← Back
Draft — subject to change before public launch.

Privacy Policy — Draft

Status: DRAFT. Not legally reviewed. This is a working draft to unblock MVP development. Before collecting any real user data at launch, have this reviewed by someone qualified in Canadian privacy law (PIPEDA + Ontario-specific).

Placeholders in {braces} must be filled before publishing.

Who we are

CalledIt ("we," "us," "our") is operated by {Legal name or sole proprietorship} from Hamilton, Ontario, Canada. CalledIt is a play-money prediction market platform for McMaster University students. It is not affiliated with or endorsed by McMaster University.

Contact: {contact@calledit.ca}

Scope

This policy explains how we collect, use, and protect personal information of users of the CalledIt web application and desktop landing page at calledit.ca.

It is governed by:

  • The Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Any applicable Ontario provincial privacy legislation

What information we collect

You provide directly

  • McMaster email address. Required to create an account. Used to verify you are a McMaster student and to send one-time login codes.
  • Username. Publicly visible on your profile, bets, and markets.
  • Market content you submit. Titles, resolution criteria, source URLs, and context you include when creating a market.
  • Bet activity. Every bet you place, including side, amount, and time.
  • Communications. If you email us, we store your message.

Collected automatically

  • Session and authentication data (login codes, session tokens).
  • Device and usage data — browser type, operating system, pages viewed, approximate time spent. Used to operate and improve the service.
  • IP address. Logged for security, fraud prevention, and aggregate analytics. Not displayed publicly.
  • Cookies and local storage. Only essential cookies for authentication and session continuity. No advertising or cross-site tracking cookies.

We do not collect

  • Real-money payment information (there is no payment flow)
  • Physical address (unless you opt in for a physical prize fulfilment — see LEGAL.md)
  • Phone numbers
  • Government ID

Why we collect it

| Purpose | Lawful basis | |---|---| | Verify McMaster affiliation and authenticate logins | Service operation (consent at signup) | | Display your public profile, bets, and created markets | Consent — core product function | | Operate the Cache economy (balances, payouts, decay) | Service operation | | Moderate markets and enforce community guidelines | Legitimate interest — platform integrity | | Detect fraud, manipulation, and multi-account abuse | Legitimate interest — platform integrity | | Improve the product based on aggregate usage | Legitimate interest | | Communicate with you about your account | Service operation |

We do not use your information for advertising or profile-building for third parties.

Public information on the platform

By design, the following are publicly visible to all users (and potentially to anyone viewing an authenticated market page):

  • Your username
  • Your betting history (markets, sides, amounts, time)
  • Your accuracy and net-profit statistics
  • Markets you have created
  • Any comments you post
  • Your Cache balance (visible to other authenticated users)

This is a transparency-first platform. Do not use CalledIt if you do not want your betting activity attributed to your username.

We do not publicly link your email address to your username.

Who we share it with

We do not sell personal information. Ever.

We share data only with:

  • Service providers (processors) acting on our instructions:
    • Supabase (database, authentication, realtime — data hosted in {region, ideally Canada})
    • Vercel (web hosting)
    • Cloudflare (CDN, DDoS protection)
    • Email delivery provider for OTP codes ({provider})
  • Legal obligations. If required by Canadian law, a valid court order, or to protect the rights, property, or safety of users.

All processors are bound by contractual obligations consistent with PIPEDA.

Where your data is stored

Primary database and authentication are hosted on Supabase in {region}. Our CDN and hosting providers may cache non-sensitive data in other regions. If data is stored outside Canada, it may be subject to the laws of that jurisdiction — including lawful access by foreign authorities.

How long we keep it

| Data | Retention | |---|---| | Account and profile | Until you delete your account | | Transaction ledger (Cache movements) | Retained indefinitely for platform integrity; see below | | Bet history | Retained indefinitely as part of the public leaderboard and accuracy record | | Session tokens | 30 days from last use | | IP logs | 90 days, then anonymised or deleted | | Email correspondence | 2 years |

Important: Even if you delete your account, your betting history may be retained in an anonymised form (with your username replaced by a pseudonym) to preserve the integrity of historical markets and leaderboards. If you do not want your bets permanently associated with any record, do not use the platform.

Your rights under PIPEDA

You have the right to:

  • Access a copy of the personal information we hold about you
  • Correct inaccurate information
  • Withdraw consent for future processing (may require account closure)
  • Delete your account — this removes your profile and replaces your username on historical records with an anonymous pseudonym
  • Complain to us, and separately to the Office of the Privacy Commissioner of Canada at https://www.priv.gc.ca

To exercise any right, email {contact@calledit.ca} from the email address on your account. We will respond within 30 days.

Security

We use industry-standard measures to protect your information:

  • TLS encryption for all data in transit
  • At-rest encryption on the database
  • Row-level security scoping user-owned data
  • Rate limits on authentication endpoints
  • Append-only transaction ledger (see ARCHITECTURE.md)
  • Restricted admin access with audit logs

No system is perfectly secure. If we become aware of a breach affecting your personal information, we will notify you and the Office of the Privacy Commissioner of Canada as required by law.

Children

CalledIt is intended for McMaster University students. We do not knowingly collect information from anyone under 13. Users between 13 and the age of majority in their province (18 in Ontario) must have parental consent to use the service. We rely on McMaster email ownership as a practical proxy for age, but do not independently verify age at signup.

If you believe a child under 13 has created an account, email {contact@calledit.ca} and we will remove the account.

Analytics

We use basic, privacy-respecting analytics to understand aggregate usage (page views, feature adoption). We do not use Google Analytics or advertising networks. Analytics data is aggregated and cannot identify individual users.

Specifically: {analytics provider, e.g. Plausible, PostHog (self-hosted), or none}.

Changes to this policy

We may update this policy from time to time. Changes will be:

  • Posted in-app on the Community Guidelines / Legal pages
  • Logged in the public platform changelog with a dated entry
  • Announced to all active users via email for material changes
  • Never applied retroactively to past data in a way that reduces user protections

Current version: Draft — dated {YYYY-MM-DD}

Contact

For any privacy question or to exercise your rights:

{contact@calledit.ca}

{Optional: mailing address for formal requests}

What this draft still needs before going live

Tracked for pre-launch lawyer review:

  • [ ] Legal entity name for the operator
  • [ ] Confirmed Supabase data region (prefer Canada; US requires explicit cross-border disclosure)
  • [ ] Confirmed email delivery provider name
  • [ ] Confirmed analytics provider (or removal of section)
  • [ ] Confirmed contact email
  • [ ] Legal review of retention periods against PIPEDA expectations
  • [ ] Alignment with final Community Guidelines and Terms of Service
  • [ ] A published version date