Infaque

Privacy Policy

Last updated: July 16, 2026  ·  Version 2.0

This Privacy Policy describes how Infāque Social Enterprise Inc. (“Infāque”, “we”, “our”, or “us”) collects, uses, discloses, and safeguards personal information in connection with the Infāque platform and related services (the “Service”). It applies to information we collect from and about (a) representatives of nonprofit organizations that subscribe to the Service (“Customers”), (b) donors who make donations through the Service, and (c) visitors to infaque.com.

This Privacy Policy is incorporated into our Terms of Service. Capitalized terms not defined here have the meanings given in the Terms of Service.

1. Our Roles: Controller and Processor

Under Canadian and international privacy law, an organization that determines the purposes and means of processing personal information is a “controller” (or, under Canadian law, the “accountable organization”). An organization that processes personal information on behalf of and under the instructions of another is a “processor” (or “service provider”).

Infāque acts in two distinct roles under this Policy:

  • Controller (accountable organization) — for information we collect directly from Customer representatives, website visitors, and prospective customers (for example, when you register for an account, contact support, or visit infaque.com). We determine how this information is used.
  • Processor (service provider) — for information that Customers collect from their donors and supporters through the Service (donor records, donation transactions, campaign interactions). The Customer is the controller of this donor information; Infāque processes it on the Customer's behalf under the Customer's instructions and in accordance with the Terms of Service and this Policy.

Where Infāque is a processor, donors with questions or requests regarding their information should contact the Customer (the nonprofit) directly. Infāque will support Customers in responding to donor requests in accordance with applicable law.

2. Information We Collect

2.1 Information Customers provide

  • Account information: name, email address, phone number, role, and organizational details of Customer representatives who register for an account.
  • Billing information: billing contact, billing address, and the last four digits and expiry of the payment method on file. We do not receive or store full payment card numbers; these are collected directly by our payment processor (Stripe) using embedded fields that transmit card data directly to Stripe.
  • Onboarding data: information Customers enter or import during self-serve account setup, including donor records and organizational data migrated from prior systems.
  • Support communications: information Customers share when contacting our support, sales, or compliance teams.

2.2 Information donors provide to Customers through the Service

  • Donor contact information: name, email address, mailing address, and phone number as entered on donation forms.
  • Donation information: amount, campaign, frequency (one-time or recurring), designation, and any message from the donor.
  • Payment information: collected directly by our payment processors (Stripe, PayPal, Interac); Infāque does not receive or store full payment card or bank account numbers.

Infāque processes this donor information as a service provider on behalf of the Customer.

2.3 Information collected automatically

  • Usage data: pages viewed, features used, session duration, referring URL, timestamps, and other diagnostic information.
  • Device and connection data: IP address, browser type and version, device type, operating system, and general geographic location derived from IP address.
  • Cookies and similar technologies: see Section 5.

3. How We Use Information

We use the information described in Section 2 to:

  • Provide, operate, maintain, and improve the Service;
  • Process donations and support Customer billing;
  • Generate tax receipts on behalf of Customers in the format required by the Canada Revenue Agency and the United States Internal Revenue Service;
  • Send transactional emails (donation confirmations, receipts, account notices, security alerts, and service updates);
  • Enable Customers to communicate with their donors through the Service's email tools;
  • Power optional AI-assisted features (see Section 6);
  • Analyze usage in aggregated and de-identified form to improve the Service;
  • Detect, prevent, and address fraud, security incidents, abuse, and technical issues;
  • Comply with our legal, regulatory, tax, and accounting obligations; and
  • Communicate with Customer representatives about their accounts and, with consent, about product news and marketing.

4. Legal Bases and Consent (Canada, Quebec, and International)

4.1 Canada (PIPEDA). Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), we rely on your knowledge and consent (express or implied, as appropriate to the sensitivity and context) to collect, use, and disclose personal information. You may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. Withdrawing consent may limit our ability to provide the Service.

4.2 Quebec (Law 25). If you reside in Quebec, additional rights and obligations apply under An Act respecting the protection of personal information in the private sector (Law 25), including rights of access, rectification, portability, cessation of dissemination, and de-indexation, and rights related to automated decision-making. Our Privacy Officer is responsible for compliance and can be contacted at privacy@infaque.com.

4.3 United States. Where US state privacy laws apply (including California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and others), we honour applicable rights of access, correction, deletion, portability, and to opt out of “sales” or “sharing” for cross-context behavioural advertising. Infāque does not sell personal information for monetary consideration. Where you have the right to opt out of sharing for behavioural advertising, you may do so by disabling marketing cookies in our cookie preferences or by writing to privacy@infaque.com.

