Privacy Policy

Last updated: March 5, 2026

1. Introduction

ActionItem ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our board governance platform ("the Service"). This policy complies with the Personal Information Protection and Electronic Documents Act (PIPEDA).

2. Information We Collect

Information you provide:

• Account information: Name, email address, and organization name when you register
• Organization data: Meeting agendas, minutes, decisions, votes, action items, documents, and other governance content you create
• Payment information: Billing details processed securely by Stripe (we do not store credit card numbers)

Information collected automatically:

• Usage data: Pages visited, features used, and timestamps
• Session data: IP address, browser type, and device information for security purposes

3. How We Use Your Information

We use your information to:

• Provide, maintain, and improve the Service
• Send transactional emails (login links, meeting notifications, action reminders)
• Process payments and manage subscriptions
• Detect and prevent fraud, abuse, and security incidents
• Comply with legal obligations

We do not sell your personal information. We do not use your data for advertising. We do not train AI models on your data.

4. Data Security

We take security seriously:

• Encryption at rest: Sensitive fields (names, emails, meeting content, votes, declarations) are encrypted in the database using Rails ActiveRecord::Encryption
• Encryption in transit: All connections use TLS/SSL (HTTPS enforced)
• Access controls: Role-based permissions at the organization and board level
• Rate limiting: Automated protections against brute force and abuse
• Session security: Automatic timeout after inactivity, secure cookie handling

5. Data Residency

Your data is stored on servers located in Canada. We use Canadian-hosted infrastructure to ensure your data remains subject to Canadian privacy law. Third-party service providers (email delivery, payment processing) may process limited data in other jurisdictions as necessary to provide the Service.

6. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. If you close your account, we will delete your data within 30 days, except where retention is required by law. Database backups are retained for 30 days and then automatically destroyed.

7. Your Rights

Under PIPEDA, you have the right to:

• Access your personal information held by us
• Correct inaccurate or incomplete information
• Withdraw consent for non-essential processing
• Request deletion of your personal information
• Export your data in a portable format

To exercise these rights, contact us at hello@actionitem.ca. We will respond within 30 days.

8. Third-Party Services

We use the following third-party services:

• Stripe — payment processing (Stripe Privacy Policy)
• MailerSend — transactional email delivery (MailerSend Privacy Policy)

9. Cookies

We use only essential cookies required for authentication and session management. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

10. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service. Your continued use after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or wish to exercise your privacy rights, contact us at:

ActionItem
Email: hello@actionitem.ca