Privacy Policy

Last updated: September 7, 2025

1. Who we are and scope

The University of Guelph Central Student Association (“CSA”, “we”, “us”, “our”) operates the website located at https://csaonline.ca (the “Site”). This Privacy Policy describes how we collect, use, disclose, store, and protect personal information when you visit or interact with the Site, and how you can exercise your privacy rights under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).

This policy applies to information collected through the Site and any pages, forms, or features we host on it. It does not apply to third-party websites, platforms, or services that we link to or embed (see Section 12).

Contact (Privacy): [email protected]

2. What we mean by “personal information”

Personal information” means information about an identifiable individual (e.g., name, email address, IP address, or other identifiers). It does not include anonymized or aggregated information that cannot reasonably be linked back to an individual.

3. Information we collect

A. Information you provide to us

  • Forms: We collect what you submit via forms — for example: petitions, surveys, event registrations, volunteer sign-ups, contact requests, or other submissions. The fields vary by form and may include your name, email, phone number, affiliation, responses to open-ended questions, and any files you attach.
  • Job alerts & recruitment: If you subscribe to job alerts, we collect your email and any preferences you set. If you apply for a job or volunteer opportunity through our recruitment tools, we collect the information you provide (e.g., résumé, cover letter, references).
  • Comments: If you leave a comment, we collect the data shown in the comment form along with your IP address and browser user-agent string to aid spam detection. If you use Gravatar, an anonymized hash of your email may be provided to Gravatar to check if you have a profile; after approval, your profile image may be publicly visible with your comment.
  • Media uploads: If you upload images or files, please remove embedded EXIF GPS or other sensitive metadata. Visitors can download and extract metadata from images posted on the Site.

B. Information collected automatically

  • Device & usage data: When you browse the Site, we automatically collect information such as your IP address, browser type, operating system, referring/exit pages, time stamps, and general interaction data (e.g., which pages you view).
  • Cookies and similar technologies: We use cookies and similar technologies for essential site functions, security, preferences, analytics, and (in the future) e-commerce (see Section 7).

C. Information from service providers and third parties

  • Analytics: We use Google Analytics and Microsoft Clarity to understand how visitors use the Site (e.g., which pages are popular, how users navigate). These services may set their own cookies and collect device/usage information.
  • Security: Our security tools may collect IP addresses, user-agent strings, login timestamps, and similar technical data to prevent abuse, detect fraud, and protect the Site.
  • Email delivery: When the Site sends email (for example, form notifications), metadata required for delivery may be processed by our chosen SMTP/email service.

4. How we use personal information (purposes)

We use personal information to:

  • Provide and improve our services on the Site (forms, petitions, event registration, content publishing, accessibility, and usability).
  • Communicate with you, including responding to inquiries and sending transactional messages (e.g., confirmations).
  • Recruitment and job alerts: Receive and assess applications, schedule interviews, and manage job alerts and related communications.
  • Security and integrity: Monitor, detect, and prevent spam, abuse, fraud, or security incidents; troubleshoot and maintain the Site.
  • Analytics and performance: Understand Site usage, improve content and navigation, and plan new features.
  • E-commerce transactions: Process orders, payments, and deliveries, issue receipts and confirmations, and meet our financial and record-keeping obligations.
  • Legal compliance: Comply with applicable laws and law-enforcement requests, and protect CSA’s rights.

We do not sell your personal information.

Where appropriate, we rely on your consent (express or implied) to collect, use, and disclose personal information for the purposes above. You may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice (see Section 10). We will not use or disclose your information for new, unrelated purposes without getting your consent, unless required or permitted by law.

6. Disclosures and service providers (who we share information with)

We may disclose personal information to:

  • Service providers (“processors”) who support our Site and operations, under appropriate safeguards. These may include:
    • Website hosting: Hosted in Canada; underlying infrastructure currently in Montréal.
    • Analytics: Google Analytics and Microsoft Clarity.
    • Email delivery: SendGrid SMTP email provider.
    • E-commerce: Our online store uses WooCommerce to manage transactions. Payments may be processed through third-party providers such as Stripe, PayPal, or Square. These processors collect and process your payment information directly under their own privacy policies. CSA does not store full payment card details on our servers.
  • Other disclosures required or permitted by law, such as to comply with subpoenas or lawful requests, enforce our rights, or protect visitors and the public.

We do not sell or rent your personal information to third parties.

7. Cookies and similar technologies

Types of cookies we use

  • Strictly necessary / essential: Required for basic Site functions (e.g., login sessions for staff, security).
  • Preferences / functionality: Remember choices like display settings.
  • Analytics / performance: Help us understand and improve Site usage (Google Analytics, Microsoft Clarity).
  • E-commerce & payments: Support cart/checkout functions, fraud prevention, and order processing.

WordPress-related cookies (examples)

  • Comment convenience cookies (if you opt-in) to remember your name/email/website.
  • Session/login cookies for authenticated users (CSA staff).
  • Editor/publishing cookies (e.g., post ID) when creating or editing content.