4.4 Other jurisdictions. Where other privacy laws apply to you or to the personal information we process, we will comply with those laws to the extent they apply to us.

5. Cookies and Similar Technologies

We use cookies and similar technologies on infaque.com and within the Service. These fall into three categories:

  • Strictly necessary: required for authentication, session management, security, and load balancing. These cannot be disabled through cookie preferences without breaking the Service.
  • Analytics: help us understand aggregate usage of infaque.com and the Service (currently Google Analytics).
  • Marketing and attribution: used to measure the effectiveness of our marketing and, for Customer-embedded donation forms where the Customer has enabled it, to support conversion tracking (Meta Conversions API, UTM tracking).

Where required by law (including in Quebec and other jurisdictions requiring affirmative consent), analytics and marketing cookies will be set only after you provide consent through our cookie preferences banner. You may change your preferences at any time through the “Cookie preferences” link in the footer of infaque.com.

6. AI-Assisted Features

The Service includes optional AI-assisted features (donor segmentation, email drafting suggestions, and campaign insights). To power these features, we send limited data to third-party AI service providers under contractual terms that:

  • Prohibit the use of Customer or donor data to train, fine-tune, or improve the AI provider's models;
  • Require the deletion of inputs and outputs after the processing session, except as required for abuse monitoring and legal compliance;
  • Restrict use of the data to providing the requested processing to Infāque.

The specific data sent to AI providers depends on the feature. We minimize personal identifiers in AI prompts and rely on aggregated or transactional signals where feasible. For features involving donor-directed content (such as email drafting), donor-identifying fields may be included in the prompt so the AI can personalize the draft; drafts are generated for Customer review and are not sent to donors until the Customer approves them.

AI features involving automated donor segmentation constitute automated processing. AI-generated segmentation does not, by itself, make decisions with legal or similarly significant effects on donors; segmentation output is a recommendation to the Customer, and the Customer decides what actions to take. Donors who wish to exercise rights regarding automated processing should contact the Customer (the nonprofit) directly.

Our current list of AI service providers is available on our Subprocessors page at infaque.com/subprocessors.

7. Third-Party Service Providers (Subprocessors)

We use third-party service providers to operate the Service. Each subprocessor is bound by contractual obligations that require them to process personal information only as instructed by Infāque and to implement appropriate security safeguards.

Our current subprocessors include payment processors (Stripe, PayPal, Interac), cloud infrastructure (Google Cloud Platform, Firebase), analytics (Google Analytics), attribution and marketing (Meta Conversions API), transactional and marketing email, error monitoring, customer support tooling, and AI service providers.

A current, versioned list of all subprocessors, including their processing purpose and location, is available at infaque.com/subprocessors. Customers may subscribe to change notifications at that page. We will give at least thirty (30) days' notice of new subprocessors that will process donor personal information, during which Customers may object; if an objection cannot be reasonably resolved, the Customer may terminate under the Terms of Service.

We do not sell, rent, or share personal information with third parties for their independent marketing purposes.

8. Cross-Border Data Transfers

Infāque is based in Canada. Personal information collected by us is processed in Canada and the United States, and may be processed in other jurisdictions where our subprocessors operate. When personal information is transferred outside Canada:

  • It may become subject to the laws of the destination country, including lawful access by law enforcement and government authorities in those countries;
  • We remain accountable under Canadian law for the protection of that personal information and require our subprocessors, by contract, to provide a comparable level of protection;
  • For transfers of personal information subject to Quebec's Law 25 outside Quebec, we conduct privacy impact assessments as required by Law 25.

The Subprocessors page identifies where each subprocessor processes personal information. If you have concerns about cross-border transfer of your personal information, contact us at privacy@infaque.com.

9. Data Retention

We retain personal information only for as long as necessary to fulfill the purposes described in this Policy, to comply with our legal, tax, and accounting obligations, and to resolve disputes and enforce our agreements.

  • Customer account data: retained for the duration of the subscription plus 90 days following the end of the paid billing period (the export window).
  • Donor and transaction records processed on behalf of a Customer: retained for the duration of the Customer's subscription plus 90 days following the end of the paid billing period. Customers are responsible for exporting these records within the 90-day window for their own long-term retention (including for CRA and IRS requirements).
  • Backups: residual copies of deleted data in encrypted backup systems are overwritten in the normal course of backup rotation within 60 days after deletion from active systems.
  • Billing and accounting records: retained by Infāque for the periods required by Canadian and applicable US tax and corporate laws (typically 6–7 years) as records of Infāque's own business.
  • Usage and diagnostic logs: retained for up to 13 months, then deleted or aggregated.
  • Support communications: retained for up to 24 months from the date of last contact.
  • Marketing preferences and unsubscribe records: retained as long as necessary to honour your preferences.

