Skip to Content
ESC

Privacy Policy

Effective Date: March 1, 2026  ·  Last Updated: February 20, 2026

Threevo Solutions Inc. ("Threevo", "we", "us", or "our") operates the CauseHub platform at causehub.ca. This Privacy Policy explains how we collect, use, disclose, and protect personal information in accordance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation.

CauseHub is built with privacy at its core. We track consent at every touchpoint, never sell personal data, and give both organizations and their constituents full control over their information.

1. Definitions

"Platform" means the CauseHub software-as-a-service application, including all portals, APIs, and related services hosted at causehub.ca and its subdomains.

"Tenant Organization" (or "Tenant") means a Canadian nonprofit, charity, or similar organization that subscribes to CauseHub to manage its operations.

"Staff User" means an individual who performs organizational-level activities within the Platform on behalf of a Tenant Organization, including administrators, program coordinators, and finance managers. Staff Users count toward a Tenant's user limit.

"Portal User" means a donor, volunteer, member, board member, guardian, program participant, or vendor who accesses self-service portal features. Portal Users are free and unlimited.

"Personal Information" means information about an identifiable individual, as defined under PIPEDA.

2. Information We Collect

We collect personal information in the following categories:

Account and Organization Information

  • Organization name, address, CRA registration number, and contact details
  • Staff User names, email addresses, roles, and login credentials
  • Billing and payment information (processed securely via Stripe; we do not store full credit card numbers)

Constituent Information (Managed by Tenant Organizations)

  • Donor records: names, contact details, donation history, tax receipt information
  • Volunteer records: names, contact details, hours logged, skills, background check status
  • Member records: names, contact details, membership tier, payment history
  • Program participant records: names, demographics, enrollment history, attendance
  • Guardian and dependent information for youth programs, including emergency contacts and medical information
  • IRCC identifiers for settlement service organizations (UCI, FOSS/GCMS numbers)

Technical and Usage Information

  • IP addresses, browser type, device information
  • Pages visited, features used, and session duration
  • Consent records including timestamps, source, and IP addresses

3. How We Use Personal Information

We use personal information for the following purposes:

  • Service delivery: Operating the Platform, processing subscriptions, providing technical support
  • Compliance: Generating CRA-compliant tax receipts, T4A/T4A-NR slips, IRCC iCare exports, and other regulatory filings
  • Communication: Sending service-related notices (account confirmations, subscription changes, security alerts). We do not send marketing emails without express CASL consent.
  • Security: Detecting unauthorized access, maintaining audit trails, enforcing tenant data isolation
  • Improvement: Analyzing aggregated, de-identified usage data to improve Platform features

4. Consent

We obtain consent before collecting, using, or disclosing personal information, except where permitted or required by law. The Platform tracks two types of consent:

  • PIPEDA consent (implied or express) — for the collection and use of personal information by Tenant Organizations. Consent type, date, source, and IP address are logged.
  • CASL marketing consent (implied or express) — for commercial electronic messages. Implied consent expires after two years. Express consent does not expire but may be withdrawn at any time.

Consent may be withdrawn at any time by contacting the relevant Tenant Organization or by emailing us at privacy@causehub.ca. Withdrawal of consent may limit our ability to provide certain services.

5. Data Processor Role

For constituent data entered by Tenant Organizations (donor, volunteer, member, and participant records), Threevo acts as a data processor. The Tenant Organization is the data controller and is responsible for:

  • Obtaining appropriate consent from their constituents
  • Determining the purposes for which personal information is collected
  • Responding to access and correction requests from their constituents
  • Complying with applicable privacy legislation in their jurisdiction

Threevo processes this information only on the instructions of the Tenant Organization and in accordance with this Privacy Policy and our Terms of Service.

6. Disclosure of Personal Information

We do not sell, rent, or trade personal information. We may disclose personal information to:

  • Payment processors: Stripe, for processing subscription payments and tenant-configured donation/membership payments
  • Infrastructure providers: Odoo S.A. (hosting on Odoo.sh), for platform operation. Odoo's servers are located in data centres with appropriate security certifications.
  • Regulatory authorities: Where required by law (e.g., CRA audits, court orders)
  • Tenant Organizations: Constituent data is accessible only to the Tenant Organization that collected it, subject to strict tenant data isolation

7. Tenant Data Isolation

Each Tenant Organization's data is logically isolated using company-based record rules. This means:

  • Organization A cannot view, access, or modify Organization B's data
  • All database queries are filtered by company at the ORM level
  • Portal Users can only see data belonging to their own organization
  • MSP administrators (Threevo) can access tenant data only for support and maintenance purposes

8. Data Retention

We retain personal information only as long as necessary for the purposes described above, or as required by law:

  • CRA tax receipts: Retained for a minimum of 6 years as required by the Income Tax Act
  • T4A/T4A-NR slips: Retained for a minimum of 6 years
  • Consent records: Retained for the duration of the consent plus 3 years
  • Account data: Retained for the duration of the subscription plus 90 days
  • Backup data: Purged within 30 days of account deletion

9. Data Export and Deletion

Tenant Organizations may request a complete export of their data at any time through the Platform's Data Export Wizard or by contacting support. Exports are delivered in standard machine-readable formats.

Tenant Organizations may request complete deletion of their data through the Data Deletion Wizard, subject to mandatory CRA retention periods. Upon deletion:

  • All organization data is permanently removed from the active database
  • User accounts associated with the tenant are deactivated
  • Backup copies are purged within 30 days
  • A deletion log is retained for audit purposes (containing only the deletion date, requestor, and confirmation — no personal data)

10. Security Safeguards

We protect personal information with administrative, technical, and physical safeguards including:

  • Encrypted data transmission (TLS 1.2+) for all Platform communications
  • Encrypted storage for sensitive fields (SIN fragments, payment tokens)
  • Role-based access controls limiting data access to authorized personnel
  • Multi-tenant data isolation at the database level
  • Regular security audits and vulnerability assessments
  • Comprehensive audit trails for all data access and modifications
  • Automatic session timeouts and secure authentication

11. Access and Correction

Individuals have the right to access their personal information held by us and to request corrections if it is inaccurate or incomplete.

  • Portal Users: Can view and update their information through their self-service portal
  • Staff Users: Can view and update their profile through their portal account
  • Constituents without portal accounts: Should contact their Tenant Organization directly, or email us at privacy@causehub.ca

We will respond to access requests within 30 days, as required by PIPEDA.

12. Cookies and Analytics

The Platform uses essential cookies required for authentication, session management, and security. We do not use third-party advertising cookies or cross-site tracking.

We may use privacy-respecting analytics to understand aggregate usage patterns. No personal information is shared with analytics providers.

13. Children's Privacy

The Platform processes information about minors (under 18) only through youth program features, with verifiable guardian consent. Guardian consent is obtained through the Platform's consent management system, which records the consent type, date, source, and digital signature via Odoo Sign.

14. International Data Transfers

The Platform is hosted in Canada on infrastructure provided by Odoo S.A. Personal information may be processed in jurisdictions where our infrastructure providers operate. Where personal information is transferred outside Canada, we ensure that adequate safeguards are in place as required by PIPEDA.

15. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to Tenant Organization administrators via email at least 30 days before taking effect. The "Last Updated" date at the top of this page reflects the most recent revision.

16. Contact Us

For privacy inquiries, access requests, or complaints:

Privacy Officer
Threevo Solutions Inc.
Edmonton, Alberta, Canada
Email: