The Alchemy NYC Privacy Policy

We collect the following categories of information.

Identity information. Full name, date of birth, government-issued ID information for age verification (the ID is verified at the door, not stored beyond the verification check), and (for delivery customers) delivery address. NYS OCM rules require age verification at multiple points in every transaction, and identity information is the foundational compliance data.

Contact information. Email address, mobile phone number, and (for delivery and pickup) preferred contact method (SMS, email, in-app push notification).

Transaction information. Products purchased, transaction date and time, transaction amount, payment method (cash, debit card, approved cannabis-banking partner), and (for loyalty members) point activity. Cannabis-specific transactions are also logged to Metrc, the OCM-required seed-to-sale tracking system, under 9 NYCRR §113 recordkeeping rules.

Loyalty information. Member ID, point balance, tier status, redemption history, birthday and signup anniversary dates, communication preferences, and (for community-specific enhancements where applicable) verified status (NYU student, veteran, first responder, senior).

Online activity information. Pages visited on thealchemy.nyc, products viewed, cart activity, session duration, IP address, browser type and version, device type, operating system, screen resolution, and referral source. We use industry-standard web analytics tools that aggregate this data for site improvement purposes.

Communication information. Content of emails, chat messages, SMS, and phone interactions with our team. This includes customer service requests, press inquiries, vendor partnership conversations, accessibility accommodation coordination, and any other communication channel we operate.

Employment application information. Resume, cover letter, references, work eligibility status, background check results consistent with NYS OCM hiring rules under Part 118 (9 NYCRR §118), and interview notes. Employment-related information is governed by additional NY State and federal employment privacy law (notably NY Labor Law §201-d for off-duty cannabis use protection, NY Human Rights Law for anti-discrimination, and federal EEOC regulations).

Press and vendor inquiry information. Contact information, outlet or company affiliation, and inquiry content for press and vendor partnership conversations.

Accessibility accommodation information. Where a customer or press visitor requests an accommodation, we may collect information about the accommodation needed (large-print menu, ASL interpreter, sensory-quiet consultation area, etc.). This information is used solely to coordinate the accommodation and is not retained beyond the immediate need unless the customer requests an ongoing accommodation profile.

We do not collect government-issued ID image storage beyond the verification check (the ID is verified at the door using OCM-approved scanning technology, then released without an image being retained), Social Security numbers (except for employment), unrelated medical information, or genetic data of any kind.

We use the information for the following purposes.

Age verification and NYS OCM compliance. Verifying every customer is an adult 21 and over per Cannabis Law §70(2) at door, checkout, and (for delivery) handoff. This is the foundational compliance requirement and the primary use of identity information. OCM compliance officers conduct unannounced site visits across the licensed retail tier and the verification protocol is one of the standard inspection items.

Order fulfillment. Processing online orders, coordinating pickup and delivery, providing order status updates, building the Metrc retail receipt for the transaction, and managing courier handoff for delivery orders within the NYS-licensed service zone.

Loyalty program operation. Tracking points, calculating tier status, applying member benefits, communicating member-only offers, processing redemptions, and maintaining the loyalty account ledger.

Customer service. Responding to questions, troubleshooting issues, processing returns where the defective product policy applies, coordinating accessibility accommodations, and improving our service through customer feedback.

Marketing communication. Sending email and SMS notifications about deals, events, and product launches to customers who have opted in. Marketing communication complies with NYS OCM advertising rules (9 NYCRR §116), the federal CAN-SPAM Act for email, and the federal TCPA for SMS. Customers can unsubscribe at any time through the unsubscribe link in every marketing email or by replying STOP to any marketing SMS.

Website operation. Operating thealchemy.nyc, analyzing usage patterns, improving the online experience, detecting fraud (unauthorized account access, payment fraud, scraping attempts at volumes that affect site performance), and maintaining the technical infrastructure.

Legal compliance. Maintaining records required by NYS OCM (transaction records for seven years per Part 113 recordkeeping rules), NYC retail regulations, tax authorities (federal IRS, NY State Department of Tax and Finance, NYC Department of Finance), and applicable federal frameworks where cannabis operations intersect with federal regulatory exposure.

Internal analytics. Aggregate analysis of customer behavior to inform business decisions including curation strategy, hours optimization, staffing levels, and store layout. Aggregate data does not identify individual customers.