After the applicable retention period, we delete or irreversibly de-identify personal information.

10. Security

We implement technical and organizational safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. These safeguards include:

  • Encryption of data in transit using industry-standard TLS;
  • Encryption of data at rest on our cloud infrastructure (Google Cloud Platform, Firebase);
  • Payment card data processed exclusively by PCI-DSS compliant payment processors, with card data transmitted directly to the processor and not stored by Infāque;
  • Access controls limiting personal information to authorized personnel with a need to know;
  • Multi-factor authentication for administrative access;
  • Logging and monitoring of access to production systems;
  • Regular review and update of security practices.

No security measure is perfect. If you believe you have discovered a security vulnerability, please contact us at security@infaque.com.

11. Breach Notification

If Infāque determines that a breach of security safeguards affecting personal information under our control creates a real risk of significant harm to individuals (as those terms are used in PIPEDA), we will:

  • Notify the Office of the Privacy Commissioner of Canada and other applicable regulators as required by law;
  • Notify affected individuals as soon as feasible where required by law;
  • Notify affected Customers (nonprofit organizations) without undue delay, and in any event within 72 hours of confirming the breach, so they can meet their own notification obligations to their donors;
  • Maintain records of breaches as required by PIPEDA.

12. Your Rights

Depending on your jurisdiction and your relationship with Infāque, you may have the following rights:

  • Access: request a copy of the personal information we hold about you.
  • Correction/rectification: request correction of inaccurate or incomplete information.
  • Deletion/erasure: request deletion of your personal information, subject to legal retention requirements.
  • Portability: request a machine-readable copy of your personal information.
  • Withdrawal of consent: withdraw consent to processing where consent is the legal basis.
  • Objection: object to certain processing, including for direct marketing.
  • Automated decision-making (Quebec): request information about automated decisions that produce legal or similarly significant effects on you and request human review.
  • Opt-out of marketing: unsubscribe from marketing communications using the link in our emails or by writing to privacy@infaque.com.

To exercise any of these rights, email privacy@infaque.com. We will respond within thirty (30) days. We may need to verify your identity before responding to certain requests. If you are a donor of a nonprofit that uses Infāque, please contact the nonprofit directly for requests regarding donor information they collected through the Service.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca), the Commission d'accès à l'information du Québec (cai.gouv.qc.ca) if you reside in Quebec, or the applicable regulator in your jurisdiction.

13. Marketing Communications and Anti-Spam Compliance

Marketing communications from Infāque (as opposed to transactional service messages) are sent only with consent. Every marketing email includes an unsubscribe link. Infāque complies with Canada's Anti-Spam Legislation (CASL) and the US CAN-SPAM Act for our own communications.

When Customers use the Service to send email to their donors and supporters, the Customer is the sender of those messages and is responsible for compliance with CASL, CAN-SPAM, and other applicable law. Infāque provides tools to support Customer compliance (including unsubscribe links and consent tracking), but the Customer remains the accountable party for their own communications.

14. Minors

The Service is intended for use by nonprofit organizations and their donors, not by children. Infāque does not knowingly collect personal information directly from individuals under the age of 16 (or the applicable age of majority in their jurisdiction, whichever is higher). If we learn that we have collected personal information from a minor without appropriate consent, we will delete it. If you believe a minor has provided personal information to us, contact privacy@infaque.com.

15. Business Transitions

If Infāque is involved in a merger, acquisition, financing, reorganization, sale of assets, or bankruptcy, personal information may be transferred as part of that transaction. Any successor entity will be bound by this Privacy Policy (or a policy providing at least equivalent protection) with respect to your personal information, and we will notify you of any material change to how your personal information is handled.

16. Third-Party Links and Services

The Service and infaque.com may contain links to third-party websites or services. This Privacy Policy does not apply to those third parties. We encourage you to review the privacy policies of any third parties before providing personal information to them.

17. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, our subprocessors, or applicable law. Material changes will be communicated by email to Customer administrators and by notice on infaque.com at least thirty (30) days before they take effect. The “Last updated” and “Version” at the top reflect the effective date of the current version. Prior versions are available on request.

18. Privacy Officer and Contact

Infāque has designated a Privacy Officer accountable for compliance with this Privacy Policy and applicable privacy law.

  • Privacy Officer: Fahad Qureshi
  • Email: privacy@infaque.com
  • Mail: Infāque Social Enterprise Inc., Attn: Privacy Officer, 700 - 305 Milner Avenue, Toronto, ON M1B 3V4, Canada

For general questions, contact support@infaque.com. To report a security concern, contact security@infaque.com.