Privacy Policy

How Kernels and Cones collects, uses, stores and protects your personal information.

Effective date: May 12, 2026 · Last updated: May 12, 2026

1) About This Policy

Kernels and Cones ("we", "us", "our") is a family-owned business based in the Greater Toronto Area providing popcorn, cotton candy and snow cone machine rentals. This policy explains what personal information we collect, why we collect it, how we use and protect it, and the rights you have over it. We comply with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable Ontario privacy laws.

2) Information We Collect

We only collect the information needed to respond to your inquiry, prepare a quote, and fulfill your booking. Specifically:

  • Contact details: your name, email address, and phone number
  • Event details: event type, date, time, expected number of guests, machines you're interested in, and any special requests you choose to share
  • Service address: venue name and the event street address (so we can deliver and set up)
  • Company details (optional): business name and trade-show booth number, if applicable
  • Payment information: we do not collect or store credit card numbers. All payments are processed by Stripe, a PCI-DSS certified payment processor. Card data goes directly from you to Stripe and never touches our servers.
  • Technical data: standard server logs (IP address, browser type, timestamp) for security and abuse prevention
  • Email engagement: if we send you a quote or invoice by email, we use a one-pixel tracking image to know whether the email was opened. We use this to confirm our messages aren't getting caught in your junk or spam folder, so we can follow up another way (such as a phone call) if needed. We do not read the content of your replies.
  • Electronic signature (waiver): when you sign our Risk Statement / Waiver of Liability before paying a deposit, we record your typed full name, the IP address you signed from, your browser type, the exact timestamp, and the version of the terms you saw. This is required by our liability insurance provider and is treated as a legally binding electronic signature under Ontario's Electronic Commerce Act, 2000.

3) How We Use Your Information

We use your information only for these purposes:

  • To prepare and send you a rental quote
  • To confirm bookings and coordinate delivery, setup and pickup
  • To send you invoices, deposit reminders, and event reminders
  • To respond to your questions or feedback
  • To meet our legal and tax record-keeping obligations
  • To detect and prevent fraud or abuse of our site

We will never sell or rent your personal information to third parties. We will not use your contact details for unrelated marketing without your consent.

4) Who We Share Information With

We share information only with the small number of trusted service providers needed to run our business:

  • Stripe: payment processing (deposit and final balance payments)
  • Namecheap PrivateEmail: sends and receives emails on our behalf over secure (TLS) connections
  • Hosting provider: the server that hosts this website (located in Canada)
  • Government agencies: only if required by Canadian law, court order, or to protect our legal rights

We do not share data with advertisers, analytics brokers, or marketing platforms.

5) How Long We Keep It

We keep your information only as long as needed for the purpose it was collected:

  • Inquiries that don't become bookings: up to 12 months, then deleted
  • Completed bookings and invoices: 7 years, as required by the Canada Revenue Agency for tax and accounting purposes
  • Signed liability waivers: 7 years from the event date, as required by our insurance provider's policy for claims-period coverage
  • Email engagement data: kept with the related quote/invoice and deleted on the same schedule
  • Server logs: 90 days, then automatically purged

You can ask us to delete your data sooner. See "Your Rights" below.

6) Your Rights

Under PIPEDA, you have the right to:

  • Access the personal information we hold about you
  • Correct any inaccurate information
  • Delete your information (subject to legal retention requirements above)
  • Withdraw consent for future contact at any time
  • File a complaint with us or with the Office of the Privacy Commissioner of Canada

To exercise any of these rights, contact us at info@kernelsandcones.com or call 416-821-1892. We respond within 30 days as required by PIPEDA.

7) How We Protect Your Information

We use industry-standard safeguards proportional to the sensitivity of the data we hold:

  • HTTPS everywhere: our site forces HTTPS with a 1-year HSTS policy. Data in transit is encrypted.
  • CSRF protection: our forms use one-time tokens to prevent cross-site request forgery
  • SQL injection protection: all database queries use prepared statements
  • Security headers: X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy are set on every response
  • Restricted admin access: our admin dashboard is password-protected and locked to authenticated sessions
  • No payment data on our servers: Stripe handles all card processing

No system is perfectly secure. If we ever discover a breach affecting your personal information, we will notify you and the Office of the Privacy Commissioner of Canada as required by PIPEDA's breach reporting provisions.

8) Cookies and Tracking

Our public website uses minimal cookies: only what is needed for the contact form (CSRF token via PHP session) and remembering your form input on the contact page so you don't lose data if you navigate away. We do not use third-party advertising cookies, Google Analytics, or social media tracking pixels on our public pages.

If you receive a quote or invoice email from us, it may contain a 1-pixel image that tells us when the email is opened. We use this to confirm our messages aren't getting caught in your junk or spam folder. If we don't see an open after a reasonable time, we'll reach out another way (such as a phone call) so important booking details don't fall through the cracks. You can prevent this tracking by disabling "load remote images" in your email client; we will still send and you will still receive the message normally.

9) Children's Privacy

Our services are intended for adults arranging events. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, contact us and we will delete it.

10) Changes to This Policy

We may update this policy from time to time. The "Last updated" date at the top of this page will reflect any changes. Material changes will be brought to your attention on this page for at least 30 days before taking effect.

11) Contact Us

Questions, requests, or complaints about your personal information:

12) Office of the Privacy Commissioner of Canada

If you're not satisfied with our response, you have the right to file a complaint with Canada's federal privacy regulator:

Office of the Privacy Commissioner of Canada
30 Victoria Street · Gatineau, QC K1A 1H3
Toll-free: 1-800-282-1376
www.priv.gc.ca