Privacy Policy

Last updated: April 30, 2026

1. Introduction

TaxTrack Inc. ("TaxTrack," "we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use TaxTrack ("the Service"). We comply with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws.

2. Information We Collect

Information you provide directly:

  • Email address and password (account registration)
  • Tax profile information (employment type, family status, home situation)
  • Documents you upload (T4s, receipts, bank statements, invoices)
  • Chat messages sent to Eldon
  • Payment information (processed by Stripe — we do not store card details)

Information collected automatically:

  • IP address and device information
  • Browser type and operating system
  • Pages visited and features used (usage analytics)
  • Session timestamps and authentication logs

3. How We Use Your Information

We use your information to:

  • Provide and improve the Service, including AI-powered document review
  • Identify relevant tax deductions based on your profile
  • Process payments and manage subscriptions
  • Send transactional emails (account confirmation, receipts, important notices)
  • Respond to support requests
  • Comply with legal obligations, including CRA reporting requirements where applicable
  • Detect and prevent fraud and abuse

We do not sell your personal information to third parties. We do not use your financial documents for advertising or marketing purposes.

4. Third-Party Services and AI Processing Disclosure

We work with trusted third-party service providers:

  • Supabase — Database and file storage. Your documents and data are stored on Supabase infrastructure hosted in Canada. Supabase is SOC 2 Type II certified. Row-Level Security (RLS) policies are enforced at the database level, meaning each user can only access their own records — this is a technical constraint enforced by the database engine, not just application logic.
  • Stripe — Payment processing. When you subscribe, payment information is handled directly by Stripe. We receive only a subscription status and a customer identifier. TaxTrack never stores or sees your credit card number. Stripe is PCI DSS Level 1 certified.
  • Anthropic — AI processing (Claude). Documents you upload for OCR review, and messages you send to Eldon, are transmitted to and processed by Anthropic's Claude API. This means document content and chat messages leave TaxTrack's servers to be processed in the United States by Anthropic. Anthropic's Privacy Policy governs that processing. We do not store conversation content beyond what you see in your chat history. By using document OCR and Eldon AI features, you consent to this processing.
  • Cloudflare — Network protection and DDoS mitigation. All traffic to TaxTrack passes through Cloudflare. Cloudflare may log metadata (IP address, request timestamps) as part of their network security service.

5. Document Security and Data Residency

Documents you upload are stored with row-level access controls enforced at the database level — only you can access your files. Storage paths include your unique user ID. We use HTTPS/TLS 1.3 for all data in transit and AES-256 encryption for data at rest.

Data residency: Your account data, documents, and tax profile are stored on infrastructure located in Canada (Toronto region), in accordance with PIPEDA. The exception is AI processing: when you use OCR or Eldon, document content is sent to Anthropic's API, which operates in the United States. See section 4 above.

We recommend you do not upload documents containing your Social Insurance Number (SIN) unless strictly necessary for the Service (for example, a T4 slip that already contains it).

6. Data Retention

We retain your account data and documents for as long as your account is active. If you delete your account:

  • Personal data (profile, tax information, documents) is deleted within 30 days of your deletion request
  • Billing records and transaction history may be retained for up to 7 years as required by CRA regulations
  • Anonymised or aggregated analytics data that cannot identify you may be retained indefinitely

Uploaded documents that have been processed by Anthropic's Claude API are subject to Anthropic's retention policies. Anthropic does not retain API input/output data beyond 24 hours for model training purposes under their standard API terms as of the date of this policy. Please verify current Anthropic data retention terms at anthropic.com if this is a concern.

7. Your Rights

Under PIPEDA and applicable provincial laws, you have the right to:

  • Access — Request a copy of the personal information we hold about you
  • Correction — Request correction of inaccurate or incomplete information
  • Deletion — Request deletion of your account and associated data
  • Portability — Request your data in a portable format (CSV/JSON)
  • Withdraw consent — Withdraw consent to certain processing (noting some features may not function without it)

To exercise any of these rights, email hello@taxtrackai.com. We will respond within 30 days.

8. Cookies

We use cookies and similar technologies to maintain your session and remember your preferences. We use strictly necessary cookies (for authentication) and, with your consent, analytics cookies to understand how the Service is used.

You can control cookies through your browser settings. Disabling authentication cookies will prevent you from staying logged in.

9. Children's Privacy

The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from anyone under 18. If you believe we have inadvertently collected such information, please contact us immediately.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or a prominent notice in the Service. Your continued use of the Service after changes constitutes acceptance of the updated Policy.

11. Privacy Officer

TaxTrack has designated a Privacy Officer responsible for PIPEDA compliance and oversight of personal information practices. The Privacy Officer is responsible for ensuring TaxTrack meets its obligations under PIPEDA and applicable provincial privacy legislation.

Privacy Officer — TaxTrack Inc.

Toronto, Ontario, Canada

Privacy inquiries: privacy@taxtrackai.com

General contact: hello@taxtrackai.com

Response time: Within 30 days as required by PIPEDA.

To exercise your rights (access, correction, deletion, portability), email privacy@taxtrackai.com. We will respond within 30 days.

If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner of Canada at www.priv.gc.ca.