Privacy Policy
Last updated: 2026-03-26 — Version 1.1
1. Introduction
This Privacy Policy describes how Festoya Inc. ("Festoya," "we") collects, uses, retains, and protects your personal information. We comply with Quebec's Law 25, Quebec's Act respecting the protection of personal information in the private sector (LPRPSP), and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).
2. Privacy Officer
In accordance with Law 25, Festoya has designated a privacy officer: info@festoya.ca
3. Information Collected
Buyers: email address, name, password (irreversible bcrypt hash), company name, address, city, province, postal code, phone (optional), GST/QST numbers (optional), language preference.
Caterers: same data as Buyers, plus: business name, description, business address, phone, cover image, chef photo, delivery zones, cuisine types, lead time.
Order data: delivery address, postal code, instructions, event type, financial details, payment method, dietary breakdown.
Third-party data (Preference Gatherings): when a Buyer invites participants to submit dietary preferences, the following data is collected from guests (no account required): name, email (optional), dietary preferences, allergies, notes. This data is collected on behalf of the Buyer and is subject to automatic purging as described in the Data Retention section.
Waitlist: email address, company (optional), role.
Automatic data: session tokens (HTTP-only cookies), email verification tokens (24 h), password reset tokens (1 h), one-time authentication tokens. IP addresses are collected for rate limiting purposes on authentication endpoints, form submissions, and waitlist signups. IP addresses are not stored permanently and are used solely for abuse prevention.
4. Device and Usage Information
Festoya may collect data related to your device and your use of the platform, including: IP address, browser type, operating system, pages visited, visit duration, and interactions with the platform. This data would be collected through privacy-respecting analytics tools. If such tools are activated, Festoya commits to: using this data only for platform improvement and user experience purposes; applying IP address anonymization where possible; not performing session recording; not using this data for advertising or cross-site tracking purposes; obtaining your prior consent in accordance with Law 25 before any non-essential collection. This Policy will be updated to reflect the specific details of any analytics tool deployed.
5. Use of Information
Your information is used to: manage your account and authenticate your identity; process and track orders; generate invoices; send transactional communications (order confirmations, status updates, dispute notifications, account management, deletion reminders); provide address autocomplete; enforce delivery zone restrictions; apply rate limiting for abuse prevention; comply with tax obligations (GST/QST).
6. Marketing and Advertising Communications
Festoya may send you marketing or promotional communications by email, including special offers, platform updates, or Caterer recommendations. If applicable, Festoya commits to: obtaining your explicit prior consent before sending any marketing communications, in accordance with Law 25 and Canada's Anti-Spam Legislation (CASL); providing a clear and functional unsubscribe mechanism in each communication; processing unsubscribe requests within ten (10) business days; never selling or renting your information to third parties, or exchanging it with them, for advertising purposes. Currently, Festoya only sends transactional communications (order confirmations, status updates, dispute notifications, account management). These transactional communications do not require marketing consent and cannot be unsubscribed from, as they are necessary for service delivery.
7. Storage and Security
All data is stored in Canada (Supabase, Toronto region, ca-central-1). Security measures: encryption in transit (TLS); passwords stored as irreversible bcrypt hashes; no credit card or banking data stored; sessions managed via HTTP-only cookies; image metadata removed during processing (location, device data).
10. Your Rights
In accordance with Law 25 and PIPEDA, you have the right to: access your personal information; request correction; request deletion (subject to retention obligations and grace periods described below); cancel a pending deletion request during the grace period; withdraw consent; request data portability in a structured format; file a complaint with Quebec's Commission d'accès à l'information (CAI). Contact: info@festoya.ca. Response time: 30 days.
11. Data Retention
Account data: retained while account is active.
Orders and invoices: minimum 6 years (tax obligations).
Guest data (Preference Gatherings): automatically purged 90 days after the gathering is closed — guest names, emails, allergies, and notes are erased; aggregated dietary preference data is preserved.
Temporary tokens: email verification (24 h), password reset (1 h), one-time authentication tokens.
Account deletion: Upon requesting account deletion, a grace period applies — thirty (30) days for Buyer accounts, and one (1) year from the last delivered order for Caterer accounts (minimum 30 days). During the grace period, you may cancel the deletion and reactivate your account. At the end of the grace period: all sessions and authentication tokens are deleted; profile data, images, and uploaded files are permanently removed; your email is replaced with an anonymized placeholder; order and invoice records are retained for the legally required six (6) year period with anonymized user references. Festoya may also initiate account deletion for policy violations, with or without a grace period. Affected users are notified by email.
12. Privacy Incident
In the event of an incident presenting a risk of serious harm, Festoya will notify Quebec's Commission d'accès à l'information and affected individuals as soon as possible, and maintain a register of incidents.
13. Contact
info@festoya.ca