pplate/pi_mcps
1
1
Fork 0
Code Issues 9 Pull Requests Actions Packages Projects 1 Releases Wiki Activity
Files
main
pi_mcps/plans/cannabis-club-saas/STRATEGY.md
T
pplate 21956f7a42 docs(plans): add CannaManage SaaS strategy — cannabis club management for Germany 
- Legal feasibility check vs CanG (Konsumcannabisgesetz): LEGAL as B2B Vereinsverwaltungs-Software
- B2B SaaS for Anbauvereinigungen: member management, distribution tracking, compliance reports
- Tech stack: Spring Boot 3.x (Java 21) + JPA/Hibernate, PrimeFaces MVP, PostgreSQL + Flyway
- Mobile: PWA → Kotlin Android → Kotlin Multiplatform (natural path for Java developer)
- Revenue model: freemium (free ≤30 members), paid tiers €29-€179/month
- Market: 500-3000 clubs forming, zero dedicated tooling exists (first mover window)
- Also adds BIGMIND_HOSTED_MVP.md (BigMind SaaS vision plan)
2026-04-04 10:52:17 +02:00

26 KiB
Raw Permalink Blame History

🌿 CannaManage — Cannabis Club Management SaaS

Strategic Plan & Feasibility Assessment

Author: Patrick (Lumen, 2026-04-04)**
Status: Draft for review

Executive Summary

Germany's Konsumcannabisgesetz (CanG), in force since April 1, 2024, legalised cannabis for personal use and established a framework for Anbauvereinigungen (cannabis social clubs / CSCs). These clubs face significant mandatory compliance burdens with almost zero software tooling available to help them. This is the market gap.

CannaManage is a B2B SaaS platform for cannabis social clubs in Germany. It handles their mandatory member management, distribution tracking, stock management, compliance reporting, and member portal — replacing Excel sheets and pen-and-paper with a purpose-built regulated-sector management tool.

Verdict: LEGAL — MONETIZABLE — ⚠️ WITH SPECIFIC CAUTION

1. Legal Feasibility Check

1.1 The Law: Konsumcannabisgesetz (CanG) — Key Facts

Source: Federal Health Ministry FAQ (verified 2026-04-04 via bundesgesundheitsministerium.de)

Rule Detail
Personal possession 25g in public, 50g at home
Home growing Max 3 plants per adult
CSC distribution 25g/day, 50g/month per adult member
Members 18-21 Max 30g/month, max 10% THC
Max club density 1 club per 6,000 residents per district (state-optional)
Advertising ban TOTAL ban on advertising and sponsoring of cannabis AND Anbauvereinigungen
Documentation Mandatory tracking: who received what, when, contamination traceability
Prevention officer Clubs must designate a Präventionsbeauftragter
Youth protection concept Mandatory health & youth protection plan required
Reporting obligations Regular documentation and reporting to authorities

1.2 The Critical Question: Does a SaaS Platform Violate the Advertising Ban?

§ CanG: "Generelles Werbe- und Sponsoringverbot für Cannabis und Anbauvereinigungen"

This is the key legal boundary. The advertising ban applies to:

  • Advertising for cannabis
  • Advertising for Anbauvereinigungen (the clubs themselves)

A B2B management tool is NOT advertising. Here is why:

Scenario Legal Status Reasoning
Public directory "Find clubs near you" Illegal Constitutes advertising for clubs
"Sign up to discover CSCs in your city" Illegal Discovery = advertising
B2B dashboard used by club admins Legal Internal operations software
Member portal (member logs in to see their club's stock) Legal Member already joined; no advertising
Compliance reporting tools for clubs Legal Administrative software, like tax software
Payment processing for member fees Legal Financial operations, not advertising
Marketing the SaaS to clubs via B2B channels Legal Selling software to businesses is normal

The analogy: Shopify doesn't become a drug dealer when a pharmacist uses it. A POS system for a bar doesn't make the bar illegal. We sell operational software to licensed, regulated entities. We are not in the cannabis business.

