Privacy Policy
Last Updated: May 12, 2026
1. Introduction
Cannomic ("we", "us", "our") operates SpecimenOS, a cultivation management platform for commercial horticulture and controlled-environment agriculture operations (the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect your information when you use the Service.
By accessing or using SpecimenOS, you agree to the practices described in this policy. If you do not agree, please do not use the Service.
2. Data Controller
Cannomic is the data controller responsible for your personal data under the EU General Data Protection Regulation (GDPR) and other applicable data-protection laws.
Contact: privacy@specimenos.com
3. Information We Collect
3.1 Account Data
When you create an account, we collect your name, email address, role within your workspace, and a password. Passwords are cryptographically hashed before storage; we never store passwords in plaintext.
3.2 Billing Data
Payment processing is handled entirely by Stripe. Cannomic does not store your credit card number, CVC, or full card details. Stripe is PCI-DSS Level 1 certified. We retain only a Stripe customer identifier, subscription status, and billing period dates necessary to manage your subscription.
3.3 Customer Data
Customer Data is the content you and your workspace members create within the Service, including but not limited to:
- Cultivation batches, species records, and observation logs
- Protocols and standard operating procedures
- Inventory items and stock solution records
- Equipment profiles, maintenance schedules, and fertigation logs
- Quality records, checklists, deviations, and CAPAs
- Work-log and handoff entries
- Workspace configuration and settings
You own your Customer Data. We process it solely to provide and improve the Service.
3.4 Usage Data
We automatically collect information about how you interact with the Service, including pages visited, features used, session duration, device type, browser type, operating system, and IP address. Usage data is collected in aggregated or anonymized form where possible.
3.5 Communications
When you contact us through support channels, contact forms, or email, we retain the content of those communications to provide assistance and improve the Service.
3.6 Cookies
We use essential cookies required for authentication and session management. Analytics cookies are only placed with your explicit consent. See our Cookie Policy for full details.
4. How We Use Your Information
We use the information we collect to:
- Provide and operate the Service — maintain your account, process your data, and deliver features you request
- Process billing and payments — manage subscriptions, invoices, and payment processing through Stripe
- Provide customer support — respond to inquiries, troubleshoot issues, and resolve complaints
- Send transactional emails — account verification, password resets, billing confirmations, and security alerts
- Improve the Service — analyze usage patterns, identify areas for improvement, and develop new features
- Ensure security and prevent abuse — detect fraud, enforce rate limits, and protect the integrity of the platform
- Comply with legal obligations — respond to lawful requests from authorities and maintain required records
- Send marketing communications — product updates and feature announcements, only with your consent and with an easy opt-out mechanism in every message
5. Legal Bases for Processing (GDPR)
If you are located in the European Economic Area (EEA) or United Kingdom, we rely on the following legal bases to process your personal data:
- Contract performance — processing necessary to provide your account, operate the Service, and fulfill our contractual obligations to you
- Legitimate interest — security monitoring, service improvement, usage analytics, and fraud prevention, where our interests do not override your fundamental rights
- Consent — marketing communications and non-essential cookies, which you can withdraw at any time
- Legal obligation — retention of tax and billing records, and compliance with law-enforcement requests
6. Data Sharing and Disclosure
We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. We disclose data only in the following circumstances:
6.1 Service Providers (Subprocessors)
We use trusted third-party service providers to operate the Service. Each provider processes data only as necessary to perform its function and is bound by data-processing agreements:
- Supabase — database hosting (PostgreSQL), authentication, and real-time infrastructure
- Vercel — application hosting, edge network, and content delivery
- Stripe — payment processing and subscription management
- Resend — transactional email delivery
- Vercel Analytics — anonymized usage analytics
For a complete list, see our Subprocessors page.
6.2 Marketplace Transactions
When you purchase or sell protocols on the SpecimenOS Marketplace, limited information (email address and workspace name) is shared between buyer and seller to facilitate the transaction.
6.3 Legal Requirements
We may disclose your information if required to do so by law, or if we believe in good faith that disclosure is necessary to comply with a legal obligation, protect our rights or safety, or prevent fraud.
7. Data Retention
- Active accounts — your data is retained for as long as your subscription remains active and your account is open
- Post-cancellation — after you cancel your subscription, your data is retained for 30 days to allow for reactivation, after which it is permanently deleted
- Audit logs — retained in accordance with applicable compliance requirements and internal policy
- Billing records — retained as required by applicable tax and accounting laws
- Backups — maintained on a rolling 30-day retention cycle; older backups are automatically purged
You may request earlier deletion of your data at any time by contacting privacy@specimenos.com.
8. Your Rights Under GDPR
If you are located in the EEA or United Kingdom, you have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you
- Rectification — request correction of inaccurate or incomplete personal data
- Erasure — request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations
- Data portability — receive your personal data in a structured, commonly used, machine-readable format
- Restrict processing — request that we limit how we process your data in certain circumstances
- Object to processing — object to our processing of your data based on legitimate interests
- Withdraw consent — withdraw any previously given consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal
- Lodge a complaint — file a complaint with your local data protection supervisory authority
To exercise any of these rights, contact privacy@specimenos.com. We will respond to your request within 30 days.
9. Your Rights Under CCPA/CPRA
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Right to know — request disclosure of the categories and specific pieces of personal information we have collected about you
- Right to delete — request deletion of your personal information, subject to certain exceptions
- Right to correct — request correction of inaccurate personal information
- Right to opt out of sale or sharing — we do not sell your personal information and do not share it for cross-context behavioral advertising
- Right to limit use of sensitive personal information — direct us to limit our use and disclosure of sensitive personal information to what is necessary for the Service
- Right to non-discrimination — we will not discriminate against you for exercising your privacy rights
To exercise any of these rights, contact privacy@specimenos.com.
10. International Data Transfers
Your data is processed and stored in the United States through our infrastructure providers (Supabase, Vercel, and Stripe). If you are located in the EU, EEA, or United Kingdom, your data is transferred to the United States under appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission.
By using the Service, you acknowledge and consent to the transfer, processing, and storage of your data in the United States.
11. Data Security
We implement robust technical and organizational measures to protect your data, including:
- Encryption at rest and in transit (TLS 1.2 or higher)
- Row-level security (RLS) on all database tables, ensuring workspace isolation
- Role-based access controls enforced at both application and database layers
- Append-only audit logging for accountability and incident investigation
- Regular security reviews and vulnerability assessments
- Hashed and salted passwords — plaintext credentials are never stored
While we take every reasonable precaution, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we are committed to promptly addressing any breach in accordance with applicable notification laws.
12. Children's Privacy
SpecimenOS is not directed at individuals under the age of 18. We do not knowingly collect personal information from minors. If we become aware that we have inadvertently collected data from an individual under 18, we will take steps to delete that information as quickly as possible. If you believe a minor has provided us with personal data, please contact us at privacy@specimenos.com.
13. Cookies
By default, SpecimenOS uses only essential cookies required for authentication and session management. These cookies are strictly necessary for the Service to function and cannot be disabled.
Analytics and non-essential cookies are only placed with your explicit consent. You can manage your cookie preferences at any time. For full details on the cookies we use, their purpose, and their retention periods, please see our Cookie Policy.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make material changes, we will notify you by email or by placing a prominent notice within the Service prior to the changes taking effect.
Your continued use of the Service after any changes constitutes your acceptance of the updated policy. We encourage you to review this page periodically for the latest information.
15. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Privacy inquiries: privacy@specimenos.com
- Legal inquiries: legal@specimenos.com