Draft template, pending legal review. Not yet in effect. Replace this placeholder text with your lawyer-reviewed policy before launch.
Privacy Policy
Last updated: (to be set)
This Privacy Policy explains how LoafBase collects, uses, discloses, and protects personal information. LoafBase is a Canadian, bilingual platform with two sides: software that animal shelters and rescues use to run their operations, and a public adopter marketplace where people can browse animals, save favourites, and apply to adopt. We take privacy seriously and follow Canadian law, including the federal Personal Information Protection and Electronic Documents Act (PIPEDA), Quebec's Law 25, and Canada's Anti-Spam Legislation (CASL). For adopter, applicant, and donor information that a shelter records or receives through LoafBase, the shelter is the controller of that information and LoafBase acts as its processor, following the shelter's instructions.
Who we are
LoafBase is operated by (legal entity name), based in Canada. We provide shelter-management software and a public adopter marketplace, in English and French, with pricing in Canadian dollars. If you have any questions about your privacy or this policy, you can reach us at david@loafbase.com and we will be glad to help.
Controller and processor roles
It matters who is responsible for which information. When a shelter enters or receives adopter, applicant, or donor personal information through LoafBase, the shelter is the controller and LoafBase is its processor: we handle that information only to run the service on the shelter's behalf and under contract. For shelter-staff accounts, for our public marketing website, and for our email waitlist, LoafBase is the controller and this policy governs directly. If you are an adopter and want to know how a specific shelter uses your information, please contact that shelter.
Information we collect
We collect only what we need. Shelter organizations and staff accounts: organization details plus each staff member's name, email, and role. Adopter accounts and profiles: name, email, date of birth (used only to confirm you meet the minimum adoption age), mailing address, phone number, adoption application answers, uploaded documents, electronic signatures on adoption agreements, saved and favourited pets, and in-app messages. Animal records entered by shelters: medical and vaccination history, photos, microchip numbers, intake and outcome details, and foster placements. Donations: donor details and donation records. Email waitlist signups: your email address plus proof of your CASL consent (the date and time, IP address, browser user-agent, and the exact wording and version of the consent you agreed to). We also keep notification records, consent records, and data-access and audit logs, and we collect limited technical data such as IP address and user-agent to keep the service secure and to prevent abuse through rate limiting.
How we use information
We use personal information to provide and maintain the service, create and authenticate accounts, display animals and manage adoption applications, send transactional messages (such as account, application, and adoption updates), send marketing or waitlist messages only where you have given express consent, geocode mailing addresses so locations can be shown on a map, prevent fraud and abuse, keep the platform secure, and meet our legal obligations. Shelters also use the information they collect to run their own adoption and rescue operations. We do not use your information for purposes unrelated to those described here without telling you.
Legal bases (PIPEDA and Quebec Law 25)
We process personal information on the bases permitted under Canadian federal law (PIPEDA) and, in Quebec, the Act respecting the protection of personal information in the private sector (Law 25). Depending on the situation, this includes your consent (for example, marketing email), the need to perform a contract or provide a service you asked for, our legitimate operational needs (such as security and fraud prevention), and compliance with legal obligations. Where consent is the basis, you may withdraw it at any time, subject to legal or contractual limits.
Consent and CASL
Marketing and waitlist emails are governed by Canada's Anti-Spam Legislation (CASL), and we send them only to people who have given express consent. When you sign up for our waitlist or opt in to updates, we record the details of that consent (date, time, IP address, browser, and the exact wording you agreed to) so we can honour and prove it. Every marketing message includes a clear, working unsubscribe link and our physical mailing address, and we act on unsubscribe requests promptly. Transactional messages that you need in order to use the service, such as password resets and adoption-application updates, are not marketing and are sent as part of the service.
Service providers
We rely on a small set of trusted service providers (processors) to run LoafBase, and each of them processes personal information only on our instructions and under contract. Supabase provides our database, authentication, and file storage, hosted in a Canadian region to support data residency. Resend delivers our transactional email and our consented marketing email. Vercel hosts the application; we also use Vercel Analytics and Speed Insights, which are cookieless and privacy-friendly. Mapbox geocodes mailing addresses so locations can be shown on a map. Upstash Redis provides rate limiting to prevent abuse. We do not permit these providers to use personal information for their own purposes.
Data residency
We take a Canada-first approach to where your information lives. Our primary database, authentication, and file storage are hosted in a Canadian region through Supabase. Some of our service providers may process limited technical data (such as request routing or email delivery) outside Canada in the course of operating their services; where that happens, the information remains protected by contract and by the safeguards described in this policy.
Cookies and analytics
We keep tracking to a minimum. We use only essential cookies needed to sign you in and keep your session secure; we do not use advertising or cross-site tracking cookies. For understanding how the site performs, we use Vercel Analytics and Speed Insights, which are cookieless and privacy-friendly and do not build advertising profiles of you. Because we do not use non-essential cookies, there is no advertising cookie banner to manage.
Data retention
We keep personal information only as long as it is needed for the purposes described in this policy, or as required by law, and then we delete or anonymize it. Shelters control retention of the records they enter, and adopters can request erasure of their own account information. Some records may be kept longer where the law requires it or to resolve disputes, prevent fraud, or enforce our agreements; consent proof for waitlist and marketing email is retained as long as needed to demonstrate compliance with CASL.
Your rights
Subject to law, you have the right to access the personal information we hold about you, to correct it if it is inaccurate, to request its deletion or erasure, to withdraw consent, and, under Quebec's Law 25, to data portability (to receive certain information in a structured, commonly used technological format). Adopters can manage their consents and request erasure directly from the privacy page in their in-app account. To exercise any of these rights, contact us at david@loafbase.com; if a shelter is the controller of the information, we may direct your request to that shelter or help coordinate a response. We will respond within the timeframes required by law.
Children's privacy
LoafBase is not directed at children, and the adopter marketplace is intended for adults. Adoption involves a binding agreement, so adopters must meet the minimum adoption age, and we use date of birth only to confirm that eligibility. We do not knowingly collect personal information from children; if you believe a child has provided us with personal information, please contact us at david@loafbase.com and we will take appropriate steps to address it.
Security
We protect personal information with encryption in transit and at rest, row-level-security tenant isolation so one organization cannot see another's data, access controls that limit who can see what, and audit logging. No system can be guaranteed perfectly secure, but we work hard to safeguard your information. If a security breach creates a real risk of significant harm, we will notify affected people and the appropriate regulators as required by PIPEDA and Law 25.
We never sell your information
We do not sell your personal information, and we do not rent or trade it. We do not share it with third parties for their own marketing. We share information only with the service providers needed to run LoafBase, with the shelter that controls it, or where the law requires or permits it.
Privacy Officer
Our Privacy Officer is (name), responsible for overseeing our compliance with privacy law and answering your questions, reachable at david@loafbase.com. If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner of Canada or, in Quebec, the Commission d'accès à l'information.
Changes to this policy
We may update this policy from time to time as the service or the law changes. When we make material changes, we will post the updated policy here with a new effective date, and where appropriate we will let you know directly. Please check back periodically to stay informed.
