Tilray Brands Privacy Policy
Effective Date: May 3, 2024
Tilray Brands, Inc. and our subsidiaries (collectively, “Tilray,” the “Tilray Group,” “we” or “us”) are committed to privacy and transparency. A list of Tilray Group entities is available here. This Privacy Policy describes how Tilray collects, uses, discloses and otherwise manages personal information. “Personal information” means any information about an identified or identifiable individual.
1. SCOPE
This Privacy Policy applies to the personal information we collect related to our:
- websites, including www.tilray.com and our medical use websites including https://aphria.ca/ and https://www.brokencoastrx.com/, adult/recreational use branded websites for each of the brands of Tilray Group, and other websites operated by Tilray that display or link to this Privacy Policy, and the services available through such websites (together, our “Websites”)
- mobile apps, social media properties and other online services
- events and business development activities
- communications and other online and offline business interactions
Additional Notices. Different privacy policies or notices (“Additional Notices”) may be provided by us and apply to certain Websites and services operated by Tilray Group companies; in such cases, these Additional Notices will control in the event of a conflict with this Privacy Policy.
2. COLLECTION OF PERSONAL INFORMATION
A. Sources of Personal Information
We may collect personal information directly, indirectly (or automatically), and from third parties. For example, Tilray collects and uses personal information when individuals register for our services, purchase our products, visit our Website or other channels, communicate with us, submit inquiries to us, or otherwise interact with us. In addition, in order to purchase cannabis from one of our medical use Websites, we may also collect and receive information from authorized third parties such as health care practitioners, medical clinics and caregivers. We also may automatically collect information about individuals, including visitors to our Websites (via cookies, pixels, and similar technologies).
In general, the personal information we collect includes: (i) name, address, email address and other contact information; (ii) date of birth, gender and other demographic details; (iii) prescription and medical records, including daily dosage, primary symptoms/conditions, and other information set out on an individual’s medical document and registration materials, as well as the name, practice and other information about your prescribing health care practitioner; (iv) payment information, order and shipping information; (v) account and profile data; (vi) your preferences and feedback on our products, services and Websites; and (vii) other information you choose to or consent to provide us.
Most of the personal information we collect from you is necessary for us to comply with our legal obligations, provide our services to you or to fulfil your request or orders. For example, in order to fulfil your cannabis order from one of our medical use Websites, we are required to collect certain documentation, including your prescription, prescribing health care provider, and other medical records; if you do not provide us with the required information, we will be unable to process your order. When we collect your personal information, we will highlight whether information is required to proceed or submit a request or order, and whether it is voluntary.
B. Personal Information We Collect Directly From You
Tilray may collect personal information directly from individuals as follows:
- Visit our Websites: In order to access our Websites, we may require you to enter your date of birth and jurisdiction of residence to verify that you are the age of majority in your jurisdiction of residence in order to meet regulatory requirements.
- Register to Purchase Cannabis for Medical Use: To purchase medical cannabis from our medical use Websites, you will be required to register as a patient or caregiver by creating an account and completing a patient or caregiver registration form. When you register, Tilray will collect personal information such as your username and password, as well as the information you provide on the patient or caregiver registration form. On the patient registration form, Tilray will collect personal information such as your first and last name, date of birth, phone number, email address, your prescription information (including dosage and medical condition/diagnosis), gender, shipping address, mailing address, residential address, health care practitioner name and contact information, insurance policy information (including your policy number and policy provider) and whether you are a Canadian veteran. On the caregiver registration form, Tilray will collect personal information such as your patient ID number, gender, as well as your caregiver’s first and last name, gender, phone number, email address, and date of birth. Tilray will use this information to confirm your registration status, issue a username and password and/or to maintain your registered account. You must keep your username and password secure and not share it with anyone else either within or outside your organization. We will never ask you for your password in any unsolicited communication (such as letters, phone calls or email messages). We may also collect other information where necessary for our business operations, in accordance with requirements under applicable law.
