Privacy Policy

Last updated: May 16, 2026

1. Introduction

West Coast Kitchen ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit our website at westcoastkitchen.ca and use our services. We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable Canadian privacy laws.

2. Information We Collect

We collect the following categories of personal information:

  • Account Information: When you create an account, we collect your email address, password (stored as a one-way hash by our authentication provider — we never see your plaintext password), and optionally your first and last name. If you choose to sign in with Google instead, Google provides us your name and email address; we do not receive your Google password.
  • Profile and Preferences: Optional information you add to your account — dietary preferences, allergens, favourite collections, and private customer notes you choose to save.
  • Order Information: When you place an order, we collect your name, email, shipping address, and order contents. Payment processing is handled by Stripe through their hosted, PCI-compliant checkout page — we never see or store your full credit card number, CVC, or banking details. We retain only a Stripe customer identifier and an order summary (line items, totals, shipping address) on our database.
  • Communication Data: If you contact us by email or the contact form, we collect the contents of your message so we can respond. If you submit a sponsorship application, we retain the details you provided.
  • WCK AI Agent Feedback:Our in-store AI chat assistant is currently paused for refinement. While paused, the chat panel shows a feedback form. If you submit a thumbs-up / thumbs-down reaction or an optional comment, we store that response together with a salted, one-way cryptographic hash of your IP address (so the same visitor can't flood the form) and — if you're signed in — your user ID. We cannot reverse the hash to recover your IP.
  • Technical and Usage Data:Our hosting provider (Vercel) and our anonymized analytics service (Vercel Analytics & Speed Insights) record standard web request information — page paths, referrer, country-level location, anonymized device and browser type, and aggregate performance timings. Vercel Analytics is cookieless and does not build a per-visitor profile.
  • Rate-Limit Data: We use Upstash Redis to apply per-IP rate limits to sensitive endpoints (checkout, search, AI assistant). Only your IP address and a short-lived request counter are kept in this cache; entries expire automatically.
  • Product Reviews:Reviews on product pages are collected and displayed by Judge.me. If you leave a review, the name, rating, and review text you submit are governed by Judge.me's own privacy policy.

3. How We Use Your Information

  • Create and manage your account
  • Process payments, fulfill orders, and arrange shipping
  • Send transactional email — order confirmations, shipping notifications, password resets, and email verification
  • Respond to questions you send to us, including sponsorship applications and contact-form messages
  • Save the dietary preferences, allergens, and notes you voluntarily add to your profile, so we can tailor your experience
  • Protect the site against abuse (rate limiting, fraud prevention, and basic anti-spam on the AI feedback form)
  • Improve the website and product catalog through anonymized, aggregate analytics
  • Comply with legal and tax obligations

We do not sell, rent, or trade your personal information, and we do not use your data for advertising or to build advertising audiences.

4. Third-Party Services (Sub-processors)

We use the following service providers to operate the site. Each has its own privacy policy that governs how it handles data on our behalf.

  • Stripe (Stripe Payments Canada, Ltd.): Processes all payments via Stripe Checkout, manages customer payment records, and (where enabled) calculates applicable sales tax. Stripe collects and stores your payment instrument directly — it is never transmitted through our servers.
  • Supabase: Hosts our Postgres database (accounts, orders, catalog, preferences) and our authentication service. Stores account credentials as hashed, salted values.
  • Google (Sign-in with Google / OAuth): Optional alternative to email/password sign-in. When you use it, Google shares your name and email with us; refer to Google's privacy policy for details about Google's own collection.
  • OpenAI:Powers the WCK AI Agent (currently paused — see Section 6). When we re-enable live answers, chat messages are sent to OpenAI's API to generate responses. OpenAI's API terms state that data submitted through the API is not used to train their models.
  • Vercel: Hosts the website. Provides cookieless, anonymized analytics (Vercel Analytics) and real-user performance metrics (Speed Insights).
  • Upstash: Operates the Redis cache we use for per-IP rate limiting and AI token budgeting.
  • Judge.me: Collects and displays product reviews on product pages.
  • Canada Post: Carries your shipment. We share your name and shipping address with Canada Post so your order can be delivered.

5. Cookies, Local Storage, and Tracking

When you first visit westcoastkitchen.ca, a notice at the bottom of the page tells you that we use essential cookies and lets you acknowledge it. We use only the storage that is strictly necessary to make the website work — we do not use advertising cookies, retargeting pixels, social-media trackers, or any third-party marketing tags.

