PersonyFi ("PersonyFi," "we," "us," or "our") is committed to protecting your personal information. This Privacy Policy explains what information we collect, how we use it, who we share it with, and the rights you have over it.
This policy is governed by Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation.
1. Information We Collect
1.1 Information you provide directly
- Account information: name, email address, phone number, and password.
- Profile information: location, employment, household composition, and other details you choose to provide.
- Documents you upload: tax returns (T1, T2, T4, T4A, T5), equity grant letters, vehicle leases, service contracts, and similar financial documents.
- Communications: messages you send through our chat, support, or feedback channels.
1.2 Information collected automatically
- Usage data: pages viewed, features used, session duration, and interaction events.
- Device data: browser type, operating system, IP address, and approximate location.
- Cookies and similar technologies: see Section 6.
1.3 Information from third-party connections
- Bank and brokerage data via Plaid: when you connect a financial account, Plaid Inc. provides us with account balances, transactions, account holder information, and institution metadata. Use of Plaid is governed by the Plaid End User Privacy Policy.
- Authentication providers: if you sign in with a third-party provider, we receive the basic identifying information that provider shares with us.
2. How We Use Your Information
We process your personal information to:
- Provide, operate, maintain, and improve the PersonyFi service;
- Parse and structure financial documents you upload, including via AI/LLM-based extraction;
- Generate insights, scenarios, and recommendations based on your data;
- Authenticate you, secure your account, and detect fraud or abuse;
- Send transactional communications (account, billing, security);
- Send product updates and marketing communications, where you have consented or where permitted by law;
- Comply with legal, regulatory, and tax obligations.
3. Legal Basis for Processing
We rely on the following bases under PIPEDA and equivalent legislation: your consent (express or implied), the necessity of processing to perform our contract with you, our legitimate business interests (where they do not override your rights), and compliance with legal obligations.
4. AI and Automated Processing
We use machine learning and large language models to extract structured data from documents you upload and to generate financial insights. We do not use your personal information or document contents to train third-party foundation models. Where third-party model providers are used (for example, Groq), we send only the minimum data required and contractually require those providers not to retain or train on your data.
5. How We Share Your Information
We share personal information only as follows:
- Service providers: hosting (Google Cloud, Vercel), database (Supabase), payments (Stripe), authentication (Firebase), analytics (PostHog), email delivery (SendGrid), bank data (Plaid), and AI inference (Groq). Each is bound by contractual confidentiality and data-protection obligations.
- Legal requirements: where compelled by valid legal process, court order, or to protect rights, safety, or property.
- Business transfers: in connection with a merger, acquisition, financing, or sale of assets, subject to equivalent privacy protections.
- With your explicit consent: for any purpose disclosed at the time of collection.
We do not sell your personal information, and we do not share it with advertisers for targeted advertising.
6.
We use first-party cookies for authentication and session management (such as personyfi_user_session) and product analytics (PostHog) to understand how PersonyFi is used. You can control cookies through your browser settings; disabling them may break parts of the service. We do not use third-party advertising cookies.
7. Data Retention
We keep personal information for as long as your account is active or as needed to provide the service. After you delete your account, we delete or de-identify your personal information within 30 days, except where longer retention is required by law (for example, financial records under tax legislation) or to resolve disputes and enforce our agreements.
8. Security
We use industry-standard administrative, technical, and physical safeguards including encryption in transit (TLS 1.2+) and at rest, encryption of sensitive credentials with managed keys, role-based access control, audit logging, and regular security reviews. No method of transmission or storage is perfectly secure; we cannot guarantee absolute security.
9. International Transfers
Your information may be processed in countries other than Canada, including the United States, where some of our service providers operate. Where information is transferred outside Canada, we use contractual and technical safeguards designed to protect it consistent with applicable Canadian privacy law.
10. Your Rights
Subject to applicable law, you have the right to:
- Access the personal information we hold about you;
- Correct inaccurate or incomplete information;
- Withdraw consent for processing (which may limit functionality);
- Request deletion of your account and associated personal information;
- Export your data in a machine-readable format;
- File a complaint with the Office of the Privacy Commissioner of Canada or your provincial regulator.
You can exercise most of these rights directly inside the PersonyFi dashboard under Settings. For other requests, contact us at info@personyfi.com.
11. Children
PersonyFi is not directed to individuals under the age of majority in their jurisdiction. We do not knowingly collect personal information from minors. If we learn that we have collected such information, we will delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email and via an in-product notice at least 30 days before they take effect.
13. Contact Us
Privacy Officer
PersonyFi
info@personyfi.com