Privacy Policy
Last updated: 6/23/2025
At Sun Growers Farm CHRA, your privacy matters. As a licensed Cannabis Harm Reduction Association (CHRA), we are committed to protecting your personal data and ensuring transparency about how we collect, use, and store your information. This Privacy Policy explains what data we collect, why we collect it, how we use it, and your rights as a member or visitor.
1. WHO WE ARE
Sun Growers Farm CHRA 020
Email: info@sungrowersfarmchra.org
We are the data controller for the personal data we process. This means we determine the purpose and means of processing your data.
2. WHAT DATA WE COLLECT
We collect and process the following personal data when you apply for membership, participate in club activities, or use our services:
- Full name
- ID card number
- Date of birth
- Gender
- Address and contact details (email, phone)
- Copy of ID card (for internal verification only)
- Membership history and payments
- Product purchase history and engagement
- Communications with the club (e.g. emails, feedback)
3. WHY WE COLLECT YOUR DATA (LEGAL BASIS)
We collect your data for the following reasons:
| Purpose | Legal Basis |
|---|---|
| Membership management and identification | Performance of a contract (your membership) |
| Sale of regulated cannabis products | Legal obligation under ARUC licensing (Legal Notice 56 of 2023) |
| Ensuring responsible use and harm reduction | Legitimate interest in protecting members and public health |
| Security and traceability (CCTV, invoices) | Legal obligation and legitimate interest |
| Communication with members | Consent or legitimate interest |
| Regulatory audits (e.g. by ARUC) | Legal obligation |
4. HOW LONG WE KEEP YOUR DATA
We keep your personal data for as long as you remain a member of Sun Growers Farm CHRA, and for up to 5 years after the end of your membership. This is to comply with regulatory record-keeping requirements. Data that is no longer necessary is securely deleted or anonymized.
5. WHO WE SHARE YOUR DATA WITH
We do not share your data with third parties except with the Information and Data Protection Commissioner (IDPC), if a complaint is filed.
6. HOW WE SECURE YOUR DATA
Your member data is managed using secure platforms that comply with international security and privacy standards including ISO 27001, ISO 27701, SOC 2 Type II, and GDPR.
Your data is never sold, disclosed for marketing, or shared with other members.
7. CCTV MONITORING
CCTV is used within club premises for security and regulatory purposes, in accordance with ARUC guidelines. Signage is clearly displayed at entrances. Footage is securely stored and retained for 60 days, unless required in connection with a specific incident or investigation.
You may request access to footage that clearly and exclusively shows you. If other individuals are visible, we may not be able to provide a copy in line with data protection rules. In such cases, we may facilitate an internal review instead.
8. YOUR RIGHTS UNDER GDPR
You have the right to:
- Access your personal data
- Request correction of inaccurate data
- Request deletion of data (under certain conditions)
- Object to or restrict processing
- Receive your data in a portable format (data portability)
- Lodge a complaint with the Information and Data Protection Commissioner (IDPC)
To exercise any of these rights, please contact us at: info@sungrowersfarmchra.org
9. CONTACT & COMPLAINTS
If you have any questions or concerns about how we process your data, or would like to make a complaint, you can contact:
Email: info@sungrowersfarmchra.org
Or lodge a complaint with:
Office of the Information and Data Protection Commissioner (IDPC)
https://idpc.org.mt
info@idpc.org.mt
10. UPDATES TO THIS POLICY
We may update this Privacy Policy from time to time to reflect changes in law or our operations. The latest version will always be available online on sungrowersfarmchra.org and at the club premises.