Privacy Policy
What we collect, how we use it, who we share it with, how long we keep it, and your rights. Short version: we collect the minimum needed to run the site and reply to you, and we don’t sell, rent, or share your data for advertising.
Effective May 18, 2026
About this Policy
This Privacy Policy (the “Policy”) applies to reaatech.com (the “Site”) and to REAA Technologies Inc (“REAA,” “we,” “us,” or “our”). It explains what personal information we collect when you visit the Site, why we collect it, who we share it with, how long we keep it, and the rights you have over it. By using reaatech.com, you consent to the data practices described in this Policy.
What we do not do
Up front, so you can stop reading sooner if these are your concerns:
- We do not sell, rent, or lease your personal information to anyone.
- We do not share your information with advertisers, ad networks, data brokers, or marketing-automation vendors.
- We do not load advertising pixels, remarketing tags, A/B testing scripts, or third-party trackers.
- We do not collect biometric data.
- We do not collect or process payment-card information through this Site. Paid engagements are invoiced separately under a signed Statement of Work.
- We do not fingerprint your device beyond the daily-rotating hash our analytics provider uses to count unique visitors (see “Analytics” below).
What we collect
Information you give us. When you fill in a form on the Site (contact, charity application, calendar “trouble finding time”) or book an appointment through the calendar, we collect the fields you submit: typically your name, email address, time-zone (for calendar bookings), and any free-text message or notes you choose to include.
Comments via GitHub. When you sign in to leave a comment, authentication is delegated to GitHub via OAuth. We do not see your GitHub password. From GitHub we receive a public display name, your GitHub username, and a SHA-256 hash of your email address (used to render a Gravatar avatar). We do not store your plaintext email.
Server logs. Our hosting provider (Vercel) maintains standard web server logs containing IP address, request path, user agent, referring URL, and timestamp. These roll off on Vercel’s retention schedule.
Error telemetry. When the Site encounters an unhandled error, we send a report to Sentry that includes a stack trace, the URL the error occurred on, basic browser/device context, and (for a short window around the error only) a session replay of the page so we can reproduce the bug. Session replays are not recorded for normal browsing — only when an error fires.
Analytics. We use Plausible Analytics, a privacy-respecting, EU-hosted analytics service that does not set cookies and does not collect personal information. Plausible counts unique visitors using a daily-rotating hash of IP + user-agent; the underlying values are not retained.
Attribution cookie. A first-party cookie called reaatech_session stores the landing page, UTM parameters, and the referrer that brought you to the Site, so that if you later submit a form we can attribute the lead to its source. The cookie is signed (HMAC), base64-encoded, and contains no identity or PII. It is a functional cookie, not a tracking cookie.
Authentication cookies. If you sign in as an administrator or as a commenter, standard Supabase Auth session cookies are set in your browser to keep you logged in. These cookies are visible only to reaatech.com.
OAuth state cookies. When you start an OAuth flow (signing in with GitHub to comment, or — if you are an administrator — connecting Google Calendar or Microsoft 365), a short-lived cookie is set for CSRF protection during the handshake. It is deleted as soon as the callback completes.
How we use your information
We use the information we collect to:
- respond to your inquiries and process charity applications;
- confirm, remind, reschedule, or cancel calendar bookings, and write the agreed event to your host’s connected calendar when one is configured;
- display public comments you have chosen to post, attributed to you;
- measure aggregate site usage (which pages are visited, where visitors come from) so we can improve the Site;
- attribute leads to the marketing source they came from, so we understand which channels are working;
- detect and prevent abuse, fraud, and security incidents;
- diagnose and fix bugs and operational errors;
- communicate with you about the services you have requested (a confirmation, reminder, or follow-up to a conversation you started);
- comply with applicable laws, regulations, legal process, and government requests.
We do not use your information for advertising, retargeting, or marketing automation. We do not share it with anyone for those purposes.
Who we share information with
We work with a small number of vetted third-party providers (collectively, “Sub-processors”) who help us run the Site. Each provider is bound by contract to use the information we share only to deliver the service for which we engaged them, and to maintain the confidentiality and security of that information.
