Privacy Policy

We do not sell your data. We do not use your data for advertising. We collect only what is necessary to provide the raisin service to you.

1. Introduction and who we are

raisin together ("raisin," "we," "our," or "us") is a childcare discovery and application management service operated by Shikhar Jha, an individual operating under their personal name in Metro Vancouver, British Columbia, Canada.

We built raisin for parents. We are parents ourselves. We understand that the information you share with us — your name, your child's details, your address — is personal and matters deeply. This Privacy Policy explains exactly what information we collect, why we collect it, how we use it, who we share it with, and what rights you have over it.

This policy applies to all information collected through raisintogether.com, the raisin progressive web application, and any related communications including emails sent via our platform.

2. Applicable law

raisin operates in British Columbia, Canada. This Privacy Policy is designed to comply with:

• The Personal Information Protection and Electronic Documents Act (PIPEDA) — Canada's federal private-sector privacy law • British Columbia's Personal Information Protection Act (PIPA) — BC's provincial privacy legislation, substantially similar to and recognised as equivalent to PIPEDA • Canada's Anti-Spam Legislation (CASL) — governing commercial electronic messages sent to or from Canada

If you are accessing raisin from outside Canada, your information will be processed and stored in Canada and in the jurisdictions where our sub-processors operate (see Section 7).

3. Information we collect

We collect information in three ways: information you give us directly, information generated by your use of the service, and information collected automatically.

Account information: First name, middle name (optional), and last name · Email address · Password (stored as a cryptographic hash — never stored in readable form) · Phone number · Home address.

Child profile information: Child's first name, middle name (optional), and last name · Child's date of birth · Gender (optional).

Application and communication data: The daycares you apply to and the dates of those applications · Application status updates · Private notes you add to applications (stored securely; never shared with daycares) · Custom email body text (Sprout and Blossom tier users only) · Reminder and withdrawal email history.

Payment information: Subscription tier (Seed, Sprout, or Blossom). Payment processing is handled entirely by Stripe. raisin does not collect, store, or have access to your credit card number, card expiry, or CVV at any point.

Information collected automatically: Device type and operating system · Browser type and version · IP address (used to determine approximate location; not stored long-term) · Session identifiers · Pages visited and time spent · Referring URL. This information is collected using PostHog (analytics) and Sentry (error tracking).

4. How we use your information

To provide the raisin service — to show you relevant daycares, send application and reminder emails to daycares on your behalf, and maintain your application dashboard.

To send emails on your behalf to daycares — when you apply, send a reminder, or withdraw an application. The reply-to address on every such email is your registered email address. Daycare responses go directly to your inbox. We do not read, store, or intercept those replies.

To communicate with you about your account — transactional emails: welcome messages, application confirmations, reminder notifications, and service updates.

To send marketing communications — only if you have explicitly opted in. You may opt out at any time using the unsubscribe link in any such email.

To improve the service — aggregated, anonymised usage data. Individual parents are not identified in our product analysis.

To process payments — your subscription information is used to determine which features you have access to and to manage billing through Stripe.

To comply with legal obligations — where required by applicable Canadian law.

5. Legal basis for processing

Consent — You have given us consent by creating a raisin account. You may withdraw consent at any time by deleting your account.

Contract — Processing is necessary to perform the service you have contracted with us to provide.

Legitimate interests — We have a legitimate interest in understanding how our service is used and in keeping it secure and functional.

Legal obligation — We may process information where required by Canadian law or a lawful order.

6. How we store and protect your information

Storage — Your personal information is stored in Supabase. All data in transit is encrypted using TLS 1.2 or higher. All data at rest is encrypted using AES-256.

Access controls — We use Row Level Security (RLS) on all database tables — each parent can only access their own data.

Authentication — Passwords are never stored in readable form. Authentication is managed through Supabase Auth using industry-standard cryptographic hashing.

Error tracking — Sentry is configured to scrub names, email addresses, and child information from all error payloads before they leave your device.

Security incidents — In the event of a data breach posing a real risk of significant harm, we will notify affected parents and the Office of the Privacy Commissioner of Canada as required by PIPEDA's breach notification obligations.

7. Sub-processors — who we share your data with

We do not sell your personal information. We do not share it with advertisers, data brokers, or any third party for their own commercial purposes.

We share limited personal information with the following sub-processors solely to provide the raisin service:

Supabase — Database, authentication, and file storage — All account and application data Resend — Email delivery to daycares — Parent name, email, child name and age, preferred start date Stripe — Payment processing and subscription management — Name, email address, subscription tier PostHog — Product analytics and session recording — Anonymised usage events, session data, device information Mapbox — Mapping and geolocation for daycare search — Approximate location (when permission granted) Sentry — Error tracking and application monitoring — Anonymised error payloads (no PII) Vercel — Website and application hosting — IP addresses (standard web server logs)

8. Cookies and tracking technologies

Strictly necessary cookies — Required for the service to function, including your authentication session token. Cannot be disabled without breaking the service.

Analytics cookies — PostHog places cookies to track usage patterns and session behaviour. You may decline these when you first visit raisin or at any time through your browser settings. Declining will not affect your ability to use the service.

We do not use advertising cookies. We do not use third-party tracking cookies for retargeting or behavioural advertising. We never will.

9. Your rights

Right to access — Request a copy of the personal information we hold about you. We will respond within 30 days.

Right to correction — Request correction of inaccurate or incomplete information. Most information can be updated directly in your account settings.

Right to withdraw consent and delete your account — Delete your account at any time from account settings. All personal information will be permanently deleted within 30 days. We will confirm deletion by email.

Right to object to processing — Object to processing based on our legitimate interests. We will cease such processing unless we can demonstrate compelling legitimate grounds.

Right to data portability — Request an export of your personal information in a structured, machine-readable format within 30 days.

Right to lodge a complaint — You may lodge a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca) or the Office of the Information and Privacy Commissioner for British Columbia (oipc.bc.ca).

To exercise any of the above rights, contact us at: hello@raisintogether.com

10. Children's information

raisin collects limited information about children (name, date of birth, gender) solely to generate application emails to daycares on a parent's behalf. This information is collected from parents only — not from children directly. It is used exclusively to personalise application emails, never shared with any third party for any purpose beyond sending emails to specific daycares the parent has chosen, and deleted permanently when a parent deletes their account.

We do not knowingly collect information from individuals under the age of 18 directly.

11. Data retention

Account and profile information — Until account deletion Child profile information — Until account deletion or child profile deletion Application history and notes — Until account deletion Email logs — Until account deletion Payment records — 7 years from transaction date (Canadian tax law) Analytics events (PostHog) — 12 months rolling Error logs (Sentry) — 90 days Server access logs (Vercel) — 30 days

12. Changes to this policy

When we make material changes to this policy, we will notify you by email at least 14 days before the changes take effect and update the effective date at the top of this page. Your continued use of raisin after the effective date constitutes acceptance of the updated policy.

13. Contact us

For any questions, concerns, or requests relating to this Privacy Policy:

Email: hello@raisintogether.com Operator: Shikhar Jha Location: Metro Vancouver, British Columbia, Canada

We will respond to all privacy inquiries within 30 days.