Privacy Policy

Last updated: April 7, 2026

Introduction

My Prep Plan (“we”, “us”, “our”) operates myprepplan.app. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our Service. We are committed to compliance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and Canada's Anti-Spam Legislation (CASL).

Information We Collect

Quiz Responses: When you complete the preparedness quiz, we collect your answers, including your ZIP code or postal code prefix (FSA). Quiz responses are stored anonymously — we do not require an account or collect your name to generate a score.

Email Address (optional): If you choose to subscribe to our email series, we collect your email address.

Consent Records: When you subscribe, we store: the verbatim consent text you agreed to, a SHA-256 hash of your IP address (not your actual IP address), and the timestamp of your consent. This is required by CASL to demonstrate proof of express consent.

Analytics: We use Plausible Analytics, a privacy-focused analytics service that does not use cookies, does not collect personal data, and does not track individual users across sites. Plausible collects aggregate page view and event data only. No cookie consent banner is required.

How We Use Your Information

  • Quiz responses: to generate your preparedness score and personalized recommendations
  • Email address: to send you the email series you subscribed to (up to 4 emails over 14 days)
  • Consent records: to demonstrate compliance with CASL requirements
  • Analytics data: to understand how the Service is used in aggregate (e.g., quiz completion rates, popular pages)

Legal Basis for Processing

Under PIPEDA, we process your personal information based on: (a) your express consent for email communications (CASL-compliant opt-in); (b) legitimate interest for quiz scoring (necessary to provide the Service you requested). You may withdraw consent at any time by unsubscribing.

Data Retention

  • Quiz submissions: retained indefinitely for aggregate analytics and to support your results page URL
  • Email records: retained for the duration of the email series (14 days) plus 2 years for CASL consent proof retention
  • Unsubscribed records: the unsubscribe timestamp is retained; no further emails are sent
  • Analytics data: retained by Plausible per their data retention policy (aggregate data only, no personal information)

Data Sharing

We do not sell, trade, or share your personal information with third parties, except with the following service providers who process data on our behalf:

  • Resend (resend.com): our email delivery provider, which processes your email address solely to deliver emails on our behalf
  • Supabase (supabase.com): our database provider, which stores quiz and email data
  • Vercel (vercel.com): our hosting provider, which serves the website
  • Plausible Analytics (plausible.io): our analytics provider, which collects aggregate usage data only

All service providers are bound by their respective privacy policies and data processing agreements.

Your Rights

Under PIPEDA, you have the right to:

  • Access: Request a copy of the personal information we hold about you
  • Correction: Request correction of inaccurate personal information
  • Deletion: Request deletion of your personal information
  • Withdraw Consent: Unsubscribe from emails at any time via the link in any email

To exercise any of these rights, contact us at privacy@myprepplan.app. We will respond within 30 days.

Unsubscribe Process

Every email we send includes an unsubscribe link. Clicking the link immediately removes you from all future emails. You can also unsubscribe by contacting us at privacy@myprepplan.app. Per CASL requirements, we process all unsubscribe requests within 10 business days (our system processes them immediately upon click).

Security

We implement reasonable security measures to protect your personal information, including: encrypted connections (HTTPS), database row-level security policies, server-side-only database access (no client-side database exposure), and hashed IP addresses (SHA-256, one-way — original IP cannot be recovered).

Children's Privacy

The Service is not intended for children under 13. We do not knowingly collect personal information from children under 13.

International Data Transfers

Your data may be processed in the United States and Canada by our service providers (Supabase, Vercel, Resend). These transfers are governed by the service providers' data processing agreements.

Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated “Last updated” date. We encourage you to review this page periodically.

Contact

For privacy-related questions or to exercise your rights, contact us at privacy@myprepplan.app.