WM Orders Data Processing Addendum

Last updated October 30, 2023

This WM Orders Data Processing Addendum (“Addendum”) forms an integral part of your agreement with Weedmaps for the access to and use of the Weedmaps Orders features, which also includes the Weedmaps Commercial Terms of Use as well as the applicable Supplemental Product Terms, the Weedmaps Privacy Policy, and any other terms or agreements that make up the WM Collective Terms of Service (the “Agreement”), as applicable, and reflects the parties’ agreement with respect to the Processing of Personal Data. In the event of any conflict between this Addendum (as amended, restated, supplemented, or otherwise modified from time to time), and any other part of the Agreement, the terms of this Addendum will control. Capitalized terms used but not defined herein shall have the meaning set forth in the WM Collective Terms of Service.

You hereby enter into this Addendum on behalf of the Business you represent. You acknowledge and agree that, for the purposes of this Addendum, Weedmaps acts as the Data Controller of Weedmaps Personal Data, and you act as the Processor or Service Provider of such Data.

By using the WM Orders Features, you agree as follows:

  1. Privacy and Security of Weedmaps Data. If you receive, Process, or have any access to Weedmaps Personal Data, you will, at all times, comply with your obligations under Applicable Law relating to the Processing of any Weedmaps Personal Data, and will implement and maintain all appropriate technical, administrative, physical, and organizational measures (including, at a minimum, those measures detailed in this Data Processing Addendum and the requirements and obligations set forth in Exhibit A - Data Security Requirements, below) sufficient to (i) ensure a level of confidentiality and security appropriate to the risks represented by the Processing and the nature of Weedmaps Data; and (ii) prevent unauthorized or unlawful Processing of Weedmaps Data, and accidental loss, disclosure or destruction of, or damage to, Weedmaps Data.

  2. Processing of Weedmaps Data. You will only Process Weedmaps Data in accordance with Section 3 (Orders) of the Supplemental Product Terms.

  3. Processing of Weedmaps Personal Data. You will only collect, use, retain or disclose Weedmaps Personal Data in accordance with Section 3 (Orders) of the Supplemental Product Terms. You agree to make publicly available and adhere to a privacy policy describing your privacy practices with respect to Personal Data. You will not Process, sell, or otherwise make Weedmaps Personal Data available for your own commercial purposes; provided, that you may Process Weedmaps Personal Data related to an Order solely to the extent disclosed to and authorized by the User at the point of collection.

    • 3.1. California Law Certification. You warrant and certify that you understand the Agreement and the restrictions and prohibitions set forth in the CCPA, on selling or sharing Personal Data and retaining, using, or disclosing Weedmaps Personal Data outside of your and Weedmaps’ direct business relationship and as specifically permitted by the Agreement, and that you will comply with such restrictions and prohibitions. You also warrant that you have no reason to believe any CCPA requirements or restrictions prevent you from performing under the Agreement. You must promptly notify Weedmaps of any changes to the CCPA requirements that may adversely affect your performance under the Agreement.

    • 3.2. Subprocessing. You may use Subprocessors in connection with Weedmaps Data you gain access to in connection with WM Orders only if (i) each such Subprocessor qualifies as a Service Provider under the CCPA; (ii) each such Subprocessor agrees to comply with the terms set forth herein as applicable to you to the extent Subprocessor Processes Weedmaps Personal Data; and (iii) you do not make any disclosures to the Subprocessor that Applicable Law would treat as a sale or disclosure.

  4. Commingling or Aggregation of Weedmaps Personal Data. Where reasonably feasible, you agree not to commingle or aggregate Weedmaps Personal Data with other data that is not Weedmaps Data without Weedmaps’ prior written consent. In the event that it is not reasonably feasible to segregate Weedmaps Personal Data from other data or information that is not Weedmaps Personal Data, you acknowledge that the obligations with respect to Weedmaps Personal Data under the Agreement will still apply even though such data will be commingled with other data or information.

  5. Compliance with Law. You agree to comply with your obligations under Applicable Law with respect to any Weedmaps Personal Data you Process under or in relation to the Agreement. Without prejudice to the foregoing, you will not Process Weedmaps Personal Data in a manner that will, or is likely to, result in Weedmaps breaching its obligations under Applicable Law.

