Privacy Policy

Last updated: October 30, 2025

1. Introduction

Steps.fyi ("we", "our", or "the service") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our web application.

2. Information We Collect

Information You Provide:

  • OAuth Profile Information: When you sign in with Google, we collect your name, email address, and profile picture from your authentication provider
  • Timeline Data: Application submission dates, processing milestones, program stream information, family composition details, travel history, current location, and any additional comments you choose to provide
  • Preferences: Your choice to make your timeline public or private

Information Automatically Collected:

  • Basic usage data and analytics (anonymized)
  • Browser type and version
  • Time zone and location (country level only)

3. How We Use Your Information

We use the information we collect to:

  • Provide and maintain the timeline tracking service
  • Authenticate your account and ensure security
  • Calculate and display aggregate statistics about processing times
  • Conduct analysis and research to understand immigration trends and patterns
  • Generate insights and reports based on anonymized, aggregated data
  • Enable you to share your timeline with others (if you choose public visibility)
  • Improve our service based on usage patterns and user feedback
  • Respond to your inquiries or support requests
  • Comply with legal obligations

4. How We Share Your Information

Public Timelines:

If you choose to make your timeline public, other users will be able to see your timeline data including dates, stream type, and province. Your email address and OAuth profile information are never shared publicly.

We Do Not:

  • Sell, rent, or trade your personal information to third parties
  • Share your private timelines with other users
  • Use your information for marketing purposes
  • Transfer your data outside of secure infrastructure

Legal Requirements:

We may disclose your information if required by law, court order, or government regulation.

5. Data Storage and Security

  • Your data is stored using Supabase, a secure platform that provides enterprise-grade security and encryption
  • All data transmission is encrypted using SSL/TLS protocols
  • Database access is protected by Row Level Security (RLS) policies
  • We implement industry-standard security measures to protect against unauthorized access
  • Only authenticated users can access their own private data

While we implement robust security measures, no method of electronic storage is 100% secure. We cannot guarantee absolute security of your data.

6. Your Rights and Choices

You have the right to:

  • Access: View your timeline data at any time through your account
  • Update: Modify or correct your timeline information
  • Delete: Request deletion of your account and all associated data
  • Privacy Control: Change your timeline visibility between public and private at any time

7. Data Retention

We retain your information for as long as your account is active. If you request account deletion, we will delete your personal data within 30 days, except where retention is required for legal compliance. Anonymized aggregate statistics may be retained indefinitely for research purposes.

8. Third-Party Services

We use the following third-party services that may collect information:

  • Google OAuth: For authentication (governed by Google's Privacy Policy)
  • Supabase: For data storage and authentication (governed by Supabase's Privacy Policy)
  • PostHog: For analytics and error tracking (governed by PostHog's Privacy Policy). We use PostHog to understand how users interact with our service and to improve user experience. PostHog collects anonymized usage data including page views, feature usage, and technical errors. No personally identifiable information is sent to PostHog.

9. International Data Transfers

Your information may be transferred to and maintained on servers located outside of your jurisdiction. By using our service, you consent to such transfers.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by updating the "Last updated" date. Material changes will be communicated through the service interface. Your continued use after changes constitutes acceptance.

11. Contact Us

If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us at steps.fyi@gmail.com or visit our Contact page.

12. Legal Compliance

This Privacy Policy is designed to comply with applicable privacy laws including the Personal Information Protection and Electronic Documents Act (PIPEDA) of Canada and, where applicable, the General Data Protection Regulation (GDPR).