Privacy Policy
Version 1.0 · Effective date: 2026-04-16 · Applies to expeniq.com
1. Who we are
ExpenIQ ("we", "us", "our") is a bookkeeping, documentation, and accountant-handoff tool for Canadian self-employed individuals and small business owners. ExpenIQ is operated by Adi Hitha Yasivakumar (adi@expeniq.com), based in Ontario, Canada.
ExpenIQ is a record-organization tool. It does not provide legal, tax, accounting, or audit advice. Final tax treatment depends on your facts, applicable law, CRA guidance, and your own qualified professional.
2. What data we collect and why
We collect only what is necessary to deliver the service.
| Data category | Examples | Purpose |
|---|---|---|
| Account credentials | Email address, hashed password, authentication session tokens | Account creation, login, session management |
| Business profile | Full name, business name, GST/HST number, province, filing frequency | Personalizing your records and CRA-relevant fields |
| Financial records | Expense amounts, categories, dates, vendor names, income entries, asset records | Core bookkeeping functionality — tracking and organizing your records |
| Receipt and document files | Receipt and document files you upload as proof of expense, in any of the allowed formats: JPEG, PNG, WebP, HEIC, or PDF (up to 10 MB each) | Storing documentary evidence linked to expense records |
| Vehicle and home office data | Mileage logs, home office square footage, business-use percentages | Supporting CRA T777 and vehicle-use tracking |
| GST/HST records | Snapshot amounts, filing-period summaries | GST/HST tracking and accountant handoff support |
| Access and security logs | IP addresses, browser user-agent strings, request timestamps | Security monitoring, rate limiting, abuse prevention, and infrastructure diagnostics |
3. Where your data is stored
All user financial data, receipt files, and authentication records are stored in Canada.
- Financial and business records — Supabase PostgreSQL database in the ca-central-1 (Canada Central) region.
- Receipt and document files — Supabase Storage in the ca-central-1 (Canada Central) region.
- Authentication credentials — Supabase Auth in the ca-central-1 (Canada Central) region.
- HTTP access logs— Vercel infrastructure (US-based); these logs contain IP addresses and request metadata only — no financial data or file content. Retention is short (days to weeks per Vercel's standard policy).
Our PIPEDA position: all personal financial information and documentary records remain in Canada. Only non-financial access logs pass through Vercel's US-based infrastructure.
4. Third-party processors (subprocessors)
We use the following third-party processors. No financial data or receipt files are sent to any processor outside Supabase.
| Processor | Role | Data received | Region |
|---|---|---|---|
| Supabase (supabase.com) | Database, authentication, and file storage | All financial records, auth credentials, receipt files | ca-central-1 — Canada Central |
| Vercel (vercel.com) | Application hosting and delivery | HTTP request metadata (IP, user-agent) — no financial data | Global edge; origin US-based |
| Cloudflare (cloudflare.com) | DNS and traffic routing | DNS queries, HTTP traffic metadata — no financial data | Global |
ExpenIQ does not currently use any AI, OCR, or document-processing services. Your financial records and receipt files are not sent to any third party for analysis, categorization, or model training. If this changes in a future version, we will update this policy and notify you before that feature is activated.
5. Data retention
We retain your data for as long as your account is active. Specifically:
- Financial records and receipt files — retained until you delete them or request full account deletion.
- Authentication records — retained until account deletion.
- Audit trail records — retained to support record integrity; deletion on account closure.
- Access logs (Vercel) — retained per Vercel's standard policy (days to weeks).
We do not promise instant permanent deletion across all systems simultaneously. We will make reasonable efforts to complete deletion requests promptly and confirm when complete.
6. How we protect your data
- All financial records are protected by Row Level Security (RLS) — each user can only access their own data, enforced at the database layer.
- Receipt files are stored in a private bucket with per-user access policies. No public URLs are generated for your files.
- Sessions are validated server-side on every request.
- All team accounts use two-factor authentication.
- Secrets (service credentials, API keys) are stored in a team password manager and server-side environment variables — never in client-side code.
- An immutable audit trail records all changes to sensitive records.
7. Your rights under PIPEDA
As a Canadian resident, you have the following rights regarding your personal information:
- Access — You may request a copy of the personal information we hold about you.
- Correction — You may request correction of inaccurate personal information.
- Deletion — You may request deletion of your account and all associated records.
- Withdrawal of consent — You may withdraw consent for optional uses of your data at any time.
- Complaint — You have the right to file a complaint with the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca.
To exercise any of these rights, contact us at adi@expeniq.com. We will respond within 30 days.
8. What we do not do
- We do not sell your data to any third party.
- We do not share your financial records with any party other than the processors listed in Section 4.
- We do not use your data to train AI or machine learning models.
- We do not provide legal, tax, accounting, or audit advice.
- We do not guarantee CRA acceptance of any claim, deduction, or filing.
9. Changes to this policy
We may update this policy as the service evolves. If we make material changes — particularly changes to what data we collect, who we share it with, or how long we retain it — we will notify you by email before the change takes effect. The current version and effective date are shown at the top of this page.
10. Contact
For privacy questions, requests, or complaints, contact: