Numerly

Privacy Policy

Effective Date: [TO BE CONFIRMED BY COUNSEL] | Applies to: numerly.ca

[YOUR INCORPORATED ENTITY NAME] ("Numerly", "we", "us", or "our") is committed to protecting the privacy of our clients and their employees. This Privacy Policy explains how we collect, use, disclose, and safeguard personal information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and the British Columbia Personal Information Protection Act (PIPA).

1. What Information We Collect

Category	Examples	How Collected
Account information	Name, email address, business name, phone number	Provided by you at signup
Financial data	Transaction records, invoices, bank statements, payroll data, GST/HST filings	Uploaded or entered by you
Employee information	Employee names, SINs, pay rates, TD1 data (for payroll clients)	Uploaded or entered by you
Document files	Receipt images, PDFs, CSV files	Uploaded by you
Usage data	Login timestamps, IP addresses, pages visited	Automatically collected
Communications	Support emails, document requests	Provided by you

2. How We Use Your Information

We use the information we collect to:

Provide, operate, and maintain the Numerly platform
Process transactions, generate reports, and calculate payroll and tax obligations
Send document requests, deadline reminders, and account notifications
Respond to your support requests
Comply with legal obligations, including CRA record-keeping requirements
Improve and develop the Service (using anonymized, aggregated data only)
Detect and prevent fraudulent or unauthorized activity

3. Artificial Intelligence Processing

Important: When you upload receipts, invoices, or other documents, those files may be transmitted to the Anthropic Claude API for automated data extraction (e.g., vendor name, amount, GST). This processing occurs on Anthropic's servers, which are located outside Canada. By using the document upload feature, you consent to this cross-border data processing.

We have reviewed Anthropic's usage policies and do not use their API on a plan that permits your data to be used for model training. Documents are processed and the results returned; files are not stored by Anthropic beyond the duration of the API call.

AI-extracted data is always subject to human review by your accountant before any financial record is finalized.

4. Disclosure of Personal Information

We do not sell, rent, or trade your personal information. We may share information with:

Your accounting firm / Numerly ASP: Your assigned accountant has access to your financial data to provide services
Service providers: Third-party providers who help us operate the Service (e.g., hosting, email delivery, AI processing) under contractual confidentiality obligations
Legal authorities: Where required by law, court order, or to protect the rights and safety of persons

5. Third-Party Service Providers

Provider	Purpose	Data Shared
Anthropic (Claude API)	AI document extraction	Document images and text
DigitalOcean	Cloud hosting (Canadian region preferred)	All data stored on platform
Namecheap / Private Email	Email delivery	Email address, message content

6. Data Security

We implement industry-standard security measures including:

TLS/HTTPS encryption for all data in transit
Bcrypt password hashing — we never store plaintext passwords
Session-based authentication with 8-hour timeout
Role-based access control limiting data visibility
Daily automated database backups with 14-day retention
Security headers (CSP, HSTS, X-Frame-Options) on all responses

No system is 100% secure. In the event of a data breach affecting your personal information, we will notify you and the applicable privacy regulator as required by law.

7. Data Retention

We retain your data for as long as your account is active and for 90 days following termination, after which it is permanently deleted from production systems. Backups are retained for 14 days. Financial records may be retained longer if required by CRA or other legal obligations (typically 7 years for business records).

8. Your Rights

Under PIPEDA and PIPA, you have the right to:

Access: Request a copy of the personal information we hold about you
Correction: Request correction of inaccurate information
Export: Download your financial data at any time from the platform
Withdrawal of consent: Withdraw consent to certain processing (may affect ability to use the Service)
Complaint: Lodge a complaint with the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca or the BC Information and Privacy Commissioner at oipc.bc.ca

To exercise any of these rights, contact us at support@numerly.ca.

9. Cookies and Tracking

Numerly uses only essential session cookies required for authentication. We do not use advertising cookies, tracking pixels, or analytics services that share data with third parties.

10. Children's Privacy

The Service is intended for business use by adults (18+). We do not knowingly collect personal information from individuals under 18 years of age.

11. Cross-Border Data Transfers

Our primary servers are hosted in Canada. AI processing via the Anthropic API occurs on servers outside Canada (United States). By using the AI features of the Service, you consent to this transfer. We take steps to ensure that your data is protected to a standard comparable to Canadian privacy law.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email at least 14 days before the change takes effect. The current version is always available at numerly.ca/privacy.

13. Contact Our Privacy Officer

For any privacy-related questions, access requests, or complaints:

Privacy Officer
[YOUR INCORPORATED ENTITY NAME]
[YOUR BUSINESS ADDRESS]
support@numerly.ca