1.3 Positioning — Critical Architecture Decision

The platform MUST NOT include:

  • Public-facing club discovery (no "find clubs near you")
  • Any feature that functions as advertising for a specific club to non-members
  • Stock information visible to non-members (which could look like advertising)

The platform SHOULD include:

  • Member login restricted to verified club members only
  • Club admin portal (sign-up via direct B2B sales / word-of-mouth — not public listing)
  • Explicit "this software is for existing clubs and their verified members" framing

1.4 DSGVO / Data Privacy

Clubs handle sensitive personal data (membership, health-adjacent data). Our platform must:

  • Store all data in Germany/EU (Hetzner, not AWS us-east)
  • Provide DSGVO-compliant data processing agreements (DPA/AVV)
  • Enable data export and deletion per member request
  • Have clear privacy policies in German

1.5 Legal Risk Register

Risk Probability Impact Mitigation
Advertising ban reinterpretation to include B2B SaaS Low High Legal opinion before launch; strict no-discovery design
New German government rolls back CanG Medium High Modular architecture — pivot to compliance-only if needed
Payment processors (Stripe) block cannabis-adjacent businesses Medium High Use Stripe (they allow compliance software); never process cannabis payments
Club licenses revoked / clubs fail Medium Medium Diversified customer base; per-month billing (easy to cancel)
DSGVO violation Low Very High EU hosting, DPA agreements, security audit

Bottom line: The legal risk is manageable with correct product positioning. We are selling compliance management software, not cannabis.

2. Market Analysis

2.1 Market Size

Potential CSC count in Germany:

  • Germany population: ~83 million
  • If 1 club per 6,000 residents (theoretical maximum): ~13,800 clubs
  • Realistic 2025-2028 formation rate: 5003,000 active clubs
  • Reason: complex licensing process, Länder-specific delays, conservative uptake initially

Consumer backdrop:

  • 5.05 million adults consumed cannabis in the past 12 months (2024 survey)
  • 670823 tonnes consumed in 2024 — huge demand
  • This is not a niche; it is a mainstream market with a regulatory moat

Total Addressable Market (TAM):

  • 3,000 clubs × €79/month average = €2.85M ARR
  • 500 clubs × €79/month = €475K ARR (conservative bootstrap target)
  • Even 100 paying clubs = €94,800 ARR — a solid side hustle

2.2 Why Clubs Desperately Need This

The CanG creates massive administrative burden on clubs:

Requirement Pain Without Software
Track every distribution (who, what, how much, when) Excel sheets, manual errors
Monthly quantity caps per member Manual math, compliance risk
Youth protection (18-21 THC cap, quantity cap) Manual age checks
Contamination traceability Paper trail disaster
Prevention officer reporting No standard format exists
Member data management (DSGVO) Illegal if done on personal email/phone)
Annual reporting to authorities No tooling from the state

These clubs are legally required to do this. They will pay for something that makes compliance manageable.

2.3 Competition Check

Current competitors (estimated):

  • None known at launch time specifically for German CSCs (market is <2 years old)
  • General club management software (e.g., ClubDesk, easyVerein) — not cannabis-compliant, lack distribution tracking
  • Generic SaaS tools (Airtable, Notion) — no compliance features, no German legal mapping

Timing advantage is critical. The window to establish market leadership is 2026-2027 before larger players notice.

3. Product: Feature Specification

3.1 MVP (Version 1 — Ship First)

For Club Admins:

  • Club registration and setup wizard
  • Member management (add/remove, age, contact, membership date)
  • Age verification flag (18+, 18-21 restricted category)
  • Distribution log: record each handout (member, strain, weight, date/time)
  • Monthly limit enforcement: system warns/blocks if member exceeds 50g (or 30g for under-21)
  • Stock management: strains, quantities, batch info
  • Simple dashboard: total members, distributions this month, stock levels

For Members (Member Portal):

  • Login with club-issued credentials
  • View personal distribution history
  • View current stock availability (what strains are available)
  • View remaining monthly quota
  • Request distribution appointment (optional, club configures)

Compliance Tools:

  • Monthly distribution report export (PDF + CSV) for authority reporting
  • Member list export for inspections
  • Contamination alert: flag a batch and see all members who received it
  • Prevention officer information tracking

