May 20th, 2018
TL;DR (Too Long, Didn't Read):
The SaskSeats team strives to protect and uphold your privacy online. We do our best to collect as little information as possible and work to keep the information we do keep about you secure to the best of our abilities. We store 2 cookies on your system (more about this below) but these cookies do not contain any personally identifying information. We do not collect your full IP address but we do have the ability to track which pages you view/click. This information is anonymized however and not linked to a specific individual identity (IP address anonymization in our analytics software - see below). We do not process payment/financial information or store sensitive login information like passwords or security questions for individuals outside of our administration team. The login information we do keep for our administration team is stored in encrypted/hashed format (specially: bcrypt using PHP's `password_hash()` function). This information is thus inaccessible to our admin team and to attackers during a potential server breach.
How our website works to protect you:
No, that is not a joke. Our website does have measures in place to protect the people viewing it. First and foremost, the domain https://saskseats.ca uses TLS (Transport Layer Security) to create an encrypted connection between our server and your browser. This means that everything you do once you have reached our website is not view-able by an outside party who may be trying to eavesdrop. This party could be another person on the same WiFi network as you, or it could be your Internet service provider. We also force an encrypted connection when you visit our website from all operating systems and devices (HSTS headers). This does not stop an onlooker from seeing that you visited our website (we cannot protect your DNS requests), but it does protect the activity you do while on our website (pages you click, the contact submission form, etc).
Information our website collects from you:
Our nginx server that handles the website configurations has been set with the flag access_log off; This means that the server will not log any access requests and won't see who you are (your IP address) or what device you are connecting from. We have kept error logging on however so we can of course debug server issues. Our admin portal used by our team to login does log access attempts via a plugin, but this logging does not concern you as a viewer of our website and only works to keep our site secure from attackers.
We currently have analytical tracking disabled but do have hopes of enabling this in the future. The analytics platform we will be using is Matamo (formerly Piwik) and is hosted on our own server without third party access. It allows us to strip the last 2 bytes of the IP address it records so instead of seeing 18.104.22.168, we would only see 42.53.xx.xx We don't want to know the specifics of who is connecting to our website, just how much outreach our information is getting so we can better streamline the content we are offering and to whom we are offering it.
Currently (as of May 2018), our server only delivers 2 cookies to users visiting our website. The first cookie is "_wpfuuid" which is used by our WordPress Form plugin. It does not store any personally identifying information, and is only used on the plugin backend to organize the form submissions. The second cookie is "_cfduid" which is used by CloudFlare so they can offer their security settings to our server (as we share a CloudFlare IP with many other websites). This helps to keep our site secure and online during an attack. It, like the first cookie, does not contain any personally identifying information about the users connecting to our site.
Information our website does not collect about you:
+ Your full IP address, which could identify you to an attacker or third party
+ Any login information (unless you are a part of our team and administrate the website)
+ Any financial information (we don't currently offer the ability to pay/donate for services online)
Information our team collects from you:
The information collected in these situations may contain (but not be limited to):
+ The name you provide us
+ The email address you provide us
+ The phone number you provide us
+ The location you provide us
+ Information about your vehicle/car seats that you provide to us
+ Information you provide to us about your children (weight, height, age, etc)
+ Pictures of your vehicle and/or children (we recommend their faces are always blurred)
How our team stores the information collected from you:
When collecting information from you (as noted above) it is important to us that this information remain secure while in our hands. As such, we have a very strict set of individuals who are able to access and/or view this information. We ensure that any websites/services with our accounts storing this information outside of our own server are protected to the best of our abilities. We do this by administering strong password policies among our team, enabling two-factor authentication wherever possible, and limiting access to only the core admin members of SaskSeats. None of this information is ever made public without your consent.
Should this document need amending:
Your team at SaskSeats - Child Passenger Safety