Transparency regarding your data and rights
Clear, accessible information on how we protect your medical data, manage cookies, and the terms of using the CannaLog platform.
Privacy Policy
Last Updated: 24th of April 2026
1. Introduction
Welcome to CannaLog ("we," "our," or "us"). We are committed to protecting and respecting your privacy. This policy explains how we collect, use, and protect the personal data you provide to us through our website, mobile applications (iOS and Android), and Progressive Web App (PWA).
CannaLog is a tracking and journaling tool. We are not a medical provider. We do not provide medical advice, diagnosis, or treatment.
2. Who We Are (Data Controller)
For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, the Data Controller is:
CannaLog Technologies Limited
Registered Address: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ
Data Protection Contact: dpo@cannalog.co.uk
3. The Data We Collect
We collect different types of data to provide our tracking services. Because CannaLog tracks medical cannabis usage, some of this data is classified as Special Category Data (Health Data), which requires extra protection.
A. Information You Give Us
- Account Data: Full name, email address, date of birth, password (hashed), and optional profile photo.
- Clinic Data: The UK clinic you attend and your prescribing clinician's name, which we use to verify your status (see "Clinic Connect" below). Clinics are stored by name and matched against an admin-curated directory.
- Health & Usage Data (Special Category Data):
  - Prescriptions: product, strain, THC/CBD percentages, dosage, classification, expiry date.
  - Orders & deliveries: pharmacy, courier, tracking reference, delivery status.
  - Sessions: method of administration, dose, route, onset/peak times, relief score, symptom and feeling tags.
  - Side effects and therapeutic effects.
  - Optional session photos, product batch images and prescription PDFs.
  - Free-text journal notes.
- Support & Correspondence: Messages you send to our support team, contact-form submissions, and any data-subject requests you raise.
B. Technical Data (Automatically Collected)
- Device Information: Device model, operating system (iOS/Android/Web), and browser user-agent.
- Usage Data: Page loads, feature usage, login events, and crash reports.
- Network Data: IP address (anonymised in analytics) used for security, fraud prevention and regional compliance.
- Cookies & Local Storage: See our Cookies & Data policy for specifics.
4. Lawful Basis for Processing
Under the UK GDPR, we must have a lawful basis to process your data.
- For General Personal Data (Account Info):
  - Consent (Article 6(1)(a)): You give us permission to create your account.
  - Contract (Article 6(1)(b)): Processing is necessary to provide the service you signed up for.
- For Health Data (Special Category Data):
  - Explicit Consent (Article 9(2)(a)): When you sign up and begin logging data, we ask for your explicit consent to process your health-related information solely for the purpose of personal tracking. You may withdraw this consent at any time by deleting your account.
5. How We Store and Secure Your Data
We prioritise security. Your data is not stored on local servers in our office but is hosted by industry-leading cloud infrastructure providers.
A. Our Tech Stack & Third-Party Processors
We use the following third-party processors. We have Data Processing Agreements (DPAs) in place with them.
| Provider / Technology | Purpose | Location of Data |
|---|---|---|
| Microsoft Azure — patient portal & API (App Service, Container Apps, .NET 10) | Web Hosting, Application Runtime, Authentication for everything that handles patient data | UK Azure regions only (UK West primary, UK South failover) — encrypted at rest & in transit |
| Microsoft Azure — public site & static delivery (cannalog.co.uk marketing site, CDN edge for static assets) | Public marketing pages (no login, no patient data) and static asset delivery | Global Azure regions — no PII or health data ever processed |
| Azure SQL Database | Primary patient database (TDE + column-level encryption) | UK West |
| Azure Blob Storage | User-uploaded files (prescription PDFs, session photos, clinic/pharmacy logos) | UK West |
| Azure Key Vault | Secrets, connection strings, signing keys for Apple & Google Wallet passes | UK West |
| Azure Application Insights | Internal stability monitoring, crash reporting, performance telemetry | UK West |
| Google Analytics 4 (cannalog.co.uk only, opt-in) | Aggregated public-site traffic. Disabled until you accept in the cookie banner. IP anonymisation on, ad signals off. Never used on the patient portal. | Google EU/US infrastructure |
| Google Gemini API (AI Overview) | Generates a short, anonymised summary of your recent tracking patterns. The prompt sent to Gemini contains only aggregate counts, top strains, and symptom/relief tags — no name, email, date of birth, clinic, prescriber or free-text notes are ever sent. Responses are cached for 12 hours and are never used to train Google models. | Google EU infrastructure (zero-retention on our endpoint) |
| TrackingMore | Live delivery status for prescription parcels. Only the tracking number, courier and status are exchanged — no patient identifiers. | EU infrastructure |
B. Encryption
- In Transit: TLS 1.3 encryption between your device and our servers.
- At Rest: AES-256 encryption standards for data stored in Microsoft Azure and SQL Server 2025.
C. Staff Access & Vetting
We enforce a "Principle of Least Privilege."
- No Access by Default: Operational staff cannot see your specific health entries.
- Vetted Access: Only specific, senior technical staff have access to the backend database for maintenance. They undergo background checks and are bound by NDAs.
- Audit Logs: Any access to the production database is logged.
6. How We Use Your Data
- Provide the Service: Allow you to log, view, export and share your history.
- Sync Across Devices: Availability on Web and Progressive Web App today, with iOS and Android on the roadmap.
