How ArcticNote handles the small amount of data the cabinet collects, what we do not collect, and how to ask us to delete it. Written for Manitoba and Canada under PIPEDA, with a nod toward GDPR for European visitors.
This page describes the privacy posture of ArcticNote, a free social pixel arcade run by a small workshop in Winnipeg. The cabinet does not run a payment system, and we do not maintain user accounts. The data we touch is therefore small — but small is not zero, and this page lists every category we do touch.
The cabinet writes two pieces of data to the visitor's browser: a small cookie remembering whether the age gate has been confirmed, and a small cookie recording whether the cookie banner has been accepted or declined. Both expire after one hundred and eighty days. Neither contains a name, an email, an IP address, or any other identifier.
We log standard server-side request data when the site is hosted: the IP address making the request, the user-agent string, and the timestamp. These logs are kept for thirty days for security and basic operations. After thirty days the records are rotated and discarded.
ArcticNote does not collect a name, an email address, a phone number, a postal address, a date of birth, a payment instrument, a government identifier, biometric data, or any other category of personal information. The cabinet does not have a sign-up flow, a profile page, a payments page, or a withdrawal page. There is no shopping cart, no wallet, and no balance.
We do not run third-party advertising trackers on this domain. There is no Facebook pixel, no LinkedIn insight tag, no TikTok pixel, no doubleclick tag, no general retargeting infrastructure. The cabinet is paid for by the floor crew out of pocket; there is no advertising stack.
The host running the cabinet is the only third party with access to the small server-side logs described above. They run on Canadian infrastructure, have a published privacy policy that meets PIPEDA requirements, and rotate their logs on the same thirty-day window. We do not sell, lend, or otherwise share the logs with any other organisation.
The fonts on the cabinet are loaded from Google Fonts. Google Fonts may receive an IP address when the font file is requested. This is a single round-trip; the file is then cached for the duration of the session. We chose Google Fonts because the alternative (self-hosting) was a heavier ask and the privacy delta is small for a free arcade with no account system.
See the Crumb Cartridge for a full inventory of cookies and their purposes. The short version: two cookies, both strictly necessary, both expiring after one hundred and eighty days. No analytics cookies, no advertising cookies, no third-party cookies.
The two cookies described above are used for the cabinet to remember the visitor's consent decisions across pages. The server-side logs are used to identify abuse and recover from operational incidents. There is no other use; we do not do behavioural analytics, we do not build user profiles, and we do not export the data to any other system.
Cookies on the visitor's browser expire after one hundred and eighty days. Server-side logs are rotated and discarded after thirty days. Email correspondence with the support inbox is kept for as long as the conversation is active and discarded ninety days after the last message. None of these windows are extended on a one-off basis.
Under the Personal Information Protection and Electronic Documents Act (PIPEDA) and, for European visitors, the General Data Protection Regulation (GDPR), you have the right to ask us what we have on file, to correct any inaccuracies, to ask us to delete it, and to lodge a complaint with the Office of the Privacy Commissioner of Canada or, in Europe, your national supervisory authority. Email [email protected] with the request and we will reply within thirty days.
Quebec residents have additional rights under Loi 25; the same email address handles those requests, and the response window is twenty-one days for a Loi 25 inquiry. We do not currently transfer Quebec personal information outside of Canada, so the cross-border notification requirements do not apply.
The cabinet runs over HTTPS on the production host. The cookies are written with a SameSite=Lax attribute. Server-side logs are stored on encrypted disks. We do not run a database with personal information; if we did, we would describe the encryption-at-rest posture here.
The host is in Canada and the small floor crew lives in Manitoba. There is no data transfer outside of Canada except the Google Fonts request described above. If we change hosts in the future, this page will be updated within thirty days of the move.
If the privacy posture of the cabinet changes — new cookie, new third party, new data category — this page will be updated and the change date noted at the bottom of the page. Material changes will be flagged with a small banner on the homepage for two weeks following the update.
The privacy contact is [email protected]. The address is 201 Portage Avenue, Winnipeg, MB R3B 2H8, Canada. The phone is +1 (204) 555-0418 — we do not staff the phone line for privacy inquiries; please write.
Last updated: 2026-05-05.