3.2 Version 2 (Growth Features)

  • Payment processing for membership fees (Stripe — no cannabis payments)
  • Automated waiting list management
  • Email/SMS notifications to members
  • Multi-strain grow tracking (integrate growing calendar)
  • Mobile: PWA first — Spring Boot serves a responsive web app; works on all Android/iOS browsers, no App Store submission needed
  • Mobile: Kotlin Android app — native Android app for Play Store distribution (covers ~70% of German users); Kotlin is essentially better Java, Patrick can leverage existing JVM knowledge directly
  • API for custom integrations
  • Analytics dashboard (club-level, anonymised trends)

3.3 Version 3 (Scale Features)

  • Kotlin Multiplatform (KMP) — shared business logic in Kotlin + Compose Multiplatform UI deployed to Android + iOS + web from one codebase; natural step after the Kotlin Android app
  • Multi-location club support
  • White-label option for large club networks
  • Legal template library (Satzungen, Jugendschutzkonzept, etc.)
  • Integration with German authority reporting portals (if they exist)
  • Prevention officer training module

4. Revenue Model

4.1 Pricing Tiers (SaaS)

Plan Price/month Members Key Features
Starter Free Up to 30 Distribution log, basic member management
Basic €29/month Up to 100 + Compliance reports, stock management
Professional €79/month Up to 500 + Member portal, batch tracking, exports
Enterprise €179/month Unlimited + API, multi-location, priority support

Rationale:

  • Free tier creates word-of-mouth in the club community
  • Professional is the sweet spot for a typical club (100-300 members)
  • Freemium-to-paid conversion pressure: "your club hit 30 members, upgrade to continue"

4.2 Revenue Projections

Scenario Paying Clubs Average Plan MRR ARR
Bootstrap (Year 1) 30 €49 €1,470 €17,640
Growth (Year 2) 150 €65 €9,750 €117,000
Scale (Year 3) 500 €79 €39,500 €474,000

Year 1 is realistic as a side hustle while working at ADP.

4.3 Additional Revenue Streams

  • Setup fee: Optional one-time €99299 onboarding fee for Professional/Enterprise
  • Legal templates: Sell standardised Satzung, Jugendschutzkonzept templates (€49 one-time)
  • Training: Webinars for Präventionsbeauftragter (€149/person) — high-value, low-effort
  • Affiliate/referral: Partner with lawyers who advise clubs (they refer clients, we pay commission)

5. Tech Stack

5.1 Skills Assessment — ⚠️ CORRECTED (Java is Patrick's primary language)

Important correction: The initial plan had this backwards. Python is Lumen's language, used for MCP servers. Patrick's real expertise is Java — JPA/EclipseLink, JAXB, PrimeFaces, Maven, Jakarta EE. He built the entire wellmann-shop without AI, and wrote a custom JPA-annotation-style flatfile parser for euBP/DSAK. The stack below is redesigned around Java as the primary language.

Technology Patrick's Level Required?
Java (Spring Boot / Quarkus) Expert Yes — backend
JPA / EclipseLink Expert Yes — ORM layer
JAXB Expert Yes — report generation
PrimeFaces / JSF Expert Optional — one frontend path
Maven Expert Yes — build tool
PostgreSQL Good Yes — database
Docker Comfortable Yes — deployment
Spring Security / JWT 🟡 Familiar Yes — auth
Kotlin (Android / KMP) 🟡 Natural transition — same JVM, IntelliJ Yes — mobile v2/v3
Compose Multiplatform 🟡 New but Kotlin-based Yes — cross-platform UI v3
Vaadin Flow (Java UI) 🟡 New, Java-native Alternative fast frontend
React / Next.js Needs learning Best long-term web frontend
Stripe Java SDK 🟡 New (REST, documented) Yes — billing
German DSGVO practical ⚠️ Basic Critical — legal

5.2 Frontend Choice — The Real Decision

With Java as the primary language, three paths exist:

Option A: Vaadin Flow — Full Java, zero JavaScript (fastest start)

  • Write UI in pure Java — no HTML/CSS/JS required
  • Deeply integrated with Spring Boot, component-based
  • Patrick can start immediately with zero new language learning
  • Downside: Vaadin commercial license for some features; UI looks enterprise-y