- Clinic Connect: Verify that the clinic you select is your genuine prescriber, so that travel letters, emergency cards and wallet passes carry a "verified" badge. This is described in detail below.
- AI Overview (optional): Generate a plain-English summary of your own data. Detailed below — never includes identifiers.
- Improve the App: Internal stability monitoring via Azure Application Insights; opt-in aggregated traffic analytics via Google Analytics 4 on the public marketing site only.
- Security: Detect fraud, account abuse and unauthorised access.
6a. Clinic Connect & Clinician Share
When you select your UK cannabis clinic in your profile, your name and clinic selection enter a verification queue that our support team uses to confirm you are a genuine patient of that clinic. Once verified, a "Clinic-verified" badge appears on your travel letter, emergency card, patient-ID wallet pass and on the Clinician Share view. We log who verified you and when.
You can, at your option, generate a Clinician Share link — a read-only, time-limited URL that lets your prescriber view a curated summary of your data. You control which fields are included and you can revoke the link at any time.
6b. AI Overview (Google Gemini)
On your dashboard you can request an AI Overview — a short, natural-language summary of your recent tracking patterns. The prompt sent to Google's Gemini API contains only:
- Aggregate counts (number of sessions, average relief score, days tracked)
- Top products, symptoms and feelings by frequency
- Active prescription count
The prompt never contains your name, email, date of birth, clinic name, prescriber name, free-text notes, photos, or any other identifier. Responses are cached for 12 hours; you can request a new overview at any time. Google has confirmed that traffic from the paid Gemini API tier is not used to train their models. You can disable AI Overview in your account settings.
6c. Apple Wallet & Google Wallet Passes
We offer a signed patient-ID pass for Apple Wallet and Google Wallet, containing your name, clinic, prescribing clinician, and current prescription reference. Passes are signed with certificates held in Azure Key Vault; the pass file itself is generated on demand and not stored long-term. Apple and Google do not receive the pass content itself during distribution.
7. Data Residency & International Transfers
We operate a strict split between the systems that touch patient data and the supporting services that don't:
- Patient data — UK Azure regions only. Your account, prescriptions, sessions, uploads, support history and every other piece of personal or special-category data is stored and processed exclusively in Microsoft Azure's UK regions (UK West primary, UK South failover). It is never transferred outside the United Kingdom.
- Non-PII services — may use global Azure regions. A limited set of supporting services that do not process patient data — for example the public marketing site at cannalog.co.uk, CDN edge for static assets like logos and images, and transactional email delivery — may use Azure regions outside the UK for global reach and resilience. These services never receive personal data, health data or anything tied to a patient account.
- Third-party SaaS (Google Analytics 4 on the public site only, Google Gemini for the optional AI Overview, TrackingMore for delivery status) operate on their providers' own infrastructure as listed in the table above. We have Data Processing Agreements with each, and the data sent is minimised as described in sections 5 and 6b.
This split keeps you firmly inside UK data sovereignty for everything that matters, while letting the public-facing marketing site stay fast for visitors anywhere in the world.
8. Data Retention
We apply tiered retention windows per data category, aligned with the NHS Records Management Code of Practice where applicable:
- Active account data: retained while your account is active.
- Session logs & prescription history: retained for the life of the account — this is the core record you track with us.
- Login events & security audit logs: 13 months (for fraud / abuse investigation).
- Support tickets & contact messages: 24 months after last activity.
- Uploaded files (PDFs, photos): kept until you delete them, or until account closure.
- Deleted accounts: pseudonymised in the live database within 30 days. Encrypted backups are cycled within 90 days. Legally mandated logs (e.g., financial records) are retained per statutory requirements.
We operate an internal Data Retention dashboard that flags rows approaching their policy window for review.
9. Your Rights
Under the UK GDPR you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure (Right to be Forgotten) — delete your account and associated data.
- Restrict or Object to processing in certain circumstances.
- Portability — receive your data in a machine-readable format (JSON/CSV).
- Withdraw Consent — for analytics, AI Overview, or any other optional processing.
- Lodge a complaint with the Information Commissioner's Office (ICO) — ico.org.uk.
Requests are handled through our internal Data Subject Request (DSR) queue, so you receive a written acknowledgement within 3 working days and a substantive response within 30 days, in line with UK GDPR Article 12(3).
To exercise any of these rights, contact: dpo@cannalog.co.uk
10. Medical Disclaimer
- CannaLog is a software tool for information tracking only.
- We do not offer medical advice.
- Use of the app does not create a doctor-patient relationship.
- Do not disregard professional medical advice because of this app.
- If you experience a medical emergency, contact 999 or your doctor immediately.
11. Data Breaches
We maintain an internal breach register and an ICO 72-hour notification clock on every new incident. Where a breach is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours (per UK GDPR Article 33) and contact affected users directly (Article 34).
12. Children's Privacy
CannaLog is intended exclusively for UK medical cannabis patients aged 18 or over. We do not knowingly collect personal data from anyone under 18. If we become aware that an account has been created by a minor, the account will be closed and all associated data deleted.
13. Changes to This Policy
We may update this policy as the platform evolves. Material changes will be flagged in-app and by email where we hold your address. The "Last Updated" date at the top of this page always reflects the most recent edit.
Contact Us
Email: dpo@cannalog.co.uk
Address: 71-75 Shelton Street, Covent Garden, London WC2H 9JQ
If you have specific questions about our legal policies, please reach out to our Data Protection Officer at dpo@cannalog.co.uk.