Hatchling

Privacy Policy

Last updated: March 2026

Hatchling.ca is operated in Ontario, Canada and complies with the Personal Information Protection and Electronic Documents Act (PIPEDA).

1. What We Collect

  • Account information: email address, name, and password (stored only as a secure hash, never in plaintext).
  • Provider profile data: display name, care details, availability, rates, photos, and credentials — all voluntarily provided by the provider.
  • Inquiry data: when you send an inquiry, your name, email, and any additional information you provide (such as your child's approximate birth date) are shared with the provider you are contacting.
  • Messages: content of messages sent between parents and providers through our platform.
  • Reviews: review text, rating, and whether you would recommend the provider.
  • Location data: postal code and address (for providers); approximate search location (for parents).
  • Usage data: pages visited, search queries, and basic analytics.

2. Children's Information

When you submit an inquiry to a childcare provider, you may provide your child's approximate birth date. This information is:

  • Shared only with the specific provider you contact.
  • Used solely to help the provider assess age-group compatibility.
  • Never displayed publicly or shared with third parties.

You may provide an approximate date if you prefer not to share the exact birth date.

3. What Is Public vs. Private

  • Public: provider display name, care type, credentials, availability, rates, photos, neighbourhood, and reviews.
  • Public (approximate): provider location on the map is jittered (randomly offset) — exact addresses are never shown publicly.
  • Private: provider exact address, parent email, messages between users, and account passwords.
  • Private: parent names and email addresses are never displayed publicly.

4. How We Use Your Data

  • To operate the directory and messaging platform.
  • To display provider listings in search results.
  • To send you service-related communications (e.g., messages from parents/providers).
  • To enforce our Terms of Service and Content Policy.

5. Data Sharing & Third Parties

  • We do not sell your personal data.
  • Inquiry forms: when you submit an inquiry, your name and email are shared with the provider so they can respond. You consent to this when sending a message.
  • Service providers: we use third-party services to operate the platform, including email delivery (Postmark), hosting (AWS), error monitoring (Sentry, with PII disabled), and address geocoding (Google Maps, using postal codes only when possible).
  • Cross-border transfers: your data may be processed outside Canada, including in the United States, by our service providers (Amazon Web Services, Postmark by ActiveCampaign, Sentry, Google Maps Platform). These providers maintain appropriate safeguards through their published data processing agreements and security certifications. Data stored with these providers may be subject to lawful access requests by foreign governments under applicable laws.
  • Legal requirements: we may disclose data if required by law or to protect the safety of our users.

6. Data Retention & Deletion

  • Account data is retained while your account is active.
  • Deleted content (listings, reviews, photos) is soft-deleted and permanently removed after 14 days.
  • You may request deletion of your account and all associated data from your account settings page. Deletion takes effect within 30 days, during which you may cancel the request by logging in.
  • After the 30-day grace period, your data is permanently and irreversibly deleted.
  • Retention schedule: active accounts are retained while in use; soft-deleted photos are permanently removed after 14 days; deleted accounts are permanently removed after 30 days; audit logs are retained for 7 years for regulatory compliance; breach incident records are retained permanently as legal evidence.

7. Breach Notification

In the event of a data breach involving your personal information, we will assess the risk of significant harm and, if applicable, notify you as soon as feasible and report the breach to the Office of the Privacy Commissioner of Canada, in accordance with PIPEDA requirements.

8. Your Rights Under PIPEDA

Under Canadian privacy law, you have the right to:

  • Access: request a copy of all personal data we hold about you. You can export your data from your account settings, or by contacting support@hatchling.ca. We will respond within 30 calendar days.
  • Correction: update or correct your profile information at any time.
  • Deletion: request deletion of your account and associated data from your account settings, or by contacting support@hatchling.ca.
  • Withdraw consent: you may close your account at any time, which withdraws your consent for us to process your data. You may also withdraw consent for specific features by ceasing their use (e.g., not sending further inquiries).

9. Security

  • Passwords are hashed using industry-standard BCrypt.
  • All data is transmitted over HTTPS (TLS encryption).
  • Authentication uses short-lived JWTs (15 minutes) with secure refresh token rotation.
  • Sensitive data is redacted from application logs.
  • Rate limiting protects against automated abuse.

10. Contact

Privacy questions, data access requests, or complaints? Email support@hatchling.ca. You may also file a complaint with the Office of the Privacy Commissioner of Canada.