# CannaManage — Project Charter

**Author:** Patrick Plate
**Date:** 2026-04-06
**Version:** 1.0
**Status:** Draft for Review

---

## 1. Executive Summary

### Vision Statement

> *CannaManage is the compliance backbone for German cannabis social clubs — purpose-built to turn a legally mandated administrative burden into a manageable, auditable, and digitised workflow.*

### The Problem

Germany's **Konsumcannabisgesetz (CanG)**, in force since April 1, 2024, legalised cannabis for personal use and established a framework for **Anbauvereinigungen** (cannabis social clubs / CSCs). Every operating CSC faces mandatory, recurring compliance obligations:

- Track every distribution (recipient, strain, weight, date/time) — by law
- Enforce quantity limits per member (50g/month for adults, 30g/month for under-21, 25g/day)
- Maintain batch-level contamination traceability
- Produce periodic authority reports
- Designate and track a Prevention Officer (Präventionsbeauftragter)
- Manage member data under DSGVO

Clubs currently manage this with Excel spreadsheets, pen-and-paper logs, and WhatsApp groups — creating legal risk, audit gaps, and administrative chaos.

### Why Now

The market is less than two years old. **No purpose-built software tooling exists** for German CSCs. The window to establish market leadership is 2026–2027 before larger players notice the niche. First-mover advantage combined with the permanent regulatory moat from CanG compliance requirements makes this the right moment.

### What We Are Building

A **multi-tenant B2B SaaS platform** offering:

- Club admin portal (member management, distribution logging, stock management, compliance reporting)
- Member portal (personal quota, distribution history, stock visibility)
- Built-in CanG compliance enforcement and export tooling

**We are selling compliance management software to licensed, regulated entities. We are not in the cannabis business.**

---

## 2. Project Scope

### 2.1 In Scope — MVP v1

| Area | Features Included |
|------|-------------------|
| **Onboarding** | Club registration, setup wizard, admin account creation |
| **Member Management** | Add/remove members, age verification (18+, 18–21 restricted), contact data |
| **Distribution Tracking** | Log each handout (member, strain, weight, date/time); enforce daily/monthly limits |
| **Limit Enforcement** | 25g/day cap, 50g/month (adult), 30g/month (under-21), 10% THC flag |
| **Stock Management** | Strains, batch tracking, quantity levels |
| **Admin Dashboard** | Club-level totals: members, distributions this month, stock levels |
| **Compliance Exports** | Monthly distribution report (PDF + CSV), member list export for inspections |
| **Contamination Recall** | Flag a batch; system lists all members who received from it |
| **Prevention Officer** | Store officer contact info and designation date |
| **Member Portal** | Login with club-issued credentials; view quota, distribution history, stock availability |
| **Authentication** | Spring Security + JWT; role-based (ADMIN, MEMBER) |
| **Hosting** | Hetzner VPS (German DC), Docker Compose, PostgreSQL + Flyway |

### 2.2 Explicitly Out of Scope — MVP v1

| Feature | Reason Excluded |
|---------|-----------------|
| Public club discovery / "find clubs near you" | **Illegal under CanG §§6–7 advertising ban** |
| Cannabis e-commerce or payment for cannabis | Illegal; violates positioning |
| Non-EU data storage (AWS us-east, etc.) | DSGVO violation |
| Stripe subscription billing | Deferred to Phase 1 (Weeks 9–16) |
| Email/SMS notifications | v2 feature |
| Mobile native app (Android/iOS) | v2/v3 feature |
| Multi-location club support | v3 feature |
| Legal template marketplace | v3 feature |
| Next.js/React frontend | v2 migration after revenue justifies investment |
| Authority portal integrations | v3 feature (portals don't exist yet) |

