Dished
Dished← Back to site
Legal

Privacy Policy

How Dished collects, uses, and protects your personal information.

Effective: March 14, 2025Last updated: March 14, 2025Jurisdiction: Ontario, Canada
Dished Inc. is committed to protecting your privacy in compliance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), SC 2000, c 5, and all applicable Ontario privacy laws. This Policy explains what personal information we collect, why we collect it, and your rights regarding that information.

1. Overview

This Privacy Policy applies to all personal information collected by Dished Inc. ("Dished", "we", "our") through the Dished website, mobile applications, and related services (collectively, the "Platform").

By using the Platform, you consent to the collection, use, and disclosure of your personal information as described in this Policy. If you do not agree, please do not use the Platform.

2. Who We Are

Dished Inc. is the organization responsible for your personal information and is the "organization" as defined under PIPEDA. Our Privacy Officer can be reached at privacy@dished.ca.

We operate in Ontario, Canada and serve Canadians across all provinces. Our principal place of business is in Toronto, Ontario.

3. Information We Collect

3.1 Information You Provide

  • Account registration: Full name, email address, password (hashed), phone number.
  • Chef profile: Home address, city, province, postal code, bio, cuisine types, cooking experience, price range, and food safety certification status.
  • Order information: Delivery address, special instructions, items ordered.
  • Communications: Messages sent through the Platform, support requests, reviews.
  • Identity verification: Where required, proof of food handler certification or other regulatory documents.

3.2 Information Collected Automatically

  • Device and log data: IP address, browser type, operating system, pages visited, timestamps.
  • Cookies and similar technologies: Session identifiers, preferences. See Section 6.
  • Location data: General location derived from IP address for displaying nearby Chefs. We do not collect precise GPS location without explicit consent.

3.3 Information from Third Parties

  • Google OAuth: If you sign in with Google, we receive your name, email address, and Google profile photo as permitted by Google's privacy settings.
  • Payment processors: If future in-app payments are introduced, payment information will be handled by a PCI-DSS-compliant processor; Dished will not store full card numbers.

4. How We Use Your Information

We collect and use personal information only for identified purposes, as required by PIPEDA Principle 4:

  • Platform operation: Creating and managing your account, enabling Chef-Customer connections, processing Orders.
  • Safety and compliance: Verifying Chef certifications, investigating reports of non-compliance with food safety or community standards.
  • Communications: Sending transactional emails (order confirmations, account notices) as required for service delivery.
  • Marketing: Sending promotional content only with your express or implied CASL consent (see Section 11).
  • Analytics and improvement: Understanding how the Platform is used to improve features. Data is aggregated and anonymized where possible.
  • Legal obligations: Complying with applicable Canadian law, court orders, or regulatory requirements.
  • Fraud prevention: Detecting and preventing fraudulent, abusive, or harmful activity.

We do not use your personal information for automated decision-making that produces legal or similarly significant effects without human review.

5. Sharing Your Information

Dished does not sell your personal information. We share personal information only in the following limited circumstances:

5.1 Between Chefs and Customers

When a Customer places an Order, their name, delivery address, and special instructions are shared with the Chef to fulfil the Order. Chef profiles — including name, location (city/neighbourhood), bio, and cuisines — are publicly visible on the Platform.

5.2 Service Providers

We engage trusted third-party service providers to help operate the Platform, including:

  • Supabase Inc. — database and authentication infrastructure. Data may be stored on servers in the United States (see Section 8).
  • Vercel Inc. — web hosting and content delivery.
  • Google LLC — OAuth sign-in and analytics.

All service providers are contractually required to protect your information and use it only for the purposes for which it was disclosed.

5.3 Legal Requirements

We may disclose personal information if required by law, subpoena, court order, or a request from a regulatory authority (e.g., a local public health unit investigating a food safety complaint).

5.4 Business Transfers

In the event of a merger, acquisition, or sale of Dished assets, personal information may be transferred as part of that transaction. We will notify you by email and/or Platform notice before such a transfer takes effect.

6. Cookies & Tracking Technologies

We use cookies and similar technologies to maintain your session, remember your preferences, and understand how you use the Platform. We use the following categories:

  • Strictly necessary cookies: Required for the Platform to function (authentication session, security tokens). Cannot be disabled.
  • Analytics cookies: Help us understand usage patterns (e.g., Google Analytics with IP anonymisation enabled). You may opt out via your browser settings.
  • Preference cookies: Remember your settings such as language or region.

