Privacy Policy

Last updated: March 10, 2026

1. Introduction

RidingDesk Technologies Inc. (“RidingDesk,” “we,” “us,” or “our”) is a Canadian corporation headquartered in Waterloo, Ontario, Canada. We operate the RidingDesk platform (“Service”), a campaign management software-as-a-service solution designed for Canadian federal, provincial, territorial, and municipal elections.

This Privacy Policy explains how we collect, use, disclose, retain, and protect personal information in connection with the Service. By accessing or using RidingDesk, you acknowledge that you have read and understood this Privacy Policy.

2. Governing Legislation

RidingDesk is subject to the Personal Information Protection and Electronic Documents Act(PIPEDA), Canada’s federal private-sector privacy law. Where applicable, we also comply with substantially similar provincial privacy legislation, including:

  • Alberta’s Personal Information Protection Act (PIPA Alberta)
  • British Columbia’s Personal Information Protection Act (PIPA BC)
  • Québec’s Act Respecting the Protection of Personal Information in the Private Sector (Québec Privacy Act / Law 25)

For campaigns or organizations that interact with public-sector bodies, we support compliance with provincial Freedom of Information and Protection of Privacy Acts(FIPPA) and equivalent legislation. We design our platform so that our customers—campaign teams, riding associations, and political parties—can meet their own obligations under all applicable Canadian privacy laws.

3. Information We Collect

3.1 Account Information

When you create a RidingDesk account, we collect your name, email address, phone number, campaign or organization name, riding (electoral district) association, and billing information (processed securely through our payment processor).

3.2 Voter and Constituent Data

Campaigns using RidingDesk may import, store, and manage voter and constituent data. This may include names, addresses, phone numbers, email addresses, voter ID numbers, canvassing notes, issue preferences, and supporter status. This data is provided and controlled by the campaign (“Customer Data”). RidingDesk processes Customer Data solely on behalf of and under the instructions of the campaign.

3.3 Campaign Operational Data

We collect data generated through use of the platform, including canvass records, volunteer schedules, event details, donation tracking entries, and communications logs.

3.4 Usage and Analytics Data

We automatically collect technical information such as IP addresses, browser type, operating system, device identifiers, pages visited, feature usage patterns, session duration, and referral URLs. This data helps us improve the Service and diagnose technical issues.

3.5 Communications

When you contact our support team or participate in surveys, we retain the content of those communications along with associated metadata.

4. How We Use Your Information

We use the personal information we collect for the following purposes:

  • Providing, operating, and maintaining the Service
  • Processing account registration and authentication
  • Processing payments and managing subscriptions
  • Sending transactional communications (account confirmations, billing notices, security alerts)
  • Providing customer support and responding to inquiries
  • Analyzing usage patterns to improve features, performance, and reliability
  • Detecting, preventing, and addressing fraud, abuse, and security incidents
  • Complying with legal obligations, including Canadian election law reporting requirements
  • Enforcing our Terms of Service

We do not use Customer Data (voter/constituent data uploaded by campaigns) for our own marketing purposes or for any purpose unrelated to providing the Service to the applicable campaign.

5. Data Residency and Storage

Customer Data (voter and constituent records, canvassing notes, donation records, communications logs) and account credentials are stored exclusively in Canada. Our application servers and primary database are hosted with iDigital Internet Inc., a Canadian hosting provider, in their Toronto, Ontario data centre. Bulk campaign email is delivered through Amazon Web Services Simple Email Service in the AWS Canada (Central) region (Montreal, Québec).

A narrow set of data flows is processed by service providers headquartered outside Canada under written agreements that incorporate PIPEDA-equivalent contractual safeguards. These flows are limited to:

  • Payment processing— Stripe, Inc. (United States) handles subscription billing and donation payments. Card data is collected directly by Stripe and is never stored on RidingDesk servers.
  • Address autocomplete— Mapbox, Inc. (United States) processes geocoding queries consisting only of the free-form address text typed by a user. No account identifier, voter record, or other personal data is sent with these queries.
  • DNS and edge caching— Cloudflare, Inc. routes traffic to our Canadian servers and caches static assets at globally distributed edge locations. Cloudflare does not store Customer Data.

Data in transit is protected using TLS 1.2 or higher. We are working to add automated, encrypted off-site backups in a Canadian region; until those are operational, our database is backed up on the same Canadian host.

