Privacy Policy

1. Introduction

RidingDesk Technologies Inc. (“RidingDesk,” “we,” “us,” or “our”) is a Canadian corporation headquartered in Waterloo, Ontario, Canada. We operate the RidingDesk platform (“Service”), a campaign management software-as-a-service solution designed for Canadian federal, provincial, territorial, and municipal elections.

This Privacy Policy explains how we collect, use, disclose, retain, and protect personal information in connection with the Service. By accessing or using RidingDesk, you acknowledge that you have read and understood this Privacy Policy.

2. Governing Legislation

RidingDesk is subject to the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private-sector privacy law. Where applicable, we also comply with substantially similar provincial privacy legislation, including:

• Alberta’s Personal Information Protection Act (PIPA Alberta)
• British Columbia’s Personal Information Protection Act (PIPA BC)
• Québec’s Act Respecting the Protection of Personal Information in the Private Sector (Québec Privacy Act / Law 25)

For campaigns or organizations that interact with public-sector bodies, we support compliance with provincial Freedom of Information and Protection of Privacy Acts (FIPPA) and equivalent legislation. We design our platform so that our customers—campaign teams, riding associations, and political parties—can meet their own obligations under all applicable Canadian privacy laws.

3. Information We Collect

3.1 Account Information

When you create a RidingDesk account, we collect your name, email address, phone number, campaign or organization name, riding (electoral district) association, and billing information (processed securely through our payment processor).

3.2 Voter and Constituent Data

Campaigns using RidingDesk may import, store, and manage voter and constituent data. This may include names, addresses, phone numbers, email addresses, voter ID numbers, canvassing notes, issue preferences, and supporter status. This data is provided and controlled by the campaign (“Customer Data”). RidingDesk processes Customer Data solely on behalf of and under the instructions of the campaign.

3.3 Campaign Operational Data

We collect data generated through use of the platform, including canvass records, volunteer schedules, event details, donation tracking entries, and communications logs.

3.4 Usage and Analytics Data

We automatically collect technical information such as IP addresses, browser type, operating system, device identifiers, pages visited, feature usage patterns, session duration, and referral URLs. This data helps us improve the Service and diagnose technical issues.

3.5 Communications

When you contact our support team or participate in surveys, we retain the content of those communications along with associated metadata.

4. How We Use Your Information

We use the personal information we collect for the following purposes:

• Providing, operating, and maintaining the Service
• Processing account registration and authentication
• Processing payments and managing subscriptions
• Sending transactional communications (account confirmations, billing notices, security alerts)
• Providing customer support and responding to inquiries
• Analyzing usage patterns to improve features, performance, and reliability
• Detecting, preventing, and addressing fraud, abuse, and security incidents
• Complying with legal obligations, including Canadian election law reporting requirements
• Enforcing our Terms of Service

We do not use Customer Data (voter/constituent data uploaded by campaigns) for our own marketing purposes or for any purpose unrelated to providing the Service to the applicable campaign.

5. Data Residency and Storage

All personal information and Customer Data is stored exclusively in Canada. Our infrastructure is hosted on Amazon Web Services (AWS) in the ca-central-1 (Canada – Central) region, located in Montréal, Québec. We do not transfer, replicate, or back up data to servers outside of Canada.

Data at rest is encrypted using AES-256 encryption. Data in transit is protected using TLS 1.2 or higher. Database backups are encrypted and stored within the same Canadian AWS region.

6. Data Security

We implement administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of data at rest (AES-256) and in transit (TLS 1.2+)
• Role-based access controls with the principle of least privilege
• Multi-factor authentication for all administrative access
• Regular vulnerability assessments and penetration testing
• Automated intrusion detection and monitoring
• Employee security awareness training and confidentiality agreements
• Incident response procedures with defined notification timelines

While no system can guarantee absolute security, we are committed to maintaining industry-standard protections appropriate to the sensitivity of campaign and voter data.

7. Third-Party Sharing and Disclosure

We do not sell, rent, or trade personal information or Customer Data to any third party.

We may share personal information only in the following limited circumstances:

• Service providers: We engage trusted Canadian and PIPEDA-compliant service providers (e.g., payment processing, email delivery, cloud hosting) that process data solely on our behalf and under contractual obligations to protect it.
• Legal requirements: We may disclose information when required by law, regulation, legal process, or enforceable governmental request, including requests from Elections Canada or provincial electoral authorities.
• Business transfers: In the event of a merger, acquisition, or sale of assets, personal information may be transferred as part of the transaction, subject to the same privacy protections described herein.
• Consent: We may share information with your explicit consent or at your direction.

8. Your Rights

Under PIPEDA and applicable provincial privacy legislation, you have the following rights with respect to your personal information:

• Access: You may request access to the personal information we hold about you. We will respond to access requests within 30 days, as required by PIPEDA.
• Correction: You may request that we correct any inaccurate or incomplete personal information.
• Deletion: You may request that we delete your personal information, subject to our legal retention obligations (e.g., financial records required under the Income Tax Act or election finance reporting laws).
• Withdrawal of consent: You may withdraw your consent to the collection, use, or disclosure of your personal information at any time, subject to legal or contractual restrictions. Withdrawal of consent may affect your ability to use the Service.
• Data portability: You may request an export of your data in a machine-readable format.

For Customer Data (voter/constituent data), the campaign that uploaded the data is the controller. Individuals whose data is held by a campaign should contact the campaign directly to exercise their rights. RidingDesk will assist campaigns in responding to such requests.

9. Cookies and Tracking Technologies

RidingDesk uses cookies and similar technologies for the following purposes:

• Essential cookies: Required for authentication, session management, and security. These cannot be disabled.
• Functional cookies: Remember your preferences, language settings, and dashboard configurations.
• Analytics cookies: Help us understand how users interact with the Service so we can improve it. We use privacy-focused analytics that do not track users across third-party websites.

We do not use advertising cookies or allow third-party advertising networks to place cookies on the Service. You may manage your cookie preferences through your browser settings. Disabling essential cookies may prevent you from using the Service.

10. Data Retention

We retain personal information and Customer Data according to the following schedule:

• Active accounts: Data is retained for the duration of the account’s active subscription.
• Post-termination: Upon account termination, Customer Data is retained for 90 days to allow for data export, after which it is permanently deleted from our production systems.
• Backups: Encrypted backups containing deleted data are purged within 180 days of account termination.
• Billing records: Financial transaction records are retained for seven (7) years as required by the Income Tax Act (Canada) and applicable election finance legislation.
• Usage analytics: Aggregated, anonymized analytics data may be retained indefinitely for product improvement purposes. This data cannot be used to identify individuals.
• Support communications: Customer support records are retained for three (3) years following resolution.

11. Children’s Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information promptly.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes by posting a prominent notice on the Service or by sending you an email at least 30 days before the changes take effect. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Privacy Policy.

13. Complaints

If you believe that RidingDesk has not handled your personal information in accordance with applicable privacy law, you may file a complaint with us using the contact information below. If you are not satisfied with our response, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada (OPC) or the applicable provincial privacy commissioner.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact our Privacy Officer: