⚠️ DRAFT — pending legal review
This document has not been reviewed by a lawyer and is not final. Blanks marked [TODO] must be filled in before public launch. MaplePath is not a law firm and this page does not constitute legal advice.
Privacy Policy
Last updated: June 28, 2026
MaplePath (“we”, “us”, “our”) operates joinmaplepath.com. We are committed to protecting your personal information in accordance with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), Quebec’s Act Respecting the Protection of Personal Information in the Private Sector (Law 25), and applicable privacy legislation.
1. Information We Collect
Information you provide directly
- Account information: email address, display name, and password (hashed — never stored in plain text).
- Profile information:optional details you choose to share, such as immigration status flags (e.g., “Verified PR”), your immigration journey stage, and bio.
- User-generated content: questions, answers, comments, and experience reports you post on the platform.
- Communications: messages you send us via support or privacy@joinmaplepath.com.
- Expert applications: for RCIC/lawyer applicants only — RCIC licence number or law-society membership ID, publicly verifiable against official registers. We do not store copies of any licence documents.
- Waitlist: email address collected via our Kit waitlist form before app launch.
Information collected automatically
- Usage data: pages visited, features used, time on page, search queries within the site.
- Technical data: IP address (used for security/fraud prevention, not profiling), browser type, device type, operating system, referring URL.
- Cookies and similar technologies: see our Cookie Policy for full details. Non-essential cookies require your explicit consent.
Information we do NOT collect
- We never store identity documents, passports, or government-issued IDs. Identity verification (Stripe Identity) follows a verify-then-delete model — the verification result (pass/fail + timestamp) is stored, never the document.
- We do not collect payment card details directly. All payments are processed by Stripe; we receive only a transaction ID and status.
2. How We Use Your Information
| Purpose | Legal basis (PIPEDA / Law 25) |
|---|---|
| Providing and operating the platform (accounts, Q&A, tools) | Contract / service provision |
| Authenticating you and keeping your account secure | Contract / legitimate interest |
| Improving platform quality and fixing bugs | Legitimate interest |
| Analytics — understanding how the site is used | Consent (opt-in via cookie banner) |
| Sending transactional emails (e.g., email verification, password reset) | Contract |
| Sending product or marketing emails to waitlist / opted-in users | Consent (CASL express consent at signup) |
| Processing payments for expert consultations | Contract |
| Complying with legal obligations and preventing fraud | Legal obligation / legitimate interest |
3. Third Parties We Share Data With
We do not sell your personal information to any third party. We share data only with the service providers listed below, solely to operate the platform:
| Provider | Role | Data shared | Region |
|---|---|---|---|
| Supabase | Database & authentication | Account data, user content, session tokens | ca-central-1 (Canada) |
| Upstash Redis | Caching & session management | Session data, rate-limit counters | [TODO — confirm region] |
| Stripe | Payment processing & identity verification | Payment details (Stripe holds card data), identity verification result | United States |
| Kit (formerly ConvertKit) | Email & waitlist management | Email address, name, subscription status | United States |
| Vercel | Hosting & edge functions | Request logs, IP addresses (transient) | Global CDN / [TODO — confirm primary region] |
| Analytics provider | Usage analytics | Usage events (only with your consent) | [TODO — provider TBD; will update before activation] |
Where providers are located outside Canada, we rely on contractual safeguards (e.g., standard contractual clauses or equivalent) to protect your data.
4. Data Retention
| Data type | Retention period |
|---|---|
| Account and profile data | Duration of account + 2 years after closure |
| User-generated content (posts, answers) | Until deleted by user or removed for policy violation |
| Session / authentication tokens | 1 hour to 7 days (depending on “remember me”) |
| Database backups | 90 days |
| Server / access logs | 30 days |
| Payment transaction records | 7 years (tax / legal obligation) |
| Identity verification result (boolean + timestamp only) | Duration of account |
| Consent records (cookie consent) | Stored locally in your browser; we retain a server-side log for [TODO] days |
5. Your Rights
Under PIPEDA and Quebec Law 25, you have the following rights regarding your personal information:
- Right of access: request a copy of the personal information we hold about you.
- Right to correction: ask us to correct inaccurate or incomplete information.
- Right to deletion: request deletion of your account and associated personal data (subject to legal retention obligations).
- Right to withdraw consent: withdraw consent to optional processing (e.g., marketing emails or analytics cookies) at any time without affecting processing already done.
- Right to data portability: request your data in a structured, machine-readable format [TODO — self-serve export feature in roadmap].
- Right to complain: lodge a complaint with the Office of the Privacy Commissioner of Canada or, for Quebec residents, the Commission d’accès à l’information du Québec (CAI).
To exercise any right, email privacy@joinmaplepath.com. We will respond within 30 days.
6. Security
How we protect your data
- Encryption at rest: your data is stored on infrastructure encrypted with AES-256.
- Encryption in transit: all traffic between your device and MaplePath is protected with TLS (HTTPS).
- Password protection: passwords are never stored in plain text — they are hashed with bcrypt by our authentication provider (Supabase). We never see your password.
- No identity documents: we never store passports, ID cards, or other government-issued documents. Identity checks follow a verify-then-delete model.
- No payment data: we never store your payment card details — all payments are handled directly by Stripe.
- All data is encrypted in transit (TLS) and at rest.
- Access to production data is restricted to authorised personnel on a least-privilege basis.
- Secrets (API keys, database credentials) are stored in environment variables only — never in code.
- We follow a verify-then-delete model for identity documents — documents are never persisted.
- In the event of a breach that poses a real risk of significant harm, we will notify affected users and report to the relevant regulator as required by law.
7. Children
MaplePath is not directed at individuals under the age of 16. We do not knowingly collect personal information from anyone under 16. If you believe a minor has provided us with their information, please contact us at privacy@joinmaplepath.com and we will delete it promptly.
8. Privacy Officer
As required by Quebec Law 25 and PIPEDA, MaplePath has designated a person responsible for privacy compliance:
Privacy Officer: [TODO — name/title]
Email: privacy@joinmaplepath.com
Mailing address: [TODO — registered business address]
9. Changes to This Policy
We may update this policy from time to time. If we make material changes, we will notify you by email (to the address associated with your account) and update the “Last updated” date above. Continued use of the platform after the notice period constitutes acceptance of the updated policy.
10. Cookie Consent
We use a cookie consent banner compliant with Quebec Law 25 and PIPEDA. Non-essential cookies (analytics, marketing) are blocked until you opt in. You can review or change your cookie preferences at any time using the Cookie settings link in the footer. See our full Cookie Policy for details.