- Purchase Products or Services: If you purchase a product or service through our Websites, we (or our authorized third-party payment processor) collect your payment information (including billing address, credit card number, expiry date and CVV code) in order to process the transaction.
- Marketing Communications: You may sign-up to receive email marketing communications such as newsletters and special offers on products and services by providing us with your name and email address. You can unsubscribe at any time by clicking the “unsubscribe” link included at the bottom of each email. Alternatively, you can opt-out of receiving email marketing communications by contacting us at the contact information provided in the “Contact Us” section below. Please note that you may continue to receive transactional or account-related communications from us.
- Feedback: We may collect and use customer feedback about our products and services to better understand our customers and enhance our product and service offerings.
- Interactive Services: We collect information when you post a review or share information with other users on our Websites or through social media. We may also collect a username under which your review or comments will be posted. Your review may also be made publicly available on the website. Please exercise caution before sharing any personal information.
- Surveys and Customer Research: In order to improve our processes, products, and service offerings, Tilray may from time to time offer you the opportunity to participate in one of our surveys or other customer research. Unless otherwise noted, the information obtained through the surveys and customer research is used in an aggregated and non-personally identifiable form (“Aggregated Data”). The purposes for which we use this data include, without limitation, better understanding the needs and wants of our customers and users.
- Careers: If you apply for a job with Tilray, you may provide us with certain personal information about yourself, such as information contained in a resume, cover letter, or similar employment-related materials. We use this information for the purpose of processing and responding to your application for current and future career opportunities.
- Contact Us: When you contact us with a comment, question or complaint through live chat, email, telephone, or the contact us form on our Websites, you may be asked for information that identifies you, such as your name, email address and a telephone number, along with additional information we need to help us promptly answer your question or respond to your comment. We may retain this information to assist you in the future and to improve our customer service and service offerings.
C. Personal Information We May Receive From Third Parties
As noted, we may receive information about you from third parties:
- Information Provided by your Health Care Practitioner: To purchase cannabis for medical use, Tilray will also require that you submit: (i) a document known as a “Medical Document” completed by your health care practitioner, which includes information such as your health care practitioners’ name and contact information, their jurisdiction of registration and registration number, your first and last name, date of birth, location of consultation, and dosage information (including daily quantity and period of use) as well as additional comments regarding your diagnosis, if provided by your health care practitioner, and (ii) a signed and completed consent form which requires you to verify the information provided in the Medical Document. Tilray collects this information to confirm your registration status and fulfill the purchase of your medical cannabis.
- Other Third Parties: We may collect or receive certain information about individuals from service providers and other third parties, such as social media sites (for example, when you interact with us or our content on these sites), as well as other public sources and records.
D. Information We Collect Automatically or Otherwise
When you interact with us and use our Websites, we may automatically collect certain information about you and your devices and interactions, including:
- Call Recording: We may monitor and record our telephone conversations with you for training and quality assurance purposes. You will be provided with a notice at the beginning of any call that is being recorded. If you do not wish to have your call recorded, please let us know.
- Cookies, Log Files, Pixels and Other Tools: Our Websites use cookies, log files, pixel tags, and other technologies (some of which are provided by third parties) to collect information about users of our Websites, such as IP address, location information, domain name, page views, a date/time stamp, browser type, device type, device ID, Internet service provider (“ISP”), referring/exit URLs, operating system, language, clickstream data, and other information about the links clicked, features used, size of files uploaded, streamed or deleted, and similar device and usage information. For more information, see the Cookies and similar devices section below.
- Analytics and Targeting: We may work with third party providers to collect analytics about how individuals use our Websites and our marketing campaigns.
3. USE OF PERSONAL INFORMATION
A. Purposes of Processing
Generally, we collect, use, disclose and process the personal information that we collect for the following purposes:
- Providing Support and Services: To operate our Websites, provide our Services, communicate with you about your use of the Websites or Services, provide troubleshooting and technical support, respond to your inquiries, fulfill your orders and requests, process your payments, communicate with you, and for similar service and support purposes.
