Ode'min Circle
Settings

Privacy Policy

Last reviewed: May 6, 2026

Pending legal review. This policy reflects our current data practices but has not yet been reviewed by counsel for full PIPEDA compliance. We are working with legal counsel to validate and expand this document. Substantive changes will be announced here and via email to registered users.

Ode'min Circle ("we," "our," or "us") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website and use our AI-assisted grant matching and project planning services.

1. Information We Collect

1.1 Information You Provide Directly

  • Account Information: Email address (used for one-time-code login), and any name or affiliation you choose to enter on your profile.
  • Idea Wizard (Phase 1): When you use our Idea Wizard, we collect project descriptions, goals, location pins, sector tags, and any constraints you enter. We also store the artifacts generated during this process — strategic roadmap, project charter snapshots, generated paths and tasks, and grant rationales.
  • Grant Selections: Which grants you view, pin, or unpin, used to refine our matching algorithms for your project.
  • Phase 0 Handoff (if used): If you import a brief from a Phase 0 entry point, we receive your project intent, context, and readiness assessment data, plus a temporary handoff code.
  • Communications: Anything you send us when contacting support or making a privacy/access request.

1.2 Automated Data Collection

  • Usage Data: Pages visited, features used, server-side request timing, and AI tool-call counts. Used to operate, secure, and improve the platform.
  • Device Information: Browser user-agent string and approximate IP geolocation, used for security (rate limiting, abuse detection) and basic analytics.
  • Error Reports: When the application encounters an error, we record the error message, stack trace, and the page URL where it occurred. We may store the request method and route. We do not capture form values, idea text, or other content you have entered when reporting these errors.

2. How We Use Your Information

  • To provide, maintain, and improve our AI-assisted grant matching and planning services.
  • To generate project artifacts (charters, roadmaps, paths, draft application sections) tailored to your inputs. Note: outputs are AI-generated and require your review before submission to any funder.
  • To send authentication codes (one-time login codes) via email.
  • To prevent abuse, including rate-limiting requests and detecting automated traffic.
  • To respond to your support, access, correction, or deletion requests.

3. Data Retention

We retain your personal information and project data only as long as your account is active or as needed to provide the service. You may request deletion at any time (see section 7).

  • Phase 0 Handoff Codes: Temporary handoff payloads are stored for up to 30 days to allow you to complete the import process. If unused after 30 days, they are automatically purged.
  • One-Time Login Codes: Stored for a maximum of 5 minutes after generation, then deleted. Once verified, the code is consumed and removed immediately.
  • User Accounts & Project Data: Retained while your account is active. On account deletion, project data, charters, paths, and conversation history are removed within 30 days, except where retention is required by law.
  • Error Reports: Retained until resolved through our triage process, then archived for a period not exceeding 12 months.

4. Service Providers and Cross-Border Transfers

We do not sell your personal data. To operate the platform we share information with the following service providers, each of whom is bound by their own privacy commitments and data-processing terms.

Cross-border data transfer notice. Several of these service providers operate infrastructure outside Canada (primarily the United States). Your data may transit through, or be processed in, those jurisdictions. By using the service, you consent to this processing. We are working to expand Canadian-resident options where available.
  • Google (Gemini API) — generates AI text and embeddings from your idea/charter inputs. Subject to Google's API privacy terms. Used for: chat assistant, charter summary, grant rationale, embeddings, planning, application drafts.
  • Supabase, Inc. — primary database and authentication infrastructure. Stores your account, ideas, charters, plans, tasks, and error logs.
  • Vercel, Inc. — application hosting, serverless function execution, and edge networking.
  • Resend — transactional email delivery (one-time login codes, account-related notifications).
  • Cloudflare, Inc. (Turnstile) — bot deterrent on anonymous AI calls. Receives an opaque interaction token; no idea content is sent to Cloudflare.
  • Upstash, Inc. (Redis) — request rate-limiting counters keyed on hashed identifiers. No idea or account content is stored in Upstash.
  • Mapbox — map tiles and place geocoding when you set a project location.

We may also disclose information when required by law, in response to valid legal process, or to protect the rights, safety, and property of Ode'min Circle, its users, or the public.

5. Security

We use TLS encryption for data in transit, encrypted-at-rest storage at our infrastructure providers, row-level security policies in the database, and per-caller rate limiting on sensitive endpoints. Service-role credentials are stored only in the deployment platform's secret store. No method of transmission over the Internet or electronic storage is 100% secure, but we follow industry-standard practices proportional to the sensitivity of the data we hold.

6. Cookies and Tracking

We use a small number of cookies to operate the service:

  • session — your encrypted login session (HTTP-only, signed JWT). Set after a successful one-time-code login.
  • odemin_anon — an anonymous session identifier so you can start drafting an idea before signing up. Cleared once you claim the idea by signing in.
  • Cloudflare Turnstile may set a short-lived cookie as part of its bot-detection process on the wizard page.

We do not use third-party advertising or cross-site tracking cookies.

7. Your Rights

Under PIPEDA and applicable provincial privacy legislation, you have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your data.
  • Withdraw consent for non-essential processing where applicable.
  • Make a complaint to the Office of the Privacy Commissioner of Canada.

Self-serve data export and account deletion are on our public-launch roadmap. In the meantime, please email privacy@odemincircle.ca and we will respond within 30 days.

8. AI-Generated Content

Our service uses generative AI (currently Google Gemini) to draft project charters, paths, tasks, and application sections from your inputs. AI-generated content is clearly marked in the interface. You are responsible for reviewing any AI-generated text before submitting it to a funder, sharing it externally, or relying on it for decisions. We make no warranty as to the accuracy or completeness of AI-generated content.

9. Children

The platform is intended for use by adults. We do not knowingly collect personal information from individuals under the age of 16. If you believe a child has provided us with information, contact us and we will delete it.

10. Changes to This Policy

When we update this Privacy Policy we will revise the "Last reviewed" date at the top. Material changes will be announced here and via email to registered users where we have an address on file.

Contact Us

Questions, access requests, or concerns about this Privacy Policy:

privacy@odemincircle.ca

See also our Terms of Service.