Privacy Policy

Effective date: May 1, 2026

The short version

• FIMBY is run by Strathcona Vineyard Church in Vancouver, British Columbia. Strathcona Vineyard Church is a federally registered charity in Canada and a BC provincial society. FIMBY still follows applicable BC privacy law.
• We collect account, neighbourhood, posting, messaging, lending, notification, support, and safety information so FIMBY can work.
• Some information in FIMBY can be sensitive, including care preferences, accessibility notes, prayer requests, support relationships, safety reports, addresses, photos, and contact details you choose to share.
• Content you post in FIMBY is normally only visible to the neighbourhood, audience, or conversation it belongs to. Service providers that help us run FIMBY, moderation reviews of reported content, and narrow legal/safety exceptions are the limited cases where it may be seen more broadly.
• We do not sell your personal information and we do not build advertising profiles. We do collect limited technical and security information to run and protect the service.
• You can ask to see or correct your information, withdraw consent for optional features, turn off notifications, and delete your account.

Who we are

FIMBY is operated by Strathcona Vineyard Church, a federally registered charity in Canada and a British Columbia provincial society.

Postal address: Box 88195 – 88 W Pender St #1173, Vancouver, BC V6B 6N6
Email: help@fimby.com

We follow British Columbia’s Personal Information Protection Act (PIPA). Where the federal Personal Information Protection and Electronic Documents Act (PIPEDA) applies — for example, certain interprovincial or cross-border activities — we follow it as well. These obligations apply to FIMBY in full. We try to collect only what a reasonable person would expect us to need for a neighbourhood mutual-aid tool.

Our Privacy Officer

Our Privacy Officer is the person appointed by Strathcona Vineyard Church to oversee FIMBY privacy matters. The current FIMBY Program Privacy Officer is Stephen Rathjen. The Privacy Officer is responsible for how FIMBY handles personal information.

You can contact our Privacy Officer at privacy@fimby.com (privacy questions, access or correction requests, withdrawal of consent for optional features, and complaints) or at help@fimby.com (anything else). Both addresses reach monitored FIMBY support channels; privacy-tagged messages are routed into our privacy intake process.

If you ask us about your information, ask to correct it, withdraw consent for an optional use, ask how a feature uses your information, request deletion of your account, or make a privacy complaint, we will:

1. acknowledge your request,
2. confirm what we need from you to identify the request,
3. respond within a reasonable time consistent with BC PIPA / PIPEDA,
4. explain our decision in plain language, and
5. tell you how to escalate if you are not satisfied — including to the Office of the Information and Privacy Commissioner for British Columbia, or the federal Office of the Privacy Commissioner of Canada where applicable.

What we collect and why

We collect different kinds of information depending on how you use FIMBY.

When you create your FIMBY account, you are asked to review and agree to this Privacy Policy. For most of what FIMBY collects — account basics, neighbourhood, and technical and security information — your agreement to this policy and your use of FIMBY is your consent. For sensitive information — such as care preferences, accessibility notes, prayer requests, support relationships, and safety reports — FIMBY asks for your consent at the point where you choose to provide that information, and you can withdraw that consent later by removing it or by contacting us.

Account basics

We collect your name, email address, account identifiers, neighbourhood, and login details so we can create your account, keep it secure, route you to the right neighbourhood, and contact you about your account.

Neighbourhood information

FIMBY is neighbourhood-scoped. We use your neighbourhood to decide what you can see and who can see what you post. This is part of how FIMBY keeps trust local.

Things you choose to share

If you create asks, offers, bulk buys, events, library items, RSVPs, replies, messages, photos, or Shared Life posts (such as thank-yous, prayer requests, neighbourhood moments, laments, and god stories), we store that content so it can be shown to the neighbours or conversations it belongs to.

Contact information you choose to share

You can choose to share specific contact details with another neighbour, such as phone, email, or other contact information. This is opt-in and field-by-field. You can revoke shared contact information later.

Sensitive or optional details

Some details can be sensitive in context. This includes care preferences, accessibility notes, support relationships, prayer requests, safety reports, photos, address information, and information about community groups or faith/community participation. We use these details only for FIMBY purposes, only where they are needed for the feature you are using, and only with the visibility described in the app.

Some information may become sensitive because of context, even if it does not seem sensitive on its own. For example, a request for help, a prayer request, a support relationship, an accessibility note, or a safety report may reveal personal circumstances.

Support relationships

If someone helps you use FIMBY, or you help someone else use FIMBY, we store information about that support relationship, including who is helping whom, the status of the relationship, consent records, and any paper form uploaded to support the relationship.

Notifications

If you allow notifications, we store push notification tokens and notification preferences so we can send you FIMBY notifications. Push delivery is handled through Expo, Apple, and Google.

Technical and security information

We collect technical information such as connection logs, error logs, security events, device push-token identifiers, app-issued session identifiers, and rate-limit counters. We use this to keep FIMBY secure, investigate bugs, prevent abuse, and protect the service.

When you use FIMBY on the web, your browser may store a small session cookie or similar token so FIMBY can keep you signed in. FIMBY does not use advertising cookies, analytics tracking pixels, or third-party behavioural tracking on the web app.