- Responding to Your Requests: To respond to your inquiries, fulfill your orders and requests, and otherwise consider or process your request.
- Personalization: To tailor content we may send or display to you, including to offer location customization and personalized help and instructions on our Websites and Apps, and to otherwise personalize your experiences.
- Newsletters and Direct Marketing: For direct marketing purposes, including to send you newsletters, client alerts and information we think may interest you. If you are located in a jurisdiction that requires opt-in consent to receive electronic marketing messages, we will only send you such messages if you opt-in to receive them.
- Protecting Legal Rights and Preventing Fraud and Misuse: To protect the Websites, Services and our business operations; to prevent and detect fraud, unauthorized activities and access, and other misuse; where we believe necessary to investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety or legal rights of us or any person or third party, or violations of our Terms of Use or other agreements; and to respond to actual or potential legal claims against us.
- Complying with Legal and Regulatory Obligations: In order to comply with our legal, regulatory and compliance obligations. For example, to verify an individual’s eligibility for registration under the Canadian Cannabis Act or to respond to legal process (e.g., court orders, subpoenas or warrants) or regulator investigations and inquiries, or where otherwise required by law or our legal or regulatory obligations.
- Analytics and Improvement: To better understand how users access and use our Website, products and Services, and for other research and analytical purposes, such as to evaluate and improve our products and services and business operations, and to verify that orders are being fulfilled and tracked in compliance with the Cannabis Act or any other applicable local legislation.
- General Business Operations: Where necessary, for the administration of our general business, accounting, recordkeeping, audit, compliance and legal functions.
Anonymous and De-identified information. We create and use anonymous and de-identified information to assess, improve and develop our business, products and services, and for similar research and analytics purposes.
B. Legal Bases for Processing Under Certain Laws
The EU General Data Protection Regulation (“GDPR”) and similar laws, including the UK Data Protection Act and Brazil’s General Law for the Protection of Personal Data, require that we inform you of the legal bases for our processing of your personal information. Pursuant to the GDPR and these other similar laws, we rely, generally, on the following legal bases for processing your personal data:
- Performance of Contract: the processing is necessary to enter into or carry out the performance of our contract with you (such as to fulfil your orders).
- Compliance with Laws: for compliance with legal obligations under local laws, including regulatory obligations, data protection, and tax, accounting and corporate compliance requirements.
- Our Legitimate Interests: in furtherance of our legitimate business interests, which are not overridden by your interests and fundamental rights, including:
  - Performance of contracts with clients and other parties
  - Implementation and operation of global support (e.g., IT) services for our business operations
  - Complying with our legal and ethical obligations under other international laws
  - Improving our Website and our services, and conducting research and analytics
  - Customer relationship management and marketing
  - Fraud detection and prevention, including misuse of Services or money laundering
  - Physical, IT, and network perimeter security
  - Internal investigations, audits and assessments
  - Mergers, acquisitions, and reorganization, and other business transactions
- Legal Claims and Rights: the processing is necessary to establish, exercise or defend against legal claims or protect our legal rights.
- With your Consent: where we have your consent (the GDPR (where it applies) and other applicable laws give you the right to withdraw your consent, which you can do at any time by contacting us using the details at the end of this privacy notice). In some jurisdictions, your use of the Services may be taken as implied consent to the collection and processing of personal information as outlined in this privacy notice.
In addition, we may process your personal information where necessary to protect the vital interests of any individual.
4. SHARING OF PERSONAL INFORMATION
Tilray does not sell or rent your personal information, or share it with third parties for their own marketing purposes, without your consent. We may disclose personal information as described below or as required or permitted by applicable law:
- Service Providers: Your personal information may be transferred (or otherwise made available) to third parties that provide services on our behalf. We use service providers to provide services such as hosting the Website, processing payments and orders, providing advertising and marketing services, and providing professional advice. Our service providers are only provided with the information they need to perform their designated functions and are not authorized to use or disclose personal information for their own marketing or other purposes.
