
Privacy Policy
Version 2026-05-18 · GDPR · UK GDPR · CCPA/CPRA · PIPEDA · BC PIPA
This Privacy Policy explains how 1585113 B.C. Ltd. (doing business as “4Planet”, “we”, “us”, or “our”) handles personal information when you use https://4planet.io, our partner and charity dashboards, our public APIs, our embedded conservation widgets installed on third-party stores, and any related services (collectively, the “Service”). It applies to visitors, registered account holders (partners, charities, donors), and end-users of partner stores that have installed our widgets.
1. Who We Are
1585113 B.C. Ltd. is a corporation incorporated under the laws of British Columbia, Canada, and is the data controller for personal information processed in connection with the Service, except where this Policy states otherwise (for example, Section 13 regarding embedded widgets on partner stores).
1585113 B.C. Ltd. (DBA 4Planet)587 Curtis Rd, Kelowna, BC V1V 2G6, Canada
Privacy contact: privacy@4planet.io
Our representative for privacy inquiries is reachable at the address and email above. We have not appointed an EU/UK Article 27 representative; if our EU/UK user base grows materially, we will do so and update this Policy.
2. Scope
This Policy covers personal information we collect from and about: (a) visitors to 4planet.io; (b) registered users of our dashboards (partner, charity, donor, admin); (c) end-users of partner stores who interact with our embedded widgets; and (d) people who contact us, apply for partnerships, or submit reports. It does not cover information collected directly by third-party services that you access through their own interfaces (their own privacy policies apply).
3. Information We Collect
We collect only the personal information we need to operate the Service. The categories of information we may collect are:
- Account information. Name, email, password hash, role (partner/charity/admin), organization name, profile photo, communication preferences. Provided by you at signup or in account settings.
- Transactional and payment information. When you start a paid subscription or make a donation, our payment processor (Stripe) collects your payment method. We receive transaction metadata (amount, currency, timestamp, last four digits, payment-method type, Stripe customer / account identifiers). We do not store full card numbers.
- Widget visitor information. When you interact with a 4Planet-powered widget on a partner store, we receive: the partner store identifier, an opaque visitor identifier (cookie or local storage), interaction events (impressions, clicks, donations), and basic technical metadata (page URL, user agent, approximate region from IP).
- Usage and analytics information. Pages viewed, features used, referring URLs, device and browser information, approximate location derived from IP (subject to your cookie preferences).
- Communications. Messages you send us (support, contact form, abuse / DMCA reports), and any attachments.
- Content you submit. Charity profile content, mission descriptions, blog posts, comments, and uploaded media. See our Terms of Service for how this user-generated content is licensed.
- Information from third parties. Where you sign in via a third-party identity provider, that provider may share basic profile information with us. Partners may share information about you in the course of administering their accounts.
We do not knowingly collect sensitive personal information (as defined under GDPR Article 9 or CCPA/CPRA §1798.140(ae)) and ask that you do not provide it.
4. How We Use Information — and Our Lawful Basis
Under the EU/UK General Data Protection Regulation, every processing activity must rest on a specific lawful basis. Under the Canadian PIPEDA and BC PIPA, processing must be for a purpose a reasonable person would consider appropriate and supported by consent unless an exception applies. We use personal information as follows:
- To deliver the Service (account creation, authentication, dashboards, widgets, donations, transactional emails). Lawful basis: performance of a contract (GDPR Art. 6(1)(b)); reasonable purpose with implied consent (PIPEDA/PIPA).
- To process payments and issue tax receipts via Stripe and our accounting systems. Lawful basis: contract performance (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)) for tax and anti-money-laundering record keeping.
- To prevent fraud and abuse and to enforce our Terms. Lawful basis: legitimate interests (Art. 6(1)(f)) — specifically, protecting users, partners, and the Service from harm.
- To analyze usage and improve the Service via aggregated analytics (PostHog, Vercel Analytics) once you have consented through our cookie banner. Lawful basis: consent (Art. 6(1)(a)); express consent under PIPEDA / PIPA.
- To communicate with you — service announcements, security notices, replies to inquiries. Marketing emails require separate opt-in. Lawful basis: contract performance for service messages; consent for marketing.
- To comply with law — responding to lawful requests, enforcing court orders, and meeting regulatory record-keeping requirements. Lawful basis: legal obligation (Art. 6(1)(c)).
5. Sharing and Sub-Processors
We do not sell personal information. We do not “share” personal information for cross-context behavioural advertising as those terms are defined under CCPA/CPRA. We do disclose personal information to the following categories of service providers (sub-processors) under written data-processing terms:
| Sub-processor | Purpose | Region |
|---|---|---|
| Supabase | Database, authentication, file storage | US / EU |
| Vercel | Application hosting, edge CDN, analytics | Global |
| Stripe / Stripe Connect | Payments, subscriptions, donor disbursements | US |
| PostHog | Product analytics (consent-gated) | EU / US |
| Sentry | Error monitoring (PII scrubbed) | US |
| Resend | Transactional email delivery | US |
| AgentMail | Test inbound mail (non-production) | US |
| Inngest / Vercel Workflow | Background job orchestration | US |
| Google Cloud (Gemini, Veo) | AI generation of brand assets and mascots | US |
| Unsplash | Photography sourcing | US |
| Shopify | Partner-side store integration for widgets | Global |
A current sub-processor register is maintained in our internal documentation. We notify partners under contract of material changes to this list. Beyond sub-processors, we may disclose personal information: (a) to law enforcement and government authorities when required by valid legal process; (b) in connection with a corporate transaction (merger, acquisition, asset sale) where successor obligations continue this Policy; (c) to professional advisors (legal, accounting) subject to confidentiality.
