Privacy Officer (Canada)
Responsible for PIPEDA Principle 1 (accountability) and Quebec Law 25.
Trust & safety
Compliance
A plain-English summary of how Doodle Save handles privacy, security, and regulatory obligations in Canada and India. For the full legal text, see our Privacy Policy and Terms of Use.
Scope and applicable law
This page applies to the Doodle Save mobile app and the marketing websites at doodlesave.co, doodlesave.ca, and doodlesave.in. We are subject to:
- Canada (federal): Personal Information Protection and Electronic Documents Act (PIPEDA).
- Quebec: Act respecting the protection of personal information in the private sector (Law 25).
- India: Digital Personal Data Protection Act, 2023 (DPDP).
- Platform rules: Apple App Store Review Guidelines and Google Play Developer Program Policies, including the Account Deletion requirement.
Privacy and Grievance Officers
Grievance Officer (India)
Responsible for DPDP §13 grievance redressal. Response within 30 days.
General support
Anything that isn’t a privacy matter.
Canada — PIPEDA
| Principle | How we implement it |
|---|---|
| 1. Accountability | A named Privacy Officer at privacy@doodlesave.co. |
| 2. Identifying purposes | Each category of data we collect and the purpose for collecting it is listed in the Privacy Policy. |
| 3. Consent | Recorded at signup with version numbers and timestamps. Marketing consent is opt-in. Re-consent is requested in-app when we materially update the Terms or Privacy Policy. |
| 4. Limiting collection | No payment data, no government IDs, no precise GPS, no contacts, no calendar, no email contents. |
| 5. Limiting use, disclosure, retention | Data is used for the purposes stated. Affiliate-click logs purge at 13 months; audit logs at 24 months. |
| 6. Accuracy | You can edit your profile and subscriptions in-app. |
| 7. Safeguards | See Security controls below. |
| 8. Openness | This page plus the public Privacy Policy. |
| 9. Individual access | In-app data export and email-based access requests, fulfilled within 30 days. |
| 10. Challenging compliance | Privacy Officer email above, with escalation to the Office of the Privacy Commissioner of Canada. |
Quebec — Law 25
Quebec residents have all the rights described in PIPEDA, plus:
- The right to data portability in a structured, commonly used technological format — satisfied by our JSON data export.
- The right to be informed of automated decisions — Doodle Save does not make automated decisions producing legal or similarly significant effects.
- The right to contact our Privacy Officer (the « responsable de la protection des renseignements personnels ») at privacy@doodlesave.co.
India — DPDP Act 2023
| Section | How we implement it |
|---|---|
| §4 — Lawful processing on consent | Consent captured at signup with version and timestamp. |
| §6 — Notice at consent | Privacy Policy linked from the signup screen. |
| §8(4) — Erasure on withdrawal | Soft-delete flow with a 30-day grace period, then hard delete. |
| §8(5) — Reasonable security safeguards | See Security controls. |
| §8(6) — Breach notification | To the Data Protection Board and affected Data Principals within 72 hours of awareness. |
| §8(7) — Storage limitation | Retention windows enforced by automated database jobs. |
| §11 — Right of access | In-app data export plus email request. |
| §12 — Right to correction & erasure | Profile editor and account-deletion flow. |
| §13 — Grievance redressal | Grievance Officer at grievance@doodlesave.co, 30-day response window. |
| §14 — Right to nominate | Available by written request to the Grievance Officer. |
Security controls
- Passwords hashed with bcrypt by our authentication provider. Never stored in plain text and never written to logs.
- HTTPS / TLS only for all client-server traffic. We do not accept plain HTTP.
- Row-level security on every database table; cross-country reads return zero rows.
- Append-only audit log — update and delete are revoked at the database level, so the log cannot be rewritten even by a compromised admin role.
- MFA required for administrative access, with step-up MFA for sensitive actions (account freezes, bulk operations, privacy disclosures).
- Least-privilege scopes for any third-party integration. Service-role credentials are restricted to server-side files with a runtime guard against accidental client-side use.
- Idle session timeout in the admin portal; optional IP allowlist.
- Email masking in the admin portal by default; un-masking requires a typed reason that is logged.
- Breach-detection views over the audit log for failed sign-ins and bulk-export anomalies.
Retention
| Data | Retention |
|---|---|
| Account & subscription data | Kept while the account is active. |
| Affiliate-click logs | 13 months. |
| Audit log | 24 months. |
| Soft-deleted accounts | 30 days, then hard delete. |
| Backups | Rotated within 35 days. |
| Required tax / transaction records | Held for the minimum period required by law, with personal identifiers stripped. |
Breach response
- Detect: automated alerts on suspicious sign-in clusters and unusual export volume.
- Contain: rotate credentials, isolate affected components, revoke compromised sessions.
- Assess: use the append-only audit log to determine scope, data categories affected, and likelihood of harm.
- Notify:
- India residents and the Data Protection Board within 72 hours (DPDP §8(6)).
- Canadian residents and the Office of the Privacy Commissioner of Canada as soon as feasible where the breach poses a real risk of significant harm (PIPEDA s. 10.1).
- Quebec residents and the Commission d’accès à l’information where required (Law 25).
- Record: retain the incident record for at least 24 months (PIPEDA s. 10.3).
Sub-processors
The following providers process personal data on our behalf. All are under contractual privacy obligations and use the minimum data necessary to operate.
| Provider | Purpose | Region |
|---|---|---|
| Supabase Inc. | Database, authentication, file storage, serverless functions | Canada Central (ca-central-1) |
| Universe, Inc. (Expo) | Push-notification delivery | United States |
| Netlify Inc. | Marketing website hosting | Global CDN |
| Anthropic / model providers | AI-assisted catalog and price work; not used on personal data | United States |
| Booking.com, MakeMyTrip, CueLinks, Flipp | Affiliate deal sourcing and click attribution | Various |
Exercising your rights
- Access / download: Settings → Privacy → Download my data in the app, or email the Privacy Officer.
- Correction: edit your profile in the app, or email the Privacy Officer.
- Erasure: Settings → Privacy → Delete my account in the app, or doodlesave.co/delete-account.
- Withdraw consent to marketing or analytics at any time in Settings → Privacy.
- Grievance (India): email grievance@doodlesave.co; we respond within 30 days.
If you are not satisfied with our response, you may complain to your data-protection regulator: the Office of the Privacy Commissioner of Canada, the Commission d’accès à l’information du Québec, or the Data Protection Board of India.