WM Delivery Data Processing Addendum

Last updated October 30, 2023

This WM Delivery Data Processing Addendum (“Addendum”) forms an integral part of your agreement with Weedmaps for the access to and use of the WM Delivery Features, which also includes the Weedmaps Commercial Terms of Use as well as the applicable Supplemental Product Terms, the Weedmaps Privacy Policy, and any other terms or agreements that make up the WM Collective Terms of Service (the “Agreement”), as applicable, and reflects the parties’ agreement with respect to the Processing of Personal Data. In the event of any conflict between this Addendum (as amended, restated, supplemented, or otherwise modified from time to time), and any other part of the Agreement, the terms of this Addendum will control. Capitalized terms used but not defined herein shall have the meaning set forth in the WM Collective Terms of Service.

You hereby enter into this Addendum on behalf of the Business you represent, and, to the extent required by Applicable Law, on behalf of any affiliated entit(y/ies) to the extent that Weedmaps Processes Personal Data where such affiliated entit(y/ies) qualify as a Data Controller of such Personal Data. You acknowledge and agree that, for the purposes of this Addendum, Weedmaps acts as the Data Controller of Weedmaps Personal Data, and you act as the Processor or Service Provider of such Data. You act as the Data Controller of Business Personal Data, and Weedmaps acts as the Processor or Service Provider of such Data.

By using the WM Delivery Features, you and Weedmaps (the “Part(y/ies)”) agree as follows:

  1. Privacy and Security of Data. If either Party receives, Processes, or has any access to the other’s Personal Data, the Service Provider Party will, at all times, comply with its obligations under Applicable Law relating to the Processing of any of the Data Controller Party’s Personal Data, and will implement and maintain all appropriate technical, administrative, physical, and organizational measures (including, at a minimum, those measures detailed in this Data Processing Addendum and the requirements and obligations set forth in Exhibit A - Data Security Requirements, below) sufficient to (i) ensure a level of confidentiality and security appropriate to the risks represented by the Processing and the nature of Business Data or Weedmaps Data; and (ii) prevent unauthorized or unlawful Processing of Business Data or Weedmaps Data, and accidental loss, disclosure or destruction of, or damage to, Business Data or Weedmaps Data.

  2. Processing of the other Party’s Data. Weedmaps will only Process Business Data and you will only Process Weedmaps Data in accordance with Section 4 (Delivery) of the Supplemental Product Terms.

  3. Processing of Business Personal Data. Weedmaps will only collect, use, retain or disclose Business Personal Data in accordance with Section 4 (Delivery) of the Supplemental Product Terms. Weedmaps maintains a Privacy Policy describing its privacy practices with respect to Personal Data. Weedmaps will not Process, sell, or otherwise make Business Personal Data available for its own commercial purposes; provided, that Weedmaps may Process Business Personal Data related to a Delivery to the extent required to provide the WM Delivery Features.

    • 3.1. California Law Certification. Weedmaps warrants and certifies that it understands the CCPA’s restrictions and prohibitions on selling or sharing Personal Data and retaining, using, or disclosing Business Personal Data outside of the Parties’ direct business relationship and as specifically permitted by the Agreement, and that it will comply with such restrictions and prohibitions. Weedmaps also warrants that it has no reason to believe any CCPA requirements or restrictions prevent it from performing under the Agreement.

    • 3.2. Subprocessing. Weedmaps may use Subprocessors in connection with Business Data related to the WM Delivery Features only if (i) each such Subprocessor qualifies as a Service Provider under the CCPA; (ii) each such Subprocessor agrees to comply with the terms set forth herein as applicable to Weedmaps to the extent Subprocessor Processes Business Personal Data; and (iii) Weedmaps will not make any disclosures to the Subprocessor that Applicable Law would treat as a sale or disclosure.

  4. Processing of Weedmaps Personal Data. You will only collect, use, retain or disclose Weedmaps Personal Data in accordance with Section 4 (Delivery) of the Supplemental Product Terms. You agree to make publicly available and adhere to a privacy policy describing your privacy practices with respect to Personal Data. You will not Process, sell, or otherwise make Weedmaps Personal Data available for your own commercial purposes; provided, that you may Process Weedmaps Personal Data related to a Delivery solely to the extent disclosed to and authorized by the User at the point of collection.