6. Data Security

We implement administrative, technical, and organizational safeguards designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. Current measures include:

  • TLS 1.2 or higher for all data in transit, with HSTS enabled
  • Strong one-way password hashing using bcrypt before any credential is stored
  • Application-level access controls that scope every database query to the requesting user’s campaign and role
  • Server-side rate limiting on authentication endpoints
  • Strict Content Security Policy and same-origin restrictions on the web application
  • Encrypted, signed session cookies with short rotation windows
  • Mandatory breach notification consistent with our obligations under PIPEDA section 10.1 and applicable provincial legislation

We are a small, founder-led company. As we grow, we will add measures appropriate to that growth, including formal third-party security assessments, multi-factor authentication for all administrative accounts, automated intrusion detection, and a written incident response plan. We will update this policy as those controls come into place.

No system can guarantee absolute security. If you become aware of a security issue, please contact us at the address listed below.

7. Third-Party Sharing and Disclosure

We do not sell, rent, or trade personal information or Customer Data to any third party.

We share personal information only in the following limited circumstances:

  • Service providers: The processors listed in Section 5 (iDigital, Amazon Web Services, Stripe, Mapbox, Cloudflare) act on our instructions under written agreements that prohibit them from using personal information for any purpose other than providing their service to RidingDesk.
  • Legal requirements: We may disclose information when required by law, regulation, legal process, or enforceable governmental request, including requests from Elections Canada or provincial electoral authorities.
  • Business transfers: In the event of a merger, acquisition, or sale of assets, personal information may be transferred as part of the transaction, subject to the same privacy protections described herein.
  • Consent: We may share information with your explicit consent or at your direction.

8. Your Rights

Under PIPEDA and applicable provincial privacy legislation, you have the following rights with respect to your personal information:

  • Access: You may request access to the personal information we hold about you. We will respond to access requests within 30 days, as required by PIPEDA.
  • Correction: You may request that we correct any inaccurate or incomplete personal information.
  • Deletion: You may request that we delete your personal information, subject to our legal retention obligations (e.g., financial records required under the Income Tax Act or election finance reporting laws).
  • Withdrawal of consent: You may withdraw your consent to the collection, use, or disclosure of your personal information at any time, subject to legal or contractual restrictions. Withdrawal of consent may affect your ability to use the Service.
  • Data portability: You may request an export of your data in a machine-readable format.

For Customer Data (voter/constituent data), the campaign that uploaded the data is the controller. Individuals whose data is held by a campaign should contact the campaign directly to exercise their rights. RidingDesk will assist campaigns in responding to such requests.

9. Cookies and Tracking Technologies

RidingDesk uses cookies and similar technologies for the following purposes:

  • Essential cookies: Required for authentication, session management, and security. These cannot be disabled.
  • Functional cookies: Remember your preferences, language settings, and dashboard configurations.
  • Analytics cookies: Help us understand how users interact with the Service so we can improve it. We use privacy-focused analytics that do not track users across third-party websites.

We do not use advertising cookies or allow third-party advertising networks to place cookies on the Service. You may manage your cookie preferences through your browser settings. Disabling essential cookies may prevent you from using the Service.

10. Data Retention

We retain personal information and Customer Data according to the following schedule:

  • Active accounts:Data is retained for the duration of the account’s active subscription.
  • Post-termination: Upon account termination, Customer Data is retained for 90 days to allow for data export, after which it is permanently deleted from our production systems.
  • Backups: Encrypted backups containing deleted data are purged within 180 days of account termination.
  • Billing records: Financial transaction records are retained for seven (7) years as required by the Income Tax Act (Canada) and applicable election finance legislation.
  • Usage analytics: Aggregated, anonymized analytics data may be retained indefinitely for product improvement purposes. This data cannot be used to identify individuals.
  • Support communications: Customer support records are retained for three (3) years following resolution.

11. Children’s Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information promptly.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes by posting a prominent notice on the Service or by sending you an email at least 30 days before the changes take effect. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Privacy Policy.

13. Complaints

If you believe that RidingDesk has not handled your personal information in accordance with applicable privacy law, you may file a complaint with us using the contact information below. If you are not satisfied with our response, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada (OPC) or the applicable provincial privacy commissioner.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact our Privacy Officer:

Privacy Officer

RidingDesk Technologies Inc.

Waterloo, Ontario, Canada

Email: [email protected]