---

## 3. Stakeholders

| Role | Description | Needs |
|------|-------------|-------|
| **Club Admin** *(primary user)* | Vereinsvorstand or designated manager; runs day-to-day club operations | Compliant distribution logging, member management, authority-ready exports |
| **Club Member** *(secondary user)* | Verified adult member of the Anbauvereinigung | Self-service quota visibility, distribution history, stock availability |
| **Prevention Officer** *(Präventionsbeauftragter, tertiary user)* | Legally required role; may or may not be the admin | Contact info tracked in system; receives relevant reports |
| **Patrick Plate** *(developer & product owner)* | Solo developer; nights/weekends; ADP Germany full-time | Minimal learning overhead; fast path to first revenue; legally sound product |

---

## 4. Success Criteria

MVP is considered complete when all of the following are true:

| # | Criterion | Measure |
|---|-----------|---------|
| 1 | **Core compliance loop working** | Admin can log a distribution → system enforces limits → admin exports PDF report for authorities |
| 2 | **Multi-tenant isolation** | Two clubs' data are completely isolated — no cross-tenant data leakage |
| 3 | **Member portal live** | Member can log in with club-issued credentials and view their quota + history |
| 4 | **Contamination recall functional** | Admin flags a batch; system returns full recipient list in < 2 seconds |
| 5 | **Deployment stable** | Platform runs on Hetzner VPS via Docker Compose with uptime ≥ 99% over 30-day beta |
| 6 | **Beta validation** | 3–5 real club admins have used the system and provided written feedback |
| 7 | **Legal review passed** | No features violate CanG advertising ban; DSGVO AVV in place before any live data |
| 8 | **Zero PII on non-EU infrastructure** | All data confirmed to reside in Hetzner DE datacenter |

---

## 5. Constraints & Assumptions

### Constraints

| Type | Constraint |
|------|-----------|
| **Legal** | CanG §§6–7 imposes a **total advertising and sponsoring ban** on cannabis AND Anbauvereinigungen — no public club discovery feature, ever |
| **Legal** | DSGVO requires EU hosting, data processing agreements (AVV), member data export/deletion capability |
| **Technical (MVP)** | Frontend is PrimeFaces + JSF — Patrick's existing expertise; no new framework learning in Phase 0 |
| **Technical** | Multi-tenancy via `tenant_id` on all JPA entities — no row-level security shortcuts |
| **Team** | Solo developer — Patrick; nights and weekends only; full-time at ADP Germany |
| **Timeline** | Phase 0 target: 8 weeks; Phase 1 target: 16 weeks total from project start |
| **Budget** | Infrastructure: Hetzner €5–20/month; no team salary cost |

### Assumptions

- German CSCs are willing to pay €29–€79/month for compliance software
- Stripe will process subscriptions for compliance software (not cannabis sales) without restriction
- Spring Boot 3.x is sufficiently adjacent to Patrick's Jakarta EE expertise to use without major ramp-up
- PrimeFaces MVP is sufficient for beta validation — UI polish deferred to v2
- CanG remains in force and CSC licensing continues in all major Bundesländer

---

## 6. Risk Register

| Risk | Probability | Impact | Mitigation |
|------|-------------|--------|-----------|
| **Advertising ban reinterpreted to include B2B SaaS** | Low | High | Obtain legal opinion from cannabis law specialist before launch (€300–500); strict no-discovery design enforced at architecture level |
| **New German government rolls back or tightens CanG** | Medium | High | Modular architecture — compliance-only features can be extracted and pivoted to a general club management tool |
| **Stripe blocks cannabis-adjacent businesses** | Medium | High | Position as "Vereinsverwaltungs-Software" (club management software); never process cannabis payments; test with Stripe before public launch |
| **Clubs fail / licenses revoked** | Medium | Medium | Diversified customer base; per-month billing (easy cancellation); no annual lock-in required for MVP |
| **DSGVO violation** | Low | Very High | EU-only hosting (Hetzner DE), DPA/AVV agreements before any live data, DSGVO-compliant privacy policy in German, member data export/deletion API from day one |

