Skip to main content
Goshuingoshuin

Privacy Policy

How Goshuin handles your personal information

Dernière mise à jour: January 29, 2026

About This Policy

Goshuin is operated by David Dias, a sole proprietor based in Toronto, Ontario, Canada. This Privacy Policy explains how we collect, use, and protect your personal information in accordance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).

Accountability

Under PIPEDA's accountability principle, the following individual is responsible for our privacy practices:

All questions, concerns, or requests regarding your personal information should be directed to the contact above.

Information We Collect

Account Information

When you create an account, we collect:

  • Email address
  • Username you choose
  • Profile information you optionally provide (bio, avatar)

If you sign in using Google or Facebook OAuth:

  • We receive your email address and basic profile information (name, profile picture) that you authorize
  • We do not receive or store your Google/Facebook password
  • We do not access your contacts, posts, or other social data

Analytics (No Personal Data)

We use Plausible Analytics, a privacy-focused, cookie-free analytics service based in the EU. Plausible:

  • Does not use cookies or any client-side storage
  • Does not collect personal data or track individuals
  • Does not track across websites or devices
  • Does not store IP addresses - they are discarded immediately after deriving country-level location

What Plausible collects (aggregated, anonymous data only):

  • Pages visited on our site
  • Referrer (how you found us)
  • Country (derived from IP, then IP is discarded)
  • Device type (desktop/mobile/tablet) and browser

For full details, see Plausible's Data Policy.

Vercel Speed Insights (Performance Monitoring)

  • Purpose: Measures Core Web Vitals and site performance
  • Data location: Global (Vercel infrastructure)
  • Privacy: Vercel Privacy Policy
  • Data collected: Anonymous performance metrics (LCP, FID, CLS, INP, TTFB)
  • No personal data: Does not track individuals or use cookies

Location Data

If you use our "nearby temples" feature, we request your location through your browser or device. This data:

  • Is only collected with your explicit permission
  • Is used only to find temples near you
  • Is not stored on our servers
  • Can be revoked anytime through your browser/device settings

User-Generated Content

When you contribute to Goshuin, we store:

  • Photos you upload
  • Reviews and comments you write
  • Your goshuin collection data
  • Pilgrimage progress

Why We Collect This Information

Under PIPEDA, we must identify our purposes before or at the time of collection:

PurposeData UsedLegal Basis
Provide your accountEmail, usernameContract (account creation)
Display your contributionsPhotos, reviews, collectionContract (service features)
Find nearby templesLocation (temporary)Consent (you grant permission)
Improve our serviceAnonymous analyticsLegitimate interest
Fix bugs and crashesError reports, device infoLegitimate interest
Respond to your inquiriesContact informationContract / Consent
Security and fraud preventionAccount activityLegitimate interest

Third-Party Services

We use the following services to operate Goshuin. Each processes data on our behalf:

Supabase (Database & Authentication)

Vercel (Hosting & CDN)

  • Purpose: Hosts our website and delivers content globally
  • Data location: Global CDN with edge locations
  • Compliance: SOC 2 Type 2, ISO 27001, GDPR compliant
  • Privacy: Vercel Privacy Policy

Plausible Analytics

  • Purpose: Anonymous, aggregated website analytics
  • Data location: EU (Germany)
  • Key point: No cookies, no personal data collected
  • Privacy: Plausible Privacy Policy

Google (OAuth Login - Optional)

  • Purpose: Allow you to sign in with your Google account
  • Data received: Email, name, profile picture (only what you authorize)
  • Privacy: Google Privacy Policy

Facebook (OAuth Login - Optional)

  • Purpose: Allow you to sign in with your Facebook account
  • Data received: Email, name, profile picture (only what you authorize)
  • Privacy: Meta Privacy Policy

Resend (Email Delivery)

  • Purpose: Sends transactional and marketing emails on our behalf
  • Data shared: Email address, name, message content
  • Data location: United States
  • Privacy: Resend Privacy Policy
  • DPA: Resend DPA

We use Resend to deliver:

  • Transactional emails (account confirmations, password resets)
  • Marketing emails (newsletters, feature announcements) if you opt in
  • All emails include an unsubscribe link per CASL requirements

We do not sell your personal information to anyone.

Cookies and Tracking

What We Use

Since we use Plausible Analytics, we do not use analytics cookies.