    • 4.1. California Law Certification. You warrant and certify that you understand the Agreement and the restrictions and prohibitions set forth in the CCPA, on selling or sharing Personal Data and retaining, using, or disclosing Weedmaps Personal Data outside of your and Weedmaps’ direct business relationship and as specifically permitted by the Agreement, and that you will comply with such restrictions and prohibitions. You also warrant that you have no reason to believe any CCPA requirements or restrictions prevent you from performing under the Agreement. You must promptly notify Weedmaps of any changes to the CCPA requirements that may adversely affect your performance under the Agreement.

    • 4.2. Subprocessing. You may use Subprocessors in connection with Weedmaps Data you gain access to in connection with the WM Delivery Features only if (i) each such Subprocessor qualifies as a Service Provider under the CCPA; (ii) each such Subprocessor agrees to comply with the terms set forth herein as applicable to you to the extent Subprocessor Processes Weedmaps Personal Data; and (iii) you do not make any disclosures to the Subprocessor that Applicable Law would treat as a sale or disclosure.

  5. Commingling or Aggregation of Business Personal Data or Weedmaps Personal Data. Where reasonably feasible, the Service Provider Party agrees not to commingle or aggregate the Data Controller Party’s Personal Data, as applicable, with other data without the Data Controller Party’s prior written consent. In the event that it is not reasonably feasible to segregate Business Personal Data or Weedmaps Personal Data from other data or information that is not Business Personal Data or Weedmaps Personal Data, as applicable, the Parties acknowledge that the obligations with respect to Business Personal Data or Weedmaps Personal Data, as applicable, under the Agreement will still apply even though such data will be commingled with other data or information.

  6. Compliance with Law. Each Party agrees it will comply with its obligations under Applicable Law with respect to any Business Personal Data or Weedmaps Personal Data it Processes under or in relation to the Agreement. Without prejudice to the foregoing, the Service Provider Party will not Process the Data Controller Party’s Personal Data in a manner that will, or is likely to, result in the Data Controller Party breaching its obligations under Applicable Law.

  7. Hashed or Encrypted Business Data or Weedmaps Data. If the Service Provider Party Processes or otherwise has access to the Data Controller Party’s Data in hashed, encrypted or otherwise obfuscated format, the Service Provider Party will: (i) not attempt to reverse engineer or otherwise try to re-identify the hashed or obfuscated Business Data or Weedmaps Data unless the Data Controller Party instructs the Service Provider Party to do so; and (ii) only share such Business Data or Weedmaps Data with its Subprocessors in the format in which it was received by the Data Controller Party.

  8. Equitable Relief. The right to seek and obtain emergency injunctive relief under the Agreement includes injunctive relief for any threatened or continued breach of the obligations under this Addendum related to a Party’s Personal Data.

  9. Disposal. At the expiration or termination of the Agreement, the Service Provider Party will delete all Confidential Information of the Data Controller Party upon their request, including by (a) returning all or subsets of such Confidential Information (and any Personal Data, subject to the exceptions set forth below) in the Service Provider Party’s possession or reasonable control to the Data Controller Party, and (b) permanently deleting all copies of such Confidential Information (and any Personal Data, subject to the exceptions set forth below) in its possession or reasonable control; provided, that the Service Provider Party will not be required to delete and may retain any such Confidential Information or Personal Data that it must retain in order to comply with a legal obligation for so long as such legal obligation applies, and to maintain records in the event of consumer disputes or complaints, or as evidence of compliance with age verification requirements for a commercially reasonable period. To the extent deletion of such Confidential Information and Personal Data is required and not subject to an exception set forth above, it must be done in a manner that makes it non-readable and non-retrievable (i.e., pursuant to NIST 800-88, DoD 5220-22-M).

  10. Data Inquiry Handling. Each Service Provider Party will, unless prohibited by Applicable Law, inform the Data Controller Party promptly, and in any event within two (2) business days, of any Data Inquiry and will not respond to such communication unless required by Applicable Law or expressly authorized by the Data Controller Party in writing. If the Data Controller Party is unable to or does not receive a protective order or other remedy for any such Data Inquiry, the Service Provider Party may disclose only that portion of Business Data or Weedmaps Data that it is legally required to disclose and will use reasonable efforts to ensure the disclosed data is handled in accordance with the Agreement and accorded confidential treatment.

