Privacy Policy

Last updated: February 1, 2025

1. Introduction

Comptaflow inc. ("Comptaflow", "we") is committed to protecting the personal information it collects and holds, in accordance with Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25), the Personal Information Protection and Electronic Documents Act (PIPEDA), and all applicable laws. This policy describes the personal information we collect, the purposes for which we use it, the safeguards in place, and your rights as a data subject.

2. Information Collected

We collect the following categories of personal information:
• Identification information: name, email address, phone number, business address.
• Authentication information: password (hashed), multi-factor authentication factors.
• Your firm's client information: names, contact details, social insurance numbers (SIN), Quebec enterprise numbers (NEQ), GST/QST numbers.
• Government credentials: ClicSEQUR credentials, express codes, government portal passwords.
• Usage data: access logs, IP addresses, platform activity.
• Billing data: processed by Stripe; we do not store your credit card numbers.

3. Purposes of Collection and Use

We use your personal information for the following purposes:
• Providing and operating the Comptaflow platform.
• Managing your account and subscription.
• Securely storing your clients' government credentials to facilitate tax filings.
• Generating and tracking tax tasks and deadlines.
• Communicating with you about the service (notifications, security alerts, updates).
• Ensuring platform security and detecting unauthorized access.
• Complying with our legal and regulatory obligations.

4. Legal Basis for Processing

The processing of your personal information is based on the following legal grounds:
• Consent: you consent to processing by creating an account and using the platform.
• Contract performance: processing is necessary to provide the service.
• Legal obligation: certain processing is required to comply with tax laws and applicable regulations.
• Legitimate interest: platform security and fraud prevention.

5. Security Measures

We implement technical and organizational security measures consistent with industry best practices:
• Encryption at rest: all sensitive data (ClicSEQUR passwords, SINs, security codes) is encrypted using AES-256-GCM at the application level.
• Encryption in transit: all communications use TLS 1.2 or higher.
• Access control: data isolation by firm through row-level security (RLS) policies. Credential access is restricted to owners and managers.
• Authentication: time-based one-time password (TOTP) multi-factor authentication is available for all users.
• Monitoring: access logging for sensitive data with automatic secret redaction.
• Rate limiting: protection against brute-force attacks on authentication.
• Security headers: HSTS, CSP, X-Frame-Options, and other HTTP protections.

6. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the service.
• Account data: retained for the duration of the subscription, then deleted 30 days after termination.
• Audit logs: retained for 3 years in accordance with legal and tax requirements.
• Security logs: retained for 1 year.
• Billing data: retained in accordance with applicable tax requirements (minimum 6 years).
Upon expiry of the retention period, data is securely deleted.

7. Third-Party Sharing

We never sell your personal information. We share data only with the following service providers, as necessary for operating the platform:
• Supabase (database hosting): data hosted in the ca-central-1 region (Montreal, Canada).
• Vercel (application hosting): deployed in the yul1 region (Montreal, Canada).
• Stripe (payment processing): receives only the data necessary for billing.
• Resend (transactional emails): receives email addresses for sending notifications.
All our subprocessors are bound by data protection agreements. Your data is hosted in Canada.

8. Your Rights

In accordance with Quebec's Law 25 and PIPEDA, you have the following rights:
• Right of access: obtain a copy of the personal information we hold about you.
• Right of rectification: have inaccurate or incomplete information corrected.
• Right of deletion: request the deletion of your personal information, subject to legal retention obligations.
• Right to portability: receive your data in a structured, commonly used format.
• Right to withdraw consent: withdraw your consent at any time; account termination triggers data deletion according to our retention policy.
• Right to file a complaint: with the Commission d'accès à l'information du Québec (CAI).
To exercise your rights, contact our privacy officer at the address below.

9. Privacy Incidents

In the event of a privacy incident presenting a serious risk of harm, Comptaflow commits to:
• Notifying the Commission d'accès à l'information du Québec (CAI) within 72 hours of becoming aware of the incident.
• Notifying affected individuals as soon as possible.
• Maintaining a register of all privacy incidents in accordance with Law 25.
• Implementing corrective measures to prevent recurrence of the incident.

10. Privacy Officer

In accordance with Law 25, Comptaflow has designated a privacy officer. For any questions or requests regarding your personal information, please contact us:
Comptaflow inc.
Email: privacy@comptaflow.ca
You may also file a complaint with the Commission d'accès à l'information du Québec (CAI): www.cai.gouv.qc.ca

11. Changes to This Policy

We may modify this policy from time to time. Any material changes will be communicated by email or by a notice on the platform at least 30 days before taking effect. The date of last update is indicated at the top of this page.