---

## 7. Budget & Resources

| Item | Cost | Notes |
|------|------|-------|
| **Development** | €0 (Patrick's time) | Nights/weekends; valued at opportunity cost only |
| **Infrastructure — Hetzner VPS** | €5–20/month | German DC; scales with load |
| **Infrastructure — PostgreSQL** | €0 (self-hosted on VPS) | Managed DB upgrade available when needed |
| **Legal opinion** | €300–500 (one-time) | Cannabis law specialist; pre-launch requirement |
| **Domain (cannamanage.de)** | ~€15/year | To be registered |
| **Stripe fees** | 1.4% + €0.25 per transaction | EU cards; only on paid subscriptions |
| **Email (Resend / Jakarta Mail)** | €0–10/month | Resend free tier for low volume |
| **Sentry monitoring** | €0 (free tier) | Error tracking; Java SDK |
| **Total pre-launch** | **~€600–700** | Including legal opinion |

---

## 8. Timeline Overview

```mermaid
gantt
    title CannaManage Development Roadmap
    dateFormat YYYY-MM-DD
    axisFormat %b %Y

    section Phase 0 — Foundation
    Spring Boot setup + JPA entities        :p0a, 2026-04-07, 2w
    Core REST API (member, distribution)    :p0b, after p0a, 2w
    Admin portal PrimeFaces                 :p0c, after p0b, 2w
    Limit enforcement + PDF report          :p0d, after p0c, 2w

    section Phase 1 — MVP
    Member portal                           :p1a, after p0d, 2w
    Stock management + contamination recall :p1b, after p1a, 2w
    Stripe billing integration              :p1c, after p1b, 2w
    DSGVO + beta launch (5 clubs)           :p1d, after p1c, 2w

    section Phase 2 — Launch
    Payment flows + email notifications     :p2a, after p1d, 4w
    Marketing site + legal review           :p2b, after p2a, 4w
    Soft launch to club community           :milestone, after p2b, 0d

    section Phase 3 — Growth
    PrimeFaces → Next.js migration          :p3a, 2026-12-01, 8w
    PWA mobile                              :p3b, after p3a, 4w
    Template marketplace + referral         :p3c, after p3b, 8w
```

---

## 9. Legal Framework

### Key CanG Provisions

| Provision | Content | Product Implication |
|-----------|---------|---------------------|
| **§2 CanG** | Definitions — Anbauvereinigung, Mitglied | Data model must align with statutory definitions of club and member |
| **§§15–26 CanG** | Anbauvereinigungen — formation, rights, obligations | Club registration flow must capture legally required club attributes |
| **§22 CanG** | Distribution limits: 25g/day, 50g/month per adult member | Hard enforcement in distribution service; cannot be overridden by admin |
| **§23 CanG** | Under-21 restrictions: 30g/month max, max 10% THC | Age flag on member entity; separate limit enforcement path for restricted category |
| **§§6–7 CanG** | **Total advertising and sponsoring ban** for cannabis and Anbauvereinigungen | **No public club discovery. No stock visible to non-members. No club listings.** Architecture constraint. |
| **§26 CanG** | Documentation and reporting obligations | Compliance export module is a legal requirement, not an optional feature |
| **§27 CanG** | Prevention officer requirements | Prevention officer fields mandatory in club setup; not optional |

### DSGVO Obligations

- All personal data stored on EU infrastructure (Hetzner DE)
- Data processing agreement (AVV) required with each club before live data entry
- Member data export endpoint required (Art. 20 DSGVO — data portability)
- Member data deletion endpoint required (Art. 17 DSGVO — right to erasure)
- Privacy policy in German, DSGVO-compliant, published before launch

---

## 10. Sign-Off

| Role | Name | Date |
|------|------|------|
| **Project Sponsor** | Patrick Plate | 2026-04-06 |
| **Lead Developer** | Patrick Plate | 2026-04-06 |
| **Product Owner** | Patrick Plate | 2026-04-06 |

---

*Next review date: 2026-05-01 | Source: [STRATEGY.md](../STRATEGY.md)*