CanTaxPro

Privacy Policy

Last updated: March 26, 2026

1. Introduction

CanTaxPro ("we," "our," or "us") is a software-as-a-service platform designed for Canadian tax professionals and accounting firms. This Privacy Policy explains how we collect, use, disclose, and safeguard personal information when you use our platform, including our website at cantaxpro.net and all associated services (collectively, the "Service").

We are committed to protecting your privacy in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation. By using the Service, you consent to the practices described in this policy.

2. Information We Collect

2.1 Account & Professional Information

  • Name, email address, and password (hashed)
  • Firm or practice name, province of operation
  • Billing information (processed by Stripe; we do not store full card numbers)
  • Two-factor authentication credentials (TOTP)

2.2 Client Data (Processed on Your Behalf)

Tax professionals use CanTaxPro to manage data about their clients. This data is processed by us as a data processor on behalf of the tax professional (the data controller). It may include:

  • Client names, contact details, and addresses
  • Social Insurance Numbers (SIN) — stored encrypted using AES-256 (Fernet)
  • Tax documents (T1, T2, T4, T5, GST/HST returns, etc.) uploaded as files
  • Financial data synced from QuickBooks Online via authorized OAuth connection
  • Filing deadlines, notes, and correspondence records

2.3 Automatically Collected Data

  • Log data: IP addresses, browser type, pages visited, timestamps
  • Device information: operating system, screen resolution
  • Cookies and local storage for session management and theme preferences

3. How We Use Your Information

  • To provide, operate, and improve the Service
  • To authenticate users and maintain session security
  • To process subscription billing and send transactional emails
  • To generate AI-assisted tax analysis using large language models (data is transmitted to Anthropic's API; see Section 5)
  • To send deadline reminders and system notifications
  • To respond to support requests and service inquiries
  • To comply with legal obligations under Canadian federal and provincial law

We do not sell, rent, or share personal information with third parties for marketing purposes.

4. Data Storage & Residency

All primary data — including client records, uploaded documents, and database backups — is stored on Amazon Web Services infrastructure located in the Canada (Montreal) — ca-central-1 region. Uploaded documents are stored in Amazon S3; the application database runs on Amazon RDS PostgreSQL; document embeddings are stored in a local ChromaDB instance within the same environment.

Documents are retained for 7 years from the date of upload in accordance with standard Canadian tax record-keeping requirements, after which they are automatically archived to Amazon S3 Glacier and then purged. Deleted client records are permanently wiped (including encrypted SINs and all associated documents) within 30 days of deletion in accordance with PIPEDA.

5. Third-Party Services

5.1 Anthropic (Claude AI)

CanTaxPro uses Anthropic's Claude API to power AI-assisted tax Q&A. When you submit a query, the content of your message and relevant retrieved knowledge-base context is sent to Anthropic's API. Client-identifying information is minimized in prompts. Anthropic's data practices are governed by their Privacy Policy.

5.2 Intuit QuickBooks Online

Users may optionally connect their QuickBooks Online account via OAuth 2.0. When connected, CanTaxPro accesses customer records and financial reports from QBO on the user's behalf. OAuth tokens are stored encrypted using AES-256. This integration is governed by Intuit's Privacy Statement. You may revoke access at any time from Settings → Integrations.

5.3 Amazon Web Services

Infrastructure provider. Data is stored in ca-central-1 (Montreal). AWS is bound by standard data processing agreements.

5.4 Stripe

Payment processing for subscriptions. Stripe handles all card data; CanTaxPro does not store full card numbers. Governed by Stripe's Privacy Policy.

5.5 Amazon SES

Email delivery for transactional notifications (deadline reminders, account alerts). Emails are sent from noreply@cantaxpro.net.

6. Security

We implement industry-standard security measures including:

  • TLS 1.2+ encryption in transit (HTTPS via Let's Encrypt)
  • AES-256 encryption at rest for Social Insurance Numbers and OAuth tokens
  • Bcrypt password hashing
  • Optional time-based one-time password (TOTP) two-factor authentication
  • Role-based access controls (admin, staff)
  • No storage of plaintext sensitive credentials

While we take reasonable precautions, no system is completely secure. In the event of a data breach affecting your information, we will notify affected users in accordance with PIPEDA's mandatory breach reporting requirements.

7. Your Rights Under PIPEDA

You have the right to:

  • Access — request a copy of the personal information we hold about you
  • Correction — request correction of inaccurate or incomplete information
  • Withdrawal of consent — withdraw consent to processing where applicable (may affect Service functionality)
  • Deletion — request deletion of your account and personal data (subject to legal retention requirements)
  • Complaint — file a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca

To exercise any of these rights, contact us at privacy@cantaxpro.net.

8. Cookies & Tracking

We use essential cookies and browser local storage for session authentication and user preferences (e.g., theme selection). We do not use advertising cookies, tracking pixels, or third-party analytics beyond server-side logs. You may disable cookies in your browser, but this will prevent login from functioning.

9. Children's Privacy

The Service is intended for professional use by adults (18+). We do not knowingly collect personal information from individuals under 18. If you become aware that a minor has provided us with personal information, contact us at privacy@cantaxpro.net.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or an in-app notice at least 14 days before taking effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

11. Contact Us

For privacy-related inquiries, data access requests, or to report a concern:

CanTaxPro Privacy Officer

Email: privacy@cantaxpro.net

Website: cantaxpro.net
