Privacy Policy

Effective date: April 24, 2026 · Jurisdiction: Ontario, Canada

OhTrivia ("we," "us," or "our") is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard personal information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA, S.C. 2000, c. 5) and its ten Fair Information Principles, the Consumer Protection Act, 2002 (Ontario), and, where applicable, the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679).

By using OhTrivia, you consent to the practices described in this Privacy Policy.

1. Accountability (PIPEDA Principle 1)

OhTrivia is responsible for all personal information under its control. We have designated a Privacy Officer who is accountable for our compliance with PIPEDA and this Privacy Policy.

Privacy Officer
Email: privacy@ohtrivia.com
Province of Ontario, Canada

We require all third parties who process personal information on our behalf to adhere to comparable privacy standards through contractual obligations.

2. What Personal Information We Collect (PIPEDA Principle 4)

We collect only the personal information that is necessary for the purposes identified below. Depending on how you use OhTrivia, we may collect:

Information You Provide Directly

  • Account registration: email address, display name, organisation name;
  • Profile information: first name, last name (optional);
  • Payment information: billing address, payment card details (processed securely by our payment processor, Stripe; we do not store full card numbers);
  • Communications: messages you send us via email or support channels;
  • User Content: trivia questions, game content, and other materials you create on the platform.

Information Collected Automatically

  • Usage data: pages visited, features used, games created or joined, timestamps;
  • Device information: browser type and version, operating system, screen resolution;
  • IP address: used for security, abuse prevention, and approximate geolocation (country/province level);
  • Cookies and similar technologies: see Section 10 below.

Information from Third Parties

  • Authentication information from your identity provider (where OAuth/SSO login is used);
  • Payment status updates from our payment processor (Stripe).

We do not collect sensitive personal information such as health data, biometric data, racial or ethnic origin, political opinions, religious beliefs, or criminal history, unless you voluntarily provide it in User Content (which is subject to our Acceptable Use Policy).

3. Identifying Purposes (PIPEDA Principle 2)

We collect and use personal information for the following purposes, identified before or at the time of collection:

  • Account management: to create and manage your account, verify your identity, and provide customer support;
  • Platform operations: to provide, maintain, and improve the OhTrivia service, including hosting trivia games and processing game results;
  • Billing and payments: to process subscription payments and manage billing;
  • Communications: to send you transactional emails (account verification, password resets, billing receipts, security alerts) — these are necessary for the operation of the service and do not require separate consent;
  • Marketing communications: to send you promotional content about OhTrivia — only with your express consent, as required by CASL;
  • Security and abuse prevention: to detect, investigate, and prevent fraudulent, illegal, or harmful activity, including to fulfil our mandatory reporting obligations regarding child sexual abuse material (CSAM) and other illegal content;
  • Analytics and improvement: to understand how users interact with OhTrivia and to improve our features and services;
  • Legal compliance: to comply with applicable laws, respond to lawful requests from authorities, and enforce our Terms of Service.

We will not use your personal information for any new purpose without first identifying that purpose and obtaining your consent, where required.

4. Consent (PIPEDA Principle 3)

We obtain your consent for the collection, use, and disclosure of personal information as follows:

  • Express consent: You provide express consent when you agree to these Terms and Privacy Policy at registration, when you check the marketing opt-in box, or when you expressly agree to a specific use of your information.
  • Implied consent: In some circumstances, consent may be implied — for example, providing your email address to receive a transactional email implies consent to receive that communication.
  • Withdrawal of consent: You may withdraw your consent to non-essential uses of your personal information at any time, subject to legal or contractual restrictions and reasonable notice, by contacting our Privacy Officer. Withdrawal of consent to essential uses (such as account creation) may require account deletion.

Children and consent: We do not knowingly collect personal information from children under 13. Users between 13 and 16 years of age must have verifiable parental consent. If we learn that we have collected personal information from a child under 13 without verifiable parental consent, we will take steps to delete that information promptly.

5. Limiting Use, Disclosure, and Retention (PIPEDA Principle 5)

Disclosure to Third Parties

We may disclose your personal information to:

  • Service providers who process data on our behalf, including:
    • Cloud infrastructure and hosting providers (servers may be located in Canada, the United States, or the European Union);
    • Payment processor: Stripe, Inc. (United States) — subject to their own privacy policy and standard contractual clauses for international transfers;
    • Identity and authentication provider: Keycloak (self-hosted by OhTrivia);
    • Error monitoring: Sentry (United States) — receives limited technical error data;
    • Email delivery provider (for transactional and marketing emails).
  • Law enforcement and regulatory authorities, where required by applicable law, court order, or other legal process, including:
    • The Canadian Centre for Child Protection (cybertip.ca) and law enforcement, where we discover or receive reports of child sexual abuse material (CSAM) — this is a mandatory legal obligation;
    • The Royal Canadian Mounted Police (RCMP) or other authorities, for suspected terrorist content or other serious criminal activity;
    • Any court, regulator, or authority with jurisdiction over OhTrivia.
  • Business transfers: in connection with a merger, acquisition, or sale of all or substantially all of our assets, provided the acquiring party agrees to honour this Privacy Policy or provide you equivalent protection.

