Who We Are
HIGHGRADE ("we", "us", "our") operates the HIGHGRADE cannabis discovery platform, accessible at highgrade.media. As the data controller, we are responsible for how your personal data is collected, stored, and processed. For any privacy-related enquiries, contact us at privacy@highgrade.com.
What Data We Collect
We collect the following categories of personal data:
Account & Identity Data
Username, email address, profile photo, date of birth confirmation (age verification only — we do not store your exact date of birth).
Usage & Activity Data
Pages visited, coffeeshop searches, reviews submitted, community posts, stories/reels uploaded, check-ins, session activity, and features used.
Technical & Device Data
IP address (anonymised), browser type, operating system, device identifiers, screen resolution, referring URLs, and time zone.
Analytics Data
When you consent to analytics cookies, we collect anonymised behavioural data via Google Analytics 4 (GA4) including pages viewed, session duration, and conversion actions (sign-ups, review submissions, reviewer programme joins). This data is aggregated and never tied to your identity.
Communications
Messages sent through our in-app messaging, support requests, and newsletter subscriptions.
Payments
If you subscribe to our reviewer programme or advertise on the platform, we collect billing information. Card data is processed by Stripe and never stored on our servers.
How We Use Your Data
We use your data to:
Provide and personalise the platform experience
Process sign-up, authentication, and account management
Display your reviews, posts, stories, and reels
Send you relevant notifications you have opted into
Detect and prevent fraud, spam, and misuse
Comply with legal obligations
Analyse usage trends to improve the platform (aggregated, anonymised where possible) — only with your explicit consent
Send marketing communications — only with your explicit consent
Legal Basis for Processing (GDPR)
Under the General Data Protection Regulation (GDPR), we rely on the following lawful bases:
Contract
Processing necessary to provide you the service you signed up for — account management, review publishing, messaging.
Legitimate Interests
Platform security, fraud prevention, and product improvement — balanced against your rights and always minimised.
Consent
Analytics cookies (Google Analytics 4), marketing emails, and personalisation features. You may withdraw consent at any time via the cookie banner or by emailing privacy@highgrade.com.
Legal Obligation
When required by applicable law, court order, or regulatory authority (e.g. GDPR data subject requests, tax records).
Cookies, Analytics & Consent Mode
Updated April 2026
We use cookies and similar technologies, governed by Google Consent Mode v2 for full GDPR compliance:
Essential Cookies (Always Active)
Required for the platform to function — login session tokens, age verification state, security (CSRF), and your cookie consent preference. These are never blocked and do not require consent.
Analytics Cookies — Google Analytics 4 (GA4)
We use Google Analytics 4 (measurement ID: G-DW8B1Y8BNC) to understand how users navigate the platform, which pages perform best, and which actions drive growth. All analytics tracking is blocked by default under Google Consent Mode v2 — no GA4 data is collected until you explicitly click "Accept All" on our cookie banner. When accepted, we collect: pages visited, session duration, scroll depth, conversion events (sign-up, review submission, reviewer programme join). IP addresses are anonymised. No GA4 data is ever shared for advertising purposes.
Personalisation Cookies (Optional)
Remember your saved venues, notification preferences, and content recommendations. Only active after consent.
Google Consent Mode v2
HIGHGRADE implements Google Consent Mode v2 with all storage types (analytics_storage, ad_storage, functionality_storage, personalization_storage) defaulted to "denied". Consent is granted or denied at runtime when you interact with our banner. This ensures zero data collection before your decision, in full compliance with GDPR and the ePrivacy Directive.
Withdrawing Cookie Consent
You can withdraw cookie consent at any time by clearing your browser's localStorage (key: hg_cookie_consent) or by emailing privacy@highgrade.com. Reloading the page after clearing will show the cookie banner again. Note that withdrawing analytics consent does not affect past anonymised data already collected.
