Privacy policy

Last updated: 2026-04-26

Who we are

noahwrealtor.com (“we”, “us”) is the personal website of Noah Wolgelerenter, Salesperson, Forest Hill Real Estate Inc., Brokerage. This policy describes how we collect, use, and protect your personal information in compliance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and Canada's Anti-Spam Legislation (CASL).

What we collect

• Contact information: name, email, phone — when you submit a contact, valuation, or saved-search form.
• Account information: email, password (stored only as a salted cryptographic hash), optional display name, and session metadata (last sign-in time, device fingerprint hash).
• Consent records: we keep a log of when and how you gave consent to each form submission — required by CASL.
• Listing preferences: neighbourhoods, price range, property type, etc., when you save a search.
• Technical metadata: IP address (hashed with a daily salt — we don't retain raw IPs for auth), user-agent hash, timestamps.
• Payment information: we don't collect or store payment details. Any future transactions are handled by a PCI-compliant processor.

Why we collect it

• To respond to your inquiries and provide the real estate services you ask for.
• To authenticate you when you sign in to your account.
• To send you listing alerts that match your saved searches — only if you explicitly consent at signup and each search creation.
• To protect the site from abuse (rate limiting, bot detection, breach-password checks).
• To comply with our legal obligations as a registered real estate agent in Ontario.

Cookies and tracking — your choice

Essential cookies (session, security, your cookie-preference choice) are always on. Everything else is opt-in via the cookie preferences banner. You can change these any time using the “Cookie settings” link in the footer.

• Analytics — Google Analytics 4 with IP anonymization. Helps Noah understand which pages visitors find useful. No cross-site tracking.
• Marketing — Google Ads remarketing and Google Signals. Google Signals enables aggregate demographic and interest reporting (age range, interest categories) for users signed in to a Google account who have enabled ads personalization. Reports are aggregated and not linked to a specific person.
• Personalization — local browser storage of recently-viewed listings and saved UI preferences (no server tracking; clears with your browser data).

We use Google Consent Mode v2 — when you decline a tier, the corresponding storage flags (analytics_storage, ad_storage, ad_user_data, ad_personalization, personalization_storage) are set to denied, and Google's tags suppress data collection for that purpose.

Third parties and where your data lives

We use the following sub-processors. All are trusted providers with their own compliance programs:

• Cloudflare (US) — site hosting, database (D1), file storage (R2), anti-bot (Turnstile).
• Google (US) — transactional email via Gmail API; Google Analytics 4; Google Ads (when consented); Google Calendar Appointment Schedules embed.
• PropTx / TRREB (Canada) — MLS® listings feed.
• haveibeenpwned.com (third-party) — passwords are checked against known breaches using k-anonymity (the full password never leaves our server).

Your data may be stored in or transit through the United States. Under PIPEDA this is permitted with notice; we use providers with strong security and contractual protections.

Your rights

• Access: request a copy of the personal information we hold about you, any time, at /account/export.
• Correction: ask us to correct inaccurate information.
• Deletion: delete your account at /account/delete. We soft-delete immediately and hard-delete after 30 days (undo window).
• Withdraw consent: unsubscribe from any email using the one-click link at the bottom. Withdrawing marketing consent doesn't affect transactional emails related to your account.
• Complaint: file a complaint with the Office of the Privacy Commissioner of Canada.

How long we keep it

• Active account data: while your account is active.
• Deleted account PII: scrubbed within 30 days of deletion request.
• Consent records (CASL): 3 years after the relationship ends.
• Security audit logs: 12 months.
• Failed login records: 90 days.
• Business records (transactional): 7 years (CRA), with PII scrubbed on account delete.

Security

Passwords are hashed with PBKDF2-SHA256 at 600,000 iterations (OWASP 2023 recommendation). Session cookies use the __Host- prefix, are HttpOnly and Secure, and server-side IDs are stored as SHA-256 hashes. Emails and reset links use single-use, short-lived, SHA-256-hashed tokens. IP addresses are hashed with a daily-rotating salt.

Breach notification

If we become aware of a breach of security safeguards involving your personal information that creates a real risk of significant harm, we will notify you and the Office of the Privacy Commissioner of Canada without unreasonable delay, as required by PIPEDA.

Contact

For privacy questions or to exercise any right above, contact Noah Wolgelerenter at noah@noahwrealtor.com. We respond within 30 days (PIPEDA).

This policy may change. We'll post updates here and notify you of material changes by email. The “Last updated” date above indicates the current revision.