- Vercel — hosts the Site and serves all requests; sees IP address and request metadata as part of normal hosting.
- Supabase — provides our database and authentication. Stores form submissions, comments, calendar bookings, encrypted OAuth tokens for connected calendars, and admin/commenter session data.
- Resend — sends transactional email (booking confirmations, reminders, contact-form acknowledgements). Sees the recipient email address and the message we send.
- Cloudflare — provides Turnstile (the invisible CAPTCHA on our forms), DNS, and bot protection. Cloudflare may collect signals as described in their privacy policy in order to determine whether a request is automated.
- Plausible Analytics — EU-hosted, cookie-less aggregate analytics. Receives pageview and event data; does not receive PII.
- Sentry — receives error reports and (on errors only) session-replay data; sees IP, user-agent, and any data captured in the error context.
- GitHub — provides OAuth for commenter sign-in. We receive only the profile fields necessary to display a comment.
- Google and Microsoft — if (and only if) an administrator connects a Google Calendar or Microsoft 365 account, the Site will interact with the relevant API on the host’s behalf using OAuth tokens that the host has explicitly authorized. Booking guests’ details are sent to the host’s connected calendar so the event can be created and managed.
We may disclose your personal information, without notice, if required to do so by law, legal process, or government request, or in good faith belief that disclosure is necessary to (a) comply with the law, (b) protect and defend our rights or property, or (c) act under exigent circumstances to protect the personal safety of our users or the public.
Analytics
We use Plausible Analytics on public pages of the Site to understand which pages are visited, how visitors arrived, and how the Site performs. Plausible is cookieless and counts unique visitors using a daily-rotating hash of IP + user-agent; the underlying values are not retained. Admin pages are not tracked. Plausible respects the browser Do-Not-Track signal where we have enabled it. No advertising profiles are built; no cross-site tracking takes place.
Cookies
The full cookie inventory on this Site:
- reaatech_session — first-party, signed JSON containing UTM parameters, referrer, and landing page only. Functional (used for attribution); contains no identity.
- Supabase Auth session cookies — set only when you sign in (as an administrator or to comment). Functional.
- OAuth state cookies — short-lived CSRF protection during sign-in handshakes. Deleted on callback.
- Cloudflare/Vercel cookies — may be set by our hosting and bot-protection providers per their own policies. These are necessary for the Site to function.
You can decline or delete cookies via your browser settings; some Site features (signing in, completing a booking) will not work without functional cookies.
Security
We maintain reasonable administrative, technical, and physical safeguards designed to protect personal information from unauthorized access, use, or disclosure. Traffic to and from the Site is served over HTTPS (TLS). OAuth tokens for connected calendars are encrypted at rest using AES-256-GCM with a key held in our hosting provider’s environment-variable vault. Manage-tokens for guest booking management are 256-bit random values and are compared using constant-time comparison to prevent timing attacks.
No data transmission over the Internet or any wireless network can be guaranteed to be 100% secure. While we take reasonable steps, you acknowledge that (a) there are security and privacy limitations inherent to the Internet that are beyond our control, and (b) the security, integrity, and privacy of any information exchanged between you and us through the Site cannot be guaranteed.
Data retention
- Contact submissions: 2 years from the date of submission.
- Charity applications: 2 years from the date of submission.
- Calendar bookings: retained while the booking is active; archived for 1 year after the meeting date and then deleted.
- Public comments: retained as long as the related post or page is published. You may request deletion of your own comments at any time.
- Server logs: 30 days at our hosting provider.
- Sentry error reports and session replays: subject to Sentry’s default retention windows for our plan.
Your rights
Regardless of where you live, you may:
- request access to the personal information we hold about you;
- request correction of inaccurate information;
- request deletion of your personal information;
- object to or request restriction of certain uses (including any use you believe is unfair);
- export a copy of the personal information you have provided to us in a portable format.
