Privacy Policy — cannabud.ai

Last updated: 29/07/2025

This Privacy Policy explains how Mutable Potential Lda (“we”, “us”, “our”) handles personal data when you visit cannabud.ai, use our mobile application, access our online backoffice, contact us, or use our services. It also clarifies when we act as controller and when we act as processor on behalf of customers.

Controller: Mutable Potential Lda (NIF 517017849)
Address: R. Bernardo Santareno, n.º 27, Portugal
Email: team@mutablep.com

We process personal data in line with the General Data Protection Regulation (GDPR) and applicable Portuguese law. When we process data on behalf of a customer under a data processing agreement, the customer is the controller and we are the processor. If your data was supplied to our platform by one of our customers, please address requests directly to that customer.

1) Scope

This notice covers:

  • Website visitors to cannabud.ai
  • Mobile application users (iOS and Android)
  • Online backoffice users and administrators
  • Prospective and existing customers
  • Individuals who contact us via forms, chat, email, phone or events
  • Job applicants
  • Features on our site and app such as contact forms, chat, cookies/consent tools and any analytics we may deploy

2) What we collect and why

Identification & contact details (e.g., name, email, company, phone)
— To respond to enquiries, provide requested services, manage accounts, and send opted-in updates.

Technical & device data (e.g., IP address, browser/OS, device type, error logs, device identifiers, app version)
— To deliver content, maintain security and stability, detect fraud/abuse, diagnose issues, and ensure app compatibility.

Usage data (e.g., pages/screens viewed, clicks/taps, session duration, referrers, feature usage patterns)
— To improve site/app performance, user experience and content relevance (consistent with your cookie/consent settings).

Location data (approximate location based on IP or, with permission, device location)
— To provide location-relevant features, comply with regional regulations, and prevent fraud.

Communications (emails, chat transcripts, support notes, in-app messages)
— To provide support, fulfil requests, and maintain appropriate records.

Customer content (data uploaded by customers into our services)
— Processed strictly to provide the contracted service, under the customer’s instructions (processor role).

Recruitment data (CVs, cover letters, interview logistics)
— To assess applications and manage the hiring process.

Legal bases
Depending on context: consent (e.g., non-essential cookies/marketing, camera access), contract or pre-contract steps, legal obligations, and legitimate interests (e.g., security, service improvement, fraud prevention).

3) Mobile Application

Our mobile application requires certain permissions to function properly:

Camera Permission
— Used exclusively to scan QR codes for operational actions within the app. Camera access is requested only when you initiate a QR code scanning action. No images are stored unless explicitly required for the operational task, and camera access can be revoked at any time through your device settings.

File/Photo Library Access
— Used to allow you to select and scan QR codes from existing images in your device gallery. This permission is requested only when you choose to upload an image containing a QR code. We do not access, scan, or store any other images from your device.

App-Specific Data Collection:

  • App crash reports and performance metrics (to improve stability)
  • Feature usage analytics (to understand how the app is used)
  • Push notification tokens (only if you enable notifications)
  • Local storage for offline functionality and caching

All app data transmission is encrypted using industry-standard protocols. The app does not access contacts, microphone, or other sensitive permissions unless future features require them (in which case, we will update this policy and request explicit consent).

4) Online Backoffice

Our online backoffice platform provides secure access to manage your account and services:

Security Measures:

  • All data is encrypted in transit (TLS/HTTPS) and at rest
  • Multi-factor authentication available for enhanced security
  • Role-based access controls to limit data access
  • Session management with automatic timeout for inactive users
  • Audit logs of all significant actions

Data Usage:

  • All data within the backoffice is processed solely for providing the requested services
  • We do not share, sell, or use your backoffice data for any purpose without your explicit permission
  • Customer data segregation ensures your information remains isolated from other users
  • Regular security audits and penetration testing

5) Cookies & Consent (Yescookie)

We use cookies and similar technologies to run the site and, with your consent, for additional purposes (e.g., audience measurement). We operate a consent banner using Yescookie, which lets you grant, refuse, or withdraw consent at any time. Your choices are recorded to demonstrate compliance. You can also control cookies through your browser settings.

The mobile app may use similar tracking technologies (like mobile advertising IDs) subject to your device settings and consent preferences.

A detailed list of cookie categories and third-party cookies (if any) is provided in our Cookie Policy.

6) Our Providers (who process data for us)

We use third-party providers to operate, secure, and support our website, app, and backoffice. They act as processors under contracts that require confidentiality, security, and GDPR-compliant safeguards:

Hostinger — hosting and infrastructure for cannabud.ai (storage, delivery of web content, basic server logging).

WordPress — our content management system and website framework (including core, themes, and plugins we select).

Tawk.to — live-chat and messaging on the website (handling chat messages, metadata necessary to deliver the chat, and, if you provide them, your contact details).