We only use essential cookies for:

  • Session management: Keeps you logged in
  • Language preference: Remembers your language choice (en/ja)
  • Theme preference: Remembers light/dark mode choice

What We Don't Use

  • No advertising cookies
  • No third-party tracking pixels
  • No cross-site tracking
  • No fingerprinting

You can manage cookies through your browser settings. Disabling all cookies will prevent you from staying logged in.

Marketing Communications

We will not send you marketing or promotional emails unless you have explicitly opted in to receive them through your account settings or during signup.

Transactional emails (account confirmations, password resets, security alerts, service updates) do not require consent and will be sent as necessary to operate your account and keep it secure.

Marketing emails (newsletters, feature announcements, tips, community updates) require your explicit consent under Canada's Anti-Spam Legislation (CASL).

You can unsubscribe from marketing emails at any time by:

  • Clicking the "unsubscribe" link in any marketing email
  • Updating your email preferences in your account settings
  • Contacting us at hello@goshuin.com

Unsubscribing from marketing emails will not affect transactional emails necessary for your account.

Data Security

We protect your information through:

  • Encryption in transit: All connections use HTTPS/TLS
  • Secure authentication: Passwords are hashed using industry-standard algorithms (via Supabase Auth)
  • Access controls: Database access is restricted and authenticated
  • Reputable infrastructure: We use established, security-audited services (Supabase, Vercel)

No system is 100% secure. If we discover a breach that poses a real risk of significant harm, we will notify you and the Office of the Privacy Commissioner of Canada as required by PIPEDA.

Error Monitoring

To maintain app stability and fix crashes, we use Sentry, a third-party error monitoring service that may collect:

  • Crash reports and stack traces
  • Device model, browser version, and OS version
  • App/website version and state at time of error
  • Anonymized user identifier

About Sentry:

  • Provider: Sentry (Functional Software, Inc.)
  • Data location: United States
  • Privacy: Sentry Privacy Policy
  • Data Processing Agreement: Sentry DPA
  • Usage: Only in production environment, 5% sampling rate
  • Data scrubbing: Sensitive headers and URL parameters are filtered before sending

This data is used solely for debugging and does not include personally identifiable information. Error reports are automatically collected but contain no user content.

Your Rights

For All Users

Regardless of where you live, you can:

  • Access your personal information
  • Correct inaccurate information
  • Delete your account and associated data
  • Export your data
  • Withdraw consent at any time

PIPEDA Rights (Canadian Users)

Under PIPEDA, you have the right to:

Response time: We will respond to access or correction requests within 30 days. If we need more time, we will notify you within that period.

GDPR Rights (EU/EEA Users)

If you are in the European Union or EEA, you have additional rights including:

  • Right to data portability
  • Right to object to processing
  • Right to lodge a complaint with your local Data Protection Authority

CCPA Rights (California Users)

California residents have the right to:

  • Know what personal information is collected
  • Request deletion of personal information
  • Know that we do not sell personal information

Data Retention

  • Active accounts: We retain your data while your account is active
  • Deleted accounts: Personal data is deleted within 30 days of account deletion
  • Public contributions: Reviews and photos you've shared publicly may remain visible after account deletion, but will be anonymized (not linked to your name)
  • Breach records: Kept for 2 years as required by PIPEDA

To delete your account, go to your account settings and follow the deletion process. If you need assistance, contact us at hello@goshuin.com.

International Data Transfers

  • Business location: Toronto, Ontario, Canada
  • Database: Tokyo, Japan (Supabase)
  • CDN: Global edge locations (Vercel)

Your data may be processed in Japan (database) and various countries (CDN). Our service providers maintain appropriate safeguards including Standard Contractual Clauses for international transfers.

Children's Privacy

Goshuin is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe we have collected such information, please contact us immediately.

Changes to This Policy

We may update this Privacy Policy when our practices change or when required by law. For significant changes, we will:

  • Update the "Last updated" date at the top
  • Post a notice on our website
  • Email registered users if the changes materially affect how we use your data

Contact Us

For any privacy-related questions, requests, or complaints:

  • Email: hello@goshuin.com
  • Response time: We aim to respond within 7 business days, and will fulfill access/correction requests within 30 days as required by PIPEDA

If you are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada.

Sources & References

This policy was written to comply with: