TWISH CART™ Privacy Policy
Effective date: November 10, 2025
Contact (Privacy Officer): privacy@twishcart.com | 24A Main Street North, ON, Canada
Twish Cart™ operates a community shopping platform that lets customers (“Members”, “you”) pool grocery orders, access group/wholesale pricing, and arrange shared delivery or pickup through Twish and its partners. This Privacy Policy explains how we collect, use, disclose, and safeguard Personal Information across our website, mobile app, and related services (collectively, the “Services”).
Acknowledgment
By using Twish Cart™, you confirm you have read and understood this Privacy Policy and agree to our collection, use, and disclosure of Personal Information as described.
By creating an account or using the Services, you consent to the practices described below. If you do not agree, please discontinue use.
1) Key Definitions
Personal Information (PI): Information about an identifiable individual (e.g., name, email, address, phone, precise location, order history, device IDs).
Sensitive PI: Includes payment tokens, government IDs (if ever required for ID verification), precise geolocation, transaction details, or health-related dietary preferences (if you choose to share).
De-identified/Anonymized Data: Data modified so individuals cannot be identified. Under Law 25, anonymization must be irreversible according to generally accepted best practices.
Profiling Technology (Law 25): Technologies that identify, locate, or profile you (e.g., non-essential cookies, ad pixels, analytics identifiers).
Personal Information (PI): Information about an identifiable individual (e.g., name, email, address, phone, precise location, order history, device IDs).
Sensitive PI: Includes payment tokens, government IDs (if ever required for ID verification), precise geolocation, transaction details, or health-related dietary preferences (if you choose to share).
De-identified/Anonymized Data: Data modified so individuals cannot be identified. Under Law 25, anonymization must be irreversible according to generally accepted best practices.
Profiling Technology (Law 25): Technologies that identify, locate, or profile you (e.g., non-essential cookies, ad pixels, analytics identifiers).
2) What We Collect
A. Information You Provide
Account & Profile: name, email, mobile number, password, addresses (delivery/pickup), language, referral codes, community group/household associations.
Orders & Payments: items purchased, basket value, delivery/pickup instructions, preferences, promo codes, payment tokens (processed by PCI-compliant third-party payment processors; we do not store full card numbers).
Communications: emails, chats, support tickets, satisfaction surveys, reviews, and referral-program invitations.
Program Participation: loyalty/Food Coins balance and redemptions (if applicable), eligibility for discounts, and proof of residence where required for localized offers.
Account & Profile: name, email, mobile number, password, addresses (delivery/pickup), language, referral codes, community group/household associations.
Orders & Payments: items purchased, basket value, delivery/pickup instructions, preferences, promo codes, payment tokens (processed by PCI-compliant third-party payment processors; we do not store full card numbers).
Communications: emails, chats, support tickets, satisfaction surveys, reviews, and referral-program invitations.
Program Participation: loyalty/Food Coins balance and redemptions (if applicable), eligibility for discounts, and proof of residence where required for localized offers.
B. Information Collected Automatically
Device/Technical Data: IP address, device type, OS, browser, app version, crash logs, performance diagnostics, approximate or precise geolocation (with consent), session timestamps.
Usage & Interaction Data: pages/screens viewed, clicks, search queries, cart events, fulfillment choices, referral/attribution data.
Cookies & Similar Tech: see Section 9 (Cookies & Profiling Consent).
Device/Technical Data: IP address, device type, OS, browser, app version, crash logs, performance diagnostics, approximate or precise geolocation (with consent), session timestamps.
Usage & Interaction Data: pages/screens viewed, clicks, search queries, cart events, fulfillment choices, referral/attribution data.
Cookies & Similar Tech: see Section 9 (Cookies & Profiling Consent).
C. Information From Service Providers/Partners
Logistics partners: delivery status, proof of delivery, time stamps.
Payment partners: payment authorization/decline, fraud-screening signals, chargeback info.
Analytics/Marketing providers: aggregated attribution or campaign performance data.
Community partners (optional): where you join a community/organization basket, we may receive limited membership verification or hub details with your consent.
Logistics partners: delivery status, proof of delivery, time stamps.
Payment partners: payment authorization/decline, fraud-screening signals, chargeback info.
Analytics/Marketing providers: aggregated attribution or campaign performance data.
Community partners (optional): where you join a community/organization basket, we may receive limited membership verification or hub details with your consent.
We limit collection to what is necessary for the purposes outlined below (PIPEDA Principles 2–5; Law 25).
3) How We Use Personal Information (Identifying Purposes)
We use PI to:
Provide the Services: account creation, authentication, order placement, group-cart orchestration, fulfillment, delivery/pickup, and customer support.
