Privacy Policy | BookKeeper

1. Introduction

BookKeeper ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

Please read this Privacy Policy carefully. By using the Service, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

2.1 Information You Provide

Account Information: Email address, password (encrypted)
Financial Data: Receipt images, bank transaction data, vendor names, amounts, dates
User-Generated Content: Categories, notes, edits to extracted data

2.2 Lead Capture Data

When you use our marketing tools (such as the Tax Savings Calculator or Receipt Demo), we may collect the following information from non-users:

Contact Information: Email address, first name
Location Data: Province or state of residence (for tax calculation purposes)
Calculator Inputs: Annual revenue, expense estimates, and other financial data entered into our tax calculator tools
Demo Receipt Scans: Images uploaded to our receipt demo feature for demonstration purposes

2.3 Automatically Collected Information

Usage Data: Pages visited, features used, time spent
Device Information: Browser type, operating system, IP address
Cookies: Authentication cookies, preference cookies

3. How We Use Your Information

We use your information to:

Provide, maintain, and improve our Service
Process and store your receipts and transaction data
Perform AI-powered data extraction from receipts and bank statements
Authenticate your identity and manage your account
Send important Service notifications (security alerts, updates)
Respond to your requests and support inquiries
Analyze usage patterns to improve user experience
Detect and prevent fraud, abuse, and security incidents

4. CASL Compliance

BookKeeper complies with Canada's Anti-Spam Legislation (CASL). We obtain your express consent before sending any commercial electronic messages, including marketing emails and promotional content.

Express Consent: We collect explicit opt-in consent before sending marketing communications
Consent Records: We maintain records of when and how consent was obtained, including timestamps and IP addresses
Unsubscribe Mechanism: Every commercial message includes a clear and prominently displayed unsubscribe mechanism that is processed within 10 business days
Sender Identification: All messages clearly identify BookKeeper as the sender and include our contact information

Transactional messages (such as password resets, security alerts, and billing notifications) are exempt from CASL consent requirements, as they relate directly to your use of the Service.

5. PIPEDA Compliance

As a Canada-first product, BookKeeper operates in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA). We adhere to the ten fair information principles established under PIPEDA, including accountability, consent, limiting collection, limiting use, accuracy, safeguards, openness, individual access, and challenging compliance.

You have the right to access your personal information held by BookKeeper, challenge its accuracy, and request amendments. To make such a request, please contact our Privacy Officer at support@bookkeepers.cloud.

6. Third-Party Services

We use the following third-party services:

6.1 Supabase (Infrastructure)

We use Supabase for database, authentication, and file storage. Supabase is SOC 2 Type II certified and complies with GDPR. Your data is encrypted at rest and in transit.

6.2 Google Gemini (AI Processing)

We use Google Gemini AI to extract data from receipts and bank statements. Receipt images are sent to Google's API for processing. Google does not store your images or use them for training purposes.

6.3 Vercel (Hosting)

Our Service is hosted on Vercel's infrastructure. Vercel may collect analytics and performance data to ensure Service availability.

6.4 Stripe (Payment Processing)

We use Stripe to handle subscription billing, payment processing, and credit metering. Stripe is PCI DSS compliant. We do not store your full payment card details on our servers.

6.5 Resend (Email Service)

We use Resend to send transactional emails such as welcome messages, billing notifications, and security alerts. Your email address is shared with Resend for delivery purposes only.

6.6 Cloud Storage Providers (File Import)

When you use our cloud import feature, we connect to your cloud storage provider to fetch your files. Files are retrieved for processing but are not stored on these third-party platforms by us. This feature is optional and only activated when you initiate a cloud import.

Google Drive: https://policies.google.com/privacy
Microsoft OneDrive: https://privacy.microsoft.com/en-us/privacystatement
Dropbox: https://www.dropbox.com/privacy

6.7 Sentry (Error Monitoring)

We use Sentry to monitor application errors and performance. Sentry may collect technical information such as error stack traces, browser type, and device information to help us diagnose and fix issues. No personally identifiable financial data is sent to Sentry.

7. Data Security

We implement security measures to protect your data:

Encryption: All data is encrypted in transit (TLS) and at rest (AES-256)
Authentication: Secure authentication via Supabase Auth
Access Control: Row-Level Security (RLS) ensures users can only access their own data
Storage Policies: File access restricted to authenticated owners
Regular Audits: Security reviews and vulnerability scanning

However, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security of your data.

8. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. You can delete your data at any time through the Service interface.

Upon account deletion:

All receipts, transactions, and associated data are immediately deleted
Uploaded files in storage are removed
Database backups are purged within 30 days
Authentication credentials are permanently removed

9. Your Rights (GDPR/CCPA)

You have the following rights regarding your personal data:

Right to Access: Request a copy of your personal data
Right to Rectification: Request correction of inaccurate data
Right to Erasure: Request deletion of your data
Right to Data Portability: Export your data in CSV format
Right to Restrict Processing: Limit how we use your data
Right to Object: Object to processing of your data
Right to Withdraw Consent: Withdraw consent at any time

To exercise these rights, please contact us at support@bookkeepers.cloud

10. Cookies and Tracking

We use the following types of cookies:

Essential Cookies: Required for authentication and Service functionality
Analytics Cookies: Help us understand how you use the Service (optional)
Preference Cookies: Remember your settings and preferences

You can control cookies through your browser settings. Disabling essential cookies may prevent you from using certain features of the Service.

11. Children's Privacy

Our Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you become aware that a child has provided us with personal information, please contact us so we can delete it.

12. International Data Transfers

Your data may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws. We ensure appropriate safeguards are in place for such transfers.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by email or through a notice on the Service. Continued use after changes constitutes acceptance of the updated Privacy Policy.

14. Contact Us

If you have questions about this Privacy Policy or our privacy practices, please contact us:

Email: support@bookkeepers.cloud

15. Data Processing Agreement

For business users who need a Data Processing Agreement (DPA) for GDPR compliance, please contact us at the email address above.