Option B: PrimeFaces + JSF — Patrick already knows this cold

  • Built wellmann-shop entirely from scratch with PrimeFaces
  • Runs on Quarkus, WildFly, or Payara
  • Zero learning curve — known patterns, fast to ship
  • Downside: JSF is considered legacy by the wider web community; not ideal for modern SaaS polish

Option C: Spring Boot backend + Next.js/React frontend (Best long-term)

  • Java stays the backend — Patrick's full existing strength
  • React/Next.js frontend — one-time learning investment
  • Standard modern SaaS architecture (2024+); best hiring/community ecosystem
  • Downside: React/Next.js learning curve (~4-6 weeks)

Recommendation: Start with Option B (PrimeFaces) to ship an MVP fast with zero learning overhead. Migrate the frontend to Option C (Next.js) in Version 2 when revenue justifies the investment. This is pragmatic — ship first, polish later.

5.3 Recommended Stack

Frontend:     PrimeFaces + JSF (MVP) → Next.js/React (v2+)
Backend:      Spring Boot 3.x (Java 21) — REST API + JPA/Hibernate
ORM:          JPA/Hibernate (Patrick's core expertise)
Database:     PostgreSQL + Flyway migrations
Auth:         Spring Security + JWT (stateless sessions)
Payments:     Stripe Java SDK (subscriptions, webhooks)
PDF Reports:  iText 7 or Apache PDFBox (Java, battle-tested)
Email:        Jakarta Mail / Resend.com REST API
Hosting:      Hetzner Cloud VPS (German DC, GDPR, €5-20/month)
              — TrueNAS.local Docker for dev/staging
CI/CD:        Gitea Actions → Hetzner (Maven build pipeline)
Monitoring:   Sentry Java SDK (free tier)

Why this stack:

  • Spring Boot + JPA = Patrick's natural habitat — fastest possible iteration on the backend
  • PrimeFaces MVP = zero new tools, ship in weeks not months
  • PostgreSQL + Flyway = production-grade, schema migrations Patrick knows from JPA patterns
  • Hetzner = German hosting, cheap, GDPR-compliant by design
  • Stripe Java SDK = mature, handles EU VAT + subscription billing
  • iText/PDFBox = Java-native PDF generation for compliance reports (no Python dependency)

5.4 Architecture Overview

┌─────────────────────────────────────────────────────────┐
│                  CannaManage Platform                    │
│                                                         │
│  ┌─────────────────┐    ┌────────────────────────────┐  │
│  │  Admin Portal   │    │     Member Portal          │  │
│  │ PrimeFaces/JSF  │    │   PrimeFaces/JSF (MVP)     │  │
│  │ Next.js (v2+)   │    │   Next.js/React (v2+)      │  │
│  │  - Club setup   │    │  - Login (club-issued)     │  │
│  │  - Member mgmt  │    │  - Stock view              │  │
│  │  - Distribution │    │  - My quota / history      │  │
│  │  - Compliance   │    │  - Request pickup          │  │
│  └────────┬────────┘    └──────────┬─────────────────┘  │
│           │                        │                     │
│           └───────────┬────────────┘                    │
│                       ↓                                 │
│     ┌───────────────────────────────────────┐           │
│     │  Spring Boot 3.x Backend (Java 21)    │           │
│     │  - REST API (Spring MVC)              │           │
│     │  - JPA/Hibernate entities             │           │
│     │  - Business logic + compliance rules  │           │
│     │  - PDF report generation (iText 7)    │           │
│     │  - Spring Security + JWT              │           │
│     └──────────────────┬────────────────────┘           │
│                        ↓                                │
│            ┌─────────────────────┐                      │
│            │     PostgreSQL       │                      │
│            │  - Multi-tenant      │                      │
│            │  (tenant_id on all   │                      │
│            │   JPA entities)      │                      │
│            │  - Flyway migrations │                      │
│            └─────────────────────┘                      │
│                                                         │
│  ┌──────────────────────────────────────────────────┐   │
│  │  Stripe Java SDK        │   Email (Jakarta Mail) │   │
│  │  (subscription billing) │   (notifications)      │   │
│  └──────────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────────┘