Pricing & Savings: calculate group thresholds, apply negotiated wholesale rates, allocate discounts and rewards.
Service Improvement & Safety: troubleshoot, prevent fraud/abuse, maintain platform integrity, and conduct quality assurance.
Personalization (with consent): remember stores/hubs, suggest items, show relevant savings, and limited profiling to improve your experience (see Section 9).
Communications: transactional emails/SMS (order confirmations, delivery ETAs), service announcements, policy updates; marketing only with your express consent (CASL compliant).
Legal & Compliance: tax reporting, recordkeeping, responding to lawful requests, managing confidentiality incidents (Law 25), and meeting PIPEDA obligations.
Research & Analytics: use de-identified or anonymized data to understand demand, optimize routes, or evaluate programs (we will not attempt to re-identify individuals).
4) Legal Bases & Consent (PIPEDA & Law 25)
We rely on your consent (explicit or implied, depending on context) for most processing.
We obtain express consent for: (a) marketing messages, (b) collecting/using sensitive PI (e.g., precise geolocation), (c) profiling technologies (non-essential cookies), and (d) cross-border transfers where required by Law 25 notices.
You can withdraw consent at any time (may affect features). See Section 8 (Your Rights) and Section 9 (Cookies & Profiling).
We rely on your consent (explicit or implied, depending on context) for most processing.
We obtain express consent for: (a) marketing messages, (b) collecting/using sensitive PI (e.g., precise geolocation), (c) profiling technologies (non-essential cookies), and (d) cross-border transfers where required by Law 25 notices.
You can withdraw consent at any time (may affect features). See Section 8 (Your Rights) and Section 9 (Cookies & Profiling).
5) Sharing & Disclosures (We Do Not Sell PI)
We may share PI only as needed to deliver the Services or as required by law:
Service Providers (contract-bound): cloud hosting, payment processing (PCI DSS), logistics/courier partners, communications (email/SMS), analytics/anti-fraud, customer support. Access is limited to purpose, subject to confidentiality and data-protection agreements.
Community Fulfillment Hubs/Stores: limited order data to assemble and distribute group orders.
Business Transactions: merger, acquisition, financing, or sale of assets, your PI may transfer, subject to equivalent privacy safeguards and advance notice.
Legal/Regulatory: to comply with subpoenas, lawful requests, to protect rights, safety, or investigate suspected fraud/abuse.
Cross-Border Processing (Law 25 Notice): Your PI may be stored or processed outside Québec, including in other Canadian provinces and the United States. When we do so, we conduct transfer risk assessments and require recipients to provide comparable protection (contractual, technical, and organizational safeguards).
6) Retention, Destruction, and Anonymization
We retain PI only as long as necessary to fulfill the stated purposes, comply with legal/accounting obligations, and resolve disputes.
When no longer required, we will securely delete or anonymize PI. Under Law 25, anonymization must be irreversible according to generally accepted best practices and used only for serious and legitimate purposes (e.g., analytics).
We retain PI only as long as necessary to fulfill the stated purposes, comply with legal/accounting obligations, and resolve disputes.
When no longer required, we will securely delete or anonymize PI. Under Law 25, anonymization must be irreversible according to generally accepted best practices and used only for serious and legitimate purposes (e.g., analytics).
7) Security Safeguards
We apply administrative, technical, and physical measures proportionate to sensitivity and risk, including encryption in transit, strict access controls, least-privilege, audit logging, vulnerability management, and vendor due diligence.
No system is 100% secure; however, we maintain a privacy and security program consistent with PIPEDA and Law 25 expectations.
Confidentiality Incidents (Law 25): We maintain an incident register and will notify the Commission d’accès à l’information (CAI) and affected individuals of any confidentiality incident presenting a risk of serious injury, in line with Québec requirements. Where PIPEDA requires, we will also notify the Office of the Privacy Commissioner of Canada (OPC) and keep appropriate records.
8) Your Rights & Choices
Subject to applicable law, you have the right to:
Access & Portability: request a copy of your PI in a structured format where feasible.
Rectification: correct inaccurate or incomplete PI.
Deletion: request deletion of certain PI (we may retain what is required by law or for fraud prevention/recordkeeping).
Consent Management: withdraw consent to marketing, geolocation, or non-essential cookies at any time.
Automated Decisions/Profiling: request information about automated decisions that significantly affect you (e.g., fraud blocks) and seek human review.
How to exercise: use in-app settings or email privacy@twishcart.com. We will verify identity and respond within the legal timelines. If you are in Québec, you may also contact the CAI; elsewhere in Canada, you may contact the OPC (see Section 12).
