Privacy Policy

PuffSeal LLC, doing business as 420Ledger ("420Ledger," "we," "our," or "us"), provides cannabis-focused accounting and tax preparation services. This Privacy Policy describes the information we collect, how we use it, who we share it with, how long we retain it, and the rights you have over your information.

1. Information we collect

1.1 Information you provide directly

• Business identifiers — entity name, EIN, license numbers, state of operation, ownership structure.
• Owner and employee personal data — names, addresses, dates of birth, Social Security or taxpayer identification numbers, contact information.
• Financial information — bank statements, sales reports, invoices, vendor bills, payroll records, tax documents.
• Account credentials — email address, hashed password, multi-factor authentication factors.
• Communications — emails, support requests, signed engagement letters, meeting notes.

1.2 Information collected automatically

• Log data — IP address, browser, device, timestamps, pages viewed, error events.
• Cookies and similar technologies — for session management, authentication, and basic analytics. We do not use third-party advertising or behavioral-tracking cookies.

1.3 Information collected from third parties (with your authorization)

• Bank transaction data via Plaid or direct CSV imports.
• Point-of-sale data from systems including Dutchie, Treez, Flowhub, Cova, Blaze, Jane, BioTrack.
• Cannabis seed-to-sale data from METRC.
• Payroll data from Gusto.

2. How we use your information

• To deliver bookkeeping, 280E compliance, tax preparation, and related services described in your engagement letter.
• To authenticate users and protect accounts.
• To prepare and file federal, state, and local tax forms on your behalf.
• To communicate with you about your account, deliverables, deadlines, and service updates.
• To comply with legal obligations, including IRC §7216 governing tax-return-information disclosures.
• To improve service quality and security.

3. How we share your information

We do not sell personal information. We share information only as described below:

• Service providers that operate our infrastructure under written confidentiality terms — including Railway (application hosting), Vercel (web hosting), Cloudflare (storage and content delivery), and SendGrid (transactional email).
• Tax authorities when required to file returns or respond to lawful requests, including the Internal Revenue Service and applicable state revenue agencies.
• Authorized integrations you connect to your account — Plaid, your point-of-sale system, METRC, Gusto, and similar — only for the data flows you authorize.
• Legal compliance in response to valid subpoenas, court orders, or government requests, with notice to you where legally permitted.
• Business transfers in connection with a merger, acquisition, or sale of all or substantially all of our assets, with continued protection of your information under terms no less protective than this policy.

4. Data retention

We retain tax-related records for at least seven (7) years after the close of the tax year to which they relate, consistent with IRS guidance for tax-return preparers and recordkeeping requirements applicable to our clients. We retain non-tax operational records for the duration of our engagement plus a reasonable period thereafter for audit, legal, and recordkeeping purposes.

You may request deletion of records that we are not legally required to retain. See Section 6 — Your rights.

5. Security

We use industry-standard administrative, technical, and physical safeguards to protect your information, including:

• TLS encryption in transit between your browser and our servers.
• Encrypted storage at rest for files and database records.
• Password hashing using PBKDF2-SHA256 at 200,000 iterations; multi-factor authentication available.
• Role-based access controls and audit logging on administrative actions.
• Daily database backups.

No method of transmission or storage is perfectly secure. If we become aware of a breach affecting your information, we will notify you in accordance with applicable law.

6. Your rights

You may exercise the following rights with respect to information we hold about you:

• Access — request a copy of the personal information we maintain about you.
• Correction — request that we correct inaccurate or incomplete information.
• Deletion — request deletion of personal information that we are not legally required to retain (see Section 4 — Data retention).
• Portability — request a machine-readable export of the personal information you provided to us.
• Objection or restriction — request that we limit certain processing where applicable law allows.

To exercise any of these rights, email admin@420ledger.com. We will respond within 30 days. We may need to verify your identity before fulfilling a request.

7. Children's privacy

Our services are intended for licensed cannabis businesses and the adults who operate them. We do not knowingly collect personal information from children under 18. If you believe we have collected information from a child, contact us and we will delete it.

8. International users

Our services are operated in the United States. Information you provide is processed and stored in the United States. If you access our services from outside the United States, you do so on your own initiative and are responsible for compliance with local laws.

9. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email or through the service. Continued use of the services after a change constitutes acceptance of the updated policy.

10. Governing law

This Privacy Policy is governed by the laws of the State of New Jersey, without regard to its conflict-of-laws principles. Any dispute arising out of or relating to this Policy will be brought exclusively in the state or federal courts located in New Jersey.

11. Contact