Privacy Policy
Last updated: April 14, 2026
Plain English version: We only collect what you give us, we don’t sell anything, we delete your info right after your search unless you opt in, and we use Claude in a mode where Anthropic doesn’t keep a copy either. We reserve the right to change our approach — if we do, we’ll update this page. If you’re not comfortable with any of this, please don’t use the site.
Who we are
CannaMatch is operated by Jason Reposa / Good Vibes, based in Massachusetts. goodvibessyrup.com.
What we collect
From job seekers: Name, optional email, current or recent job title, optional city/state, and the resume text or experience summary you paste or upload. Nothing else.
From employers: Company name, job title, location, description, optional posting URL, optional contact email.
Automatically: Basic server logs and Vercel’s built-in analytics (page views, referrers, IP for rate limiting). No third-party tracking cookies, ad pixels, or retargeting.
How we use it
Candidate data is used to generate AI job-match scores. If you do not opt in to notifications, your data is deleted immediately after results are shown. If you opt in, we keep your profile for up to 90 days to re-match against new postings and email you when something fits.
Employer data is shown publicly on the Service and used to send you weekly aggregate match counts if you provided a contact email.
AI processing and PII protection
Before any resume text is sent to Claude, we strip full names, emails, phone numbers, street addresses, and personal URLs using regex. Only job title, city/state, and the scrubbed experience text are sent to the AI. We call Anthropic’s Claude API with the zero-data-retention setting, so Anthropic does not store your submission, log it, or use it for training.
Who sees your data
Candidate data is never shared with employers, other candidates, or any third party. Employers cannot see who matched to their postings or view any candidate profile. Candidates initiate all contact by clicking through to the employer’s own link.
We don’t sell data. We don’t rent, license, or trade it either. Right now we have no plans to.
Subprocessors
We rely on a short list of service providers to run the Service. Each processes data only as needed to deliver functionality:
- Anthropic (Claude API) — AI match scoring, with zero-data-retention.
- Turso — hosted SQLite database.
- Vercel — web hosting, CDN, basic analytics.
- SendGrid — transactional email (opt-in notifications and employer summaries).
- Cloudflare Turnstile (if enabled) — bot detection on forms.
Data retention
One-time search (default): Deleted immediately after results are shown.
Opted in: Retained for 90 days from opt-in, then automatically and permanently deleted. Unsubscribe at any time via the link in any notification email.
Job postings: Expire from public view after 30 days. The posting record may be retained indefinitely as business data — it contains no personal information about candidates.
Data security
Data is stored in Turso with encrypted connections. The application is hosted on Vercel with HTTPS enforced. Database access is limited to the application’s server-side routes. Admin access is password-protected with a signed, HttpOnly session cookie.
GDPR rights (EEA / UK users)
If you are in the European Economic Area or the United Kingdom, you have the following rights under the GDPR / UK GDPR:
- Access — ask for a copy of the data we have on you.
- Rectification — ask us to correct inaccurate data.
- Erasure — ask us to delete your data.
- Restriction — ask us to limit processing.
- Portability — get your data in a machine-readable format.
- Objection — object to processing at any time.
- Withdraw consent — at any time, with no effect on processing already done.
- Complain — lodge a complaint with your local data protection authority.
The lawful basis for processing candidate data is your consent, given when you submit the matching form. To exercise any right, contact us at the address below. We aim to respond within 10 business days.
Children’s privacy
The Service is not intended for anyone under 21 (consistent with Massachusetts cannabis-industry employment rules). We do not knowingly collect data from anyone under 21.
Massachusetts residents
Massachusetts residents may have additional rights under state law (including 201 CMR 17.00 for data security). We will honor those rights alongside the general rights listed above.
Changes to this policy
We may update this policy at any time by posting a new version at this URL. The “last updated” date will reflect the most recent revision.
Contact
For privacy questions, data requests, or anything else, email hello@goodvibessyrup.com.