Privacy Policy
Last Updated: April 7, 2026
Opes Ledger ("we," "us," "our") operates the personal finance application available at opesledger.ca (the "Service"). We are committed to protecting your privacy and handling your personal information responsibly and transparently. This Privacy Policy explains what information we collect, how we use it, how we protect it, and what rights you have regarding your data.
By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described here, please do not use the Service.
Our Core Promise: We do not sell, rent, or trade your personal or financial data to any third party. Your data belongs to you.
1. Information We Collect
1.1 Account Information
When you create an account, we collect:
- Your full name
- Your email address
- A password (stored in hashed form; we never store or have access to your plaintext password)
- Your selected subscription tier (Essential, Plus, or Pro)
1.2 Financial Data You Provide
As part of normal use of the Service, you may enter:
- Income and expense transactions (amounts, dates, categories, descriptions)
- Budget categories and targets
- Savings goals and progress
- Investment holdings and performance data
- Borrowed investing and mortgage recycling details
- Mortgage and loan information
- Scenario calculator inputs and results
All of this data is entered voluntarily by you. We do not connect to your bank accounts, credit cards, or any external financial institution to pull data automatically.
1.3 Usage Data
We automatically collect limited technical data when you use the Service:
- Browser type and version
- Device type (desktop, tablet, mobile)
- Pages and features accessed within the application
- Timestamps of access
- IP address (used for security and fraud prevention only)
1.4 Information We Do Not Collect
We do not collect or store:
- Bank account numbers, credit card numbers, or banking credentials
- Social Insurance Numbers (SIN) or government-issued identification numbers
- Location data beyond what is provided by your IP address
2. How We Use Your Information
We use the information we collect for the following purposes:
| Purpose | Data Used |
| --- | --- |
| Providing and operating the Service | Account info, financial data |
| Authenticating your identity and securing your account | Email, hashed password, IP address |
| Generating reports and exports (e.g., Accountant Report) | Financial data you provide |
| Processing subscription payments | Email, subscription tier (payment details handled by Stripe) |
| Communicating service updates, security alerts, or billing notices | Email, name |
| Improving the Service through aggregate, anonymized analytics | Usage data (never individual financial data) |
| Complying with legal obligations | As required by law |
We do not use your financial data for profiling, advertising, credit scoring, or any purpose unrelated to providing you with the Service.
3. How We Store and Protect Your Data
3.1 Infrastructure
Your data is stored on Supabase, a cloud database platform built on PostgreSQL. Supabase provides enterprise-grade infrastructure with the following security measures:
- Encryption at rest: All data stored in the database is encrypted using AES-256 encryption.
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS).
- Row-Level Security (RLS): Database policies ensure that users can only access their own data.
- Automated backups: Regular database backups ensure data can be recovered in the event of a system failure.
3.2 Authentication Security
User authentication is managed through Supabase Auth. Passwords are hashed using industry-standard bcrypt hashing. We never store, log, or have access to your plaintext password.
3.3 Access Controls
Access to production infrastructure is restricted to authorized personnel only, secured with multi-factor authentication, and logged for audit purposes.
4. Cookies and Local Storage
4.1 Cookies
We use a minimal number of cookies strictly necessary for the operation of the Service:
- Authentication cookies: Used to maintain your logged-in session. These are essential cookies and cannot be disabled while using the Service.
- Security cookies: Used for CSRF protection and fraud prevention.
We do not use advertising cookies, tracking cookies, or any third-party cookies for marketing purposes.
4.2 Local Storage (localStorage)
The application may use your browser's localStorage to:
- Cache user interface preferences (e.g., theme settings, selected views)
- Store temporary application state for a smoother user experience
- Maintain offline-capable functionality where applicable
No sensitive financial data is permanently stored in localStorage. Any cached data in localStorage is supplementary and the authoritative copy of your data resides in our secured database.
5. Third-Party Services
We use a limited number of third-party services to operate the Service. Each is bound by its own privacy and security obligations:
| Service | Purpose | Data Shared |
| --- | --- | --- |
| Supabase | Database hosting, authentication, backend infrastructure | All account and financial data (encrypted) |
| Stripe (future) | Payment processing for subscriptions | Email, subscription tier; Stripe handles all payment card data directly and we never see or store your card number |
We do not share your data with any other third-party services, analytics platforms, advertisers, or data brokers.
6. Data Sharing and Disclosure
We do not sell, rent, lease, or trade your personal or financial information to any third party. We may disclose your information only in the following limited circumstances:
- With your consent: When you explicitly authorize us to share specific information (for example, generating an export for your accountant).