Specifically, we use:

  • Authentication cookies (essential): When you sign in, Supabase Auth sets HTTP-only cookies on your device so you stay signed in across pages. These cookies hold a session token and expire when the session ends or when you sign out.
  • Browser local storage (essential):Your shopping cart is stored entirely in your browser's local storage (wck_cart_v2) — it never reaches our servers until you start checkout. We also store a one-time flag (wck-cookie-consent-v1) to remember that you've seen the cookie notice.
  • Stripe Checkout:When you proceed to payment you are taken to Stripe's hosted Checkout page. Stripe may set its own cookies on that page for fraud prevention and session continuity; those are governed by Stripe's privacy policy.
  • Vercel Analytics & Speed Insights: Anonymized, aggregate analytics — cookieless and not linked to your identity.

You can clear cookies and local storage at any time through your browser settings. Doing so will sign you out and empty your cart.

6. WCK AI Agent & AI Processing

The WCK AI Agent is an AI-powered chat designed to answer questions about our products, ingredients, allergens, and collections. It is currently paused for refinement. While paused, no chat messages are sent to OpenAI, no AI tools run against your account, and the chat panel only collects optional thumbs-up / thumbs-down feedback as described in Section 2.

The remainder of this section describes how the agent will operate once we re-enable it. We're publishing it ahead of time so you have full transparency before anything turns on.

  • Model and provider:The agent is built with the OpenAI Agents SDK and runs on OpenAI's language models. Chat messages you type are sent to OpenAI to generate a response.
  • Training opt-out:We use OpenAI's API, not its consumer ChatGPT product. Per OpenAI's API terms, data sent through the API is not used to train OpenAI's models.
  • Context the agent can see: Each request includes our public product catalog and curated knowledge-base entries so the agent can answer accurately. The agent has access to a limited set of tools that read or write only on your behalf:
    • Product / collection / knowledge-base lookups (public data)
    • If you are signed in, reading your own profile (name, dietary preferences, allergens), reading your own past purchase history, and adding or removing notes you ask it to save on your profile
    Anonymous (signed-out) chats have access only to the public product and knowledge-base tools — not to any account data.
  • Guardrails: Inputs are moderated and length-limited. Per-IP rate limits and per-user token budgets cap usage to prevent abuse.
  • Not a substitute for direct contact: AI-generated responses may contain inaccuracies. For allergy-critical questions or specific dietary concerns, please confirm with us at info@westcoastkitchen.ca. The agent does not process orders or handle payment information.
  • Retention: We do not currently store the content of individual chat conversations on our database. OpenAI may retain API request data temporarily as described in its own terms (typically up to 30 days for abuse monitoring) before deletion.

7. Data Retention

We retain account, order, and tax records for as long as your account is active and for the period required by Canadian tax and consumer-protection law (typically six years for financial records). Rate-limit data expires within minutes. AI feedback rows are retained as part of our product improvement records and are not linked to a reversible identifier. You may ask us to delete your account and associated personal information at any time, subject to records we are legally required to keep.

8. Data Security

We protect your information with HTTPS-only connections, strict Content Security Policy and other security headers, input sanitization, server-side validation, row-level security on our database, signed webhook verification for payment events, and a hashed-credential authentication system. Payment card data is handled entirely by Stripe and never touches our servers. No system, however, can be guaranteed 100% secure.

9. International Transfers

Some of our service providers (notably Stripe, OpenAI, Vercel, Upstash, and Judge.me) are based in or process data in the United States and other jurisdictions outside Canada. When your information is transferred outside Canada, it is subject to the laws of those jurisdictions, including lawful access by foreign governments and authorities. We rely on contractual protections with our providers to keep your data secure during these transfers.

10. Your Rights Under PIPEDA

Under Canadian privacy law, you have the right to:

  • Access the personal information we hold about you
  • Request correction of inaccurate information
  • Withdraw consent for the collection or use of your information (note: we may not be able to provide certain services without that information)
  • Request deletion of your personal information
  • File a complaint with the Office of the Privacy Commissioner of Canada

To exercise any of these rights, contact us at info@westcoastkitchen.ca. We respond to verifiable requests within 30 days.

11. Children's Privacy

Our services are not directed to individuals under the age of 13. We do not knowingly collect personal information from children. If you believe a child has provided us information, please contact us and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Material changes will be communicated more prominently when reasonable.

13. Contact Us

If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us at info@westcoastkitchen.ca or by mail at West Coast Kitchen, 3880 Telegraph Road, Cobble Hill, BC V0R 1L4, Canada.

Help shape our meal assistant

WCK AI AgentPreview

In progress. Your feedback shapes this.

Your WCK guide, coming soon

Like having our chef on speed dial. Ask about any meal, ingredient, allergen, or the family story behind it.

  • Knows our kitchen · menu, allergens, ingredients, sourcing, our story, and more

  • Personalized to you · your allergies, diet, favorites, past orders, and more

  • Try asking · ‘what’s nut-free?’, ‘what should I try?’, ‘when will it ship?’, and more

Would this be useful to you?

0/1000