  6. Hashed or Encrypted Weedmaps Data. If you Process or otherwise have access to Weedmaps Data in hashed, encrypted or otherwise obfuscated format, you will: (i) not attempt to reverse engineer or otherwise try to re-identify the hashed or obfuscated Weedmaps Data unless Weedmaps instructs you to do so; and (ii) only share such Weedmaps Data with your Subprocessors in the format you received it from Weedmaps.

  7. Equitable Relief. The right to seek and obtain emergency injunctive relief under the Agreement includes injunctive relief for any threatened or continued breach of the obligations under this Addendum related to Weedmaps Personal Data.

  8. Disposal. At the expiration or termination of the Agreement, you will delete all Confidential Information of Weedmaps upon Weedmaps’ request, including by (a) returning all or subsets of such Confidential Information (and any Weedmaps Personal Data, subject to the exceptions set forth below) in your possession or reasonable control to Weedmaps, and (b) permanently deleting all copies of such Confidential Information (and any Weedmaps Personal Data, subject to the exceptions set forth below) in your possession or reasonable control; provided, that you will not be required to delete and may retain any such Confidential Information or Weedmaps Personal Data that you must retain in order to comply with a legal obligation for so long as such legal obligation applies, and to maintain records in the event of consumer disputes or complaints, or as evidence of compliance with age verification requirements) for a commercially reasonable period. To the extent deletion of such Confidential Information and Weedmaps Personal Data is required and not subject to an exception set forth above, it must be done in a manner that makes it non-readable and non-retrievable (i.e., pursuant to NIST 800-88, DoD 5220-22-M).

  9. Data Inquiry Handling. You will, unless prohibited by Applicable Law, inform Weedmaps promptly, and in any event within two (2) business days, of any Data Inquiry and will not respond to such communication unless required by Applicable Law or expressly authorized by Weedmaps in writing. If Weedmaps is unable to or does not receive a protective order or other remedy for any such Data Inquiry, you may disclose only that portion of Weedmaps Data that you are legally required to disclose and will use reasonable efforts to ensure the disclosed data is handled in accordance with the Agreement and accorded confidential treatment.

  10. Data Inquiry Cooperation. You will, at no additional cost to Weedmaps, provide reasonable cooperation and assistance to Weedmaps as Weedmaps may reasonably require to allow Weedmaps to respond to, object to, or challenge any Data Inquiry and to comply with its obligations under Applicable Law, including in relation to data security, Data Breach notification, data protection impact assessments, prior consultation with supervisory authorities, the fulfillment of consumers’ rights, and any inquiry, notice or investigation by a supervisory authority. Without limitation of the foregoing, you will maintain records necessary to comply with Data Inquiries from Consumers and delete data to the extent such deletion is required under Applicable Law, and not otherwise subject to an exception to such deletion requirement (e.g., you must retain such data to comply with a legal obligation, to maintain records in the event of Consumer disputes or complaints, or as evidence of compliance with age verification requirements).

  11. Personal Data Breach.

  • 11.1. Notification. In accordance with Applicable Law, you will notify Weedmaps without undue delay and, where feasible, no more than twenty-four (24) hours after becoming aware of a Data Breach. You will also provide Weedmaps with a description of the Data Breach, the type of data that was the subject of the Data Breach, and (to the extent known to you) the categories of Consumers affected, as soon as such information can be collected or otherwise becomes available, and you will cooperate with any reasonable request made by Weedmaps relating to the Data Breach.

  • 11.2. Investigation. You agree to immediately take action to investigate the Data Breach, to identify, prevent, and mitigate the effects of any such Data Breach, and with Weedmaps’ prior agreement, to carry out any recovery or other action necessary to remedy the Data Breach. You shall cooperate in good faith with Weedmaps in Weedmaps’ handling of any Data Breach, including without limitation any investigation, reporting, the timing and manner of any notifications to any individuals, regulators or other third parties, and other obligations required by Applicable Law, or as otherwise required by Weedmaps to respond to and mitigate any damages caused by the Data Breach. You agree to indemnify and hold Weedmaps harmless for any costs, expenses, claims and losses incurred in connection with a Data Breach including, without limitation, the cost of reconstructing data and data forensics (including any security audits or reviews of your systems reasonably requested by Weedmaps), the cost of notifications and providing credit monitoring and identity theft protection and restoration services to affected parties, and any counsel fees incurred by Weedmaps related to such Data Breach.

