Privacy
Privacy Notice
How OPTAX collects, uses, protects, and retains business, tax, banking, support, and consent data for the preparation workflow.
1. Introduction
Your privacy is critical to us at OPTAX. This Privacy Notice explains how we collect, use, disclose, and safeguard your information when you use the OPTAX platform.
We are committed to protecting the financial and personal data of Canadian businesses and their owners. The OPTAX Privacy Officer is the accountability contact for this Privacy Notice and can be reached at privacy@optax.ai.
2. Information We Collect
We collect information necessary to operate the T2 preparation workflow and support review-ready materials:
- Account Data: Name, email address, password, and phone number.
- Business Data: Corporation name, Business Number (BN), address, and incorporation details.
- Financial Data: Transaction history, bank statements, expenses, and revenue records.
- Usage Data: Log data, device information, consent records, and interaction with our AI assistant.
- Feedback and Support Data: Feedback messages, ratings, issue category, page path, selected company context, limited metadata, and browser/device signal when you submit product feedback or an assistant issue report.
3. How We Use Your Data
- To format draft T2 preparation materials for review.
- To support verified calculations where the workflow supports them.
- To categorize transactions and tie records to source evidence.
- To communicate with you regarding account updates, review status, and workflow notices.
- To triage customer feedback, investigate support issues, maintain status/readback notes, and improve product quality.
- To improve product quality using aggregated operational metrics. We do not use your uploaded tax, banking, document, or chat data to train public AI models.
4. Third-Party Integrations
We use trusted third-party providers to enhance our service.
Plaid (Banking Connections)
We use Plaid Inc. ("Plaid") to connect your bank accounts. By using this integration, you authorize Plaid and us to access and transmit the account and transaction data you choose to share for the company you select in OPTAX. We use this data to import, categorize, reconcile, and prepare tax reports; we do not use Plaid bank data for unrelated marketing or model training. Please review Plaid's Privacy Policy.
OPTAX records a banking consent receipt when you complete Plaid Link, including the consent version, company, institution, selected account scope, timestamp, and privacy-preserving request evidence where available. You can disconnect a bank account in the app; future syncs stop after disconnection or when renewed authorization is required.
AI Service Providers (OpenAI, Google)
We use large language models provided by OpenAI, Google (Gemini), and other partners to process documents and power our chatbot. OPTAX does not use uploaded tax, banking, document, or chat content to train public AI models. Provider retention, training exclusion, regional processing, and zero-retention controls depend on the provider used for the feature, applicable agreements, account settings, and data-processing terms in effect at the time of processing.
Stripe (Payment Processing)
We use Stripe, Inc. ("Stripe") to process subscription payments and manage billing. When you make a payment, your payment card information is transmitted directly to Stripe and is never stored on our servers. Stripe may collect and use your payment data in accordance with their privacy policy. Please review Stripe's Privacy Policy.
Cloud Hosting and Analytics
We use cloud infrastructure for hosting and may use privacy-aware analytics, such as Cloudflare Web Analytics where configured, to understand aggregate website usage. Product analytics may also be captured inside the app when configured for operational quality and product improvement.
5. Data Storage & Security
Data Residency: We prioritize storing Canadian tax data within trusted cloud infrastructure regions (e.g., GCP North America).
Security Safeguards: We use secure transport, access controls, and privacy-aware safeguards for sensitive tax and financial information. Bank credentials are never stored on our servers; they are handled securely by Plaid.
6. Data Retention
Our data retention policy varies by subscription tier to balance storage costs with Canada Revenue Agency (CRA) record-keeping requirements:
- Paid Subscribers (Lite, Professional): We retain tax records and related financial records for up to seven (7) years where needed for CRA record-keeping and audit support.
- Customer Feedback and Support Records: Feedback and support inbox records may be retained for up to seven (7) years where they become operational, legal, security, billing, audit, or tax-support evidence. We review these records before deletion because users may include personal, business, or tax information in free-text messages.
- Visitors / Pre-Trial Accounts: Users without an active paid subscription have restricted product access. Any uploaded documents or incomplete setup artifacts may be retained for a limited operational period and then deleted or frozen unless the user purchases a paid plan.
Regardless of your subscription tier, you may request deletion of your account and associated data at any time, subject to legal, tax, billing, security, and audit-retention obligations. Where legal requirements mandate retention (e.g., CRA audit periods), we will retain the minimum data necessary to comply.
7. Canadian Privacy Safeguards
We design our privacy program around Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) principles.
We use PIPEDA's 10 Fair Information Principles as our operating framework:
- Accountability: The OPTAX Privacy Officer (privacy@optax.ai) is accountable for our privacy program.
- Identifying Purposes: We collect data for T2 preparation, evidence organization, account support, billing, security, and consent records.
- Consent: We request consent at account, bank-connection, checkout, marketing, and tax sign-off points where the workflow requires it.
- Limiting Collection: We collect only information necessary for our services.
- Limiting Use, Disclosure, and Retention: Your data is used only for stated purposes.
- Accuracy: You can update supported account and profile details in the product or contact the OPTAX Privacy Officer for corrections.
- Safeguards: We use secure transport, access controls, and internal security reviews.
- Openness: This policy explains current public data practices for the OPTAX website and preparation workflow.
- Individual Access: You can request an export of your personal information by contacting the OPTAX Privacy Officer, subject to legal, tax, billing, security, and audit-retention limits.
- Challenging Practices: Contact the OPTAX Privacy Officer with any concerns.
8. Your Rights
Under PIPEDA, you have the right to:
- Access: Request a copy of all personal data we hold about you.
- Correction: Update or correct inaccurate information.
- Deletion: Request deletion of your account and associated data, subject to legal, tax, billing, security, and audit-retention requirements.
- Portability: Request export of your data in a machine-readable format (JSON), subject to the same retention and confidentiality limits.
- Withdraw Consent: Request or manage withdrawal of consent for optional processing, subject to legal, tax, billing, security, provider, and audit-retention obligations.
To exercise these rights, use supported Account Settings and privacy request flows where available, or contact privacy@optax.ai.
9. Contact Us
If you have questions about this Privacy Notice, please contact the OPTAX Privacy Officer:
OPTAX Privacy Officer
Email: privacy@optax.ai