
Privacy Policy
PIPEDA & GDPR Compliant
Legal Review Required
This document requires review by legal counsel to ensure full PIPEDA compliance. The content below is a template structure.
Your trust is the foundation of everything we do at 4Planet. This Privacy Policy explains clearly and honestly how we handle your personal information — because conservation starts with integrity, and that includes how we treat your data.
1. Introduction
4Planet ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform and services.
This policy is designed to comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and other applicable Canadian privacy laws.
2. Information We Collect
2.1 Personal Information
We may collect the following types of personal information:
- Name and contact information (email address, phone number)
- Account credentials and authentication information
- Payment and billing information (processed through secure third-party processors)
- Verification and transaction history
- Communication preferences
2.2 Automatically Collected Information
When you use our Service, we may automatically collect:
- Device information (IP address, browser type, operating system)
- Usage data (pages visited, features used, time spent)
- Location data (general location based on IP address)
- Cookies and similar tracking technologies
3. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve our services
- Process verifications and donations
- Generate and deliver tax receipts
- Communicate with you about your account and our services
- Send you updates about conservation projects and impact
- Detect, prevent, and address technical issues and security threats
- Comply with legal obligations and enforce our terms
4. Information Sharing and Disclosure
We do not sell your personal information. We may share your information only in the following circumstances:
- With Charities: When you verify a product that supports a charity, we share necessary information (donation amount, date) for tax receipt generation
- With Partners: Aggregated, anonymized data may be shared with partners for impact reporting
- Service Providers: We may share information with trusted third-party service providers who assist in operating our platform
- Legal Requirements: When required by law or to protect our rights and safety
- Business Transfers: In connection with a merger, acquisition, or sale of assets
5. Data Security
We implement appropriate technical and organizational measures to protect your personal information, including:
- 256-bit AES encryption for data in transit and at rest
- Secure data centers with physical and digital security measures
- Regular security audits and vulnerability assessments
- Access controls and authentication requirements
- Employee training on data protection
6. Your Rights (PIPEDA)
Under PIPEDA, you have the right to:
- Access: Request access to your personal information we hold
- Correction: Request correction of inaccurate or incomplete information
- Withdrawal of Consent: Withdraw consent for certain uses of your information
- Complaint: File a complaint with the Privacy Commissioner of Canada
To exercise these rights, please contact us at privacy@4planet.io.
7. Data Retention
We retain your personal information only as long as necessary to fulfill the purposes outlined in this policy, unless a longer retention period is required or permitted by law. Tax receipt information is retained as required by CRA regulations.
8. Cookies and Tracking Technologies
We use cookies and similar technologies to enhance your experience and analyse usage. Non-essential cookies (analytics, performance, error tracking) are only set after you give explicit consent via our cookie banner.
For a full list of cookies we use, their purposes, and how to manage them, see our Cookie Policy.
9. Children's Privacy
Our Service is not intended for children under the age of 13. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.
10. International Data Transfers
Your information may be transferred to and processed in countries other than Canada. We rely on the following safeguards for international transfers:
- Standard Contractual Clauses (SCCs): Our key processors — Vercel (hosting), Supabase (database), and Sentry (error tracking) — operate under EU-approved SCCs for transfers to the United States.
- EU-hosted analytics: PostHog analytics data is processed on EU servers (eu.i.posthog.com) and does not leave the European Economic Area.
- Adequacy decisions: Canada has an EU adequacy decision for commercial organisations subject to PIPEDA.
11. Your Rights Under EU/GDPR
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR) and equivalent laws:
- Right of Access (Art. 15): Request a copy of all personal data we hold about you. Submit via your account Privacy Settings or email privacy@4planet.io.
- Right to Rectification (Art. 16): Request correction of inaccurate or incomplete information. Available via Dashboard → Settings → Profile.
- Right to Erasure / Right to be Forgotten (Art. 17): Request deletion of your personal data where no legal retention obligation applies. Financial records are retained as required by Canadian tax law (CRA) but anonymised so they cannot identify you.
- Right to Restrict Processing (Art. 18): Request that we limit how we process your data while a dispute is resolved.
- Right to Data Portability (Art. 20): Receive your personal data in a structured, machine-readable format (JSON). Available via Dashboard → Settings → Privacy → Export My Data.
- Right to Object (Art. 21): Object to processing based on legitimate interests, including direct marketing. You may withdraw analytics consent at any time via your Privacy Settings.
- Rights Related to Automated Decision-Making (Art. 22): We do not make solely automated decisions that significantly affect you. Sanctions screening results are reviewed by a human compliance team before any account action is taken.
To exercise any of these rights, contact us at privacy@4planet.io. We will respond within 30 days (PIPEDA) or one month (GDPR). You also have the right to lodge a complaint with your local supervisory authority — for EU residents, this is your national Data Protection Authority (DPA).
12. Sub-Processors and Third-Party Services
We use the following third-party services to operate the 4Planet platform. Each processes personal data as described. Full details including DPA status are maintained in our internal Sub-Processor Register.
| Service | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | USA (SCCs) |
| Vercel | Platform hosting, analytics, performance monitoring | USA (SCCs) |
| PostHog | Usage analytics (consent-gated) | EU (eu.i.posthog.com) |
| Stripe | Payment processing and charity account management (Stripe Connect) | USA |
| Resend | Transactional email (account notifications, receipts) | USA |
| Stripe | Payment processing (partner subscriptions) | USA/EU (SCCs) |
| Sentry (optional) | Error tracking (consent-gated) | USA (SCCs) |
We do not sell your personal information to any third party.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last Updated" date.
14. Contact Us
If you have questions, concerns, or wish to exercise your privacy rights, please contact us:
Privacy Officer
Email: privacy@4planet.io
You may also file a complaint with the Privacy Commissioner of Canada at www.priv.gc.ca