  11. Data Inquiry Cooperation. The Parties will provide reasonable cooperation and assistance to each other as may reasonably be required to allow the Data Controller Party to respond to, object to, or challenge any Data Inquiry and to comply with its obligations under Applicable Law, including in relation to data security, Data Breach notification, data protection impact assessments, prior consultation with supervisory authorities, the fulfillment of consumers’ rights, and any inquiry, notice or investigation by a supervisory authority. Without limitation of the foregoing, each Party will maintain records necessary to comply with Data Inquiries from Consumers and delete data to the extent such deletion is required under Applicable Law, and not otherwise subject to an exception to such deletion requirement (e.g., if a Party must retain such data to comply with a legal obligation, to maintain records in the event of Consumer disputes or complaints, or as evidence of compliance with age verification requirements).

  12. Personal Data Breach.

  • 12.1. Notification. In accordance with Applicable Law, the Service Provider Party will notify the Data Controller Party without undue delay and, where feasible, no more than twenty-four (24) hours after becoming aware of a Data Breach. The Service Provider Party will also provide the Data Controller Party with a description of the Data Breach, the type of data that was the subject of the Data Breach, and (to the extent known) the categories of Consumers affected, as soon as such information can be collected or otherwise becomes available, and the Service Provider Party will cooperate with any reasonable request made by the Data Controller Party relating to the Data Breach.

  • 12.2. Investigation. The Parties agree to immediately take action to investigate any Data Breach, to identify, prevent, and mitigate the effects of any such Data Breach, and with their prior agreement, to carry out any recovery or other action necessary to remedy the Data Breach. The Service Provider Party shall cooperate in good faith with the Data Controller Party in its handling of any Data Breach, including without limitation any investigation, reporting, the timing and manner of any notifications to any individuals, regulators or other third parties, and other obligations required by Applicable Law, or as otherwise required to respond to and mitigate any damages caused by the Data Breach. The Service Provider Party agrees to indemnify and hold the Data Controller Party harmless for any costs, expenses, claims and losses incurred in connection with a Data Breach including, without limitation, the cost of reconstructing data and data forensics (including any security audits or reviews of the Service Provider Party’s systems reasonably requested by the Data Controller Party), the cost of notifications and providing credit monitoring and identity theft protection and restoration services to affected parties, and any counsel fees incurred by the Data Controller Party related to such Data Breach.

  • 12.3. Communication. The Parties may not issue, publish, or make available to any third party any press release or other communication concerning a Data Breach without the other Party’s prior approval.

  13. Definitions.

  • 13.1. “Aggregate Consumer Information” means information that relates to a group or category of Consumers, from which individual Consumer identities have been removed, that is not linked or reasonably linkable to any Consumer or household, including via a device. “Aggregate consumer information” does not mean one or more individual Consumer records that have been deidentified.

  • 13.2. “Business Data” means data and information (a) that you disclose to Weedmaps or to which you provide Weedmaps access in connection with the Agreement, including the WM Delivery Features; and (b) that is Processed, prepared, accessed, used, aggregated, or generated in connection with the WM Delivery Features, including Business Personal Data, regardless of whether any such data or information is commingled or aggregated with other data or information.

  • 13.3. “Business Personal Data” means any and all Personal Data controlled by you or an Affiliate of yours Processed by Weedmaps in connection with use of the WM Delivery Features, including Off Platform Personal Data and Delivery Personnel Personal Data.

  • 13.4. “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act of 2020, and its implementing regulations.

  • 13.5. “Consumer” means either “consumer” as defined in the CCPA or a data subject as defined by Applicable Law.

  • 13.6. “Data Breach” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Business Data or Weedmaps Data on systems used, managed or controlled by a Party or a Party’s Subcontractors (including Subprocessors).

  • 13.7. “Data Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

  • 13.8. “Data Inquiry” means any inquiry, legal process, or complaint received from a Consumer, or supervisory, judicial, legal, or government authority relating to Business or Weedmaps Data.

