ExpenIQSign in
Pre-launch draft. This policy is pending review by Canadian counsel before ExpenIQ opens to the general public. The data practices described below accurately reflect current system behaviour.

Privacy Policy

Version 1.0  ·  Effective date: 2026-04-16  ·  Applies to expeniq.com

1. Who we are

ExpenIQ ("we", "us", "our") is a bookkeeping, documentation, and accountant-handoff tool for Canadian self-employed individuals and small business owners. ExpenIQ is operated by Adi Hitha Yasivakumar (adi@expeniq.com), based in Ontario, Canada.

ExpenIQ is a record-organization tool. It does not provide legal, tax, accounting, or audit advice. Final tax treatment depends on your facts, applicable law, CRA guidance, and your own qualified professional.

2. What data we collect and why

We collect only what is necessary to deliver the service.

Data categoryExamplesPurpose
Account credentialsEmail address, hashed password, authentication session tokensAccount creation, login, session management
Business profileFull name, business name, GST/HST number, province, filing frequencyPersonalizing your records and CRA-relevant fields
Financial recordsExpense amounts, categories, dates, vendor names, income entries, asset recordsCore bookkeeping functionality — tracking and organizing your records
Receipt and document filesReceipt and document files you upload as proof of expense, in any of the allowed formats: JPEG, PNG, WebP, HEIC, or PDF (up to 10 MB each)Storing documentary evidence linked to expense records
Vehicle and home office dataMileage logs, home office square footage, business-use percentagesSupporting CRA T777 and vehicle-use tracking
GST/HST recordsSnapshot amounts, filing-period summariesGST/HST tracking and accountant handoff support
Access and security logsIP addresses, browser user-agent strings, request timestampsSecurity monitoring, rate limiting, abuse prevention, and infrastructure diagnostics

3. Where your data is stored

All user financial data, receipt files, and authentication records are stored in Canada.

  • Financial and business records — Supabase PostgreSQL database in the ca-central-1 (Canada Central) region.
  • Receipt and document files — Supabase Storage in the ca-central-1 (Canada Central) region.
  • Authentication credentials — Supabase Auth in the ca-central-1 (Canada Central) region.
  • HTTP access logs— Vercel infrastructure (US-based); these logs contain IP addresses and request metadata only — no financial data or file content. Retention is short (days to weeks per Vercel's standard policy).

Our PIPEDA position: all personal financial information and documentary records remain in Canada. Only non-financial access logs pass through Vercel's US-based infrastructure.

4. Third-party processors (subprocessors)

We use the following third-party processors. No financial data or receipt files are sent to any processor outside Supabase.

ProcessorRoleData receivedRegion
Supabase (supabase.com)Database, authentication, and file storageAll financial records, auth credentials, receipt filesca-central-1 — Canada Central
Vercel (vercel.com)Application hosting and deliveryHTTP request metadata (IP, user-agent) — no financial dataGlobal edge; origin US-based
Cloudflare (cloudflare.com)DNS and traffic routingDNS queries, HTTP traffic metadata — no financial dataGlobal

ExpenIQ does not currently use any AI, OCR, or document-processing services. Your financial records and receipt files are not sent to any third party for analysis, categorization, or model training. If this changes in a future version, we will update this policy and notify you before that feature is activated.

5. Data retention

We retain your data for as long as your account is active. Specifically:

  • Financial records and receipt files — retained until you delete them or request full account deletion.
  • Authentication records — retained until account deletion.
  • Audit trail records — retained to support record integrity; deletion on account closure.
  • Access logs (Vercel) — retained per Vercel's standard policy (days to weeks).

We do not promise instant permanent deletion across all systems simultaneously. We will make reasonable efforts to complete deletion requests promptly and confirm when complete.

6. How we protect your data

  • All financial records are protected by Row Level Security (RLS) — each user can only access their own data, enforced at the database layer.
  • Receipt files are stored in a private bucket with per-user access policies. No public URLs are generated for your files.
  • Sessions are validated server-side on every request.
  • All team accounts use two-factor authentication.
  • Secrets (service credentials, API keys) are stored in a team password manager and server-side environment variables — never in client-side code.
  • An immutable audit trail records all changes to sensitive records.

7. Your rights under PIPEDA

As a Canadian resident, you have the following rights regarding your personal information:

  • Access — You may request a copy of the personal information we hold about you.
  • Correction — You may request correction of inaccurate personal information.
  • Deletion — You may request deletion of your account and all associated records.
  • Withdrawal of consent — You may withdraw consent for optional uses of your data at any time.
  • Complaint — You have the right to file a complaint with the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca.

To exercise any of these rights, contact us at adi@expeniq.com. We will respond within 30 days.

8. What we do not do

  • We do not sell your data to any third party.
  • We do not share your financial records with any party other than the processors listed in Section 4.
  • We do not use your data to train AI or machine learning models.
  • We do not provide legal, tax, accounting, or audit advice.
  • We do not guarantee CRA acceptance of any claim, deduction, or filing.

9. Changes to this policy

We may update this policy as the service evolves. If we make material changes — particularly changes to what data we collect, who we share it with, or how long we retain it — we will notify you by email before the change takes effect. The current version and effective date are shown at the top of this page.

10. Contact

For privacy questions, requests, or complaints, contact:

ExpenIQ — Privacy Inquiries

Email: adi@expeniq.com

Ontario, Canada

ExpenIQ is for organizational purposes only. It does not provide legal, tax, or accounting advice. Consult your accountant or tax advisor for decisions about your tax obligations.
← Back to sign inexpeniq.com/privacy