Your choices

You can control cookies through your browser settings (including blocking or deleting cookies). Blocking some cookies may impact Site functionality. You can opt out of Google Analytics via your browser add-on; you can also adjust advertising preferences with major platforms. (Note: we do not currently run personalized advertising on this Site.)

Do Not Track: The Site does not respond to Do Not Track signals.

8. Retention (how long we keep information)

We retain personal information only as long as necessary to fulfill the purposes above, unless a longer period is required or permitted by law.

  • Form submissions (petitions, surveys, event sign-ups, general contact): Retained indefinitely at this time, unless you request deletion or unless retention is no longer necessary.
  • Job alerts subscriptions: Retained until you unsubscribe or your email becomes inactive/undeliverable.
  • Job applications: Retained for up to 1 year after the hiring process concludes, then securely deleted.
  • Security logs (e.g., IPs, failed logins): Retained for a limited period appropriate to security and troubleshooting needs (e.g., ~90 days), unless required for longer in connection with an investigation.
  • Comments and associated metadata (if enabled): Retained indefinitely to recognize and approve follow-ups automatically.
  • E-commerce records: Transaction records (not payment card numbers) are retained for at least the period required by law and financial record-keeping obligations.

9. Safeguards (how we protect information)

We use administrative, technical, and physical safeguards proportionate to the sensitivity of the information, including:

  • Limiting access to authorized CSA personnel and service providers with a need to know.
  • Encryption in transit (HTTPS) and security monitoring.
  • Least-privilege account management and role-based access for staff.
  • Routine maintenance, patching, and logging.

No method of transmission or storage is 100% secure. We strive to protect personal information but cannot guarantee absolute security.

10. Your choices and rights

Subject to legal exceptions, you have the right to:

  • Access your personal information in our custody or control.
  • Request corrections to inaccurate or incomplete information.
  • Withdraw consent to our use/disclosure of your personal information, subject to legal or contractual restrictions.
  • Request deletion where we no longer need the information for the stated purposes and no legal requirement prevents deletion.
  • Unsubscribe from job alerts or other recurring communications we send from the Site.

We may ask you to verify your identity before responding. We aim to respond within 30 days as required by PIPEDA.

How to contact us about your data: [email protected]

If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner of Canada (OPC) for guidance or to file a complaint. (See: priv.gc.ca)

11. Children’s privacy

The Site is not intended for children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us personal information, please contact us at [email protected] and we will take appropriate steps to delete it.

12. Embedded content and links to other websites

The Site may include embedded content (e.g., YouTube videos) or links to third-party websites. Embedded content behaves as if you visited the third-party site directly and may allow that third party to collect data, set cookies, and track your interaction—especially if you are logged in to that third-party service.
We are not responsible for the privacy practices of third-party sites or services. Please review their privacy policies before interacting with them.

13. Where information is stored and processed (data location)

Our Site is hosted in Canada. However, some service providers (e.g., Google Analytics, Microsoft Clarity, email delivery services, and future payment processors) may process data in other countries (including the United States). As a result, your personal information may be subject to the laws of those jurisdictions and may be accessible to their courts, law-enforcement, and national security authorities.

15. Email and SMS communications

If you sign up for communications via the Site (e.g., job alerts) you can unsubscribe using the link provided or by contacting [email protected].
Some CSA bulk email communications are sent using University systems and are subject to the University of Guelph Mass Email Policy. Where such systems are used, we follow that policy as well as applicable anti-spam requirements.

16. E-commerce and payments

The CSA operates an online store through WooCommerce. When you make a purchase, we collect the information needed to process your order — such as your name, contact details, order details, billing/shipping information, and payment method.

Payments are processed through trusted third-party payment processors (such as Stripe, PayPal, or Square) and handled under their respective privacy policies. These providers may store and process your information outside Canada.

We use this information to:

  • Process your payment and deliver your purchase.
  • Provide order confirmations, invoices, and receipts.
  • Screen orders for fraud or abuse.
  • Maintain proper accounting and financial records.

We do not store your full payment card details. Only transaction records (e.g., order details, receipts) are retained, and then only for as long as legally required.

17. Changes to this policy

We may update this Privacy Policy to reflect changes to our practices, technologies, or legal requirements. Changes will be posted here with an updated “Last updated” date. If changes are material, we will take reasonable steps to provide additional notice.

18. How to contact us

Questions, requests, or complaints about privacy can be sent to:
Email: [email protected]

Quick reference (common questions)

  • Can I request a copy of my data? Yes – email us at [email protected].
  • Can I correct or delete my data? Yes – subject to legal exceptions. Recruitment files are kept for up to 1 year after a hiring process, then deleted.
  • Do you sell my data? No.
  • Do you use analytics? Yes – Google Analytics and Microsoft Clarity.
  • Do you run ads/personalized advertising? Not on this Site at this time.
  • Are children allowed? The Site is not intended for children under 13.
Back to top