Privacy Policy

How we collect, use, disclose, and protect your personal information under PIPEDA and Canadian law.

Last updated: April 24, 2026
Jurisdiction: Ontario, Canada (PIPEDA)
Applies to: qcsc.ca & Members Area

1. Who We Are

The Queer & Creative Social Club ("QCSC", "we", "us", "our") is a not-for-profit social club operated by Queer Niagara, based in Niagara-on-the-Lake, Ontario, Canada. We operate the website at qcsc.ca and the Members Area at qcsc.ca/members.

We are subject to the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 ("PIPEDA"), which governs the collection, use, and disclosure of personal information in the course of commercial activities. This Privacy Policy explains how we handle your personal information and describes your rights under Canadian privacy law.

This policy applies to all visitors, applicants, and members of the QCSC. By using our website or becoming a member, you acknowledge you have read and understood this policy.

Our commitment: We collect only the personal information we need to operate the club, we never sell or rent your information, and we handle every member's data with the care and discretion our community deserves.

2. Personal Information We Collect

We collect personal information only for the specific, identified purposes set out in Section 3, and only to the extent necessary to fulfil those purposes. Where reasonably practicable, we collect information directly from you.

Information you provide directly

  • Your name (first and last) and email address when you apply for membership or create an account
  • A password, which we store as a one-way cryptographic hash (bcrypt) — we cannot retrieve it
  • Your preferred display name and profile colour
  • Stay request details: requested check-in and check-out dates, accommodation preferences, guest count, and any notes you provide
  • Event RSVPs and messages you post in community groups
  • Messages sent through the stay chat or contact forms
  • Contact information you voluntarily choose to share with other members (email address, phone number, social media links) — controlled entirely by your account privacy settings

Information collected automatically during use

  • Login timestamps and session tokens required to keep you securely signed in
  • IP address at the time of login or account creation, used solely for security and fraud prevention
  • General browser type and device category from server access logs (not used to track or profile you individually)

Information received from third parties

  • Payment status and receipt reference from Stripe when you pay an invoice — we never receive, process, or store your card number, CVV, expiry date, or any other payment card details

3. Purposes for Collection and Use

Under PIPEDA Principle 2 (Identifying Purposes), we are required to identify the purposes for collecting personal information before or at the time of collection. We collect, use, and disclose personal information only for the following purposes:

  • Membership administration — processing applications, issuing registration codes, and managing your member account and profile
  • Stay bookings — reviewing, confirming, and coordinating overnight stay requests and maintaining associated records
  • Event management — recording RSVPs, sending event reminders and confirmations, and managing attendance
  • Billing and invoicing — generating and delivering invoices, processing payments through Stripe, and maintaining financial records as required by law
  • Transactional communications — sending booking confirmations, invoices, password-reset links, security alerts, and other communications that are necessary for the operation of your membership; we do not send unsolicited commercial electronic messages
  • Member networking — facilitating voluntary, opt-in contact exchanges between members where you have explicitly initiated or accepted a connection
  • Security and fraud prevention — detecting and preventing unauthorised access, fraud, and other misuse of the platform
  • Legal compliance — meeting our obligations under PIPEDA, the Income Tax Act (Canada), and other applicable legislation

We do not use your personal information for advertising, behavioural or demographic profiling, automated decision-making, or any purpose beyond the operation of the QCSC.

If we wish to use your personal information for a new purpose that was not identified at the time of collection, we will seek your consent before doing so.

4. Consent

Under PIPEDA, consent is the cornerstone of the framework governing personal information. Subject to limited exceptions prescribed by law, we require your consent to collect, use, or disclose your personal information.

How we obtain consent

  • Express consent — by completing the membership application and agreeing to this Privacy Policy, you expressly consent to the collection, use, and disclosure of your personal information for the purposes set out in Section 3
  • Implied consent — for purposes that are obvious and consistent with your relationship with us, such as sending you a confirmation of a booking you initiated

Withdrawing consent

You may withdraw your consent at any time, subject to legal or contractual restrictions and reasonable notice to us. Note that withdrawing consent for essential purposes — such as processing billing or maintaining your member account — may mean we can no longer provide membership services. To withdraw consent or close your account, use the self-serve account deletion tool in your account settings, or contact our Privacy Contact at the details in Section 12.

Note: Membership is open to adults only. We do not knowingly collect personal information from individuals under 18 years of age.

5. Disclosure of Personal Information

We do not sell, rent, trade, or otherwise disclose your personal information to third parties, except in the following limited circumstances. Any service provider to whom we disclose personal information is contractually required to protect it and use it only for the specific purpose of providing services to us.

  • Stripe, Inc. — our payment processor. When you pay an invoice, you transact directly with Stripe through their PCI-DSS-compliant checkout. We receive only a payment confirmation and a receipt reference; we never see your full card number or payment credentials. Stripe may process data outside Canada; their privacy practices are governed by their privacy policy at stripe.com/privacy.
  • Transactional email delivery — we use an SMTP service to send emails that you have requested or that are required for your membership. Your email address and message content are shared with our email provider solely to deliver the message.
  • Member-to-member contact exchange — only where you have voluntarily initiated a contact exchange through the Members Platform. You control precisely which contact details are visible to other members through your account privacy settings, and you may disconnect at any time.
  • Legal requirement or public safety — if required to do so by applicable law, court order, or governmental authority, or where we reasonably believe disclosure is necessary to protect the safety, rights, or property of our members or the public.

We do not transfer personal information outside Canada except where Stripe's payment infrastructure requires it. In such cases, appropriate contractual data-transfer safeguards are in place.