  • 13.9. “Deidentified Data” means information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular Consumer, provided that a business that uses deidentified information: (1) Has implemented technical safeguards that prohibit reidentification of the Consumer to whom the information may pertain, (2) Has implemented business processes that specifically prohibit reidentification of the information, (3) Has implemented business processes to prevent inadvertent release of deidentified information, and (4) Makes no attempt to reidentify the information.

  • 13.10. “Delivery Personnel Personal Data” means Personal Data associated with your Personnel engaged in delivery that were provided by you to Weedmaps in connection with your use of the WM Delivery Features.

  • 13.11. “Off Platform Personal Data” means Personal Data provided by you to Weedmaps, or otherwise generated, in connection with your use of the WM Delivery Features for orders not placed via the Weedmaps Products and Services.

  • 13.12. “Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

  • 13.13. “Process” means any operation or set of operations performed upon Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, safeguarding, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, accessing, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

  • 13.14. “Subprocessors” means third parties authorized under the Agreement to access and process Business Personal Data or Weedmaps Personal Data.

  • 13.15. “Weedmaps Data” means data and information (a) that is disclosed to you or to which you have access in connection with the Agreement, including the WM Delivery Features; and (b) that is Processed, prepared, accessed, used, aggregated, or generated in connection with the WM Delivery Features, including Weedmaps Personal Data, regardless of whether any such data or information is commingled or aggregated with other data or information.

  • 13.16. “Weedmaps Personal Data” means any and all Personal Data controlled by Weedmaps or an Affiliate of Weedmaps Processed by you in connection with your use of the WM Delivery Features, including WM Delivery User Personal Data.

  • 13.17. “WM Delivery User Personal Data” means Personal Data provided by Users who place WM Orders to you, for fulfillment via Delivery.

EXHIBIT A

DATA SECURITY REQUIREMENTS

Minimum Security Requirements. You are responsible for and will ensure compliance with the following:

1.1. Implementation of and compliance with a written information security program consistent with established industry standards including administrative, technical, and physical safeguards appropriate to the nature of the Weedmaps Personal Data that are designed to protect such information from: unauthorized access, destruction, use, modification, or disclosure; unauthorized access to or use that could result in substantial harm or inconvenience to Weedmaps, Weedmaps’ customers, or Weedmaps’ employees; and any anticipated threats or hazards to the security or integrity of such information.

1.2. Adopting and implementing reasonable policies and standards related to security and privacy.

1.3. Assigning responsibility for information security management.

1.4. Devoting adequate personnel resources to information security.

1.5. Carrying out verification checks on permanent staff who will have access to the Weedmaps Personal Data (other than Deidentified Data or Aggregate Consumer Information).

1.6. Conducting appropriate background checks and requiring employees, vendors, and others with access to the Weedmaps Personal Data to enter into written confidentiality agreements.

1.7. Conducting training to make employees and others with access to the Weedmaps Personal Data aware of information security risks and to enhance compliance with your policies and standards related to data protection.

1.8. Preventing unauthorized access to the Weedmaps Personal Data (other than Deidentified Data or Aggregate Consumer Information) through the use, as appropriate, of physical and logical (passwords) entry controls, secure areas for data processing, procedures for monitoring the use of data processing facilities, built-in system audit trails, use of secure passwords, network intrusion detection technology, encryption and authentication technology, secure log-on procedures, and virus protection, monitoring compliance with your policies and standards related to data protection on an ongoing basis. In particular, you have implemented and comply with, as appropriate and without limitation:

  • 1.8.1. Physical access control measures to prevent unauthorized access to data processing systems (e.g., access ID cards, card readers, desk officers, alarm systems, motion detectors, burglar alarms, video surveillance, and exterior security);

  • 1.8.2. Denial-of-use control measures to prevent unauthorized use of data protection systems (e.g., automatically enforced password complexity and change requirements and firewalls);

  • 1.8.3. Requirements-driven authorization scheme and access rights, and monitoring and logging of system access to ensure that persons entitled to use a data processing system have access only to the data to which they have a right of access, and that the Weedmaps Personal Data (other than Deidentified Data or Aggregate Consumer Information) cannot be read, copied, modified, or removed without authorization;

