Privacy Policy
Your data, in plain language.
A campaign that asks the public to demand transparency from AI companies has to model it. This page is the full picture of how we collect, store, use, and protect your personal information.
Last updated 2026-05-14 · Available in French
The short version
- We collect the minimum we need to run a petition and email you when there is something worth doing.
- Your email address, name, postal code (optional), and your comment (optional) are stored in a Cloudflare database. Your IP address is hashed before storage; we never store the raw IP.
- We do not sell your data. We do not share it with advertisers, brokers, or commercial third parties.
- We use four service providers that touch your data: Cloudflare (hosting, anti-bot, database), Resend (sending email), Zeffy (donations, if you donate), and Turnstile (bot check, part of Cloudflare). Their roles are listed below.
- You can request a copy of your data, correct it, withdraw your consent, or have it deleted at any time. Contact privacy@operationimaginal.org.
- This policy is governed by Canadian privacy law: the federal Personal Information Protection and Electronic Documents Act (PIPEDA), and, for Quebec residents, the Act respecting the protection of personal information in the private sector (Quebec Law 25).
- Our emails comply with Canada's Anti-Spam Legislation. Every email identifies us, explains why you received it, and includes a working unsubscribe link.
Who we are
Operation Imaginal is a federal non-profit corporation incorporated under the Canada Not-for-profit Corporations Act (CNCA). We are not a registered charity, and contributions to us are not tax-deductible for Canadian donors. Our governance information is published on the transparency page.
The Director and Privacy Officer is Joshua Han, CFA, who reads every complaint personally. The Privacy Officer is the person responsible for the corporation's compliance with PIPEDA and Quebec Law 25, including answering your questions about how your data is handled and responding to access and deletion requests.
Privacy Officer contact: privacy@operationimaginal.org
Corporation: Operation Imaginal, a federal non-profit corporation under the CNCA
Registered office: being formalized; correspondence by email is processed within 5 business days while the office address is being published.
What we collect, and why
When you sign the petition
- Name (required): so we can present a real signature and address you by name in the confirmation email.
- Email address (required): so we can send you the confirmation link and, with your consent, occasional campaign updates.
- Postal code (optional): so we can identify the MP who represents you, and so we can show campaign reach by region.
- Comment (optional): your reason for signing, in your own words. The strongest comments may be quoted publicly on the campaign site, in which case we will not show your last name without separate written consent. You can ask us to remove your comment at any time.
- IP address: collected at the moment of submission for anti-spam and abuse prevention. Hashed with a server-side secret using HMAC-SHA256 before storage. We do not store the raw IP. The hash is one-way and cannot be reversed without the secret.
- User-agent: the make and version of your browser, captured to spot automated scraping. Not used for tracking.
- Country: derived from your postal code (Canada / United States) so the live counter and MP-lookup work correctly. If you do not provide a postal code, this falls back to the country code provided by Cloudflare's edge network from your IP.
When you donate
Donations are processed by Zeffy, an external donation platform. Your name, email, billing details, and donation amount are processed by Zeffy according to Zeffy's privacy policy. We receive: the donation amount in Canadian dollars; the cadence (one-time or recurring); a hashed version of your email; and, only if you opt in to be listed publicly, your first name and last initial on our transparency page.
When you apply to a role
The careers form on /careers collects your name, email, optional LinkedIn or personal site, availability, two short-answer responses, and a PDF resume. Joshua reads every application personally. Resumes are stored in private cloud storage (Cloudflare R2) and emailed to Joshua via our email provider (Resend). Unsuccessful applications are retained for up to 12 months in case other roles open, then deleted. You can withdraw or request deletion at any time.
When you email your MP through our tool
The "Email your MP" feature uses your email account as the sender: the message is from you, not from us. Our server transmits the message to the MP's official email address on your behalf. We do not store the content of the message after it is sent. We log: the time, the destination email domain, and a hash of your session, for abuse prevention.
When you take the five-minute friend-test
The /friend-test instrument is a usability study. We capture: a random 8-character session identifier (not linked to your email), the time you spent on each step, your answer to a face-recognition question, your 1-5 clarity rating, and a single short qualitative line. We strip personal identifiers (email, phone, postal code) from the qualitative line both in your browser and on our server. No personal information is stored.
What we do not collect
- No analytics, no advertising pixels, no browser fingerprinting. We do not load any third-party tracking scripts.
- No third-party fonts or CDNs that would leak your IP to other companies.
- No persistent cookies. Three small items are stored in your browser's local storage: a random letter pinning the homepage variant you saw, a temporary friend-test session id (if you take it), and the UTM tag of the link that brought you here. These are not shared with anyone and you can clear them at any time.
