans approve actions.

We do not use AI agents to make automated decisions about creditworthiness, employment eligibility, or any other high-stakes personal determination.

7. Cookies and Tracking Technologies

We use the following types of cookies and similar technologies:

• Authentication cookies (__session) — Required to maintain your logged-in state. Session-scoped; deleted when you close your browser or sign out.
• Age verification cookies — Record that a visitor has confirmed they are 21 or older on brand and dispensary menu pages.
• Analytics — Firebase Analytics collects anonymized usage data to help us understand feature adoption and performance.
• Error tracking — Sentry may set identifiers to correlate error reports with session context.

You can disable cookies in your browser settings. Disabling authentication cookies will prevent you from signing in to the Platform.

8. California Residents — CCPA / CPRA Rights

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) grant you the following rights:

• Right to Know — Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, the business purposes, and the categories of third parties with whom we share it.
• Right to Delete — Request deletion of personal information we hold about you, subject to legal exceptions (e.g., cannabis transaction records required by state law).
• Right to Correct — Request correction of inaccurate personal information.
• Right to Opt Out of Sale or Sharing — We do not sell or share personal information for cross-context behavioral advertising. This right is not currently applicable.
• Right to Limit Use of Sensitive Personal Information — We only use sensitive personal information (date of birth, payment data) as necessary to provide services and comply with cannabis regulations.
• Right to Non-Discrimination — Exercising your privacy rights will not result in denial of service, different prices, or degraded quality.

To submit a request: Email privacy@bakedbot.aiwith the subject "California Privacy Request." We will respond within 45 days. We may ask you to verify your identity before fulfilling the request.

Authorized agents may submit requests on your behalf with a signed written authorization or power of attorney.

9. New York Residents — SHIELD Act

New York's SHIELD Act requires businesses that handle private information of New York residents to implement reasonable data security safeguards and to notify affected residents of any breach of private information.

Our safeguards include:

• AES-256 encryption for sensitive credentials and OAuth tokens
• Tokenized payment processing (raw payment data never stored)
• Role-based access controls — staff can only access data relevant to their role
• Firebase Security Rules enforcing organizational data isolation
• Continuous monitoring and automated alerting for security anomalies

In the event of a data breach affecting New York residents, we will provide notification as required by the SHIELD Act, including to the New York Attorney General if 500 or more New York residents are affected.

10. Cannabis Industry Compliance

Because our Platform operates in the regulated cannabis industry, additional data practices apply:

• Age verification (21+) — All consumer-facing brand and dispensary pages are age-gated. We collect date of birth to verify the 21+ requirement mandated by state cannabis law. Age verification records may be retained for compliance audit purposes.
• Transaction recordkeeping — Cannabis regulations in New York, California, and other states require that dispensaries maintain transaction records for a minimum of 7 years. We store and retain order data for participating dispensaries in accordance with these requirements.
• State regulatory access — Licensed dispensaries may be required to provide transaction data to the New York Office of Cannabis Management, the California Department of Cannabis Control, or equivalent state agencies. BakedBot facilitates compliance with such requirements.
• Minor protection — We do not knowingly collect personal information from anyone under 21 years of age. If we discover that a minor has provided information, we will delete it promptly.

11. Data Security

We implement security measures appropriate to the sensitivity of the data we process, including:

• AES-256 encryption for stored OAuth tokens and sensitive credentials
• TLS encryption for all data in transit
• Tokenized payment processing — payment card data is processed by PCI-compliant third parties
• Firebase Authentication with secure session management
• Role-based access control — users only access data scoped to their organization and role
• Automated anomaly detection and alerting
• Regular security testing and access control reviews

No method of transmission or storage is 100% secure. We cannot guarantee absolute security, but we continuously work to protect your information.

12. Data Retention

• Cannabis transaction records — Retained for 7 years as required by state cannabis regulations.
• Account and business data — Retained for the duration of your account plus 2 years after closure, unless a deletion request is submitted and no regulatory hold applies.
• SMS opt-in records — Retained for 4 years per TCPA requirements.
• AI agent interaction logs — Retained for 90 days for quality improvement, then anonymized or deleted.
• Security and audit logs — Retained for 2 years.
• B2B outreach contacts — Retained until an opt-out is received or outreach is concluded, whichever is sooner.

13. Third-Party Links and Services

The Platform may contain links to third-party websites (e.g., dispensary websites, payment portals, public cannabis data sources). This Policy does not apply to those sites. We encourage you to review the privacy policies of any third-party service you use.

14. Changes to This Policy

We may update this Privacy Policy periodically. If we make material changes, we will update the "Last Updated" date at the top of this page and, where appropriate, notify you by email or an in-platform notice. Continued use of the Platform after changes take effect constitutes your acceptance of the revised Policy.

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal information:

For California privacy requests, please include "California Privacy Request" in the subject line.
For New York SHIELD Act inquiries, please include "NY Privacy Request" in the subject line.