Who can see what

FIMBY is built around neighbourhood trust.

In normal operation:

• A post you make in your neighbourhood is normally visible to neighbours who are verified in that neighbourhood.
• A direct message is normally visible to the people in that conversation.
• Contact information you share with a specific neighbour is normally visible only to that neighbour, in the fields you chose to share.
• A post you make as a Community Group represents that organization and is shown according to the same neighbourhood rules.

The cases where information may be seen more broadly are limited and are listed elsewhere in this policy: service providers that help us run FIMBY, moderators or admins reviewing reported or flagged content, narrow legal or safety exceptions, and any broader sharing you explicitly choose (for example, the opt-in Shared Life sharing toggle).

Supporters may see information needed to help the person they are approved to support. They cannot silently consent on that person’s behalf. Where FIMBY requires the supportee’s own consent, the supportee must give it directly, including by signed paper form where that path is used.

Who helps us run FIMBY

We use a small number of service providers to operate the FIMBY app:

Where your FIMBY account and community data lives

• Salesforce (CAN50, Montreal, Quebec, Canada) hosts the FIMBY app and the core account and community data, with encryption at rest.

Providers that may handle limited login, session, push, security, or delivery metadata

(depending on which features you use)

• Vercel runs the auth bridge used by the mobile app, which processes login and session traffic. Configured to run in Montréal, Canada (East) (ca-central-1 / yul1).
• Upstash Redis stores short-lived session and rate-limit data. Primary region Oregon, USA (us-west-2); read region Central Canada (ca-central-1).
• Expo Push Service helps route mobile push notifications. Hosted by Expo in the United States region.
• Apple Push Notification service and Google Firebase Cloud Messaging deliver notifications to your device on Apple’s and Google’s global delivery infrastructure.

These providers process information for FIMBY. They are not allowed to use your FIMBY content for their own advertising or to sell it. Some of them may still process limited security, session, push, or delivery metadata as part of running their own service.

Our service providers may process limited personal information, technical information, or delivery metadata as needed to provide hosting, login, security, analytics, communication, push notification, or support functions.

We have agreements with our service providers that require them to protect the personal information we share with them and to use it only for the purposes we direct. Strathcona Vineyard Church remains responsible for personal information in the hands of its service providers.

The service providers we use may change as FIMBY develops. If a change materially affects how personal information is collected, used, stored, disclosed, or protected, we will update this Privacy Policy and provide notice where appropriate.

Where your data lives

Your primary FIMBY account and community data is stored in Salesforce CAN50, located in Montreal, Quebec, Canada, with encryption at rest.

The FIMBY auth bridge on Vercel is configured to run in Montréal, Canada (East) (ca-central-1 / yul1).

Upstash Redis processes short-lived session and rate-limit data with a primary region in Oregon, USA (us-west-2) and a read region in Central Canada (ca-central-1).

Expo Push Service helps route mobile push notifications and is hosted by Expo in the United States region.

Apple Push Notification service and Firebase Cloud Messaging are managed push-delivery services operated by Apple and Google.

Depending on the provider and feature used, limited login, session, security, push, or delivery metadata may be processed outside British Columbia or outside Canada. When information is processed outside Canada, it may be subject to the laws of the place where it is processed.

How long we keep information

We keep personal information only as long as reasonably needed for the purposes described in this Privacy Policy, unless a longer period is required or permitted by law.

We keep active account and content information while your account is active or while the content is needed for the feature you used.

Some examples:

• Asks, offers, bulk buys, events, Shared Life posts, messages, library items, lending records, and support relationships stay while they are active unless you remove them or delete your account.
• Technical logs are generally kept for a limited period and reviewed periodically, unless they are needed longer for security, abuse prevention, debugging, legal compliance, or an investigation.
• Account deletion is explained in detail at /delete-account.
• Some limited records may be kept longer where needed for safety, legal compliance, dispute resolution, fraud prevention, an active lending hold, or an active investigation.

We do not keep personal information just because it might be useful someday.

Information removed from active systems may remain in secure backups for a limited period until those backups are overwritten or deleted through normal backup cycles.

Email, texts, and push notifications

What you hear from FIMBY falls into a small number of categories.

Notifications about your own activity. When something happens that involves you — someone responds to your post, a loan request comes in, an event you RSVP’d to is starting soon, your account or login needs attention, a supporter paper form needs your signature — we send you a push notification, an email, or both. These are part of how FIMBY actually works. You can turn each category on or off in Settings → Notifications, and your device’s notification settings are also respected.

Occasional updates about FIMBY itself. Strathcona Vineyard Church operates FIMBY at its own cost. From time to time, you may receive a separate email — clearly labelled — explaining how FIMBY is funded and inviting you to help support FIMBY’s operating costs. These messages:

• are strictly about FIMBY itself, not about other Strathcona Vineyard Church programs;
• are sent as their own message (we do not slip fundraising content into your activity notifications or any community digest);
• always identify Strathcona Vineyard Church as the sender;
• include a one-click unsubscribe link that does not require logging in;
• can also be turned off in Settings → Notifications under “Updates about FIMBY itself.”

