Last updated: June 9, 2026

Privacy Policy

MetaTax helps Canadian small business owners and accountants prepare T2 corporate tax filings. This policy explains what personal information we collect, how we use it, and the rights you have under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).

1. Who we are

"MetaTax" refers to the operator of metatax.ca and the MetaTax Client Portal at metatax-portal.vercel.app. We are based in Ontario, Canada, and subject to PIPEDA and the Personal Information Protection Act (Ontario, where applicable).

Privacy Officer: Questions about this policy or your data can be sent to privacy@metatax.ca.

2. What we collect

Account information

  • Email address and full name (for sign-in and personalization)
  • Hashed password (we never see or store your plaintext password — Supabase Auth handles this with bcrypt)

Business information you provide

  • Corporate legal name, business number (BN), fiscal year-end, province
  • Bank statement PDFs you upload (we extract transactions, then keep both)
  • Employee records you add to payroll: name, SIN, address, banking info (if entered)
  • Subcontractor records: business name, contact, HST/BN numbers
  • Receipts, invoices, and expense entries

Technical information

  • Audit log of actions you take in the portal (sign-in, upload, expense added, etc.) for security and compliance
  • Server logs from our hosting provider (Vercel) — IP address, request URL, status code — retained 30 days

3. Why we collect it (the 10 PIPEDA principles)

We follow the 10 fair information principles in Schedule 1 of PIPEDA:

  1. Accountability. Our Privacy Officer is responsible for compliance. Reach them at privacy@metatax.ca.
  2. Identifying Purposes. We collect personal information solely to deliver the bookkeeping and tax-prep features described on our marketing site. We do not sell, rent, or trade your data.
  3. Consent. By creating an account, you consent to the collection and use described in this policy. You can withdraw consent at any time by deleting your account in Settings — Privacy.
  4. Limiting Collection. We only collect what's needed to run the service. We never ask for documents we don't use (e.g. drivers' licences, birth certificates).
  5. Limiting Use, Disclosure, and Retention. Your data is used only for the purposes above. We retain financial records for 7 years following CRA requirements; we retain bank statement PDFs for 24 months unless you delete your account sooner.
  6. Accuracy. You can edit your profile and corporation details anytime. Categorization mistakes can be fixed in the Transactions page.
  7. Safeguards. We use encryption in transit (TLS 1.3), encryption at rest (Supabase managed Postgres on AWS), row-level security on every database table, magic-number file validation on uploads, signed-URL access to receipts, and 60-second TTLs on download URLs. See our security page for details.
  8. Openness. This policy and our Terms of Service are linked from every page. Material changes will be announced via email and a notice in your account.
  9. Individual Access. You can download all your personal data in JSON format from Settings — Privacy. You can also request a copy by emailing privacy@metatax.ca; we'll respond within 30 days as required.
  10. Challenging Compliance. If you believe we've mishandled your data, email privacy@metatax.ca. If we can't resolve it, you can complain to the Office of the Privacy Commissioner of Canada at priv.gc.ca.

4. Where your data is stored

All personal data is stored with our service providers, who are bound by contractual data-processing agreements:

  • Supabase (database + authentication + file storage) — region: Canada Central (Toronto)
  • Vercel (web application hosting) — region: Washington DC, USA
  • Anthropic (AI transaction categorization) — only redacted merchant strings; never amounts, names, SINs, or account numbers

Because Vercel hosts the application in the US, your data transits a US-based server when you interact with MetaTax. However, the database where it's stored at rest is in Canada. We've assessed the implications under PIPEDA s. 4.1.3 and concluded the cross-border processing is compatible with the law.

5. AI categorization disclosure

When you upload a bank statement, the PDF text is sent to Anthropic's Claude AI to extract structured transactions. The text we send may include merchant names and transaction amounts as they appear on your statement. We do not send:

  • Your account number
  • Your name or address
  • Your SIN or business number
  • Statement balances (only transaction-level amounts)

Anthropic does not store the data you send for training purposes when accessed via the API with the standard agreement. See Anthropic's commercial terms.

6. Cookies and tracking

We use one strictly necessary cookie (your Supabase session) so you stay signed in. We do not use analytics, marketing, or third-party tracking cookies on the application portal. The marketing site at metatax.ca may use anonymous Vercel Analytics for aggregate page-view counts; you can decline this via the cookie banner.

7. Data retention

We retain different categories of data for different periods aligned to CRA record-keeping requirements (Income Tax Act, Excise Tax Act):

  • Transaction records: 7 years from the related fiscal year-end (per CRA s. 230(4))
  • Bank statement PDFs: 24 months, then auto-purged unless you re-upload
  • Audit log: 24 months for security review purposes
  • Session cookies: Until you sign out or after 30 days of inactivity (whichever comes first)
  • Account profile: Until you delete your account; then a 30-day grace period before permanent deletion

8. Children's privacy

MetaTax is for Canadian small business owners and accountants. We do not knowingly collect data from anyone under the age of majority in their province. If you believe a minor has provided data, email privacy@metatax.ca and we'll delete it.

9. Breach notification

If we become aware of a privacy breach that creates a real risk of significant harm, we will:

  • Notify you by email and in-app banner as soon as practicable
  • Notify the Office of the Privacy Commissioner of Canada as required by PIPEDA s. 10.1
  • Keep records of the breach for at least 24 months

10. Changes to this policy

Material changes will be highlighted at the top of this page and sent to you by email at least 30 days before they take effect. Continued use of MetaTax after that date constitutes acceptance.

Contact

For privacy questions or to exercise your rights under PIPEDA:

Privacy Officer
MetaTax
Email: privacy@metatax.ca