- 11 wiki pages: CannaManage-Home + 01-10 covering full Phase 0 docs - 5 mockup images in docs/wiki/images/ - Updated _Sidebar.md with CannaManage section
CannaManage — Project Charter
Author: Patrick Plate
Date: 2026-04-06
Version: 1.0
Status: Draft for Review
1. Executive Summary
Vision Statement
CannaManage is the compliance backbone for German cannabis social clubs — purpose-built to turn a legally mandated administrative burden into a manageable, auditable, and digitised workflow.
The Problem
Germany's Konsumcannabisgesetz (CanG), in force since April 1, 2024, legalised cannabis for personal use and established a framework for Anbauvereinigungen (cannabis social clubs / CSCs). Every operating CSC faces mandatory, recurring compliance obligations:
- Track every distribution (recipient, strain, weight, date/time) — by law
- Enforce quantity limits per member (50g/month for adults, 30g/month for under-21, 25g/day)
- Maintain batch-level contamination traceability
- Produce periodic authority reports
- Designate and track a Prevention Officer (Präventionsbeauftragter)
- Manage member data under DSGVO
Clubs currently manage this with Excel spreadsheets, pen-and-paper logs, and WhatsApp groups — creating legal risk, audit gaps, and administrative chaos.
Why Now
The market is less than two years old. No purpose-built software tooling exists for German CSCs. The window to establish market leadership is 2026–2027 before larger players notice the niche. First-mover advantage combined with the permanent regulatory moat from CanG compliance requirements makes this the right moment.
What We Are Building
A multi-tenant B2B SaaS platform offering:
- Club admin portal (member management, distribution logging, stock management, compliance reporting)
- Member portal (personal quota, distribution history, stock visibility)
- Built-in CanG compliance enforcement and export tooling
We are selling compliance management software to licensed, regulated entities. We are not in the cannabis business.
2. Project Scope
2.1 In Scope — MVP v1
| Area | Features Included |
|---|---|
| Onboarding | Club registration, setup wizard, admin account creation |
| Member Management | Add/remove members, age verification (18+, 18–21 restricted), contact data |
| Distribution Tracking | Log each handout (member, strain, weight, date/time); enforce daily/monthly limits |
| Limit Enforcement | 25g/day cap, 50g/month (adult), 30g/month (under-21), 10% THC flag |
| Stock Management | Strains, batch tracking, quantity levels |
| Admin Dashboard | Club-level totals: members, distributions this month, stock levels |
| Compliance Exports | Monthly distribution report (PDF + CSV), member list export for inspections |
| Contamination Recall | Flag a batch; system lists all members who received from it |
| Prevention Officer | Store officer contact info and designation date |
| Member Portal | Login with club-issued credentials; view quota, distribution history, stock availability |
| Authentication | Spring Security + JWT; role-based (ADMIN, MEMBER) |
| Hosting | Hetzner VPS (German DC), Docker Compose, PostgreSQL + Flyway |
2.2 Explicitly Out of Scope — MVP v1
| Feature | Reason Excluded |
|---|---|
| Public club discovery / "find clubs near you" | Illegal under CanG §§6–7 advertising ban |
| Cannabis e-commerce or payment for cannabis | Illegal; violates positioning |
| Non-EU data storage (AWS us-east, etc.) | DSGVO violation |
| Stripe subscription billing | Deferred to Phase 1 (Weeks 9–16) |
| Email/SMS notifications | v2 feature |
| Mobile native app (Android/iOS) | v2/v3 feature |
| Multi-location club support | v3 feature |
| Legal template marketplace | v3 feature |
| Next.js/React frontend | v2 migration after revenue justifies investment |
| Authority portal integrations | v3 feature (portals don't exist yet) |
3. Stakeholders
| Role | Description | Needs |
|---|---|---|
| Club Admin (primary user) | Vereinsvorstand or designated manager; runs day-to-day club operations | Compliant distribution logging, member management, authority-ready exports |
| Club Member (secondary user) | Verified adult member of the Anbauvereinigung | Self-service quota visibility, distribution history, stock availability |
| Prevention Officer (Präventionsbeauftragter, tertiary user) | Legally required role; may or may not be the admin | Contact info tracked in system; receives relevant reports |
| Patrick Plate (developer & product owner) | Solo developer; nights/weekends; ADP Germany full-time | Minimal learning overhead; fast path to first revenue; legally sound product |
4. Success Criteria
MVP is considered complete when all of the following are true:
| # | Criterion | Measure |
|---|---|---|
| 1 | Core compliance loop working | Admin can log a distribution → system enforces limits → admin exports PDF report for authorities |
| 2 | Multi-tenant isolation | Two clubs' data are completely isolated — no cross-tenant data leakage |
| 3 | Member portal live | Member can log in with club-issued credentials and view their quota + history |
| 4 | Contamination recall functional | Admin flags a batch; system returns full recipient list in < 2 seconds |
| 5 | Deployment stable | Platform runs on Hetzner VPS via Docker Compose with uptime ≥ 99% over 30-day beta |
| 6 | Beta validation | 3–5 real club admins have used the system and provided written feedback |
| 7 | Legal review passed | No features violate CanG advertising ban; DSGVO AVV in place before any live data |
| 8 | Zero PII on non-EU infrastructure | All data confirmed to reside in Hetzner DE datacenter |
5. Constraints & Assumptions
Constraints
| Type | Constraint |
|---|---|
| Legal | CanG §§6–7 imposes a total advertising and sponsoring ban on cannabis AND Anbauvereinigungen — no public club discovery feature, ever |
| Legal | DSGVO requires EU hosting, data processing agreements (AVV), member data export/deletion capability |
| Technical (MVP) | Frontend is PrimeFaces + JSF — Patrick's existing expertise; no new framework learning in Phase 0 |
| Technical | Multi-tenancy via tenant_id on all JPA entities — no row-level security shortcuts |
| Team | Solo developer — Patrick; nights and weekends only; full-time at ADP Germany |
| Timeline | Phase 0 target: 8 weeks; Phase 1 target: 16 weeks total from project start |
| Budget | Infrastructure: Hetzner €5–20/month; no team salary cost |
Assumptions
- German CSCs are willing to pay €29–€79/month for compliance software
- Stripe will process subscriptions for compliance software (not cannabis sales) without restriction
- Spring Boot 3.x is sufficiently adjacent to Patrick's Jakarta EE expertise to use without major ramp-up
- PrimeFaces MVP is sufficient for beta validation — UI polish deferred to v2
- CanG remains in force and CSC licensing continues in all major Bundesländer
6. Risk Register
| Risk | Probability | Impact | Mitigation |
|---|---|---|---|
| Advertising ban reinterpreted to include B2B SaaS | Low | High | Obtain legal opinion from cannabis law specialist before launch (€300–500); strict no-discovery design enforced at architecture level |
| New German government rolls back or tightens CanG | Medium | High | Modular architecture — compliance-only features can be extracted and pivoted to a general club management tool |
| Stripe blocks cannabis-adjacent businesses | Medium | High | Position as "Vereinsverwaltungs-Software" (club management software); never process cannabis payments; test with Stripe before public launch |
| Clubs fail / licenses revoked | Medium | Medium | Diversified customer base; per-month billing (easy cancellation); no annual lock-in required for MVP |
| DSGVO violation | Low | Very High | EU-only hosting (Hetzner DE), DPA/AVV agreements before any live data, DSGVO-compliant privacy policy in German, member data export/deletion API from day one |
7. Budget & Resources
| Item | Cost | Notes |
|---|---|---|
| Development | €0 (Patrick's time) | Nights/weekends; valued at opportunity cost only |
| Infrastructure — Hetzner VPS | €5–20/month | German DC; scales with load |
| Infrastructure — PostgreSQL | €0 (self-hosted on VPS) | Managed DB upgrade available when needed |
| Legal opinion | €300–500 (one-time) | Cannabis law specialist; pre-launch requirement |
| Domain (cannamanage.de) | ~€15/year | To be registered |
| Stripe fees | 1.4% + €0.25 per transaction | EU cards; only on paid subscriptions |
| Email (Resend / Jakarta Mail) | €0–10/month | Resend free tier for low volume |
| Sentry monitoring | €0 (free tier) | Error tracking; Java SDK |
| Total pre-launch | ~€600–700 | Including legal opinion |
8. Timeline Overview
```mermaid
gantt
    title CannaManage Development Roadmap
    dateFormat YYYY-MM-DD
    axisFormat %b %Y
    section Phase 0 — Foundation
    Spring Boot setup + JPA entities :p0a, 2026-04-07, 2w
    Core REST API (member, distribution) :p0b, after p0a, 2w
    Admin portal PrimeFaces :p0c, after p0b, 2w
    Limit enforcement + PDF report :p0d, after p0c, 2w
    section Phase 1 — MVP
    Member portal :p1a, after p0d, 2w
    Stock management + contamination recall :p1b, after p1a, 2w
    Stripe billing integration :p1c, after p1b, 2w
    DSGVO + beta launch (5 clubs) :p1d, after p1c, 2w
    section Phase 2 — Launch
    Payment flows + email notifications :p2a, after p1d, 4w
    Marketing site + legal review :p2b, after p2a, 4w
    Soft launch to club community :milestone, after p2b, 0d
    section Phase 3 — Growth
    PrimeFaces → Next.js migration :p3a, 2026-12-01, 8w
    PWA mobile :p3b, after p3a, 4w
    Template marketplace + referral :p3c, after p3b, 8w
```
9. Legal Framework
Key CanG Provisions
| Provision | Content | Product Implication |
|---|---|---|
| §2 CanG | Definitions — Anbauvereinigung, Mitglied | Data model must align with statutory definitions of club and member |
| §§15–26 CanG | Anbauvereinigungen — formation, rights, obligations | Club registration flow must capture legally required club attributes |
| §22 CanG | Distribution limits: 25g/day, 50g/month per adult member | Hard enforcement in distribution service; cannot be overridden by admin |
| §23 CanG | Under-21 restrictions: 30g/month max, max 10% THC | Age flag on member entity; separate limit enforcement path for restricted category |
| §§6–7 CanG | Total advertising and sponsoring ban for cannabis and Anbauvereinigungen | No public club discovery. No stock visible to non-members. No club listings. Architecture constraint. |
| §26 CanG | Documentation and reporting obligations | Compliance export module is a legal requirement, not an optional feature |
| §27 CanG | Prevention officer requirements | Prevention officer fields mandatory in club setup; not optional |
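The §22/§23 rows above call for hard limit enforcement with a separate path for the restricted age category. The following is an added sketch of that check, not code from the CannaManage repository: the `Handout` record, the rule names, the calendar-month window and the "age below 21 on the handout date" test are assumptions made for illustration, and the sample history is constructed.

```java
import java.math.BigDecimal;
import java.time.*;
import java.util.*;

public class DistributionLimitCheck {
    // Limits exactly as stated in the charter; every name in this class is hypothetical.
    static final BigDecimal DAILY_G = new BigDecimal("25");
    static final BigDecimal MONTHLY_ADULT_G = new BigDecimal("50");
    static final BigDecimal MONTHLY_U21_G = new BigDecimal("30");
    static final BigDecimal U21_MAX_THC_PCT = new BigDecimal("10");

    record Handout(UUID tenantId, UUID memberId, LocalDate date, BigDecimal grams, BigDecimal thcPct) {}

    /** Returns the violated rules; empty means the handout may be logged. There is no role parameter, so no admin override. */
    static List<String> violations(Handout req, LocalDate birthDate, List<Handout> history) {
        boolean under21 = Period.between(birthDate, req.date()).getYears() < 21; // assumed definition
        YearMonth month = YearMonth.from(req.date());                            // assumed calendar-month window
        BigDecimal day = req.grams(), mon = req.grams();
        for (Handout h : history) {
            // Scope by tenant AND member: rows belonging to another club must never be counted.
            if (!h.tenantId().equals(req.tenantId()) || !h.memberId().equals(req.memberId())) continue;
            if (h.date().equals(req.date())) day = day.add(h.grams());
            if (YearMonth.from(h.date()).equals(month)) mon = mon.add(h.grams());
        }
        List<String> out = new ArrayList<>();
        if (req.grams().signum() <= 0) out.add("INVALID_WEIGHT"); // negative entries would reduce the running total
        if (day.compareTo(DAILY_G) > 0) out.add("DAILY_LIMIT");
        if (mon.compareTo(under21 ? MONTHLY_U21_G : MONTHLY_ADULT_G) > 0) out.add("MONTHLY_LIMIT");
        if (under21 && req.thcPct().compareTo(U21_MAX_THC_PCT) > 0) out.add("U21_THC_LIMIT");
        return out;
    }

    public static void main(String[] args) {
        UUID club = UUID.randomUUID(), otherClub = UUID.randomUUID(), member = UUID.randomUUID();
        LocalDate today = LocalDate.of(2026, 4, 20);
        // Constructed history: 20 g earlier this month, plus a foreign-tenant row that must be ignored.
        List<Handout> history = List.of(
            new Handout(club, member, LocalDate.of(2026, 4, 3), new BigDecimal("20"), new BigDecimal("8")),
            new Handout(otherClub, member, today, new BigDecimal("25"), new BigDecimal("8")));
        Handout req = new Handout(club, member, today, new BigDecimal("15"), new BigDecimal("12"));
        System.out.println("adult member:    " + violations(req, LocalDate.of(2000, 1, 1), history));
        System.out.println("under-21 member: " + violations(req, LocalDate.of(2006, 1, 1), history));
    }
}
```

In a service, this check and the insert of the new row would need to run in the same database transaction so that two concurrent handouts for one member cannot both pass.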
DSGVO Obligations
- All personal data stored on EU infrastructure (Hetzner DE)
- Data processing agreement (AVV) required with each club before live data entry
- Member data export endpoint required (Art. 20 DSGVO — data portability)
- Member data deletion endpoint required (Art. 17 DSGVO — right to erasure)
- Privacy policy in German, DSGVO-compliant, published before launch
10. Sign-Off
| Role | Name | Date |
|---|---|---|
| Project Sponsor | Patrick Plate | 2026-04-06 |
| Lead Developer | Patrick Plate | 2026-04-06 |
| Product Owner | Patrick Plate | 2026-04-06 |
Next review date: 2026-05-01 | Source: STRATEGY.md