Turning these off does not affect your FIMBY account or your activity notifications.

What we do not do. We do not use the email address you gave us to sign up for FIMBY to solicit for Strathcona Vineyard Church’s other programs. We do not run referral campaigns, growth/promotional emails, or general community newsletters in v1. If we ever introduce any of those, we will ask for separate, explicit consent first — your acceptance of the FIMBY Terms is not consent for those messages.

Why this matters under the law. Canada’s anti-spam law (CASL) applies to commercial electronic messages, including some sent by registered charities. Notifications about your own activity are exempt as transactional messages. The occasional “help support FIMBY” emails from Strathcona Vineyard Church are sent under CASL’s charity-primary-purpose-fundraising exemption — they still identify the sender and offer one-click unsubscribe, which we honour within 10 business days. CASL applies to FIMBY where it applies; charity status does not exempt the rest of the message mix.

Social media sharing

We do not pull content out of FIMBY for FIMBY’s own marketing without an explicit choice from the person who posted it. The way that choice works today is the Shared Life sharing toggle.

When you create a Shared Life post, FIMBY may offer a separate toggle asking whether we can share that post on FIMBY’s social media or public communications. That toggle is off by default. You can turn it off again by editing the post.

Outside that explicit choice, your content is normally only visible to the neighbourhood, audience, or conversation it belongs to, subject to the limited service-provider, moderation, safety, and legal exceptions described in this policy.

Your choices and rights

You can contact us at help@fimby.com to:

• ask what personal information we have about you;
• ask us to correct information that is wrong or incomplete;
• ask for a copy of your information in a readable format (for example, your posts, messages, and lending history) — we will provide this where reasonably practical;
• withdraw consent for optional uses of your information;
• ask how a feature uses your information;
• delete your account; or
• make a privacy complaint.

Withdrawing consent may mean we cannot provide a feature. For example, if you revoke shared contact information, the neighbour you shared it with should no longer see that contact detail. If you delete your account, you lose access to FIMBY.

We may need to confirm your identity before responding to access, correction, deletion, or privacy-related requests.

When we may disclose information without consent

We may collect, use, or disclose limited personal information without consent where the law allows or requires it. For example, we may do this to respond to legal process, protect someone’s health or safety, investigate abuse, prevent fraud or security incidents, enforce the Terms, or cooperate with law enforcement where legally permitted.

Age

FIMBY is for adults 19 or older, aligned with British Columbia’s age of majority. To create or use an account, you confirm at sign-up that you are 19 or older and able to agree to the FIMBY Terms. This is a hard eligibility requirement; FIMBY is not for anyone under 19.

We do not collect a full date of birth by default. If stronger verification is ever needed in the future, we may ask for less granular information (such as month and year, or year of birth), not a full DOB. If you believe someone under 19 has created an account, please contact help@fimby.com.

How we protect your information and respond to incidents

We use safeguards appropriate to the sensitivity of the information, including encrypted connections (TLS in transit), encryption at rest in Salesforce CAN50, OAuth PKCE, short-lived access tokens, refresh-token reuse detection, rate limits on sensitive endpoints, and access controls for administrators.

Access to FIMBY personal information is limited to authorized people who need it to operate, secure, support, moderate, or legally administer FIMBY. This may include approved administrators, moderators, technical support personnel, and authorized Strathcona Vineyard Church representatives. Access is handled under confidentiality expectations and should be limited to what is reasonably necessary for the purpose.

No system is perfect.

If a privacy or security incident creates a real risk of significant harm, we will notify affected individuals and regulators as soon as practicable and without unreasonable delay, where required by law.

FIMBY maintains internal breach-tracking and incident-response procedures to support the commitment above.

Changes to this policy

If we make a material change to this policy, we will give notice through FIMBY and/or email before the change takes effect, where practical. Where law, safety, or security requires a faster change — for example, a regulator orders an immediate update or a vulnerability needs an immediate fix — we may give shorter notice and explain the reason after the fact. Minor clarifications may be noted on the page without a separate notice.

If FIMBY is transferred or shuts down

If Strathcona Vineyard Church dissolves, transfers FIMBY to a different organization, or shuts the app down, we will:

• give you notice through FIMBY and/or email where practical;
• offer you a way to delete your personal information before any transfer;
• not transfer your personal information to a new operator without fresh consent where required by law; and
• handle deletion of remaining personal information according to the principles in /delete-account.

This matters because FIMBY users may have shared sensitive care preferences, prayer requests, and support-relationship information. We treat that as a commitment, not a footnote.

Contact

For privacy questions, access or correction requests, deletion requests, or complaints, contact our Privacy Officer (the FIMBY Program Privacy Officer; current officer: Stephen Rathjen):

Email: privacy@fimby.com (or help@fimby.com — both reach monitored FIMBY support channels)
Mail: Privacy Officer, Strathcona Vineyard Church, Box 88195 – 88 W Pender St #1173, Vancouver, BC V6B 6N6

You may also contact the Office of the Information and Privacy Commissioner for British Columbia. Where federal privacy law applies, you may contact the Office of the Privacy Commissioner of Canada.