Legal

Privacy Policy

Last updated 30 May 2026

The G20 Cultural Heritage Entrepreneurs Alliance (“G20 CHEA”, “we”, “us”) is registered in Canada, with its registered office in Ontario. Because our membership spans G20 nations, this policy is written to satisfy both the Personal Information Protection and Electronic Documents Act (PIPEDA) for Canadian residents and the EU General Data Protection Regulation (GDPR) for residents of the European Economic Area and the United Kingdom.

1. Who is the data controller

The data controller is the G20 Cultural Heritage Entrepreneurs Alliance, registered in Canada with its registered office in Ontario. For any privacy-related question or to exercise the rights described below, contact us at admin@g20chea.com.

2. What data we collect

The personal data we hold falls into the following categories:

  • Account data — name, email address, country, organisation, biography, and avatar, provided when you join the Alliance or update your profile.
  • Authentication data — managed by Supabase Auth, including hashed credentials and magic-link tokens.
  • Membership and payment data — membership status, country, and Stripe customer reference. Payment card details are handled directly by Stripe; we never see or store them.
  • Communications — messages you send through our contact form and transactional emails sent via Resend.
  • Usage data — if you accept analytics cookies, we collect page views, interactions, and approximate location through PostHog. This is disabled by default until you consent.
  • Audit data — for administrative actions, we log who did what and when, to protect the integrity of the platform.

3. How we use your data

  • To operate the platform: authenticate you, manage your membership, process payments, and provide member-only resources.
  • To communicate with you about your account, your membership, and the activities of the Alliance.
  • To improve the platform — only with your consent — through aggregated analytics.
  • To meet our legal obligations under Canadian law, including financial record-keeping.

For residents of the EEA and UK, processing is based on the following GDPR Article 6 grounds:

  • Contract — processing necessary to provide membership and platform services.
  • Consent — analytics cookies and marketing communications. You can withdraw consent at any time.
  • Legal obligation — financial and tax record-keeping under Canadian law.
  • Legitimate interest — security, fraud prevention, and audit logging.

For residents of Canada, processing is based on your knowledge and consent (express or implied) under PIPEDA, except where the law permits or requires processing without consent.

5. Cookies

We use a small number of cookies. Essential cookies are required for the site to work — they keep you logged in and allow secure checkout. Analytics cookies (PostHog) are only set after you click Accept in our cookie banner. You can change your choice at any time using the Cookie Settings link in the site footer, or the button below.

6. Sharing your data

We do not sell personal data. We share it only with the processors that operate the platform:

  • Supabase — authentication, database, and file storage.
  • Stripe — payment processing.
  • Resend — transactional email delivery.
  • PostHog — product analytics (only with your consent).
  • Netlify — website hosting and content delivery.
  • Wise — international bank transfers and payouts, where we send or receive funds (for example, reimbursements or payments to contributors).

Several of these processors store or process data outside Canada (typically in the United States or European Union). We rely on contractual safeguards comparable to PIPEDA’s requirements, including the EU Standard Contractual Clauses where relevant. Personal data transferred to processors outside your country may be subject to lawful access requests by foreign authorities.

7. How long we keep your data

We keep account and membership data for as long as your account is active, and for the period required by Canadian law afterwards (typically six years for financial records under the Income Tax Act). Audit logs are retained for security and accountability.

When you delete your account (see “Your rights” below), we hold it for a 30-day grace period during which you can cancel and restore it. After the grace period we permanently delete your profile, content, uploaded files, and authentication record, and cancel any active membership. Two categories are handled differently:

  • Financial and membership records (payments, invoices, receipts) are retained for the period Canadian law requires, then deleted.
  • Security audit logs are retained for accountability, but your identifying details in them are anonymised so the record of an action survives without naming you.

8. Your rights

You have the right to:

  • access the personal data we hold about you;
  • correct inaccurate or incomplete data;
  • request deletion of your data, subject to legal limits;
  • restrict or object to certain types of processing (EEA/UK residents);
  • receive your data in a portable format (EEA/UK residents);
  • withdraw consent at any time;
  • lodge a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca), or, if you reside in the EEA or UK, with your local data protection authority.

Members can exercise the first three of these rights directly from the dashboard, under Security & account → Your data:

  • Export your data. We assemble a copy of the personal data we hold about you as a downloadable archive (JSON and CSV) and email you a secure link, valid for 7 days. The link is private to you — anyone who has it can download the file, so don’t share it.
  • Delete your account. You can schedule deletion yourself; it takes effect after the 30-day grace period described in “How long we keep your data” above, and you can cancel at any point during that window.

To exercise any other right, or if you need help, email admin@g20chea.com.

9. Security

We use industry-standard measures to protect your data, including encryption in transit, role-based access, and audit logging of sensitive administrative actions. No system is perfectly secure, but we work continuously to reduce risk.

10. Changes to this policy

We may update this policy from time to time. The “last updated” date at the top reflects the most recent revision. Material changes will be communicated to members by email.

Questions about this policy? Visit our contact page or email admin@g20chea.com.