6. Retention & Disposal

Under PIPEDA Principle 5 (Limiting Use, Disclosure, and Retention), we retain personal information only as long as is necessary to fulfil the purposes for which it was collected, or as required by applicable law. When personal information is no longer needed, we securely destroy, erase, or anonymise it.

  • Active member accounts — retained for the duration of your membership, plus a 90-day period after account closure to resolve outstanding matters or disputes
  • Invoices and financial records — 7 years from the date of the transaction, as required by the Income Tax Act (Canada) and applicable accounting standards
  • Stay request records and chat messages — 2 years after the relevant stay date, after which records are anonymised or deleted
  • Account deletion requests — personal data is anonymised or permanently deleted within 30 days of a verified deletion request, subject to the above legal retention obligations (e.g. billing records)
  • Security and access logs — automatically purged after 90 days, unless retained in connection with an active security investigation
  • Login IP addresses — deleted after 12 months or upon account deletion, whichever is earlier

7. Cookies & Session Data

We use only a single, strictly necessary session cookie to keep you securely signed in to the Members Area. This cookie:

  • Contains only a secure, randomly generated session identifier — no personal information whatsoever
  • Is transmitted over HTTPS only (the Secure flag is set)
  • Is not accessible to JavaScript (HttpOnly flag is set)
  • Is deleted automatically when you sign out or your browser session ends

We do not use advertising cookies, tracking pixels, fingerprinting scripts, or any third-party analytics platform (including Google Analytics). Because we use only an essential, functional cookie, no cookie consent banner or opt-out mechanism is required under Canada's Electronic Commerce Protection Act (CASL) or the Telecommunications Act.

8. Safeguards

Under PIPEDA Principle 7 (Safeguards), we protect personal information using security safeguards appropriate to the sensitivity of the information:

  • Passwords are hashed with bcrypt (a one-way adaptive hash) — we cannot recover your password and it is never stored in plain text
  • All data is transmitted using TLS 1.2+ encryption (HTTPS) — unencrypted connections are rejected
  • Database access is restricted to authorised personnel through role-based access controls
  • Two-factor authentication (2FA) is available and required for all admin accounts
  • All forms that handle personal data are protected against CSRF (cross-site request forgery) attacks
  • Our hosting infrastructure is located in Canada

Data breach notification: The Breach of Security Safeguards Regulations (in force under PIPEDA since November 1, 2018) require us to notify you and the Office of the Privacy Commissioner of Canada (OPC) as soon as feasible if a breach of security safeguards involving your personal information creates a real risk of significant harm to you. We maintain an internal breach response procedure and a record of all breaches for a minimum of 24 months.

Despite our safeguards, no system is completely secure. If you believe your account has been compromised, please contact us immediately at hello@qcsc.ca.

9. Your Rights Under PIPEDA

Under PIPEDA and applicable Canadian privacy law, you have the following rights in relation to your personal information:

  • Right of access (PIPEDA, s. 8) — you may submit a written request to access the personal information we hold about you. We will respond within 30 days of receiving a complete written request, or provide written notice if an extension is required. We will not charge a fee for reasonable access requests.
  • Right to challenge accuracy (PIPEDA, s. 12) — you may request that we correct, update, or annotate personal information you believe to be inaccurate, incomplete, or outdated.
  • Right to withdraw consent — you may withdraw consent to collection, use, or disclosure at any time, subject to legal or contractual restrictions and reasonable notice (see Section 4).
  • Right to know about disclosures — upon written request, we will identify any third parties to whom we have disclosed your personal information and the purposes for those disclosures.
  • Right to challenge compliance (PIPEDA, s. 11) — you may direct a challenge regarding our compliance with PIPEDA or this Privacy Policy to our Privacy Contact (see Section 12). We will investigate and respond in writing.
  • Right to complain to the OPC — if you are not satisfied with our response to any privacy concern, you may file a complaint with the Office of the Privacy Commissioner of Canada: priv.gc.ca · 1-800-282-1376 (toll-free)

Many account-level actions can be completed directly in your account settings. For requests requiring our direct assistance, use the Privacy Contact details in Section 12.

10. Children's Privacy

The QCSC is an adults-only community. Membership is restricted to individuals who are 18 years of age or older. We do not knowingly solicit or collect personal information from minors under the age of 18.

If we become aware that personal information has been submitted by or about a minor, we will delete it from our systems as promptly as possible. If you believe a minor has submitted information to us, please notify our Privacy Contact immediately using the details in Section 12.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the services we offer, or applicable legal requirements. When we make changes, we will:

  • Update the "Last updated" date at the top of this page
  • Post the revised policy at qcsc.ca/privacy.php
  • Where changes are material, notify active members by email at least 14 days before the revised policy takes effect

Your continued use of the QCSC website or Members Area after the effective date of a revised policy constitutes your acceptance of that policy. If you do not agree with the changes, you may close your account at any time before the changes take effect.

12. Privacy Contact

Under PIPEDA Principle 1 (Accountability), we have designated a Privacy Contact who is responsible for our compliance with PIPEDA and this Privacy Policy. If you have questions, concerns, access requests, correction requests, or wish to challenge our privacy practices, please reach out:

Privacy Contact — The QCSC

Queer Niagara · Niagara-on-the-Lake, Ontario, Canada

We aim to acknowledge all privacy inquiries within 5 business days and to respond fully within 10 business days. For formal access requests under PIPEDA s. 8, we will respond within 30 days of receiving a complete written request, or provide written notice of any required extension (maximum 30 additional days).