Privacy Policy

Last updated: February 11, 2026

1. Introduction

Comptaflow inc. ("Comptaflow", "we") is committed to protecting the personal information it collects and holds, in accordance with Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25, P-39.1), the Personal Information Protection and Electronic Documents Act (PIPEDA), and all applicable laws. This policy describes the personal information we collect, the means of collection, the purposes for which we use it, the categories of persons with access, the safeguards in place, and your rights as a data subject. Comptaflow adopts a privacy-by-design and privacy-by-default approach (s. 9.1 P-39.1): the highest level of privacy is applied by default, without any action required on your part.

2. Information Collected

We collect the following categories of personal information:
• Identification information: name, email address, phone number, business address.
• Authentication information: password (hashed), multi-factor authentication factors.
• Your firm's client information: names, contact details, social insurance numbers (SIN), Quebec enterprise numbers (NEQ), GST/QST numbers.
• Government credentials: ClicSEQUR credentials, express codes, government portal passwords.
• Usage data: access logs, IP addresses, platform activity.
• Billing data: processed by Stripe; we do not store your credit card numbers.

Sensitive data classification (s. 12 P-39.1): social insurance numbers, government credentials, client financial data, and tax information are considered sensitive personal information. Express consent is required for any use of this data beyond its original purpose of collection.

3. Means of Collection

We collect your personal information through the following means (s. 3.2 P-39.1):
• Directly from you: when you create your account, enter data into the platform (client forms, government credentials, billing information), and through your communications with us.
• Automatically during platform use: access logs, IP addresses, browsing and usage data, authentication cookies.
• Through third parties: payment data confirmed by Stripe Payments Canada Ltd.

We do not collect any personal information through concealed means or without your knowledge. Cookies are managed in accordance with our cookie policy, accessible on our website.

4. Purposes of Collection and Use

We use your personal information for the following purposes:
• Providing and operating the Comptaflow platform.
• Managing your account and subscription.
• Securely storing your clients' government credentials to facilitate tax filings.
• Generating and tracking tax tasks and deadlines.
• Communicating with you about the service (notifications, security alerts, updates).
• Ensuring platform security and detecting unauthorized access.
• Complying with our legal and regulatory obligations.

Your personal information will never be used for any purpose other than those listed above without first obtaining your express consent.

5. Legal Basis for Processing

The processing of your personal information is based on the following legal grounds:
• Consent: you consent to processing by creating an account and using the platform. This consent is manifest, free, informed, and specific in accordance with sections 8 and 14 of Law P-39.1.
• Contract performance: processing is necessary to provide the service.
• Legal obligation: certain processing is required to comply with tax laws and applicable regulations, including regulatory retention periods of professional orders.
• Legitimate interest: platform security and fraud prevention.

Withdrawal of consent: you may withdraw your consent at any time from your account settings or by contacting our privacy officer. Withdrawal is as easy as granting consent. Please note that withdrawal may affect your ability to use certain platform features.

6. Categories of Persons with Access

In accordance with section 3.2 of Law P-39.1, the following categories of persons have access to your personal information within our organization:
• Firm owners: full access to their firm's data, including client information, government credentials, and billing data.
• Managers: access to firm data, client information, and government credentials according to granted permissions.
• Employees: limited access to tasks, comments, and basic client information assigned to them. No access to government credentials or billing data.
• Comptaflow technical staff: restricted and supervised access, only for maintenance and technical support, with logging of all access.

Access is controlled by row-level security (RLS) policies in the database, ensuring that no user can access data belonging to another firm.

7. Roles and Responsibilities

In accordance with section 3.2 of Law P-39.1, the following roles and responsibilities apply to the protection of personal information throughout its lifecycle:
• Privacy officer: oversees compliance with Law 25, processes rights exercise requests, coordinates incident response, and conducts privacy impact assessments (PIAs).
• Development team: implements technical security measures (encryption, access control, logging), applies privacy by design in new features.
• Firm owner (user): responsible for managing accounts within their firm, data accuracy, and employee awareness.

All Comptaflow staff with access to personal information are bound by confidentiality obligations.

8. Security Measures

We implement technical and organizational security measures consistent with industry best practices:
• Encryption at rest: all sensitive data (ClicSEQUR passwords, SINs, security codes) is encrypted using AES-256-GCM at the application level.
• Encryption in transit: all communications use TLS 1.2 or higher.
• Access control: data isolation by firm through row-level security (RLS) policies. Credential access restricted to owners and managers.
• Authentication: time-based one-time password (TOTP) multi-factor authentication available for all users.
• Monitoring: access logging for sensitive data with automatic secret redaction.
• Rate limiting: protection against brute-force attacks on authentication.
• Security headers: HSTS, CSP, X-Frame-Options, and other HTTP protections.
• Automatic purging: data past its retention period is automatically deleted by scheduled tasks.

These measures are proportional to the sensitivity, quantity, and storage medium of the protected information, in accordance with section 9.1 of Law P-39.1.

9. Data Retention and Destruction

We retain your personal information for as long as your account is active or as needed to provide the service.
• Account data: retained for the duration of the subscription, then deleted 30 days after termination.
• Audit logs: retained for 3 years in accordance with legal and tax requirements.
• Security logs: retained for 1 year.
• Billing data: retained in accordance with applicable tax requirements (minimum 6 years).
• Notifications: automatically deleted after 1 year.
• Chat messages: automatically deleted after 3 years.
• Completed privacy requests: automatically deleted after 3 years.