- Legal and Compliance: We and our Canadian, US and other foreign service providers may disclose your personal information in response to a search warrant or other legally valid inquiry or order, or to another organization for the purposes of investigating a breach of an agreement or contravention of law or detecting, suppressing or preventing fraud, or as otherwise may be required or permitted by applicable Canadian, U.S. or other law or legal process, which may include lawful access by US or foreign courts, law enforcement or other government authorities. Your personal information may also be disclosed where necessary for the establishment, exercise or defense of legal claims and to investigate or prevent actual or suspected loss or harm to persons or property.
- Sale of Business: We may transfer any information we have about you as an asset in connection with a proposed or completed merger, acquisition or sale (including transfers made as part of insolvency or bankruptcy proceedings) involving all or part of Tilray or as part of a corporate reorganization or other change in corporate control.
- Protect and Defend Rights: Where we believe it necessary to respond to claims asserted against us, enforce or administer our agreements and terms, or for fraud prevention, risk assessment and investigation, and to protect and defend the rights, property or safety of Tilray Piper, our clients and customers, or others.
- Researchers: From time to time, Tilray may request your consent to use or disclose personal information for research purposes, such as (without limitation) information relating to your use of medical cannabis. This may include, without limitation, invitations to complete surveys or participate in studies to be conducted by Tilray or a third party. Tilray will not use or disclose personal information for such research purposes without your express consent, which may be withheld or denied without consequence to you.
- Medical Cannabis: If you purchase medical cannabis from one of our medical use Websites, we share your personal information with your health care practitioner and if applicable, your caregiver in order to meet our regulatory requirements and to fulfill your request. If you are a caregiver, the information we collect about you will also be shared with the patient.
5. COOKIES AND SIMILAR TECHNOLOGIES
We and our service providers use cookies, pixels, log files and other technologies to gather information about your use of our Websites.
- Cookies: Cookies are alphanumeric identifiers that we transfer to your computer’s hard drive through your web browser for record-keeping purposes. Some cookies allow us to make it easier for you to navigate our Websites, while others are used to enable a faster log-in process or to allow us to track your activities while using our Website. Most web browsers automatically accept cookies, but if you prefer, you can edit your browser options to block them in the future. The Help portion of the toolbar on most browsers will tell you how to prevent your computer from accepting new cookies, how to have the browser notify you when you receive a new cookie, or how to disable cookies altogether.
- Clear GIFs, Pixels and Other Technologies: Clear GIFs are tiny graphics with a unique identifier, similar in function to cookies. In contrast to cookies, which are stored on your computer’s hard drive, clear GIFs are embedded invisibly on web pages. We may use clear GIFs (also referred to as web beacons, web bugs or pixel tags), in connection with our services to, among other things, track the activities of users of our services, help us manage content, and compile statistics about usage of our services. We and our third-party service providers also use clear GIFs in HTML emails to our customers, to help us track email response rates, to identify when our emails are viewed, and to track whether our emails are forwarded.
- Log Files: Most browsers collect certain information, such as your IP address, device type, screen resolution, operating system version, and internet browser type and version. This information is gathered automatically and stored in log files.
- Third-party Analytics: We also use automated devices and applications, such as Google Analytics (more info here), to evaluate the use of our Websites and Services. We use these tools to gather non-personal data about users to help us improve our services and user experiences. These analytics providers may use cookies and other technologies to perform their services and may combine the information they collect about you on our Websites with other information they have collected for their own purposes. For more information or to opt-out using the Google Analytics opt-out browser add-on, see “How Google uses data when you use our partners’ sites or apps” and “Google Analytics and Privacy”.
- Do-not-track Signals: Our Websites do not respond to do-not-track signals. For more information about do-not-track signals, please click here. You may, however, disable certain tracking as discussed above (e.g., by disabling cookies) and as set out in our Cookie Policy.