  • 1.8.4. Data transmission control measures to ensure that the Weedmaps Personal Data (other than Deidentified Data or Aggregate Consumer Information) cannot be read, copied, modified, or removed without authorization during electronic transmission, transport, or storage on data media, and transfer and receipt of records. In particular, your information security program will be designed:

    • 1.8.4.1. To encrypt in storage any data sets in your possession, including sensitive personal data; and
    • 1.8.4.2. To ensure that any sensitive personal data transmitted electronically (other than by facsimile) to a person outside your information technology system or transmitted over a public network is encrypted to protect the security of the transmission.
  • 1.8.5. Data entry control measures to ensure you can check and establish whether and by whom the Weedmaps Personal Data (other than Deidentified Data or Aggregate Consumer Information) has been input into data processing systems, modified, or removed; and

  • 1.8.6. Subprocessor supervision measures to ensure that, if you are permitted to use subprocessors, the Weedmaps Personal Data is Processed strictly in accordance with Weedmaps’ instructions including, as appropriate:

    • 1.8.6.1. Measures to ensure that the Weedmaps Personal Data is protected from accidental destruction or loss including, as appropriate, data backup, retention and secure destruction policies; secure offsite storage of data sufficient for disaster recovery; uninterrupted power supply, and disaster recovery programs;
    • 1.8.6.2. Measures to ensure that data collected for different purposes can be Processed separately including, as appropriate, physical or adequate logical separation of Weedmaps Personal Data; and
    • 1.8.6.3. Measures to maintain an up-to-date list of: (i) all Subprocessors involved in Processing Weedmaps Personal Data; (ii) the purposes for which the Subprocessors Process Weedmaps Personal Data; and (iii) the location of each Subprocessor.

1.9. At least once per month, performing internal system, endpoint systems, and application vulnerability assessments and external web (and other, if applicable) application and infrastructure vulnerability assessments on all facilities, information systems (including mobile computing devices, servers, networking equipment, storage media, and host software systems) storing, Processing or transmitting Customer Data used to provide services under the Agreement and remediate any identified vulnerabilities promptly.

2.0. Taking such other steps as may be appropriate under the circumstances.

SCHEDULE I

DESCRIPTION OF PERSONAL DATA PROCESSING

The data processing activities carried out by the Parties under Section 4 (Delivery) of the Supplemental Product Terms may be described as follows:

  1. Subject Matter. Weedmaps provides you with the ability to dispatch delivery orders, manage delivery-related logistics, and track and communicate with delivery drivers via the WM Delivery Features. Weedmaps will provide you with Weedmaps Personal Data, including WM Delivery User Personal Data, to Process in connection with such Features. You will provide Weedmaps with Business Personal Data, including Off Platform Personal Data and Delivery Personnel Personal Data, to Process in connection with such Features.

  2. Duration. The processing of Business Personal Data and Weedmaps Personal Data is authorized during the Term of the Agreement and for such further period during which each Party is required to retain such Business Personal Data or Weedmaps Personal Data in order to comply with Applicable Law or is otherwise permitted to retain such Business Personal Data or Weedmaps Personal Data under Applicable Law.

  3. Nature and Purpose. Weedmaps will receive Business Personal Data and you will receive Weedmaps Personal Data via the Weedmaps Delivery Features for order management and tracking. Weedmaps will use such Business Personal Data and you will use such Weedmaps Personal Data (other than Deidentified Data and Aggregate Consumer Information) solely to facilitate the provision of the Delivery Features, to provide you with order tracking and management functionality for the benefit of Users, to facilitate logistics of Delivery, and to report deliveries as required under Applicable Law. For avoidance of doubt, Weedmaps will act solely as a processor and service provider as to Business Personal Data, and Business will act solely as a processor and service provider as to Weedmaps Personal Data.

  4. Data Categories. First name, last name, date of birth, address, email address, telephone number, copy of driver’s license or other identification card, medical cannabis recommendation or card (for medical cannabis Delivery), any Personal Data contained in User notes to the Client Retailers, and other order-related information (for Users requesting Delivery). First name, last name, copy of driver’s license, vehicle identifying information, and geolocation (for Delivery Personnel).

  5. Data Subjects. Users, Delivery Personnel.

  6. Location of Data. United States or Canada, or another location mutually agreed upon by the Parties in a signed amendment to this Schedule 1.