5.5 New Skills Needed — Revised Learning Path

Skill Priority Patrick's Starting Point Resource
Spring Boot 3.x REST 🟡 Medium Knows Jakarta EE — similar model spring.io/guides
Spring Security + JWT 🟡 Medium Security concepts from JEE Baeldung tutorials
Flyway migrations 🟡 Medium Knows JPA schema generation flyway.io/docs
Stripe Java SDK 🟡 High Knows REST from Java stripe.com/docs/billing
Next.js / React 🔴 For v2+ Zero JS framework experience nextjs.org/learn (free)
Docker + Compose 🟡 Medium Comfortable with Docker basics Hetzner deploy guides
German DSGVO practical 🔴 Critical Basic awareness Legal counsel + AVV templates

Pragmatic MVP path: Use PrimeFaces (Patrick knows it cold) → ship MVP → earn first revenue → invest time in Next.js for v2.

6. Go-To-Market Strategy

6.1 Phase 0 — Build & Validate (Private Beta)

Goal: Working MVP, 3-5 beta clubs, collect real feedback

Actions:

  • Join German cannabis clubs online community (Telegram groups, Reddit r/cannabisde)
  • Find 3-5 club admins willing to test for free
  • Build MVP focused on distribution tracking + compliance reports (the biggest pain)
  • Do NOT launch publicly until legally reviewed

Where to find early adopters:

  • Hanfverband Deutschland (German Hemp Association) — they represent clubs
  • Online forums: Rollitup.de German section, GreenPassion.de
  • Local cannabis clubs in your area
  • LinkedIn outreach to CSC founders

6.2 Phase 1 — Soft Launch (€0 → First €1K MRR)

Target: 30+ paying clubs, Basic plan minimum

Channels (all B2B, no cannabis advertising):

  • Word of mouth between club admins (community is small and tight-knit)
  • Content marketing: blog posts about "how to manage CanG compliance" (targets club admins searching for help)
  • Partner with lawyers advising clubs (they refer clients)
  • Hanfverband newsletter mention (not advertising — editorial content about compliance tools)
  • LinkedIn / XING posts targeted to "Vereinsvorstand" / "Vereinsgründer" keywords

6.3 Phase 2 — Growth (€1K → €10K MRR)

  • Referral program (clubs refer other clubs for free months)
  • German startup press (Gründerszene, t3n)
  • Templates marketplace (Satzungen, Jugendschutzkonzepte)
  • Webinar series for Präventionsbeauftragte

7. Business Structure & Risk

7.1 Legal Entity

Recommendation: Register as a Gewerbetreibender / Einzelunternehmen first (simplest), then transition to GmbH when revenue exceeds €50K/year.

  • No special license needed to sell software to cannabis clubs
  • You are NOT a cannabis business — you sell management software
  • Standard software VAT applies (19% German USt)

7.2 Banking & Payments

  • DO NOT describe your business as "cannabis software" to banks
  • Describe it as: "Vereinsverwaltungs-Software" (club management software)
  • Stripe works fine for compliance software — they block cannabis sales, not software for cannabis-adjacent industries
  • Open a separate business account early (Kontist, Finom, or Deutsche Bank business)

7.3 Exit Scenarios

Scenario When Valuation Range
Keep as passive income Year 2+ at €5K MRR N/A
Sell to larger SaaS player Year 3+ at €20K MRR 3-5× ARR (~€720K-1.2M)
Raise seed funding Year 2 with 200+ clubs €500K-€2M round
Pivot to EU expansion Year 3 Same platform, localised

8. Development Roadmap

Phase 0 — Foundation (Weeks 1-8, solo)

  • Set up Spring Boot 3.x project (Maven, JPA/Hibernate, PostgreSQL, Flyway)
  • Design JPA entities: Club, Member, Distribution, Strain, Batch (multi-tenant via tenant_id)
  • Build core REST API (member CRUD, distribution log)
  • Build admin portal with PrimeFaces (Patrick already knows this)
  • Distribution limit enforcement logic (25g/day, 50g/month, 30g/month under-21)
  • Simple PDF compliance report export (iText 7)
  • Spring Security + JWT auth (club admin login)
  • Deploy to Hetzner VPS (Docker Compose)