- Service providers: To the third-party providers listed in Section 5, solely for the purpose of operating the Service.
- Legal requirements: When required by law, regulation, legal process, or enforceable government request, including compliance with Canadian federal or provincial law.
- Protection of rights: When necessary to protect the rights, safety, or property of Opes Ledger, our users, or the public, including enforcing our Terms of Service.
- Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity. You will be notified of any such transfer and given the option to delete your data before the transfer occurs.
7. Your Rights
You have the following rights regarding your personal information:
7.1 Right to Access
You may request a complete copy of all personal and financial data we hold about you. We will provide this in a commonly used electronic format (such as CSV or JSON) within 30 days of your request.
7.2 Right to Export
You may export your data at any time through the application's built-in export functionality. The Accountant Report export feature provides a structured summary of your financial records.
7.3 Right to Correction
You may update or correct your personal and financial data at any time through the application. If you need assistance making corrections, contact us at privacy@opesledger.ca.
7.4 Right to Deletion
You may request the deletion of your account and all associated data at any time. Upon receiving a verified deletion request:
- Your account will be deactivated immediately.
- All personal and financial data will be permanently deleted from our active systems within 30 days.
- Data may persist in encrypted backups for up to 90 days, after which it will be automatically purged.
- We may retain minimal records (email address and deletion date) where required by law or to prevent fraud.
7.5 Right to Withdraw Consent
Where we rely on your consent to process your data, you may withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
To exercise any of these rights, contact us at privacy@opesledger.ca. We will respond to all requests within 30 days.
8. Data Retention
We retain your data according to the following schedule:
- Active accounts: Your data is retained for as long as your account remains active and you maintain an active subscription.
- Cancelled subscriptions: If you cancel your subscription, your data will be retained for 90 days to allow you to reactivate your account. After 90 days, your data will be permanently deleted unless you request earlier deletion.
- Account deletion requests: Data is permanently deleted from active systems within 30 days. Backup copies are purged within 90 days.
- Legal retention: Certain records may be retained longer where required by Canadian federal or provincial law, including tax and financial regulations.
9. Canadian Privacy Law Compliance (PIPEDA)
Opes Ledger complies with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation. In accordance with PIPEDA, we adhere to the following ten fair information principles:
- Accountability: We are responsible for the personal information under our control and have designated a privacy officer to oversee compliance.
- Identifying Purposes: We identify the purposes for which personal information is collected at or before the time of collection, as outlined in this Privacy Policy.
- Consent: We obtain your knowledge and consent for the collection, use, and disclosure of your personal information, except where inappropriate or as permitted by law.
- Limiting Collection: We limit the collection of personal information to that which is necessary for the purposes identified.
- Limiting Use, Disclosure, and Retention: We do not use or disclose personal information for purposes other than those for which it was collected, except with your consent or as required by law. We retain personal information only as long as necessary to fulfill those purposes.
- Accuracy: We keep personal information as accurate, complete, and up to date as necessary for the purposes for which it is used. You may update your information at any time through the application.
- Safeguards: We protect personal information with security safeguards appropriate to the sensitivity of the information, including encryption, access controls, and secure infrastructure.
- Openness: We make information about our policies and practices relating to the management of personal information readily available through this Privacy Policy.
- Individual Access: Upon request, we will inform you of the existence, use, and disclosure of your personal information and give you access to that information within 30 days.
- Challenging Compliance: You may challenge our compliance with this Privacy Policy by contacting our privacy officer at privacy@opesledger.ca. If you are not satisfied with our response, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada.
10. Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that a child under 18 has provided us with personal information, we will take steps to delete such information promptly. If you believe a child has provided us with personal information, please contact us at privacy@opesledger.ca.
11. International Data Transfers
Your data may be processed and stored on servers located outside of Canada, depending on the infrastructure used by our service providers (Supabase). Where your data is transferred outside of Canada, we ensure that adequate safeguards are in place to protect your information in accordance with PIPEDA and applicable Canadian law.
12. Security Breach Notification
In the event of a security breach involving your personal information that creates a real risk of significant harm, we will:
- Notify affected users as soon as feasible after the breach is discovered.
- Report the breach to the Office of the Privacy Commissioner of Canada as required by PIPEDA.
- Provide clear information about what data was affected, what we are doing to address the breach, and what steps you can take to protect yourself.
- Maintain records of all breaches as required by law.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes:
- We will post the updated Privacy Policy on this page with a revised "Last Updated" date.
- We will notify you by email or through a prominent notice within the application at least 14 days before the changes take effect.
- Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner of Canada at www.priv.gc.ca.