9) Cookies, Analytics & Profiling (Law 25 Consent)
We use cookies and similar tech:
Strictly Necessary: essential for login, cart, checkout, security (consent not required; cannot be disabled).
Functional/Performance: remember preferences, improve speed (consent where required).
Analytics: understand usage (e.g., aggregated analytics).
Marketing/Attribution: measure campaigns and show relevant offers.
Your Controls: A Cookie Preferences banner lets you accept/reject non-essential categories. You can also adjust browser settings or device permissions (e.g., disable precise location). Choices are revocable at any time.
10) Children’s Privacy
Our Services are not intended for children under 14 in Québec (parent/guardian consent required under that age) and under 13 elsewhere in Canada. We do not knowingly collect PI from children without appropriate consent. If you believe a child provided PI, contact us; we will promptly delete it where required.
11) Payments & Financial Data
Payments are processed by PCI-compliant third-party processors (e.g., major payment gateways). Twish Cart™ does not store full card numbers. We may retain tokens and transaction metadata to handle refunds, chargebacks, fraud prevention, and accounting.
12) Questions, Complaints & Regulatory Contacts
Twish Cart™ Privacy Officer
Email: privacy@twishcart.com | Address: 24A Main Street North, ON, Canada
Québec – Commission d’accès à l’information du Québec (CAI): www.cai.gouv.qc.ca
Canada – Office of the Privacy Commissioner of Canada (OPC): www.priv.gc.ca
Twish Cart™ Privacy Officer
Email: privacy@twishcart.com | Address: 24A Main Street North, ON, Canada
Québec – Commission d’accès à l’information du Québec (CAI): www.cai.gouv.qc.ca
Canada – Office of the Privacy Commissioner of Canada (OPC): www.priv.gc.ca
We will investigate and respond to complaints. If you are unsatisfied, you may escalate to CAI (Québec) or OPC (Canada).
13) Changes to this Policy
We may update this Policy periodically. Material changes will be highlighted in-app/on-site and, where required, we will seek renewed consent (e.g., for new purposes or profiling practices). The “Last Updated” date shows the most recent changes.
14) Additional Québec (Law 25) Disclosures
Privacy Officer: Designated above and accountable for compliance.
PIAs (Privacy Impact Assessments): We complete PIAs for projects involving sensitive PI, cross-border transfers, or profiling technologies, and we integrate privacy by default.
Location of PI: Canada and the United States (primary). A list of principal service providers and jurisdictions can be provided upon request.
Use of Technology to Identify, Locate, or Profile: We will present clear, prior notice and obtain consent before activating any such features, and will provide simple opt-out mechanisms.
Anonymization: When purposes are achieved, we destroy or anonymize PI. Anonymized data will be used only for serious and legitimate purposes (e.g., demand forecasting) and we will not re-identify individuals.
Privacy Officer: Designated above and accountable for compliance.
PIAs (Privacy Impact Assessments): We complete PIAs for projects involving sensitive PI, cross-border transfers, or profiling technologies, and we integrate privacy by default.
Location of PI: Canada and the United States (primary). A list of principal service providers and jurisdictions can be provided upon request.
Use of Technology to Identify, Locate, or Profile: We will present clear, prior notice and obtain consent before activating any such features, and will provide simple opt-out mechanisms.
Anonymization: When purposes are achieved, we destroy or anonymize PI. Anonymized data will be used only for serious and legitimate purposes (e.g., demand forecasting) and we will not re-identify individuals.
15) Operational Notes Adapted to Twish Cart™
Group Orders & Hubs: When you join a group cart or pickup hub, limited order and contact info may be shared with that hub or the designated group organizer only as necessary to assemble and distribute orders.
Delivery Partners: Couriers receive only what is needed to deliver (first name/initial, address, delivery window, contact method, instructions).
Ratings/Reviews: If you leave ratings or public reviews, your first name/initial and review content may appear to other users; you can edit/delete in your account.
Fraud Prevention: We use automated tools (and human review) to detect fraud or abuse. If a transaction is flagged, you may be asked for additional verification.
Group Orders & Hubs: When you join a group cart or pickup hub, limited order and contact info may be shared with that hub or the designated group organizer only as necessary to assemble and distribute orders.
Delivery Partners: Couriers receive only what is needed to deliver (first name/initial, address, delivery window, contact method, instructions).
Ratings/Reviews: If you leave ratings or public reviews, your first name/initial and review content may appear to other users; you can edit/delete in your account.
Fraud Prevention: We use automated tools (and human review) to detect fraud or abuse. If a transaction is flagged, you may be asked for additional verification.