Safety and security. Maintaining safe operations at our retail locations and on delivery routes including the standard NYS retail safety protocol, incident documentation, and (where applicable) coordination with law enforcement on incidents requiring formal reporting.

We share information with the following categories of recipients only.

NYS OCM and other regulatory authorities. Records required for licensing compliance, audit response, and incident reporting. Cannabis transactions are tracked in the NYS-mandated Metrc seed-to-sale system, accessible by OCM for compliance audit. The compliance officer is the point of contact for all OCM information requests.

Service providers. Payment processors (operating under approved cannabis-banking partnerships), age verification technology providers, website hosting, email and SMS delivery, customer service platforms, inventory management, and analytics tools. Service providers are bound by data protection agreements limiting their use of the information to providing the specific service we contract for. We do not allow service providers to use customer data for their own marketing purposes.

Law enforcement. In response to valid legal process (subpoena, warrant, court order) and as required by law. We will challenge improper requests and notify affected customers where legally permitted to do so. We do not voluntarily share customer information with federal authorities including the DEA, FBI, or any other federal agency outside the context of a valid legal demand, and we will require a warrant or equivalent legal process for any cannabis-specific request.

Successor entity. In the event of a sale, merger, or restructuring of the business, customer information transfers to the successor entity subject to the same privacy commitments. Customers will be notified before any such transfer becomes effective.

Tax authorities. Aggregate transaction records and tax reporting data to the federal IRS, NY State Department of Tax and Finance, and NYC Department of Finance as required by law. Tax reporting does not include individually identifiable customer information beyond what is required by the applicable tax form.

We do not sell customer information to third parties. We do not share customer information with advertising networks for behavioral targeting beyond the first-party data used for our own marketing communication. We do not participate in data brokerage arrangements. We do not share customer information with employers, insurance companies, or other parties seeking to verify cannabis use; this is a cannabis-industry-specific protection we hold to without exception.

We store information on encrypted systems with access controls limited to employees and service providers with a business need. Storage practices align with the New York SHIELD Act (NY GBL §899-bb) reasonable security standards including administrative, technical, and physical safeguards.

Retention periods vary by category.

Transaction records. Retained per NYS OCM Part 113 recordkeeping rules (currently seven years from the transaction date). The Metrc retail receipt is retained per OCM rules and is accessible to OCM for compliance audit.

Loyalty information. Retained while the account is active plus seven years after the last activity for tax and regulatory recordkeeping. Customers who close their loyalty account can request deletion of non-required loyalty data.

Online activity logs. Retained for 13 months in identifiable form (IP address, user ID, session-level activity). Aggregate analytics retained indefinitely without individual identifiers.

Communication records. Retained for three years from the communication date. This includes customer service emails, chat transcripts, SMS history, and recorded phone calls (where calls are recorded; we do not record all phone calls and the auto-greeting will disclose recording when it is in use).

Employment records. Retained per applicable employment law (varies by record type; I-9 records retained for the longer of three years after hire or one year after termination per federal rules; payroll records retained for at least three years per FLSA; OCM Part 118 documentation retained per OCM rules).

Press and vendor inquiry records. Retained for three years from last contact.

Accessibility accommodation records. Retained only as long as needed to coordinate the accommodation, plus an optional ongoing accommodation profile for repeat customers who request one.

After the retention period, identifiable information is securely deleted or anonymized through processes that meet NY SHIELD Act reasonable security standards.

Thealchemy.nyc uses cookies and similar technologies for the following purposes.

Essential cookies. Required for the website to function (cart persistence, login session, age verification state, accessibility preferences). These cannot be disabled without breaking core site functionality.

Analytics cookies. Aggregate usage analysis to improve the site. We use industry-standard analytics tools configured for IP anonymization where the tool supports it. Analytics data does not include individually identifiable customer information once processed.

Preference cookies. Remember user preferences such as language, location-specific menu defaults (Chelsea vs Flatiron based on the user's stated preference), and display settings.

Marketing cookies. Email and SMS marketing attribution. Used only for opted-in marketing communication. Customers who have not opted into marketing communication do not have marketing cookies set.

Customers can manage cookie preferences via the cookie banner on first visit and via the privacy preferences link in the footer at any subsequent visit. Browser-level controls (cookie blocking, third-party cookie restriction) are respected.

You have the following rights with respect to your information.

Right to access. Request a copy of the information we have about you. We respond to verified requests within 30 days with a portable copy.