You can control cookies through your browser settings. Disabling strictly necessary cookies may prevent you from signing in or using core Platform features.

7. Data Retention

We retain your personal information only as long as necessary for the purposes for which it was collected, subject to any legal obligations requiring longer retention:

  • Active accounts: For as long as your account remains active.
  • Deleted accounts: Core account data is deleted within 30 days of account deletion. Anonymized transaction records may be retained for up to 7 years for accounting and tax compliance under the Income Tax Act (Canada) and Ontario tax law.
  • Order records: Retained for 7 years from the transaction date to satisfy CRA requirements.
  • Support communications: Retained for 2 years after resolution.

8. Cross-Border Transfers

Some of our service providers, including Supabase Inc. and Vercel Inc., may store or process your personal information in the United States. When your information is transferred outside Canada, it may be subject to the laws of the jurisdiction where it is stored, including potential access by law enforcement authorities.

We take steps to ensure that any cross-border transfer is subject to appropriate contractual protections consistent with PIPEDA requirements. By using the Platform, you consent to this transfer as described in this Policy.

9. Your Rights Under PIPEDA

Under PIPEDA, you have the following rights regarding your personal information held by Dished:

  • Right of access: You may request access to the personal information we hold about you, free of charge, within 30 days of your request.
  • Right to correction: If your information is inaccurate or incomplete, you have the right to request a correction. We will correct or annotate the information as appropriate.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw consent at any time, subject to legal or contractual restrictions. Withdrawal may affect your ability to use the Platform.
  • Right to deletion: You may request deletion of your personal information. We will comply unless retention is required by law.
  • Right to complain: If you are unsatisfied with our handling of your personal information, you may file a complaint with the Office of the Privacy Commissioner of Canada at www.priv.gc.ca.

To exercise any of these rights, contact our Privacy Officer at privacy@dished.ca. We will respond within 30 days.

10. Children's Privacy

The Platform is not directed to persons under 18 years of age. We do not knowingly collect personal information from children. If you believe a child has registered on the Platform, please contact us immediately at privacy@dished.ca and we will promptly delete the account and associated information.

11. Marketing Consent (CASL)

Under Canada's Anti-Spam Legislation (CASL), we distinguish between:

  • Transactional messages (e.g., order confirmations, password resets, account alerts) — sent as necessary to operate the service; not subject to CASL opt-out.
  • Commercial electronic messages (e.g., newsletters, promotions, new Chef announcements) — sent only with your express or implied consent, as defined under CASL s.6.

You may withdraw consent to commercial messages at any time by clicking "Unsubscribe" in any promotional email, or by emailing privacy@dished.ca. We will action your request within 10 business days as required by CASL.

12. Security

We implement industry-standard technical and organizational safeguards to protect your personal information against unauthorized access, disclosure, alteration, or destruction. These include:

  • TLS/HTTPS encryption for all data in transit.
  • Bcrypt password hashing — Dished never stores plaintext passwords.
  • Row-level security on our database (Supabase RLS policies).
  • Access controls limiting employee access to personal data on a need-to-know basis.

No method of electronic transmission or storage is 100% secure. If you become aware of any security vulnerability or breach, please report it immediately to security@dished.ca.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. Material changes will be communicated by email to your registered address at least 14 days before taking effect. We encourage you to review this Policy periodically.

Continued use of the Platform after an updated Policy takes effect constitutes acceptance of the revised Policy. If you do not agree, you may delete your account before the effective date.

14. Contact & Complaints

Our Privacy Officer is responsible for Dished's compliance with PIPEDA and this Privacy Policy. To ask questions, make a request, or file a complaint:

If we are unable to resolve your complaint to your satisfaction, you have the right to escalate to:

  • Office of the Privacy Commissioner of Canada www.priv.gc.ca · 1-800-282-1376
  • Information and Privacy Commissioner of Ontario www.ipc.on.ca · 1-800-387-0073

See also our Terms of Service for the full agreement governing your use of the Dished Platform.

Questions about this document? Contact us at legal@dished.ca · Dished Inc., Toronto, Ontario, Canada