6. ADVERTISING
We may partner with third party advertising services including AdRoll to present you with advertising on third party Web sites based on your previous interaction with the Site. The techniques our partners employ do not directly collect personal information, but could be used to collect identifiable information about your online activities over time and across different Web sites, including when you use the Site. You can learn about AdRoll’s Privacy Policy here. You can visit this page to opt out of AdRoll’s and their partners’ targeted advertising.
We also implement Google Analytics Demographics and Interest Reporting, a display advertising feature from Google Analytics that allows us to review anonymous data regarding the gender, age and interests of visitors to the Site and adapt our content to better reflect the needs of our visitors. You can learn about Google Analytics’ Privacy Policy and use of cookies here. You can opt out of having your data used by Google Analytics by installing the Google Analytics opt-out browser add-on.
7. THIRD PARTY LINKS
Our Websites may contain links to other websites that Tilray does not own or operate such as links to provincial cannabis stores to purchase cannabis for recreational use. We provide links to third party websites as a convenience to the user. These links are not intended as an endorsement of or referral to the linked websites. The linked websites have separate and independent privacy policies, notices and terms of use. We do not have any control over such websites, and therefore we have no responsibility or liability for the manner in which the organizations that operate such linked websites may collect, use or disclose, secure and otherwise treat personal information. We encourage you to read the privacy policy of every website you visit.
8. DATA TRANSFERS
Tilray makes use of third-party service providers to store and process data, including personal information, on its behalf. Any of Tilray, its service providers, and/or either’s agents may use servers or other facilities located outside of the jurisdiction in which you provided the information, including the United States of America and other foreign jurisdictions for this purpose. The government, courts, law enforcement, security, or regulatory agencies of the United States of America or other foreign jurisdictions may be able to obtain access to or disclosure of personal information as permitted by the laws of that country. We will take steps to ensure that your personal information receives an adequate level of protection in the jurisdictions in which we process it, including through appropriate written data processing terms and/or data transfer agreements with our service providers.
Users in the European Economic Area (EEA) and United Kingdom. Your personal information may be transferred to and processed in the United States and other jurisdictions that do not provide equivalent levels of data protection according to the European Commission. In such cases, Tilray will take steps to ensure that appropriate safeguards are in place to protect your personal information, including by putting in place standard contractual clauses as approved by the European Commission (the form for the standard contractual clauses can be found at http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm).
9. SECURITY
Tilray has implemented reasonable administrative, technical and physical measures in an effort to safeguard the personal information in our custody and control against theft, loss and unauthorized access, use, modification and disclosure. We restrict access to personal information on a need-to-know basis to employees and authorized service providers who require access to fulfil their job requirements.
10. YOUR RIGHTS AND CHOICES
You have certain rights regarding your personal information which we hold, as well as choices regarding marketing communications.
A. Access and Correction
You are entitled, with certain legal restrictions, to access, update, correct and review your personal information in our custody and control. Such legal restrictions include, without limitation, where the information contains personal information of third parties or is subject to solicitor-client privilege. We will respond within a reasonable timeframe to all such requests for access and revision and either provide access to the personal information or, if permissible, explain why access is denied.
Accurate personal information is required for efficient and effective delivery of products and services. You may contact the Privacy Officer using the contact information provided above to modify or correct any personal information. Corrections will be made within a reasonable timeframe.
Requests for access to personal information should be made to our Privacy Officer by email at privacy@tilray.com.
B. Marketing Choices
As indicated above, if you have signed-up to receive our marketing communications, you can unsubscribe any time by clicking the “unsubscribe” link included at the bottom of the newsletter. Alternatively, you can opt-out of receiving our marketing communications by contacting us at the contact information under “Contact Us” below.
C. Residents of the EEA and UK
Individuals in the EEA and the UK have the below rights with respect to their personal information:
- Right of access: You can ask us to confirm whether we are processing your personal information and, if necessary, provide you with a copy of that personal information (along with certain other details).
- Right to rectify and complete personal information: You can ask us to rectify inaccurate information. We may seek to verify the accuracy of the data before rectifying it.