To exercise any of these rights, email rick@reaatech.com. We will respond within 30 days, or sooner where required by applicable law.
California residents (CCPA/CPRA): we do not “sell” or “share” personal information for cross-context behavioural advertising as those terms are defined under the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act. Because we do not sell or share, there is no opt-out mechanism for us to provide for the sale of personal information — but you retain all other CCPA/CPRA rights (access, correction, deletion, portability, limit-use-of-sensitive-info, non-discrimination for exercising those rights), which you may exercise via the email address above.
EU/EEA/UK residents (GDPR/UK GDPR): our legal bases for processing personal information are contract (to deliver services you have requested), legitimate interests (to operate the Site, secure it against abuse, and measure aggregate usage), and your consent where applicable (e.g., for non-essential cookies in jurisdictions that require it). You may exercise your access, rectification, erasure, restriction, portability, and objection rights via the email address above, and you have the right to lodge a complaint with your supervisory authority.
Right to deletion — exceptions
Subject to certain exceptions, on receipt of a verifiable request from you we will delete your personal information from our records and direct our service providers to do the same. We may decline to comply with a deletion request, or comply only in part, if it is necessary for us or our service providers to:
- complete a transaction for which the personal information was collected, fulfill the terms of a written warranty, or perform a contract between you and us;
- detect security incidents; protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for such activity;
- debug to identify and repair errors that impair existing intended functionality;
- exercise free speech, ensure the right of another consumer to exercise free speech, or exercise another right provided for by law;
- comply with the California Electronic Communications Privacy Act;
- engage in public or peer-reviewed scientific, historical, or statistical research in the public interest, where deletion would render the research impossible or seriously impair it and where we have obtained your informed consent;
- enable solely internal uses reasonably aligned with the context in which you provided the information;
- comply with an existing legal obligation; or
- otherwise use your personal information internally in a lawful manner that is compatible with the context in which you provided it.
Breach notification
In the event of a security incident involving personal information, we will promptly investigate and provide notice to affected individuals and to applicable regulatory authorities in the manner and within the timeframes prescribed by applicable law.
Email communications
Email we send is transactional — replies to your inquiries, calendar booking confirmations and reminders, and operational notices about a service you have requested. We do not send marketing or promotional email blasts. If you do receive an email from us that you wish to stop, reply to it with “unsubscribe” or email rick@reaatech.com.
Disconnecting third-party accounts
Two surfaces of the Site connect to third-party accounts:
- Commenter sign-in (GitHub): you may revoke our access at any time from your GitHub account settings under “Authorized OAuth Apps.”
- Administrator calendar connections (Google / Microsoft): administrators may disconnect a connected calendar from the admin calendar Connections page at any time, or revoke access directly from their Google or Microsoft account.
Disconnecting an account does not delete data we have already received under that connection — use the deletion request flow above for that.
Links to other sites
The Site contains links to other websites. We are not responsible for the content or privacy practices of those sites. When you click a link off our Site, please review the privacy statement of the destination site if it collects personally identifiable information.
Children
REAA does not knowingly collect personally identifiable information from children under the age of 13. If you are under 13, please do not use this Site or submit any personal information. If we learn that we have inadvertently collected personal information from a child under 13, we will delete it promptly. If you are between 13 and 18, please use the Site only with the permission of a parent or guardian.
International transfers
REAA is based in the United States, and several of our service providers operate worldwide. When you submit information to the Site, that information may be processed in the United States or in another country in which one of our service providers operates. By using the Site, you acknowledge and consent to the transfer of your information to jurisdictions which may have different data protection laws than your home country.
Changes to this Policy
We reserve the right to change this Policy from time to time — for example, when our services change, when our data-protection practices change, or when the law changes. When changes are significant, we will notify you (by email to the address we have on file for you, by placing a prominent notice on the Site, or both). Your continued use of the Site after such modifications constitutes (a) your acknowledgement of the modification and (b) your agreement to be bound by the modified Policy.
Contact
For questions or comments about these Terms, contact us or email rick@reaatech.com.