Right to correct. Request correction of inaccurate information. We update verified corrections within 30 days and propagate corrections to relevant downstream systems.

Right to delete. Request deletion of your information subject to legal retention requirements. Some records (transaction history per NYS OCM rules, employment records per federal and state employment law, tax records) cannot be deleted before the retention period expires. We honor deletion requests for non-required records within 30 days and we explain in writing what can and cannot be deleted.

Right to opt out of marketing. Unsubscribe from email and SMS marketing at any time through the unsubscribe link in any marketing email or by replying STOP to any marketing SMS. Customer service communication related to active orders cannot be opted out of while orders are active.

Right to portability. Request your information in a portable, machine-readable format (CSV or JSON). We provide portability within 30 days of verified request.

Right to non-discrimination. We will not discriminate against you for exercising any of these rights. Service is unaffected by privacy rights exercise.

Right to file a complaint. With the New York Attorney General's office (ag.ny.gov), with the relevant federal authority where applicable, or directly with us at [email protected].

To exercise any of these rights, email [email protected] or write to the mailing address listed on /contact/. We respond to verified requests within 30 days. We may need to verify your identity before fulfilling certain requests, which protects your information from being shared with someone impersonating you.

The Alchemy serves adults 21 and over only. We do not knowingly collect information from individuals under 21. If we discover that we have collected information from a minor, we will delete it without delay. Parents or guardians who believe their minor child has interacted with The Alchemy in any context should contact [email protected] immediately.

Customers residing in California have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). Customers residing in the European Union or United Kingdom have rights under the General Data Protection Regulation (GDPR) and UK Data Protection Act 2018. These additional rights are reflected in our practices including the rights listed above. We do not engage in cross-border data transfers that require Standard Contractual Clauses for our operating model.

Customers from other jurisdictions with applicable privacy law (Colorado CPA, Virginia VCDPA, Connecticut CTDPA, Utah UCPA, and other state laws as they take effect) should contact [email protected] to understand how our practices apply to their specific rights framework.

Cannabis remains federally prohibited under 21 USC §812 (Schedule I, Controlled Substances Act). We do not share customer information with federal authorities except in response to valid legal process, and we will require a warrant or equivalent legal demand for any cannabis-specific request. We protect customer information against requests we believe are improper, and we will notify affected customers where legally permitted to do so.

We do not share customer information with employers, insurance companies, or other parties seeking to verify cannabis use. NY Labor Law §201-d protects off-duty cannabis use for adults 21+; our privacy practices reinforce that protection by declining external verification requests.

For customers concerned about cannabis-related privacy exposure, we offer the option to enroll in the loyalty program under a name that differs from the legal name on the ID (the ID-verified name is retained for age verification compliance but is not used for marketing communication). Customers can also pay in cash to minimize digital transaction records, though the transaction is still logged to Metrc per OCM rules.

In the event of a data breach affecting customer information, we will notify affected customers consistent with NY SHIELD Act notification requirements (NY GBL §899-aa). Notification includes the categories of information affected, the approximate date of the breach, the steps we have taken in response, and the steps customers can take to protect themselves. We will also notify the NY Attorney General's office and other applicable regulatory authorities as required by law.

We may update this policy from time to time. Material changes will be communicated via email to active customers and via a notice on thealchemy.nyc at least 14 days before the effective date. The effective date of the most recent version is displayed at the bottom of this page. Continued use of our services after the effective date of the updated policy constitutes acceptance of the updated terms.

Email [email protected] for privacy questions, rights requests, or complaints. We aim to respond within one business day for active matters and we fulfill verified rights requests within 30 days. Written correspondence can be sent to The Alchemy NYC, c/o The Alchemy Chelsea, 302 8th Avenue, Manhattan, NY 10001.

License status for both Alchemy locations through the OCM public licensee directory at cannabis.ny.gov/dispensary-verification. NY SHIELD Act at NY GBL §899-aa and §899-bb. NYS OCM recordkeeping rules under Part 113 (9 NYCRR §113) at cannabis.ny.gov/regulations. NY Labor Law §201-d off-duty cannabis use protection at nysenate.gov/legislation/laws/LAB. CAN-SPAM Act at 15 USC §7701 et seq. TCPA at 47 USC §227. Federal cannabis status at 21 USC §812. CCPA/CPRA at oag.ca.gov/privacy. GDPR at gdpr-info.eu.