Digital Harvest LLC (“Digital Harvest,” “we,” “us,” or “our”) operates TimeKeep Compliance, a regulatory compliance platform for cannabis operators licensed by state cannabis regulatory authorities. This Privacy Policy describes how TimeKeep Compliance collects, uses, stores, and protects information.
1. About TimeKeep Compliance
TimeKeep Compliance is a software platform that helps licensed cannabis operators (“Licensees”) manage their state-mandated tracking and reporting obligations. The platform integrates with state-operated track-and-trace systems — including Metrc, operated by the State of Michigan Cannabis Regulatory Agency — to provide consolidated dashboards, reporting tools, and operational utilities for license holders.
Digital Harvest LLC is a state-approved Metrc integrator. We process regulated data on behalf of Licensees, who remain the controllers of their own compliance records.
2. Our Role and Your Licensee’s Role
TimeKeep Compliance is a tool used by Licensees to manage their own regulatory obligations. The Licensee — your employer or the operator whose license you work under — determines:
- Which licenses are tracked through the platform
- Which staff members have access to compliance data
- How that data is used within their compliance program
Digital Harvest processes data on the Licensee’s behalf as a service provider. The Licensee is the data controller for all regulated compliance records and is responsible for compliance with applicable state cannabis regulations, recordkeeping rules, and any other laws governing their operations.
The State of Michigan Cannabis Regulatory Agency, through Metrc, is the authoritative system of record for all regulated cannabis tracking data. TimeKeep Compliance is a layer on top of that system, not a replacement for it.
3. Information We Process
3.1 User Account Information
TimeKeep Compliance uses the same login system as the TimeKeep workforce management platform. Account information — including your name, email address, login credentials, and authentication tokens — is governed by the TimeKeep Privacy Policy. We do not duplicate or maintain a separate identity database for the Compliance Module.
3.2 Regulatory and Operational Data
When you use TimeKeep Compliance, we process data on behalf of your Licensee, including:
- License information: state license numbers, license types, business legal names, and license-related metadata
- Metrc API credentials: the user-specific or facility-specific API keys provided by your Licensee or the State of Michigan, used to authenticate requests to Metrc on the Licensee’s behalf
- Cached Metrc data: package tags, plant data, harvest data, transfer manifests, sales data, lab results, and other tracking records retrieved from Metrc, cached in our database to provide fast dashboards, multi-license consolidation, and reporting
- User-generated compliance data: CSV uploads, batch job inputs and outputs (such as package split jobs), user notes, internal audit records, and the timestamps of compliance actions taken in the platform
- Activity logs: records of which user performed which compliance action, used to support the Licensee’s internal audit and recordkeeping requirements
We do not collect personal information about individual cannabis consumers or patients through TimeKeep Compliance.
3.3 Why We Cache Metrc Data
Metrc is the authoritative system of record, but its API is not designed for real-time interactive dashboards or multi-license consolidation. We cache a synchronized copy of Metrc data in our own database so that Licensees can view, search, filter, and report across their licenses without overloading the state API. Cached data is refreshed regularly and is not treated as authoritative — Metrc remains the source of truth for all regulated records.
4. How We Use This Information
We use the data described above solely to:
- Provide TimeKeep Compliance functionality to your Licensee
- Authenticate to Metrc on the Licensee’s behalf using their API credentials
- Display consolidated dashboards across the Licensee’s licenses
- Generate compliance reports, exports, and audit records
- Execute batch operations (such as package split jobs) requested by authorized users
- Maintain logs of compliance actions for the Licensee’s internal records
- Diagnose and resolve technical issues with the platform
- Maintain the security and integrity of the platform
We do not use compliance data for advertising, marketing, profiling, or any purpose unrelated to providing the compliance service. We do not share compliance data with anyone other than the Licensee, the State of Michigan through Metrc, and the limited service providers described in Section 6.
5. Data Storage and Security
5.1 Where Data Is Stored
TimeKeep Compliance data is stored in a dedicated managed PostgreSQL database, separate from the TimeKeep workforce management database. This separation ensures that workforce data and regulated compliance data are not commingled.
All infrastructure is hosted in United States-based data centers operated by DigitalOcean.
5.2 Security Measures
- All data in transit is encrypted using TLS
- Databases use encryption at rest
- Metrc API credentials are stored encrypted and accessible only to the authentication subsystem that uses them to make requests to Metrc
- Access to compliance data is restricted to authenticated users assigned to the relevant Licensee
- Administrative access is logged and audited
- Passwords are hashed using industry-standard algorithms; we never see or store plaintext passwords
- Automated daily backups are taken; immutable off-site backups are stored with object-lock protection against tampering or ransomware
5.3 Breach Notification
If we become aware of a security incident affecting compliance data, we will notify affected Licensees promptly and cooperate with any required notifications under applicable state and federal law.
6. Third-Party Services
We use a limited number of service providers to operate TimeKeep Compliance. Each is contractually obligated to handle data appropriately:
| Service | Purpose | Data Handled |
|---|---|---|
| DigitalOcean | Application hosting, managed database, file storage | All compliance data (encrypted) |
| Amazon Web Services (S3 with Object Lock) | Immutable off-site backups | Encrypted backup snapshots |
| State of Michigan / Metrc | State-mandated track-and-trace integration | Regulatory data (as required by license) |
We do not use advertising networks, third-party analytics, or marketing SDKs in TimeKeep Compliance.
7. Data Retention
We retain compliance data for as long as your Licensee’s account is active and for a reasonable period afterward to support audit, dispute resolution, and the Licensee’s own recordkeeping obligations under state cannabis regulations.
Cannabis regulations typically require Licensees to retain compliance records for multiple years. Because the Licensee is the data controller and is responsible for those retention obligations, we follow the Licensee’s direction regarding retention and deletion of their compliance data.
When a Licensee’s account is terminated, we will, on request, provide an export of their compliance data in a portable format and delete cached data from our systems in accordance with applicable retention requirements.
Note that data submitted to Metrc remains in Metrc regardless of any action taken in TimeKeep Compliance — the State of Michigan controls retention of the authoritative record.
8. Access and Visibility Within the Platform
| Role | What They Can See |
|---|---|
| Licensee staff (compliance users) | Compliance data for licenses they are assigned to, within the scope their Licensee has granted |
| Licensee admin | All compliance data for licenses under that Licensee’s account |
| Digital Harvest support staff | Limited, audited access for support and troubleshooting purposes only |
We do not allow one Licensee to view another Licensee’s data. Where Digital Harvest manages multiple licenses on behalf of a single client under one Licensee account, all of those licenses share a common compliance scope as configured by that client.
9. Your Rights
Because TimeKeep Compliance processes data on behalf of Licensees, requests to access, correct, or delete personal information should generally be directed to your Licensee, who controls the data.
You may also contact Digital Harvest directly using the information in Section 12. Where required by applicable law, we will support Licensees in responding to data subject requests from their staff or other affected individuals.
10. Children’s Privacy
TimeKeep Compliance is a regulated business platform. Cannabis operators are required to ensure all individuals working under their license are of legal age under state law. We do not knowingly collect personal information from anyone under 18.
11. Changes to This Policy
We may update this Privacy Policy from time to time. The “Effective Date” above will be updated to reflect material changes. We will notify Licensee administrators of material changes through the platform or by email.
12. Contact Us
If you have questions about this Privacy Policy or how TimeKeep Compliance handles data:
Digital Harvest LLC
Michigan, USA
Email: privacy@digitalharvest.tech
TimeKeep Compliance: go.timekeep.cloud/compliance
Corporate: digitalharvest.tech