  • 11.3. Communication. You may not issue, publish, or make available to any third party any press release or other communication concerning a Data Breach without Weedmaps’ prior approval.

  12. Definitions.
  • 12.1. “Aggregate Consumer Information” means information that relates to a group or category of Consumers, from which individual Consumer identities have been removed, that is not linked or reasonably linkable to any Consumer or household, including via a device. “Aggregate consumer information” does not mean one or more individual Consumer records that have been deidentified.

  • 12.2. “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act of 2020, and its implementing regulations.

  • 12.3. “Consumer” means either “consumer” as defined in the CCPA or a data subject as defined by Applicable Law.

  • 12.4. “Data Breach” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Weedmaps Data on systems used, managed or controlled by you or your Subcontractors (including Subprocessors).

  • 12.5. “Data Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

  • 12.6. “Data Inquiry” means any inquiry, legal process, or complaint received from a Consumer, or supervisory, judicial, legal, or government authority relating to Weedmaps Data.

  • 12.7. “Deidentified Data” means information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular Consumer, provided that a business that uses deidentified information: (1) Has implemented technical safeguards that prohibit reidentification of the Consumer to whom the information may pertain, (2) Has implemented business processes that specifically prohibit reidentification of the information, (3) Has implemented business processes to prevent inadvertent release of deidentified information, and (4) Makes no attempt to reidentify the information.

  • 12.8. “Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

  • 12.9. “Process” means any operation or set of operations performed upon Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, safeguarding, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, accessing, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

  • 12.10. “Service Provider” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Data Controller.

  • 12.11. “Subprocessors” means third parties authorized under the Agreement to access and Process Weedmaps Personal Data.

  • 12.12. “Weedmaps Data” means data and information (a) that is disclosed to you or to which you have access in connection with the Agreement, including the WM Orders Feature; and (b) that is Processed, prepared, accessed, used, aggregated, or generated in connection with the WM Orders Feature, including Weedmaps Personal Data, regardless of whether any such data or information is commingled or aggregated with other data or information.

  • 12.13. “Weedmaps Personal Data” means any and all Personal Data controlled by Weedmaps or an Affiliate of Weedmaps Processed by you in connection with use of the WM Orders feature, including WM Orders User Personal Data and WM Store Orders User Personal Data.

  • 12.14. “WM Orders User Personal Data” means any and all Personal Data provided by Users who place WM Orders with you.

  • 12.15. “WM Store Orders User Personal Data” means any and all Personal Data provided by Users who place WM Store Orders with you, or if you are a Brand using the WM Store Orders feature, from a Business selling your products.

EXHIBIT A

DATA SECURITY REQUIREMENTS

Minimum Security Requirements. You are responsible for and will ensure compliance with the following:

1.1. Implementation of and compliance with a written information security program consistent with established industry standards including administrative, technical, and physical safeguards appropriate to the nature of the Weedmaps Personal Data that are designed to protect such information from: unauthorized access, destruction, use, modification, or disclosure; unauthorized access to or use that could result in substantial harm or inconvenience to Weedmaps, Weedmaps’ customers, or Weedmaps’ employees; and any anticipated threats or hazards to the security or integrity of such information.

1.2. Adopting and implementing reasonable policies and standards related to security and privacy.

1.3. Assigning responsibility for information security management.

1.4. Devoting adequate personnel resources to information security.

1.5. Carrying out verification checks on permanent staff who will have access to the Weedmaps Personal Data (other than Deidentified Data or Aggregate Consumer Information).

1.6. Conducting appropriate background checks and requiring employees, vendors, and others with access to the Weedmaps Personal Data to enter into written confidentiality agreements.

1.7. Conducting training to make employees and others with access to the Weedmaps Personal Data aware of information security risks and to enhance compliance with your policies and standards related to data protection.

1.8. Preventing unauthorized access to the Weedmaps Personal Data (other than Deidentified Data or Aggregate Consumer Information) through the use, as appropriate, of physical and logical (passwords) entry controls, secure areas for data processing, procedures for monitoring the use of data processing facilities, built-in system audit trails, use of secure passwords, network intrusion detection technology, encryption and authentication technology, secure log-on procedures, and virus protection, monitoring compliance with your policies and standards related to data protection on an ongoing basis. In particular, you have implemented and comply with, as appropriate and without limitation:

  • 1.8.1. Physical access control measures to prevent unauthorized access to data processing systems (e.g., access ID cards, card readers, desk officers, alarm systems, motion detectors, burglar alarms, video surveillance, and exterior security);

  • 1.8.2. Denial-of-use control measures to prevent unauthorized use of data protection systems (e.g., automatically enforced password complexity and change requirements and firewalls);

  • 1.8.3. Requirements-driven authorization scheme and access rights, and monitoring and logging of system access to ensure that persons entitled to use a data processing system have access only to the data to which they have a right of access, and that the Weedmaps Personal Data (other than Deidentified Data or Aggregate Consumer Information) cannot be read, copied, modified, or removed without authorization;

  • 1.8.4. Data transmission control measures to ensure that the Weedmaps Personal Data (other than Deidentified Data or Aggregate Consumer Information) cannot be read, copied, modified, or removed without authorization during electronic transmission, transport, or storage on data media, and transfer and receipt of records. In particular, your information security program will be designed:

    • 1.8.4.1. To encrypt in storage any data sets in your possession, including sensitive personal data; and
    • 1.8.4.2. To ensure that any sensitive personal data transmitted electronically (other than by facsimile) to a person outside your information technology system or transmitted over a public network is encrypted to protect the security of the transmission.
  • 1.8.5. Data entry control measures to ensure you can check and establish whether and by whom the Weedmaps Personal Data (other than Deidentified Data or Aggregate Consumer Information) has been input into data processing systems, modified, or removed; and

  • 1.8.6. Subprocessor supervision measures to ensure that, if you are permitted to use subprocessors, the Weedmaps Personal Data is Processed strictly in accordance with Weedmaps’ instructions including, as appropriate:

    • 1.8.6.1. Measures to ensure that the Weedmaps Personal Data is protected from accidental destruction or loss including, as appropriate, data backup, retention and secure destruction policies; secure offsite storage of data sufficient for disaster recovery; uninterrupted power supply, and disaster recovery programs;
    • 1.8.6.2. Measures to ensure that data collected for different purposes can be Processed separately including, as appropriate, physical or adequate logical separation of Weedmaps Personal Data; and
    • 1.8.6.3. Measures to maintain an up-to-date list of: (i) all Subprocessors involved in Processing Weedmaps Personal Data; (ii) the purposes for which the Subprocessors Process Weedmaps Personal Data; and (iii) the location of each Subprocessor.

1.9. At least once per month, performing internal system, endpoint systems, and application vulnerability assessments and external web (and other, if applicable) application and infrastructure vulnerability assessments on all facilities, information systems (including mobile computing devices, servers, networking equipment, storage media, and host software systems) storing, Processing or transmitting Customer Data used to provide services under the Agreement and remediate any identified vulnerabilities promptly.

2.0. Taking such other steps as may be appropriate under the circumstances.

SCHEDULE I

DESCRIPTION OF PERSONAL DATA PROCESSING

The data processing activities carried out by you under Section 3 (Orders) of the Supplemental Product Terms may be described as follows:

  1. Subject Matter. You provide Users with the ability to submit Orders via the Weedmaps Orders Features and will Process Weedmaps Personal Data, including WM Orders User Personal Data and WM Store Orders User Personal Data, in connection with such Features.
  2. Duration. The Processing of Weedmaps Personal Data is authorized during the Term of the Agreement and for such further period during which you are required to retain such Weedmaps Personal Data in order to comply with Applicable Law or you are otherwise permitted to retain such Weedmaps Personal Data under Applicable Law.
  3. Nature and Purpose. You will receive Weedmaps Personal Data related to Orders placed via the Weedmaps Orders Features for fulfillment by you and will use such Weedmaps Personal Data (other than Deidentified Data and Aggregate Consumer Information) solely to facilitate the completion and fulfillment of Orders, to provide Weedmaps with tax calculations and status updates for the benefit of Users, to facilitate logistics for Pickup or Delivery Orders, as applicable, and to report such Orders as required under Applicable Law.
  4. Data Categories. First name, last name, date of birth, address (for Delivery Orders), email address, telephone number, copy of driver’s license or other identification card, medical cannabis recommendation or card (for medical cannabis Orders), any Personal Data contained in User notes to the Client Retailers, and other order-related information.
  5. Data Subjects. Users.
  6. Location of Data. United States or Canada, or another location mutually agreed upon by the Parties in a signed amendment to this Schedule 1.