Upon expiry of the retention period, data is securely and irreversibly deleted. Please note that certain regulatory retention periods of professional orders and tax laws may take precedence over deletion requests. In such cases, we will inform you accordingly.

10. Third-Party Sharing

We never sell your personal information. We share data only with the following service providers, necessary for operating the platform:
• Supabase (database hosting): data hosted in the ca-central-1 region (Montreal, Canada).
• Vercel (application hosting): deployed in the yul1 region (Montreal, Canada).
• Stripe Payments Canada Ltd. (payment processing): receives only data necessary for billing. Approved payment processor operating in Canada.
• Resend (transactional emails): receives email addresses for sending notifications.
• Canny.io (user feedback): collects user suggestions and feedback. Functional cookie, enabled only with your consent.

In accordance with section 18.3 of Law P-39.1, all our subprocessors are bound by written data protection agreements specifying the safeguards to be taken, limitation of use to the mandate's purposes, prohibition of data retention after the mandate's expiry, and the obligation to notify us of any incident. Your data is hosted in Canada. No cross-border transfers are made by Comptaflow.

11. Cookies and Tracking Technologies

In accordance with section 8.1 of Law P-39.1, we inform you of the use of the following technologies:
• Authentication and session cookies: necessary for the operation of the platform. These cookies are exempt from the consent requirement.
• Functional cookies (Canny.io): enabled only with your explicit consent.

We do not use tracking cookies, behavioral analytics, or advertising cookies. No identification or profiling technology is enabled by default (s. 8.1 P-39.1). For more details, see our cookie policy accessible from our website.

12. Automated Decisions and Profiling

In accordance with section 12.1 of Law P-39.1, we inform you that Comptaflow does not use any automated decision-making technology or profiling to make decisions about you. Platform features (automatic generation of tax tasks, deadline calculations) are decision-support tools and not automated decisions within the meaning of the law. All final decisions are made by the accounting professionals using the platform. Should we introduce such technologies in the future, we will inform you in accordance with the law and obtain your consent beforehand.

13. Your Rights

In accordance with Quebec's Law 25 (s. 27-28.1) and PIPEDA, you have the following rights:
• Right of access: obtain confirmation that we hold personal information about you and receive a copy.
• Right of rectification: have inaccurate or incomplete information corrected.
• Right of deletion: request the deletion of your personal information, subject to legal retention obligations.
• Right to portability (s. 27, in force Sept. 2024): receive the information you have provided to us in a structured, commonly used technological format (JSON or CSV), or request its transfer to another organization.
• Right to withdraw consent: withdraw your consent at any time; account termination triggers data deletion according to our retention policy.
• Right to de-indexing: require the cessation of dissemination of your personal information or the de-indexing of any hyperlink associated with your name.
• Right to file a complaint: with the Commission d'accès à l'information du Québec (CAI).

How to exercise your rights:
• Data export: available directly from your account settings (JSON and CSV formats).
• Client dossier export: owners and managers can export a client's complete dossier from their client profile.
• Formal requests: submit a request from the "Privacy Protection" section in your account settings, or contact our officer at privacy@comptaflow.ca.
• Account deletion: available from your account settings.

We commit to responding to any request within 30 days in accordance with section 32 of Law P-39.1.

14. Privacy Impact Assessments

In accordance with sections 3.3 and 3.4 of Law P-39.1, Comptaflow conducts privacy impact assessments (PIAs) before any project involving the collection, use, communication, retention, or destruction of personal information. The privacy officer is consulted from the beginning of any new project or feature. These assessments consider the sensitivity of the data, the purposes of use, the quantity of data, and the safeguards to be applied.

15. Privacy Incidents

In accordance with sections 3.5 to 3.8 of Law P-39.1, in the event of a privacy incident:
• Risk assessment: each incident is assessed for serious risk of harm, considering the sensitivity of the information and the likelihood of malicious use.
• Notification to the CAI: if a serious risk of harm is identified, the Commission d'accès à l'information du Québec (CAI) is notified with diligence within 72 hours of becoming aware of the incident.
• Notification to individuals: affected individuals are notified as soon as possible, with a description of the information involved, the circumstances, measures taken, and recommended actions.
• Incident register: all incidents are recorded in a register kept for a minimum of 5 years, including those not reaching the serious harm threshold. This register is made available to the CAI upon request.
• Corrective measures: measures are implemented to prevent recurrence of the incident.

16. Professional Secrecy

Comptaflow acknowledges that some accounting firms using the platform may be bound by professional secrecy under Quebec's Professional Code (C-26) and the rules of their professional order. The platform is designed to respect this dual obligation (Law 25 and professional secrecy). Data isolation by firm (RLS) and encryption of sensitive data (AES-256-GCM) ensure that a firm's client information cannot be accessed by unauthorized persons. In accordance with section 21.1 of Law P-39.1, no communication of information permits the identification of the person to whom a professional service was rendered.

17. Privacy Officer

In accordance with section 3.1 of Law P-39.1, Comptaflow has designated a privacy officer. For any questions, rights exercise requests, or concerns regarding your personal information, please contact us:

Comptaflow inc.
Email: privacy@comptaflow.ca

You may also file a complaint with the Commission d'accès à l'information du Québec (CAI): www.cai.gouv.qc.ca

18. Changes to This Policy

We may modify this policy from time to time. Any material changes will be communicated by email or by a notice on the platform at least 30 days before taking effect. The date of last update is indicated at the top of this page. We maintain a version history of this policy. You may request a copy of any previous version by contacting our privacy officer.