Where your data goes (cross-border transfers)
We use four service providers. Each is contractually bound to protect your data and to act only on our instructions. Their roles, in order of how much data they see:
| Service | Role | Data it sees | Where |
|---|---|---|---|
| Cloudflare | Hosting, database (D1), key-value store (KV), application runtime (Workers), bot check (Turnstile), DDoS protection. We are a Cloudflare Pages customer. | All petition, donation metadata, application, and friend-test data. IP at the moment of request (hashed before our application stores it). | Cloudflare global network, primarily North America, with replication for resilience. Cloudflare's data processing agreement applies. |
| Resend | Sends transactional and consented broadcast email on our behalf. | Your email address, name, the email body (which may include your postal code if it appears in the confirmation copy), the message subject. | United States. Resend's privacy policy applies. DKIM, SPF, and DMARC are configured. |
| Zeffy | Donation processing only. We do not process payment details ourselves. | Your billing name, email, payment details, donation amount, cadence. We receive only the amount and a hashed email back from Zeffy. | United States and Canada. Zeffy's privacy policy applies. |
| Cloudflare Turnstile | Bot check, invisible to you. Replaces a CAPTCHA. | Browser characteristics and IP at the moment of the check. | Cloudflare global network. Operates as a Cloudflare sub-processor under the same agreement. |
Some of the data we collect from you crosses the Canada-US border to reach these service providers. We have assessed each transfer under section 17 of Quebec Law 25 and concluded that the receiving jurisdictions and the contractual protections in each provider's data processing agreement provide the data with protection equivalent to what it would receive in Canada. The full cross-border transfer assessment is available on request.
How long we keep your data
- Signatures (confirmed): retained until you ask us to delete, or until the campaign sunsets.
- Pending signatures (unconfirmed): automatically deleted seven days after submission if you do not click the confirmation link.
- Sign attempts log (an audit table that records every submission, used only to recover lost signers and detect abuse): retained for 24 months, then purged.
- Application events log (system audit log, contains no personal identifiers, only hashes and aggregate counts): retained for 12 months, then purged.
- Donations: retained for the period required by the Income Tax Act and the CNCA (seven years from the end of the relevant fiscal year), then purged.
- Career applications: retained for up to 12 months in case other roles open, then deleted.
- Email engagement (open, click, bounce signals from Resend): we do not store these in our database. Resend may retain them per its policies.
Your rights
Under PIPEDA and Quebec Law 25, you have specific rights. We will respond to any of these requests within 30 days of receiving a verified request at privacy@operationimaginal.org:
- Right of access: ask us what data we hold about you. We will send you a copy.
- Right of correction: ask us to correct any data we hold that is inaccurate or out of date.
- Right of withdrawal: withdraw your consent at any time. We will stop processing your data and, on request, delete it.
- Right of deletion (erasure): ask us to delete your personal information. We will, unless we are legally required to keep it (e.g., financial records under the Income Tax Act).
- Right of portability (Quebec): ask us to deliver your personal information to you, or to another organization you designate, in a structured, machine-readable format.
- Right to challenge our practices: raise a concern about how we are handling your data. Joshua reads every concern personally. If you are not satisfied with our response, you can file a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca) or, if you are a Quebec resident, with the Commission d'accès à l'information du Québec (cai.gouv.qc.ca).
To verify a deletion or access request, we will ask you to confirm your email address by clicking a one-time link sent to that address, the same mechanism we use to confirm signatures. This prevents anyone else from impersonating you.
This policy satisfies all ten fair-information principles under the Personal Information Protection and Electronic Documents Act (PIPEDA).
Quebec residents have additional rights under Law 25, including data portability, the right to de-indexation, 72-hour breach notification, and protection from automated decision-making. All of these rights are honoured under this policy. A French summary is at privacy.fr.html.
How we protect your data
- Encryption: every page is served over HTTPS (TLS 1.2+). Cloudflare D1 and KV apply at-rest encryption to all stored data.
- IP hashing: raw IP addresses are never stored. We hash them with HMAC-SHA256 using a server-side secret. The hash cannot be reversed without the secret.
- Injection and scripting defences: all database queries use prepared statements with bound parameters. All user-provided text is HTML-escaped before output.
- Anti-abuse: honeypot fields, Turnstile bot checks, and rate limiting on every form. Admin endpoints are token-protected, rate-limited on failed attempts, and audit-logged.
- No third-party tracking: no analytics services, no advertising pixels, no external scripts that could fingerprint or track you across sites.
Breach notification
If we ever experience a privacy incident that creates a real risk of significant harm to you, we will notify you, the Office of the Privacy Commissioner of Canada, and, if you are a Quebec resident, the Commission d'accès à l'information du Québec. PIPEDA requires this notification "as soon as feasible" after we determine that a breach has occurred. Law 25 requires notification within 72 hours of becoming aware of an incident that presents a risk of serious injury. We have a written incident response procedure that covers both timelines.
Children
Operation Imaginal is not directed at children under 16. We do not knowingly collect personal information from anyone under 16. If you believe we have collected information from a minor, contact us and we will delete it.
Changes to this policy
We update this policy when our practices change. The last-updated date is at the top of the page. Material changes (new service providers, new categories of data collected, new purposes) are announced by email to confirmed signers.