- Right of erasure: You can ask us to erase your personal information, but only where: it is no longer needed for the purposes for which it was collected; you have withdrawn your consent (where the data processing was based on consent); following a successful right to object (see ‘Objection’ below); it has been processed unlawfully; or to comply with a legal obligation to which we are subject. We are not required to comply with your request to erase your personal information if the processing of your personal information is necessary: for compliance with a legal obligation; or for the establishment, exercise or defense of legal claims. There are certain other circumstances in which we are not required to comply with your erasure request, although these two are the most likely circumstances in which we would deny that request.
- Right of restriction: You can ask us to restrict the processing of your personal information in certain circumstances, such as where you contest the accuracy of that personal information or you object to our use or stated legal basis.
- Right to object to our use of your personal information for direct marketing purposes: You can request that we change the manner in which we contact you for marketing purposes. You can request that we not transfer your personal information to unaffiliated third parties for the purposes of direct marketing or any other purposes.
- Right to object for other purposes: You have the right to object at any time to any processing of your personal information which has our legitimate interests as its legal basis. You may exercise this right without incurring any costs. If you raise an objection, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms. The right to object does not exist, in particular, if the processing of your personal information is necessary to take steps prior to entering into a contract or to perform a contract already concluded.
- Right to (data) portability: You can ask us to provide your personal information to you in a structured, commonly used, machine-readable format, or you can ask to have it ‘ported’ directly to another Data Controller, but only where our processing is based on your consent and the processing is carried out by automated means.
- Right to withdraw consent: You can withdraw your consent in respect of any processing of personal information which is based upon a consent which you have previously provided.
- Right not to be subject to automated decision-making: You have the right not to be subject to a decision when it is based on automatic processing if it produces a legal effect or similarly significantly affects you, unless it is necessary for entering into or performing a contract between us.
- Right to obtain a copy of safeguards: You can ask to obtain a copy of, or reference to, the safeguards under which your personal information is transferred outside the EU/EEA. We may redact data transfer agreements to protect commercial terms.
- Right to lodge a complaint with your local supervisory authority: You have a right to lodge a complaint with your local supervisory authority if you have concerns about how we are processing your personal information. We ask that you please attempt to resolve any issue with us first, although you have a right to contact your supervisory authority at any time.
Submitting a GDPR Request. Please contact us as set out in the Contact Us section below to exercise one of these rights. If we receive any requests from individuals related to the Platform Data, we will forward the request to the relevant clients.
11. CONTACT US
If you have any questions or comments regarding this Privacy Policy or the manner in which Tilray or its service providers treat your personal information, or to request access to your personal information in Tilray’s records, please contact Tilray’s Privacy Officer using the contact information provided below.
Tilray Inc.
Attention: Privacy Officer
P.O. Box 20009
269 Erie St. South
Leamington, Ontario N8H 3C4
Email: privacy@tilray.com
Any complaints received regarding Tilray’s or its service providers’ use or handling of personal information will be investigated within a reasonable timeframe. Upon concluding the investigation, the Privacy Officer will respond to the complaint and, if necessary, Tilray will take appropriate measures to rectify the situation and maintain compliance with applicable law.
The controller and responsible entity for your personal information is Tilray, Inc., and where you interact directly with another Tilray group entity, they will also be a controller of your personal information, together with Tilray, Inc. As noted above, this Policy applies to Tilray, Inc. and its subsidiaries; data subjects may exercise their rights regarding their personal information that we process pursuant to this Policy by contacting Tilray, Inc. online, by email or by postal mail, as set forth above.
If you are in the EEA or UK, our representative is:
Ronja Baeker
Tilray Deutschland GmbH
Friedrichstraße 153A
10117 Berlin
Telephone: +49 (0) 30 629 33 050
Email: dataprivacy@tilray.com
We have appointed an external data protection officer for our company. You can reach him at:
Name: Arne Platzbecker
Address: HABEWI GmbH & Co. KG, Palmaille 96, 22767 Hamburg
Telephone: 040/18189800
Fax: 040/181898099
E-Mail: datenschutz@habewi.de