Google Services We Use
We integrate the following Google services, each governed by Google's Privacy Policy (policies.google.com/privacy):
Google Analytics 4 (GA4)
Behavioural analytics. Only active with consent. Data is sent to Google's servers in the US (protected by Standard Contractual Clauses). Retention in GA4 is set to 14 months. You can opt out globally at tools.google.com/dlpage/gaoptout.
Google Search Console
We use Google Search Console to monitor search indexing, organic traffic, and site health. Search Console processes data about how our pages appear in Google Search — it does not collect or process individual user data from site visitors.
Google Fonts
Typography assets loaded from fonts.googleapis.com. Google may log your IP when fonts are fetched. We use non-blocking font loading to minimise this.
Google Maps (Embeds)
Venue detail pages embed Google Maps iframes for location display. Google may set cookies or collect your IP when the map is rendered.
Data Sharing & Third Parties
We do not sell your personal data. We share data only in these circumstances:
Supabase (cloud hosting & database) — EU-region deployment, bound by data processing agreement
Google Analytics 4 — anonymised analytics only, with your explicit consent
Google Search Console — site-level search data only, no individual visitor data
Stripe — billing data for subscription and payout processing (never card numbers)
Resend / email delivery — transactional and notification emails
Legal authorities — when legally required to disclose
Business transfers — in the event of a merger or acquisition, with prior notice to users
International Transfers
Our infrastructure is primarily EU-based (Supabase EU region). Google Analytics data may be processed in the US. Where data is transferred outside the EEA, we ensure appropriate safeguards are in place — including Standard Contractual Clauses (SCCs) approved by the European Commission and Google's EU Data Processing Terms.
Data Retention
We retain your data for as long as your account is active, plus:
Account data: deleted within 30 days of account deletion request
Public reviews and posts: may be retained in anonymised form for platform integrity
Financial records: retained for 7 years as required by law
Server logs: retained for up to 90 days for security purposes
Google Analytics 4: data retention set to 14 months, then auto-deleted by Google
Cookie consent preference: stored in browser localStorage, cleared when you reset consent
Your GDPR Rights
If you are located in the EU/EEA or UK, you have the following rights:
Right of Access
Request a copy of the personal data we hold about you.
Right to Rectification
Correct inaccurate or incomplete data.
Right to Erasure
"Right to be forgotten" — request deletion of your data where no legal basis remains.
Right to Restriction
Request we limit processing of your data in certain circumstances.
Right to Data Portability
Receive your data in a structured, machine-readable format.
Right to Object
Object to processing based on legitimate interests or for direct marketing.
Right to Withdraw Consent
Withdraw analytics or marketing consent at any time — clear the hg_cookie_consent key in your browser localStorage, or email privacy@highgrade.com.
Children's Privacy
Our platform is strictly for adults of legal cannabis consumption age in their jurisdiction (minimum 18). We do not knowingly collect data from minors. If you believe a minor has provided us data, contact us immediately at privacy@highgrade.com and we will delete it.
Security
We implement industry-standard security measures including encrypted storage (AES-256 at rest), HTTPS/TLS in transit, and row-level security (RLS) on our Supabase database. Authentication tokens are short-lived and rotated. No internet transmission is 100% secure. We will notify you of any data breach within 72 hours as required by GDPR Article 33.
Changes to This Policy
We may update this Privacy Policy periodically. Material changes — including changes to how we use analytics or cookies — will be notified via in-app notification or email at least 7 days before taking effect. The date at the top of this page will always reflect the latest revision. Continued use after changes constitutes acceptance.
Exercise your rights or contact our DPO
To make a data subject request (access, deletion, portability, consent withdrawal, etc.) or to raise a privacy concern, email us at privacy@highgrade.com. We respond within 30 days as required by GDPR Article 12.
You also have the right to lodge a complaint with your local data protection authority (e.g. the AP (Netherlands), ICO (UK), or your national DPA in the EU).
Google Analytics Opt-Out
To opt out of Google Analytics globally across all websites, install the Google Analytics Opt-out Browser Add-on. To opt out specifically on HIGHGRADE, decline cookies on our banner or reset your consent preference via localStorage.