6. International Data Transfers
We are based in Canada and use service providers located in the United States, the European Union, and other jurisdictions. When personal information of EU, UK, or Swiss data subjects is transferred outside those regions, we rely on:
- Canada’s adequacy decision under GDPR (Commission Decision 2002/2/EC) for transfers from the EU to Canada;
- The European Commission’s Standard Contractual Clauses (Module 2 or 3 as appropriate), supplemented by the UK Addendum where applicable;
- Provider-specific safeguards (e.g., participation in the EU–US Data Privacy Framework where the provider is certified).
Under BC PIPA, personal information of BC residents may be processed outside Canada by our service providers; we use providers with comparable protections and contractual safeguards.
7. How Long We Keep Information
We retain personal information only as long as necessary for the purpose we collected it, or as required by law:
- Account records: for the life of the account, plus up to 90 days after closure for de-provisioning.
- Financial and tax records: seven (7) years (Canada Revenue Agency requirement).
- Donation receipts: seven (7) years.
- Analytics events: up to two (2) years.
- Support tickets: up to five (5) years.
- Widget visitor events: up to two (2) years in identifiable form, then aggregated.
- Backups: up to ninety (90) days after deletion from primary stores.
8. Your Rights
Depending on where you live, you have rights with respect to your personal information. Some of these rights overlap. To exercise any of them, email privacy@4planet.io or use the self-serve controls in your account settings under Settings → Privacy. We will respond within 30 days (GDPR) or 45 days (CCPA), and may extend once where the request is complex, with notice.
Rights under GDPR / UK GDPR
- Right of access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure / “to be forgotten” (Art. 17)
- Right to restriction of processing (Art. 18)
- Right to data portability (Art. 20)
- Right to object to processing, including profiling (Art. 21)
- Right to withdraw consent at any time (Art. 7(3))
- Right to lodge a complaint with your local supervisory authority (Art. 77)
Rights under CCPA / CPRA (California)
- Right to know what personal information we collect and how we use it
- Right to delete personal information
- Right to correct inaccurate personal information
- Right to limit use and disclosure of sensitive personal information (we do not intentionally collect sensitive PI)
- Right to opt out of sale or sharing — we do not sell or share personal information as defined under CCPA/CPRA; no opt-out is required, but you may still submit one
- Right of non-discrimination for exercising any of the above
Rights under PIPEDA / BC PIPA (Canada)
- Right of access to your personal information
- Right to challenge accuracy and request correction
- Right to withdraw consent (subject to legal or contractual restrictions)
- Right to complain to the Office of the Privacy Commissioner of Canada or the BC Office of the Information and Privacy Commissioner
We verify requests against the requesting account’s authentication. We do not require excessive identity documentation. Where a request cannot be granted (for example, retention required by tax law), we will explain why.
9. Cookies and Similar Technologies
We use strictly necessary cookies to operate the Service and, with your consent, analytics and performance cookies. See our Cookie Policy for the full list of cookies, their purposes, and how to manage your choices. You can change your choices at any time via the “Manage cookies” link in the footer (where available) or by clearing your browser cookies.
10. Children
The Service is not directed to children under the age of 16, and we do not knowingly collect personal information from anyone under 16 without verifiable parental consent. If you believe we have inadvertently collected information from a child, please contact privacy@4planet.io and we will delete it promptly. This Section is aligned with COPPA (US), Article 8 GDPR, and PIPEDA guidance on children’s consent.
11. Security
We use industry-standard administrative, technical, and physical safeguards, including TLS encryption in transit, encryption at rest, row-level security on our database, scoped service accounts, PII scrubbing in error monitoring, and routine security review. No system is perfectly secure; we ask that you use a strong, unique password and notify us promptly of any suspected compromise. See our Security page for additional information.
12. AI-Generated Content
We use Google’s generative AI services (Gemini, Veo) to create certain brand and mascot assets that appear on the Service. These assets are generated from prompts written by our team; we do not use your personal information to train third-party AI models. Where AI-generated content is presented in user-facing contexts, we label it as such consistent with Article 50 of the EU AI Act.
13. Embedded Widget Addendum
When a partner installs a 4Planet widget on their store (for example, on a Shopify storefront), visitor interactions with the widget are processed jointly: the partner determines the placement and context of the widget on their site, and 4Planet operates the widget service. For the limited personal information captured by the widget (interaction events, opaque identifiers, technical metadata):
- The partner is the controller for the underlying customer relationship and for the privacy disclosures presented to their store visitors.
- 4Planet acts as a processor of widget event data on behalf of the partner, under our Data Processing Agreement, and as an independent controller for aggregated analytics used to improve the Service.
- Visitors who interact with a 4Planet widget may exercise the rights described in Section 8 by contacting either the partner or 4Planet at privacy@4planet.io.
14. Changes to This Policy
We may update this Policy from time to time. For material changes that affect how we use your personal information, we will provide at least 30 days’ notice through the Service, by email to account holders, or both, before the change takes effect. The “Last Updated” date and version stamp at the top of this page indicate when the Policy was last revised. Prior versions are available on request.
15. Contact Us
Privacy inquiries, data-subject requests, and complaints:
1585113 B.C. Ltd. (DBA 4Planet)Attention: Privacy
587 Curtis Rd, Kelowna, BC V1V 2G6, Canada
Email: privacy@4planet.io