Privacy Policy
Last updated: June 11, 2026 · Version 1.0 (Pilot)
Pilot notice: This is the pilot-stage privacy policy. The production version, including the formal Privacy Impact Assessment (PIA) and the customer-specific Data Processing Agreement (DPA), is issued during the procurement / onboarding process for each municipal customer.
1. Who we are
Pool Operator Logbook ("the Service") is a digital operational record-keeping tool designed for Ontario Regulation 565 compliance at public aquatic facilities. The Service is currently operated as a private pilot with a municipal aquatic facility.
2. What we collect
The Service collects and stores the following categories of data, all of which are operational in nature:
- Operator identification: display name, initials, role assignment (operator / supervisor / manager), hashed PIN, and login timestamps.
- Operational test data: water chemistry readings, bather counts, equipment check results, chemical additions, meter readings, shift handoff notes, and closing records.
- Audit metadata: for every change to operational data, the Service records the operator initials, timestamp, before/after values, and session identifier. This audit log is append-only and retained for seven years to meet record-retention obligations.
- Authentication telemetry: PIN-attempt timestamps (success/failure) for 90 days, to support intrusion detection and account lockout.
The Service does not collect: bather identities, photographs, biometric data, payment information, location data beyond facility name, or any personally identifying information about pool users.
3. Lawful basis
The Service processes data on the lawful basis of (a) compliance with a legal obligation (Ontario Regulation 565 record-keeping) and (b) legitimate operational interest in safe public pool operation. Operator personal information is processed under the employment relationship between the operator and the customer municipality.
4. Where data lives
All data is stored in PostgreSQL on Supabase infrastructure, hosted in the Canada Central region (Ontario). Data does not leave Canada in normal operation. Backups are retained by the provider for 7 days (Supabase Pro tier) or 30 days (Team tier) and are also Canada-resident.
5. Who can see the data
- Operators see their own and their facility's operational data necessary to do their job.
- Managers / supervisors see all data for their organization, including the audit log.
- The Service operator (this software's developer) has database administration access to perform technical support and security work. All such access is logged.
- Public health inspectors may be granted read-only access by the customer for inspection purposes.
- No third parties are given access for marketing, advertising, analytics, or any commercial purpose.
6. Retention and disposal
- Operational records (test cycles, chemical additions, equipment checks, meter readings, handoffs): retained for seven years from the date of entry, then deleted, in line with Ontario record-retention practice for aquatic facility logbooks.
- Audit log: retained for seven years, append-only.
- Authentication telemetry: retained for 90 days.
- Sessions: expire after 30 minutes of inactivity and are deleted shortly after expiry.
- Operator accounts: retained while active; on termination of employment, the customer may request deletion. Audit log entries referencing the operator's initials remain (the audit trail is immutable by design).
7. Your rights (PIPEDA / GDPR)
Operators and customers have the following rights:
- Access: any operator may export their own data in machine-readable JSON via the user menu. Managers may export the entire organization's data.
- Correction: within 24 hours of entry, operators may correct their own test cycles. After 24 hours, managers may make corrections with a recorded reason.
- Deletion (right to be forgotten): available on written request to the customer's manager and the Service operator. Note: legally required retention (Reg 565) supersedes individual deletion requests until the retention period expires.
- Portability: the JSON export is in an open, structured format suitable for ingestion by other systems.
- Restriction of processing: contact your facility manager.
- Complaint: contact the Office of the Information and Privacy Commissioner of Ontario (IPC) or the Office of the Privacy Commissioner of Canada (OPC).
8. Security
See the Security overview for technical detail. In summary: PINs are bcrypt-hashed, all traffic is TLS-encrypted, sessions expire on idle, every change is audit-logged, and account access requires PIN authentication with rate limiting and lockout.
9. Children
The Service is operated by adult facility staff. The Service is not directed at children and does not knowingly collect any personally identifying information about minors.
10. Changes to this policy
Material changes will be communicated to customer organizations directly. Operators will be notified through the app on next sign-in.
11. Contact
Privacy questions or requests: contact your facility manager in the first instance. For Service-operator-level questions, contact the developer named in your organization's pilot/service agreement.