Legal
Privacy Policy
Last updated · May 16, 2026
How Sunday Society collects, uses, stores, and shares personal information. This policy is written for PIPEDA (Canada's federal privacy law).
What we collect
We collect personal information only as needed to sell tickets, operate events, and (with your consent) send event updates.
- Email address, used for guest list signup and ticket delivery.
- Name, billing address, and phone number, collected by Stripe at checkout for payment processing and receipts.
- Stripe customer ID, session ID, and payment status, used for matching purchases to tickets and handling disputes.
- IP address, used for rate-limiting, fraud prevention, and server logs.
- QR ticket token and entry timestamp, used for door scanning.
- CASL consent log: timestamp, source URL, exact consent text, and withdrawal status, kept as proof of opt-in.
- Booth-inquiry email contents (if you contact us about a booth).
Who processes your data
We rely on third-party processors. Each handles only the data they need; we do not sell, rent, or trade your information.
- Stripe: payments, billing info, receipts (PCI-DSS compliant).
- Resend: transactional and marketing email delivery.
- Sanity: content management (no buyer data).
- Upstash: rate-limiting (hashed IPs, short TTL).
- Neon (Postgres): subscribers, tickets, purchase records.
- Vercel: hosting, request logs.
How long we keep it
- Marketing email list: kept while you remain subscribed. We prune addresses with zero opens for 12 months and remove you immediately on unsubscribe.
- Sales records (tier purchases, Stripe IDs, billing info): 6 years, per Canada Revenue Agency recordkeeping requirements.
- QR tokens and attendance data: archived after each event.
- Server logs and IP addresses: 30 days.
- Booth inquiry emails: standard inbox retention.
Your rights
Under PIPEDA you have the right to access the personal information we hold about you, request corrections, and request deletion (subject to legal retention requirements). To exercise any of these rights, email us at the address in the site footer.
Cookies and tracking
We do not run advertising pixels or third-party analytics. The site uses local storage for cart state (functional, exempt from consent requirements) and Sanity sets auth cookies inside the /studio editor only.
Children
Our events are 19+. We do not knowingly collect information from anyone under 19.
Breach handling
If we suffer a data breach with a real risk of significant harm, we will notify the Office of the Privacy Commissioner of Canada and affected individuals as required by PIPEDA.
Changes
We may update this policy as the business changes. The 'last updated' date at the top of the page reflects the most recent change. Continued use of the site after an update means you accept the revised policy.
Contact
To access or delete your data, ask a question about this policy, or report a privacy concern, email us at the address in the site footer.