Legal

Privacy Policy

CarinaOS is built by cultivators, and your operation's data is yours. This policy explains what we collect, why, who we share it with, and the controls you have over it.

Effective: June 8, 2026 Last updated: June 8, 2026 Applies to: carinaos.com & app.carinaos.com

01 Who we are

CarinaOS is a cannabis cultivation operating system — a hardware-agnostic intelligence layer that unifies METRC compliance, live sensor data, and crop analytics for licensed operators. The service is provided by CannaVia Holdings LLC ("CarinaOS," "we," "us"), which acts as the data controller for the information described here.

This policy covers our marketing site (carinaos.com) and the application (app.carinaos.com). It does not cover third-party systems you connect — such as METRC or your sensor vendors — which operate under their own privacy terms.

02 What we collect

We collect only what the platform needs to run your operation. That falls into four groups.

Account information

  • Your name, email address, and password (stored only as a salted hash — we never see your plaintext password).
  • Facility name and your role within the operation.

Compliance & cultivation data

  • Your METRC license number and the API credentials you supply to connect it.
  • Records you sync through CarinaOS: plant batches, harvests, packages, transfers, waste, and the cultivation logs derived from them.

Sensor & operational data

  • Readings pulled from the hardware you connect — climate, substrate, water, and tank metrics from systems such as Growlink, AROYA, and YoLink.
  • Room and tank configuration from your sensor manifest.

Billing & usage data

  • Subscription and payment details, processed by Stripe. We do not store full card numbers — Stripe handles card data directly.
  • Standard log and device data (IP address, browser, pages and features used) to keep the service secure and reliable.

03 How we use it

  • To operate the platform — syncing METRC, displaying sensor data, and computing the analytics you rely on.
  • To authenticate you and isolate your facility's data from every other tenant.
  • To process subscription billing and provide support.
  • To monitor for abuse, debug issues, and improve reliability and features.
  • To send service-related messages (alerts, billing notices, security notifications).
We do not sell your data, and we do not use your cultivation, compliance, or sensor data to train machine-learning models for other customers without your explicit, opt-in consent.

04 Subprocessors

We rely on a small set of trusted infrastructure providers to deliver the service. Each receives only the data needed for its function.

ProviderPurposeData handled
SupabaseAuthentication & databaseAccount, facility, and synced records
StripePayment processingBilling details & card data
CloudflareEdge compute, sync workers & CDNCredentials in encrypted storage; request data
Amazon Web ServicesStatic hosting (S3 / CloudFront)Public site assets
METRCState compliance APICompliance records you sync
CalendlyDemo schedulingName & email you submit

Sensor-platform vendors you connect (Growlink, AROYA, YoLink, and others) act as data sources rather than subprocessors; your relationship with them is governed by their own terms.

05 Sharing & disclosure

We share your information only in these limited circumstances:

  • With your direction — for example, when you connect METRC or a sensor platform and authorize data to flow.
  • With subprocessors listed above, under contractual confidentiality and security obligations.
  • For legal reasons — to comply with a valid legal request, or to protect the rights, safety, and security of CarinaOS, our customers, or the public.
  • In a business transfer — if CarinaOS is involved in a merger or acquisition, with notice to you and continued protection under this policy.

06 Retention

We keep your data for as long as your account is active. When you cancel, we retain your facility's data for a limited window so you can export or reactivate, then delete or anonymize it on request or at the end of that window — except where we're legally required to keep records longer. You can request export or deletion at any time (see Your rights).

07 Your rights

Depending on where you operate, you may have the right to:

Access

Request a copy of the personal data we hold about you.

Export

Download your facility's data in a portable format.

Correct

Update inaccurate account information.

Delete

Ask us to erase your data, subject to legal limits.

To exercise any of these, email hello@carinaos.com. We'll verify your identity before acting and respond within the timeframe required by applicable law.

08 Cookies

We use essential cookies to keep you signed in and to secure your session. We use limited, privacy-respecting analytics to understand how the product is used. We do not use third-party advertising cookies or sell behavioral data. You can control cookies through your browser settings; disabling essential cookies may break sign-in.

09 Security

We encrypt data in transit and at rest, isolate each tenant's data and credentials, and store API keys as encrypted secrets that are never exposed in the interface. For a full account of our controls, see our Security overview. No system is perfectly secure, but protecting your operation's data is core to the product.

10 Age & eligibility

CarinaOS is a business tool for licensed cannabis operators. It is not directed to anyone under 21, and we do not knowingly collect data from minors. You must be of legal age and authorized to act for a licensed facility to use the service.

11 Changes to this policy

We may update this policy as the product and the law evolve. When changes are material, we'll update the date above and notify account holders. Continued use after an update means you accept the revised policy.

12 Contact

Questions about privacy or your data? Reach us at hello@carinaos.com. For security matters, support@carinaos.com.