We do not sell, rent, or trade your personal information to third parties for their own marketing purposes.

Data Retention

  • Active accounts: we retain personal information for as long as your account is active and as necessary to provide our services.
  • After account deletion: we retain certain information for up to 2 years after account closure for legal, tax, and audit purposes, after which it is securely deleted or anonymised. Game results and analytics data may be retained in anonymised form indefinitely.
  • IP addresses and logs: retained for up to 90 days for security purposes, unless retained longer for active investigations.
  • Financial records: billing records are retained for a minimum of 7 years as required by Canadian tax law.
  • Illegal content reports: records of reports to cybertip.ca or law enforcement are retained indefinitely to support ongoing investigations, as required by law.

6. Accuracy (PIPEDA Principle 6)

We strive to keep personal information accurate, complete, and up to date. You may review and update your personal information at any time through your account settings. If you believe any personal information we hold about you is inaccurate, you may contact our Privacy Officer to request a correction.

7. Safeguards (PIPEDA Principle 7)

We use commercially reasonable technical, administrative, and physical security measures to protect your personal information against loss, theft, and unauthorised access, disclosure, copying, use, or modification, including:

  • Encryption of data in transit using TLS 1.2 or higher;
  • Encryption of sensitive data at rest;
  • Access controls limiting personal information access to authorised personnel with a legitimate business need;
  • Regular security assessments and dependency auditing;
  • Incident response procedures for security breaches.

Data breach notification: In the event of a security breach that poses a real risk of significant harm to you, we will notify you and the Office of the Privacy Commissioner of Canada as soon as feasible, as required under PIPEDA.

No method of transmission over the internet or electronic storage is 100% secure. While we use commercially reasonable efforts to protect your personal information, we cannot guarantee absolute security.

8. Openness (PIPEDA Principle 8)

This Privacy Policy is publicly available at ohtrivia.com/privacy and is linked from our registration page and account settings. We will notify you of any material changes to this Privacy Policy by email and/or by posting a prominent notice on the platform, with at least 14 days' advance notice before material changes take effect.

9. Individual Access (PIPEDA Principle 9)

You have the right to access, correct, and, subject to legal limitations, request deletion of your personal information. To exercise these rights:

  • Access and correction: You may access and update most personal information directly through your account settings. For additional information, contact our Privacy Officer at privacy@ohtrivia.com.
  • Account deletion: You may request deletion of your account and associated personal information through your account settings or by contacting us. We will fulfil your request within 30 days, subject to retention obligations described in Section 5.
  • Data portability: Upon request, we will provide a copy of your personal information in a commonly used, machine-readable format within 30 days.

We will respond to access requests within 30 days. In exceptional circumstances, we may extend this to 60 days with notice. We may charge a reasonable fee for access requests that are excessive or repetitive, after providing notice of the fee. We may deny access requests only in limited circumstances permitted by PIPEDA (e.g., where disclosure would reveal third-party personal information or is prohibited by law).

10. Cookies and Tracking Technologies

OhTrivia uses the following types of cookies and similar technologies:

  • Essential cookies: required for the platform to function, including authentication session cookies. These cannot be disabled without disabling core functionality.
  • Analytics cookies: used to understand how users interact with the platform. We use anonymised analytics and do not share raw analytics data with third-party advertising networks.
  • Error monitoring: we use Sentry for application error tracking. Sentry may receive limited technical data including your IP address in the context of an error report.

You may control cookie preferences through your browser settings. Disabling essential cookies will impair your ability to use OhTrivia.

We do not use tracking cookies for advertising or cross-site tracking purposes.

11. Challenging Compliance (PIPEDA Principle 10)

If you have a complaint or question about our privacy practices, please contact our Privacy Officer at privacy@ohtrivia.com. We will acknowledge receipt of your complaint promptly and respond within 30 days.

If you are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada:

Office of the Privacy Commissioner of Canada
30 Victoria Street, Gatineau, Quebec, K1A 1H3
Toll-free: 1-800-282-1376
www.priv.gc.ca

12. International Data Transfers

OhTrivia may transfer personal information to servers or service providers located outside Canada, including in the United States. Where personal information is transferred outside Canada, it may be subject to the laws of those jurisdictions, including lawful access by foreign governments. We take reasonable contractual steps (such as standard contractual clauses) to ensure adequate protection for any such transfers.

13. Rights of EU/EEA Users (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the GDPR:

  • Right to access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure ("right to be forgotten") (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object to processing (Article 21)
  • Right not to be subject to automated decision-making (Article 22)

Lawful basis for processing: We process your personal information on the following legal bases: (a) contract performance (to provide the service you signed up for); (b) legitimate interests (security, fraud prevention, service improvement); (c) legal obligation (mandatory reporting); and (d) consent (marketing communications).

To exercise your GDPR rights, contact our Privacy Officer at privacy@ohtrivia.com. You also have the right to lodge a complaint with your local data protection supervisory authority.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email and/or by posting a prominent notice on OhTrivia at least 14 days before the changes take effect. Your continued use of OhTrivia after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.

Last updated: April 24, 2026. Document version: 1.0. For privacy inquiries: privacy@ohtrivia.com