Toronto Parks Atlas
Plain-English policy

Privacy

This page documents what data the Toronto Parks Atlas collects from visitors and contributors, why, how long we keep it, who can see it, and the analytics setup. It is meant to be read, not skimmed past. If anything below is unclear or out of date, please flag it.

Effective May 13, 2026 (rev. 2).

The short version

We do not require an account.

We do not run third-party advertising trackers, social pixels, or behavioural ad networks.

Feedback and ratings are stored aggregate-only, with no IP address and no identity attached.

If you provide your name and email for a CSV upload or to receive a reply, that contact info is visible only to project admins and is never published.

Analytics is self-hosted, IP-anonymised, and used to count page visits, not to profile readers.

What we collect, channel by channel

1. Feedback votes (thumbs up / thumbs down)

Each park page carries a quick thumbs-up / thumbs-down widget with an optional comment. When you submit, we save the timestamp, the park id, your vote, and your optional comment to a private log on disk. We do not save your IP address, your browser fingerprint, or anything that could be tied back to you. The aggregate up/down ratio is published on the park page and on /insights/contested; individual rows are not.

2. Validation submissions (1 to 5 dimension ratings)

The longer validation form captures per-dimension ratings (safety, sociability, comfort, and the other dimensions documented on the methodology page) plus a self-reported confidence value. Same storage contract as feedback: timestamp, park id, ratings, no IP, no identity. Only the per-park average and disagreement are published.

3. Structured feedback (the “Provide feedback” surface)

The page at /expert-review lets you leave longer-form comments about a specific park or about the methodology itself. The form accepts your name and email so we can attribute the comment (only if you choose attribution) and reply if you ask a question. Email addresses are used in-request only, as the reply-to on a single transactional email we send to ourselves; they are not written to disk. Names appear publicly only on submissions you mark as public-attributed. Everything else is either private to admins or published without identifying information.

4. Observation CSV uploads

The page at /contribute/observations lets contributors upload a completed observation CSV. Alongside the file, the form asks for your name, email, and role. The CSV itself (which contains aggregate park observations, no PII per the template) and the metadata row sit in a directory that is visible only to project admins. We use your contact info to credit submissions and to follow up with questions; we do not share it, publish it, or use it for any kind of marketing.

5. Server access logs

The reverse proxy in front of the application keeps short-lived access logs (request line, response code, and the requesting IP) for operational reasons (debugging outages, blocking abuse). These logs rotate on a 14-day cycle and are not used for analytics or shared with any third party.

What we deliberately do not collect

  • No user accounts and no passwords for visitors. The only credential on the site is a single shared admin token, used internally.
  • No third-party advertising trackers, behavioural ad pixels, or social-network beacons.
  • No cross-site identifiers. We do not write a long-lived cookie that follows you between visits.
  • No keystroke logging, session replay, or heatmap tooling.
  • No location data beyond what you explicitly type into a search box.

Who can see what

Project admins (today, that is one person) can read every submission in raw form, including contact info on CSV uploads and structured feedback. Admin access is gated by a shared token, stored as an httpOnly, SameSite-strict, Secure cookie. The cookie is invalidated as soon as the token is rotated. Admin endpoints return 401 to anyone without a valid cookie, and the admin UI shells the request before any row data is rendered, so unauthenticated visits never receive submission contents.

Everyone else sees only the aggregated outputs: per-park averages, disagreement scores, attributed public comments, and the published research and insights pages.

How long we keep your data

  • Anonymous feedback and validation rows are kept indefinitely. They contain no identifiers, so retention is a function of disk space and project lifespan, not privacy risk.
  • Contact info on CSV uploads and structured feedback is kept until the project ends or until you ask us to delete it, whichever comes first.
  • Server access logs rotate every 14 days.
  • Email metadata held by our transactional email provider follows their own retention policy (linked below).