Phase 1 — MVP (Weeks 9-16)

  • Member portal (PrimeFaces, login with club-issued creds, quota view, stock view)
  • Stock management module (strains, batches, quantities)
  • Contamination batch recall feature
  • Stripe Java SDK integration (subscription billing)
  • DSGVO: privacy policy, data processing agreement (AVV), cookie consent
  • Beta launch with 5 clubs (free, feedback-only)

Phase 2 — Launch (Months 5-8)

  • Payment flows live (Stripe webhooks, subscription lifecycle)
  • Email notification system (Jakarta Mail / Resend API)
  • Marketing site (cannamanage.de — example name, separate Next.js landing page)
  • Legal review of terms, privacy, advertising compliance
  • Formal soft launch to club community
  • First paying customers

Phase 3 — Growth (Months 9-18)

  • Frontend migration: PrimeFaces → Next.js/React (when revenue justifies it)
  • Mobile-optimised (PWA)
  • Legal template marketplace (Satzungen, Jugendschutzkonzepte)
  • Referral program
  • Webinar series for Präventionsbeauftragte
  • Hire first part-time support person

9. Honest Assessment — Strengths & Weaknesses

Strengths

  • First mover advantage — nobody is doing this well yet
  • Regulatory moat — the compliance burden creates permanent demand
  • B2B SaaS — predictable recurring revenue
  • Patrick's Java expertise — Spring Boot + JPA = fastest possible backend iteration (this is his daily tool at ADP)
  • PrimeFaces knowledge — built a full shop UI from scratch; zero learning curve for MVP frontend
  • Low competition — niche market overlooked by big players
  • Low infra cost — Hetzner VPS €5-20/month, manageable

Weaknesses / Challenges ⚠️

  • Modern frontend gap — Next.js/React must eventually be learned for v2 polish (deferred, not blocking)
  • Market is young — clubs are still forming, slow regulatory licensing in some Länder
  • Political risk — new German government could tighten the law
  • Churn risk — if a club closes, subscription ends immediately
  • Payment friction — some processors are cannabis-adjacent-averse (mitigated by correct positioning)
  • Two-sided attention — building while working full-time at ADP is slow (nights/weekends)
  • Spring Boot learning curve — Patrick knows Jakarta EE / JEE; Spring Boot 3.x is adjacent but not identical

The Honest Path

This is a 18-24 month project to meaningful passive income:

  • Months 1-3: Spring Boot setup + PrimeFaces MVP (using existing Java knowledge — fast!)
  • Months 4-6: Beta with 5 clubs, Stripe integration, DSGVO compliance
  • Months 7-12: Paid launch, first 30-50 paying clubs
  • Year 2+: €5-10K MRR is realistic, genuine passive with <10h/week

10. Immediate Next Steps

  1. Join 2-3 German cannabis club communities (Telegram, Reddit) — listen, don't sell yet
  2. Start Next.js tutorial (nextjs.org/learn) — 1 hour/day, 4 weeks
  3. Create a Supabase project — explore multi-tenancy with Row Level Security
  4. Set up the project repo (pi_mcps/cannamanage or separate Gitea repo)
  5. Talk to 3 club admins — validate the pain before writing a line of code
  6. Get a legal opinion (€300-500 from a cannabis law specialist — worth it before launch)

Appendix: Key CanG References

Provision Content
§2 CanG Definitions — Anbauvereinigung, Mitglied
§§15-26 CanG Anbauvereinigungen — formation, rights, obligations
§22 CanG Distribution limits (25g/day, 50g/month)
§23 CanG Under-21 restrictions (30g/month, 10% THC)
§§6-7 CanG Advertising and sponsoring ban
§26 CanG Documentation and reporting obligations
§27 CanG Prevention officer requirements

Plan created: 2026-04-04 | Next review: 2026-05-01 | Status: Awaiting Patrick's approval

Reference in New Issue View Git Blame Copy Permalink