Mobile App Providers:

  • App stores (Apple App Store, Google Play) for distribution
  • Push notification services (if enabled)
  • Crash reporting and analytics services (configured for privacy)

Notes:

  • Server access logs (e.g., IP, request timestamp, user-agent, status code) are used for security and operational purposes.
  • Some WordPress plugins may process limited data to provide their features; we only enable plugins that are necessary or beneficial and configure them to minimise data.
  • If we add analytics, email, or other tools in future, they will appear in the Cookie Policy and (if materially relevant) this Privacy Policy.

International transfers: If a provider stores/handles data outside the EEA, we use appropriate safeguards (e.g., EU Standard Contractual Clauses) and limit transfers to what’s necessary for the service.

We do not sell personal data.

7) Data Sharing and Disclosure

We may share personal data only in these circumstances:

  • With your consent or at your direction
  • With service providers acting as our processors (listed above)
  • To comply with legal obligations or valid legal requests
  • To protect rights, safety, and security (ours, yours, or others’)
  • In connection with a business transaction (merger, acquisition, sale of assets) with appropriate confidentiality agreements

We never share personal data for third-party marketing purposes.

8) Security

We maintain appropriate technical and organisational measures:

  • TLS/HTTPS encryption in transit
  • Encryption at rest for sensitive data
  • Access controls and least-privilege permissions
  • Security monitoring and intrusion detection
  • Regular security patching and updates
  • Incident response procedures
  • Employee training on data protection
  • Regular backup procedures with encrypted storage
  • Vulnerability scanning and penetration testing

We apply privacy by design and by default, and we review our safeguards periodically.

9) Retention

We keep personal data only as long as needed for the purposes described or to meet legal/accounting requirements:

  • Operational server logs: up to 30 days (unless longer retention needed for security investigations)
  • Account data: duration of account plus legal retention period
  • Marketing data: until consent withdrawn or inactivity period reached
  • Customer content: as per customer instructions or contract terms
  • Backups: subject to rotation schedules, typically 30-90 days

Where processing relies on consent, we delete data when consent is withdrawn unless another legal basis applies.

10) Your Rights

Under the GDPR, you have the right to:

  • Access your personal data
  • Rectify inaccurate or incomplete data
  • Erase your data (“right to be forgotten”) in certain circumstances
  • Restrict processing
  • Receive your data in a machine-readable format (data portability)
  • Object to processing (including direct marketing)
  • Withdraw consent at any time (where processing relies on consent)
  • Complain to the Comissão Nacional de Proteção de Dados (CNPD)

To exercise your rights, contact team@mutablep.com. We will respond within 30 days.

11) Features You May Use

Contact forms & email: If you contact us, we process the data you provide to handle your request and keep relevant records.

Live chat (Tawk.to): When you use chat, the content of your messages is processed to provide support. The chat widget may process technical metadata (e.g., timestamps, device/browser details) required to deliver the service. Please avoid sharing sensitive information via chat.

Accounts/login: We process login credentials and apply security measures (e.g., optional 2FA). Account data is deleted after closure, subject to legal retention. Users should export their data before requesting deletion.

Newsletters/marketing: We will send electronic communications only with your consent or as permitted by law. We log opt-ins to demonstrate compliance and maintain suppression lists to honour opt-outs.

QR Code Scanning: When you scan QR codes through the app, we process only the encoded data for the intended operational purpose. No additional image data is retained.

12) Children

Our services are not directed to children under 16. If you believe a child has provided us with personal data, please contact us immediately and we will take appropriate action to delete that information.

13) Data Protection Officer

While not legally required to appoint a DPO, we have designated a privacy contact who can be reached at team@mutablep.com for any data protection queries or concerns.

14) Cross-Border Data Transfers

When we transfer personal data outside the EEA, we ensure appropriate safeguards:

  • EU-approved Standard Contractual Clauses
  • Adequacy decisions where applicable
  • Your explicit consent for specific transfers (where legally appropriate)

15) Automated Decision-Making

We do not use automated decision-making or profiling that produces legal or similarly significant effects. Any analytics or personalization features are designed to improve user experience and can be opted out of.

16) Changes

We may update this notice from time to time. Material changes will be:

  • Posted here with a new “Last updated” date
  • Communicated via email (for registered users)
  • Highlighted through in-app notifications (where applicable)

Continued use of our services after changes constitutes acceptance, except where re-consent is legally required.

17) Contact

Mutable Potential Lda
R. Bernardo Santareno, n.º 27, Portugal
Email: team@mutablep.com
NIF: 517017849

For urgent privacy matters, please include “URGENT: Privacy” in your email subject line.


This privacy policy is provided in English for convenience. In case of any discrepancy with Portuguese legal requirements, the Portuguese version prevails.