Analytics

The site is fronted by Cloudflare for DNS, caching, and HTTPS, which is a network-layer dependency we’d need to disclose either way. On top of that, two analytics signals touch your browser:

  • Cloudflare Browser Insights. Because the site is proxied through Cloudflare, Cloudflare injects a small beacon.min.js that reports performance and Core Web Vitals data (page load timing, navigation type, viewport size, country code). Cloudflare states it does not use cookies, does not fingerprint, and does not build cross-site profiles from this data; full details are at developers.cloudflare.com/web-analytics/privacy.
  • Self-hosted Matomo at analytics.ideawarehouse.ca. Matomo is an open-source analytics engine that lives on infrastructure we control; no visitor data is sent to Google, Meta, or any other third party. The Matomo instance is the source of truth for our own product analytics; Cloudflare’s data we read but do not own.

Our Matomo configuration:

  • IP anonymisation. The last two octets of every visitor IP are zeroed out before the row is stored. Reverse lookups to a household-level IP are not possible.
  • No cross-site profiling. Matomo is configured to use first-party storage only. Visit data does not follow you to other Idea Warehouse properties.
  • Honors Do Not Track. If your browser sends the DNT header, the tracker does not record the visit at all.
  • Aggregate reporting. The dashboard answers questions like “which pages get read?” and “which referrers send visitors?”, not “what did this specific person do?”.
  • Data retention. Raw event data is kept for 12 months. Aggregated monthly reports are kept indefinitely.

To opt out of analytics entirely, block analytics.ideawarehouse.ca and static.cloudflareinsights.com in your browser or with an extension like uBlock Origin. Setting the Do Not Track header stops the Matomo tracker, but the Cloudflare beacon does not honour DNT, so a block list is the stronger option if you also want to stop the Cloudflare beacon.

Cookies

The site sets at most two cookies, both first-party:

  • Admin session cookie (parks_admin). Set only when a project admin signs in. HttpOnly, SameSite-strict, Secure in production, scoped to this site, 7-day lifetime.
  • Matomo first-party cookie (_pk_id family). Where Matomo is configured with a short-lived first-party cookie to deduplicate the same visitor across page loads, that cookie expires in 30 days and contains an anonymised identifier only. We may switch to fully cookieless Matomo at any time.

We do not display a cookie banner because we do not run third-party tracking. If a regulator requires one in a jurisdiction we serve, we will add it.

Third parties

A handful of third-party services touch your browser when you load this site:

  • Cloudflare. DNS, caching, TLS termination, and edge protection. Every request to torontoparksatlas.ca hits Cloudflare before reaching our origin server, which means Cloudflare sees your IP, user agent, and the URL you requested. Cloudflare’s privacy policy is at cloudflare.com/privacypolicy.
  • Map basemap. The base map tiles come from the CARTO Positron style hosted at basemaps.cartocdn.com. Loading those tiles reveals your IP and the bounding box of your map view to CARTO. We pass nothing else along.
  • Google Fonts. The site loads Public Sans, Newsreader, and Material Symbols from fonts.googleapis.com. Google sees the requesting IP and the font URL. We may self-host these fonts in a future build to remove this dependency.
  • Resend (transactional email). If you provide an email on the structured-feedback form, we use Resend to send one transactional message and set your email as the reply-to. Their privacy policy is at resend.com/legal/privacy-policy.
  • OpenStreetMap and City of Toronto Open Data. The data the site analyses comes from these sources, but the browser never calls them at request time. They are batch-ingested into the project’s own cache.

Your rights

  • Access. If you provided your name and email on a CSV upload or structured-feedback submission, you can request a copy of everything we hold against that email.
  • Correction. If a comment you marked as public-attributed needs an edit or a different attribution, write to us and we will update it.
  • Deletion. You can request deletion of your contact info and any submissions you made. Anonymous votes and ratings have no identifier on them, so we cannot find them on your behalf; if that is a concern, leave them as anonymous in the first place.
  • Withdraw analytics. Block analytics.ideawarehouse.ca or set your browser’s Do Not Track preference.

Requests go to the contact address below. We aim to acknowledge within five business days and to act within thirty.

Changes to this policy

When this policy changes in a way that affects what data we collect or who can see it, we will update the effective date at the top and note the change in the project’s public commit history. Material changes that affect previously submitted data will trigger a notice on the home page for at least 30 days.

Contact

Privacy questions, access requests, and corrections: infotorontoparksatlas.ca. For background on how the project handles activity-signal data specifically, see /data-ethics.