Transparency

We audited our own claims. Here is what we found and fixed.

Why this page exists

A privacy product only works if every public statement about it is verifiably true. In June 2026 we reviewed every privacy and security sentence on this site against the actual codebase. Some statements did not hold up. We corrected them, and we are publishing the findings here. This page is maintained alongside the code; when the architecture changes, this page changes in the same release.

Claims we could not back, and what we did

1. "Magic link only. We never store passwords."

Not true. Sign-in moved from email links to email + password some time ago, and the marketing copy was never updated. Passwords were always stored correctly — only as bcrypt hashes, which are one-way and cannot be reversed — but the claim itself was false.

Fixed. Every page now describes the real flow: email + password, bcrypt-hashed, with signed session tokens you revoke by signing out.

2. "All of it encrypted."

Misleading. Phrasing like this implies end-to-end encryption, where not even we could read your messages. That is not how this product works.

Fixed. What is true, and what we now say: your data is encrypted in transit (TLS) and at rest, and the server checks group membership before returning any group content. We do not claim end-to-end encryption anywhere.

3. "Download everything in one tap."

Not true. There is no self-serve export button in the app today.

Fixed. What exists: account deletion in the app (Profile → Delete account, with confirmation) or by email. The same audit found gaps in deletion itself — they are listed in the data map and hardening sections below. For a copy of your data, email admin@panbuddha.ca and a person sends it. A self-serve export is on the roadmap.

4. "Row-level security at the database level."

Premature. Our privacy policy described database-level row security. Today, access control is enforced in the application layer: every request is authenticated and group content is scoped to members by the server. Database-level row security is part of our in-progress backend migration and the policy should not have claimed it early.

Fixed. The policy now describes the application-layer enforcement that actually runs. When database-level row security ships, we will say so here.

We also replaced a member count ("42 families") with founding-cohort wording. We will not publish numbers we cannot audit at the moment you read them.

The data map

Everything we store, in plain English. Nothing is collected beyond this list.

Account: Your email and a bcrypt hash of your password. Never the password itself.
Profile: Your name, family name, neighbourhood, profile photo, family banner photo.
Family members: First names, ages, and optional photos of the family members you add. Entered by you, editable and removable by you at any time.
Activity data: Events, RSVPs and comments, polls and votes, post-event reviews, group chat messages.
Sensitive extras (optional): Emergency phone number and home location. Stored as you enter them; another member sees them only after you approve their request, and home location is shown only as an approximate area.
Notifications: Push subscription tokens for your device, so reminders can reach you.
Billing: If you subscribe or join a group money pool, your plan, renewal date, and Stripe payment references. Card numbers never touch our server — Stripe holds those.
Public event signups: If you fill in a public event signup page (for example a potluck signup), the details you enter there — names, what you're bringing, allergy notes — appear on that event's public page to anyone with the link. Treat that form like a poster, not a private profile.

Where it lives, who can see it

Where is it stored?
A PostgreSQL database and file storage hosted on Railway (cloud infrastructure). Traffic is encrypted in transit (TLS); encryption at rest is provided by the hosting platform.

Who can see group content?
Signed-in members. The server checks membership before returning events, chat, polls or member lists — it is not a client-side setting. One deliberate exception: public event signup pages (like a potluck signup) are public to anyone with the link, and say so.

Who can see photos?
Photo files are stored on our server and served at unguessable random addresses (64-bit random file names). Only members-only pages link to them; they are not listed anywhere public or indexable. Per-file membership checks are on our hardening roadmap.

Which third parties touch any data?
Brevo (transactional email — your email address). Expo and the Apple / Google push services (push tokens and notification content). Stripe (payments — your email and payment references; card numbers never touch our server). OpenStreetMap Nominatim (venue address lookup — the address text being searched). Jitsi / 8x8 (live video rooms — your display name plus the live audio and video). Supabase (authentication migration in progress — account emails and password hashes). Anthropic's Claude (activity discovery — a fixed search brief of activity categories and an age range; never your name, your kids' names, or any group content).

Ads, trackers, analytics SDKs?
None. No ad networks, no tracking pixels, no third-party analytics. Revenue comes from subscriptions and a small service fee on group money pools — never from data.

How do I delete everything?
Profile → Delete account (confirmed, irreversible), or email admin@panbuddha.ca and we do it for you. Database records are deleted right away. Our June 2026 audit found three gaps: the website's delete button did not send the required confirmation (now fixed), uploaded photo files were not purged with the account, and deletion could fail for members who had created groups or events. Until the remaining two fixes ship, email deletion is the guaranteed path.

What we are hardening next

In progress, stated plainly so you can hold us to it: database-level row security as part of our backend migration; membership checks on individual photo files; purging uploaded photo files when an account is deleted; fixing account deletion for members who created groups or events; scoping the members' directory to shared groups; self-serve password reset; and self-serve data export. Each will be announced here when it ships — not before.

Questions about anything on this page: admin@panbuddha.ca. Full legal detail: Privacy Policy.